LoFP / This search may find additional path traversal exploitation attempts.

Techniques

Sample rules

Path traversal SPL injection

Description

On May 3rd, 2022, Splunk published a security advisory for a path traversal in the search parameter that can potentially allow SPL injection. An attacker can cause the application to load data from incorrect endpoints or URLs, leading to outcomes such as running arbitrary SPL queries.

Detection logic

 `path_traversal_spl_injection` 
| search "\/..\/..\/..\/..\/..\/..\/..\/..\/..\/"  
| stats count by host status clientip method uri_path uri_query 
| `path_traversal_spl_injection_filter`
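
Why the false positive above occurs, as an added Python example (not part of the original rule or of Splunk's code): it approximates the literal nine-level match as a substring test and reproduces the `stats count by` grouping over constructed events. The field names come from the rule; the events, placeholder paths and function names are assumptions.

```python
from collections import Counter

# Literal the rule searches for: nine consecutive "/.." hops plus a closing "/".
TRAVERSAL = "/.." * 9 + "/"

# Fields the rule groups on in `stats count by ...`.
GROUP_FIELDS = ("host", "status", "clientip", "method", "uri_path", "uri_query")

# Constructed sample events (not real logs); IPs are documentation ranges,
# paths and query values are placeholders.
EVENTS = [
    # Traversal carried in the query string, seen twice from the same client.
    {"host": "web01", "status": 200, "clientip": "192.0.2.10", "method": "GET",
     "uri_path": "/app/placeholder/search",
     "uri_query": "q=" + TRAVERSAL + "placeholder-endpoint"},
    {"host": "web01", "status": 200, "clientip": "192.0.2.10", "method": "GET",
     "uri_path": "/app/placeholder/search",
     "uri_query": "q=" + TRAVERSAL + "placeholder-endpoint"},
    # Generic traversal probe in the path, unrelated to the search parameter:
    # the rule still matches it, which is the false positive this page records.
    {"host": "web02", "status": 404, "clientip": "198.51.100.7", "method": "GET",
     "uri_path": "/static" + TRAVERSAL + "placeholder.txt", "uri_query": ""},
    # Ordinary relative link with a single hop: not matched.
    {"host": "web01", "status": 200, "clientip": "192.0.2.11", "method": "GET",
     "uri_path": "/docs/../index.html", "uri_query": ""},
]


def matches(event):
    """Approximate the quoted-string search as a substring test on the request."""
    return TRAVERSAL in f'{event["uri_path"]}?{event["uri_query"]}'


def run_detection(events):
    """Return one row per distinct field combination, like `stats count by`."""
    counts = Counter(
        tuple(event[f] for f in GROUP_FIELDS) for event in events if matches(event)
    )
    return [dict(zip(GROUP_FIELDS, key), count=n) for key, n in counts.items()]


if __name__ == "__main__":
    for row in run_detection(EVENTS):
        print(row)
```

Rows where the traversal sits in `uri_path` rather than `uri_query`, or where the host is not a Splunk web interface, are candidates for exclusion in the filter macro after triage.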