LoFP / This search may produce false positives and does not cover exploitation attempts via code obfuscation; the focus of the search is suspicious requests against "/en-us/splunkd/__raw/servicesns/*/launcher/datamodel/model", which is the injection point.

Techniques

Sample rules

Splunk Stored XSS via Data Model objectName field

Description

Splunk Enterprise versions 8.1.12, 8.2.9, 9.0.2 are vulnerable to persistent cross-site scripting via the Data Model object name. An authenticated user can inject and store arbitrary scripts in the Data Model object name, leading to persistent cross-site scripting (XSS).

Detection logic

`splunkd_webx` uri=/en-US/splunkd/__raw/servicesNS/*/launcher/datamodel/model* uri_query!=null 
| stats count by _time host status clientip user uri 
| `splunk_stored_xss_via_data_model_objectname_field_filter`
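To show what the search above selects and aggregates, here is an added Python emulation of it (not part of the rule or of Splunk), run over constructed splunkd_web records; the uri_query!=null clause is read as "the request carries a query string", and the wildcard match is case-insensitive as in Splunk field matching.

```python
import re
from collections import Counter

# Wildcard value from the page's SPL search; '*' matches any run of characters.
SPL_URI_GLOB = "/en-US/splunkd/__raw/servicesNS/*/launcher/datamodel/model*"


def glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Translate an SPL wildcard value into an anchored, case-insensitive regex,
    mirroring Splunk's default case-insensitive field-value matching."""
    return re.compile("^" + ".*".join(re.escape(p) for p in glob.split("*")) + "$",
                      re.IGNORECASE)


URI_RE = glob_to_regex(SPL_URI_GLOB)


def matches_search(event: dict) -> bool:
    """First SPL line: uri hits the datamodel endpoint and the request carries a
    query string (uri_query!=null read here as 'uri_query present and non-empty')."""
    return bool(URI_RE.match(event.get("uri", ""))) and bool(event.get("uri_query"))


def stats_count(events) -> dict:
    """'| stats count by _time host status clientip user uri' over matching events.
    Returns {(_time, host, status, clientip, user, uri): count}."""
    keys = ("_time", "host", "status", "clientip", "user", "uri")
    return dict(Counter(tuple(e.get(k) for k in keys)
                        for e in events if matches_search(e)))


# Constructed sample splunkd_web records (hosts, users and IPs are placeholders).
MODEL_URI = "/en-US/splunkd/__raw/servicesNS/nobody/launcher/datamodel/model"
SAMPLE_EVENTS = [
    # Two requests to the injection point with a query string: one key, count 2.
    {"_time": "2023-01-10T10:00:00", "host": "sh-1", "status": "200", "clientip": "10.0.0.5",
     "user": "analyst", "uri": MODEL_URI + "?output_mode=json", "uri_query": "output_mode=json"},
    {"_time": "2023-01-10T10:00:00", "host": "sh-1", "status": "200", "clientip": "10.0.0.5",
     "user": "analyst", "uri": MODEL_URI + "?output_mode=json", "uri_query": "output_mode=json"},
    # Read of an existing model without a query string: dropped by uri_query!=null.
    {"_time": "2023-01-10T10:01:00", "host": "sh-1", "status": "200", "clientip": "10.0.0.5",
     "user": "analyst", "uri": MODEL_URI + "/SampleModel", "uri_query": None},
    # Unrelated endpoint with a query string: dropped by the uri wildcard.
    {"_time": "2023-01-10T10:02:00", "host": "sh-1", "status": "200", "clientip": "10.0.0.9",
     "user": "viewer", "uri": "/en-US/app/launcher/home?tour=1", "uri_query": "tour=1"},
    # Lower-case path, as written in the LoFP note, still matches case-insensitively.
    {"_time": "2023-01-10T10:03:00", "host": "sh-2", "status": "201", "clientip": "10.0.0.7",
     "user": "builder", "uri": "/en-us/splunkd/__raw/servicesns/admin/launcher/datamodel/model?count=0",
     "uri_query": "count=0"},
]
```

Tuning the false positives the note describes means inspecting the uri_query values behind each aggregated row, which the stats line on the page deliberately leaves out of its grouping.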