this search may produce false positives. this detection does not require you to ingest any new data. the detection does require the ability to search the _audit index. special attention must be paid to \"/en-us/app/search/analytics_workspace?sid=[sid]\" which is where the malicious code will be inserted to trigger attack at victim.

t1567
endpoint
splunk

Techniques

T1567

Sample rules

Splunk Data exfiltration from Analytics Workspace using sid query

source: splunk
technicques:
- T1567

Description

This hunting search allows operator to discover attempts to exfiltrate data by executing a prepositioned malicious search ID in Analytic Workspace in Splunk Enterprise versions 8.2.9,8.1.12,9.0.2. The attack is browser-based. It requires the attacker to compel a victim to initiate a request within their browser (phishing). The attacker cannot exploit the vulnerability at will.

Detection logic

`audit_searches` info=granted search NOT ("audit_searches") search NOT ("security_content_summariesonly") AND ((search="*mstats*[*]*" AND provenance="N/A") OR (search="*mstats*\\\"*[*]*\\\"*"))
| eval warning=if(match(search,"\\\\\""), "POTENTIAL INJECTION STAGING", "POTENTIAL INJECTION EXECUTION") 
| table search, user, warning, timestamp 
| `splunk_data_exfiltration_from_analytics_workspace_using_sid_query_filter`