This search provides information for the investigation and hunting of lookup creation via user-supplied XSLT, which may be an indication of possible exploitation. There will be false positives, as it is not possible to detect the payload executed via this exploit.

Techniques

Sample rules

Splunk App for Lookup File Editing RCE via User XSLT

Description

This search provides information to investigate possible remote code execution exploitation via user-supplied Extensible Stylesheet Language Transformations (XSLT), affecting Splunk versions 9.1.x.

Detection logic

| rest splunk_server=local /services/data/lookup-table-files/
| fields title author disabled eai:acl.app eai:acl.owner eai:acl.sharing eai:appName eai:data
| `splunk_app_for_lookup_file_editing_rce_via_user_xslt_filter`
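As an added illustration (not part of the rule or of the Splunk app), the search above replayed outside the search head: the script takes the JSON that the same /services/data/lookup-table-files/ endpoint returns with output_mode=json, projects it onto the field names the SPL keeps (the flattening `| rest` performs), and applies an allowlist that stands in for the filter macro used to suppress known-good lookups. The response body and the allowlist are constructed for the example.

```python
"""Replay of the lookup-table-files hunt outside the search head (added example)."""
import json
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample response: a global vendor lookup, an app lookup and a private user lookup.
SAMPLE_RESPONSE = json.dumps({"entry": [
    {"name": "geo_attr_countries.csv", "author": "nobody",
     "acl": {"app": "search", "owner": "nobody", "sharing": "global"},
     "content": {"disabled": False, "eai:appName": "search",
                 "eai:data": "/opt/splunk/etc/apps/search/lookups/geo_attr_countries.csv"}},
    {"name": "asset_inventory.csv", "author": "admin",
     "acl": {"app": "SA-assets", "owner": "admin", "sharing": "app"},
     "content": {"disabled": False, "eai:appName": "SA-assets",
                 "eai:data": "/opt/splunk/etc/apps/SA-assets/lookups/asset_inventory.csv"}},
    {"name": "tmp_x.csv", "author": "jdoe",
     "acl": {"app": "search", "owner": "jdoe", "sharing": "user"},
     "content": {"disabled": False, "eai:appName": "search",
                 "eai:data": "/opt/splunk/etc/users/jdoe/search/lookups/tmp_x.csv"}},
]})

# The fields the SPL keeps, in the order of the `| fields` clause.
FIELDS = ["title", "author", "disabled", "eai:acl.app", "eai:acl.owner",
          "eai:acl.sharing", "eai:appName", "eai:data"]

# Constructed tuning allowlist: (app, owner) pairs expected to own lookup files.
KNOWN_GOOD: Set[Tuple[str, str]] = {("search", "nobody"), ("SA-assets", "admin")}


def project(response_json: str) -> List[Dict[str, str]]:
    """Flatten each REST entry onto the SPL field names (`| rest ... | fields ...`)."""
    rows = []
    for e in json.loads(response_json)["entry"]:
        flat = {"title": e["name"], "author": e["author"],
                "disabled": "1" if e["content"].get("disabled") else "0",
                "eai:acl.app": e["acl"]["app"], "eai:acl.owner": e["acl"]["owner"],
                "eai:acl.sharing": e["acl"]["sharing"],
                "eai:appName": e["content"].get("eai:appName", ""),
                "eai:data": e["content"].get("eai:data", "")}
        rows.append({k: flat[k] for k in FIELDS})
    return rows


def apply_filter(rows: Iterable[Dict[str, str]], known_good: Set[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Stand-in for the filter macro: drop lookups whose (app, owner) pair is expected."""
    return [r for r in rows if (r["eai:acl.app"], r["eai:acl.owner"]) not in known_good]


if __name__ == "__main__":
    # Whatever survives the allowlist is what an analyst would look at first.
    for r in apply_filter(project(SAMPLE_RESPONSE), KNOWN_GOOD):
        print(r["title"], r["eai:acl.owner"], r["eai:acl.sharing"], r["eai:data"])
```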