Techniques
Sample rules
Splunk App for Lookup File Editing RCE via User XSLT
- source: splunk
- techniques:
Description
The following analytic identifies the creation of lookup files in Splunk, which could indicate an attempt to exploit remote code execution via user-supplied XSLT. It queries the Splunk REST API to enumerate lookup table files, returning fields such as title, author, and access control list (app, owner, sharing). This activity is significant because it targets a known vulnerability in Splunk versions 9.1.x that could allow an attacker to execute arbitrary code. If confirmed malicious, this could lead to unauthorized code execution, compromising the integrity and security of the Splunk environment.
Detection logic
| rest splunk_server=local /services/data/lookup-table-files/
| fields title author disabled eai:acl.app eai:acl.owner eai:acl.sharing eai:appName eai:data
| `splunk_app_for_lookup_file_editing_rce_via_user_xslt_filter`
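The same triage logic as the SPL above, reimplemented in Python over a constructed REST response, as an added example that is not part of the original rule: it keeps the fields the `fields` line selects and emulates the `_filter` macro with an allowlist of reviewed lookups. The JSON shape, the sample entries and the `KNOWN_GOOD` set are assumptions, not data from the page.

```python
import json

# Constructed sample resembling the JSON form of
# /services/data/lookup-table-files/ (entry[].name, .author, .acl.*).
# Names and owners are made up for illustration.
SAMPLE_RESPONSE = json.dumps({"entry": [
    {"name": "geo_attr_countries.csv", "author": "nobody",
     "acl": {"app": "search", "owner": "nobody", "sharing": "global"},
     "content": {"disabled": False}},
    {"name": "new_lookup.csv", "author": "jdoe",
     "acl": {"app": "lookup_editor", "owner": "jdoe", "sharing": "user"},
     "content": {"disabled": False}},
]})

# Stand-in for the `splunk_app_for_lookup_file_editing_rce_via_user_xslt_filter`
# macro: (app, title) pairs an analyst has reviewed and accepted as baseline.
KNOWN_GOOD = {("search", "geo_attr_countries.csv")}


def flatten(entry):
    """Project one REST entry onto the fields the SPL `fields` line keeps."""
    acl = entry.get("acl", {})
    return {
        "title": entry.get("name"),
        "author": entry.get("author"),
        "disabled": entry.get("content", {}).get("disabled"),
        "eai:acl.app": acl.get("app"),
        "eai:acl.owner": acl.get("owner"),
        "eai:acl.sharing": acl.get("sharing"),
    }


def find_suspicious_lookups(response_json, known_good=KNOWN_GOOD):
    """Return lookup entries not covered by the allowlist (the macro's job)."""
    alerts = []
    for entry in json.loads(response_json).get("entry", []):
        row = flatten(entry)
        if (row["eai:acl.app"], row["title"]) in known_good:
            continue  # baseline lookup, filtered out like the macro would
        alerts.append(row)
    return alerts


if __name__ == "__main__":
    for row in find_suspicious_lookups(SAMPLE_RESPONSE):
        print(row)
```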