LoFP / This search provides information for investigation and hunting of lookup creation via user-supplied XSLT, which may be an indication of possible exploitation. There will be false positives, as it is not possible to detect the payload executed via this exploit from the lookup listing alone.

Techniques

Sample rules

Splunk App for Lookup File Editing RCE via User XSLT

Description

The following analytic identifies lookup files present in Splunk, which could indicate an attempt to exploit remote code execution via user-supplied XSLT. It queries the local REST endpoint for lookup table files and returns the title, author, disabled flag, and access control list fields (app, owner, sharing) together with the backing file path. Note that the search inventories the lookup files that exist at query time; it does not observe the creation event or the XSLT content itself. This activity is significant because it targets a known vulnerability in Splunk versions 9.1.x that potentially allows attackers to execute arbitrary code. If confirmed malicious, this could lead to unauthorized code execution, compromising the integrity and security of the Splunk environment.

Detection logic

| rest splunk_server=local /services/data/lookup-table-files/
| fields title author disabled eai:acl.app eai:acl.owner eai:acl.sharing eai:appName eai:data
| `splunk_app_for_lookup_file_editing_rce_via_user_xslt_filter`
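The same inventory can be pulled over the management port and triaged outside Splunk. The script below is an added example, not part of the LoFP page or the Splunk detection: it projects the JSON returned by /services/data/lookup-table-files/ onto the same field set as the `| fields` line, then applies a stand-in for the `_filter` macro. The REST response is constructed here so the example runs offline; the base URL, token and expected-owner allowlist are assumptions to be tuned per environment.

```python
"""Added example (not from the LoFP page or the Splunk rule): replay the
lookup-table-files inventory in Python and triage it.

The sample response is constructed to mirror the JSON shape of
/services/data/lookup-table-files/?output_mode=json; host, token and the
owner allowlist are assumptions."""
import json
import urllib.request

# Field names match the `| fields ...` line of the SPL search.
FIELDS = ("title", "author", "disabled", "eai:acl.app", "eai:acl.owner",
          "eai:acl.sharing", "eai:appName", "eai:data")

# Constructed sample: a stock app-level lookup, and a user-private lookup
# created by a non-admin account through the lookup editor.
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "geo_attr_countries.csv", "author": "nobody",
         "acl": {"app": "search", "owner": "nobody", "sharing": "app"},
         "content": {"disabled": False, "eai:appName": "search",
                     "eai:data": "/opt/splunk/etc/apps/search/lookups/geo_attr_countries.csv"}},
        {"name": "report.csv", "author": "jdoe",
         "acl": {"app": "lookup_editor", "owner": "jdoe", "sharing": "user"},
         "content": {"disabled": False, "eai:appName": "lookup_editor",
                     "eai:data": "/opt/splunk/etc/users/jdoe/lookup_editor/lookups/report.csv"}},
    ]
})


def flatten(entry):
    """Project one REST entry onto the fields the SPL search keeps.

    In JSON output the ACL lives under the entry's top-level "acl" object and
    the remaining eai:* attributes under "content"; `| rest` flattens both.
    """
    acl = entry.get("acl", {})
    content = entry.get("content", {})
    return {
        "title": entry.get("name"),
        "author": entry.get("author"),
        "disabled": content.get("disabled"),
        "eai:acl.app": acl.get("app"),
        "eai:acl.owner": acl.get("owner"),
        "eai:acl.sharing": acl.get("sharing"),
        "eai:appName": content.get("eai:appName"),
        "eai:data": content.get("eai:data"),
    }


def parse_lookup_files(raw_json):
    """Return the inventory as a list of flattened rows."""
    return [flatten(e) for e in json.loads(raw_json).get("entry", [])]


def triage(rows, expected_owners=("nobody", "admin")):
    """Stand-in for the `_filter` macro (an assumption, tune per environment):
    surface lookups owned by any account outside the expected-owner allowlist,
    since the payload itself is not visible in this listing."""
    return [r for r in rows if r["eai:acl.owner"] not in expected_owners]


def fetch_lookup_files(base_url, token):
    """Live query of the endpoint the SPL uses; base_url/token are assumed,
    e.g. https://splunk.example:8089 and a Splunk bearer token."""
    req = urllib.request.Request(
        f"{base_url}/services/data/lookup-table-files/?output_mode=json&count=0",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    for row in triage(parse_lookup_files(SAMPLE_RESPONSE)):
        print({k: row[k] for k in FIELDS})
```

Owner and sharing level are the cheapest pivot: a lookup with `sharing=user` owned by a low-privilege account is exactly what the false-positive note says cannot be distinguished from benign editing by the listing alone, so the flagged rows still need the corresponding web-access or internal logs to confirm an XSLT upload.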