Techniques
Sample rules
Splunk App for Lookup File Editing RCE via User XSLT
- source: splunk
- techniques:
  - T1210
Description
This search provides information for investigating possible exploitation of remote code execution via user-supplied Extensible Stylesheet Language Transformations (XSLT), affecting Splunk versions 9.1.x.
Detection logic
| rest splunk_server=local /services/data/lookup-table-files/
| fields title author disabled eai:acl.app eai:acl.owner eai:acl.sharing eai:appName eai:data
| `splunk_app_for_lookup_file_editing_rce_via_user_xslt_filter`