Techniques
Sample rules
Splunk RCE via User XSLT
- source: splunk
- techniques:
- T1210
Description
This search surfaces web requests to investigate for possible remote code execution via user-supplied Extensible Stylesheet Language Transformations (XSLT), affecting Splunk versions 9.1.x. It scans splunkd_ui access logs for requests whose URI carries NO_BINARY_CHECK=1 together with an input.path value ending in .xsl, or a dispatch path that references a .xsl file, excludes requests to splunkd_ui itself, URL-decodes everything after the first "=" in the URI, and labels each request Allowed when the server answered HTTP 200 or Blocked when it answered one of the listed redirect or error codes (anything else is Unknown). Results are aggregated per source IP, user agent, URI, decoded query and action, so a successful (Allowed) upload of an .xsl file followed by a dispatch request for the same file is the pattern to triage first; Blocked rows show attempts that the server rejected.
Detection logic
`splunkd_ui` ((uri="*NO_BINARY_CHECK=1*" AND "*input.path=*.xsl*") OR uri="*dispatch*.xsl*") AND uri!= "*splunkd_ui*"
| rex field=uri "(?<string>=\s*([\S\s]+))"
| eval decoded_field=urldecode(string)
| eval action=case(match(status,"200"),"Allowed",match(status,"303|500|401|403|404|301|406"),"Blocked",1=1,"Unknown")
| stats count min(_time) as firstTime max(_time) as lastTime by clientip useragent uri decoded_field action host
| rename clientip as src, uri as dest_uri
| iplocation src
| fillnull value="N/A"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table firstTime, lastTime, src, useragent, action, count, Country, Region, City, dest_uri, decoded_field
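To exercise the detection logic without a Splunk instance, the following is an added Python re-implementation of the search above, run over a handful of constructed splunkd_ui-style access-log lines. It is example code written for this page, not part of the rule or Splunk's own code. The access-log layout, the host name splunk-sh-01, the sample IPs and the sample URIs are assumptions; Python's urllib.parse.unquote stands in for the SPL urldecode function, and fnmatch stands in for Splunk wildcard matching.

```python
"""Offline re-implementation of the 'Splunk RCE via User XSLT' search.

Added example for this page; not Splunk's code and not the rule itself.
"""
import re
from datetime import datetime
from fnmatch import fnmatchcase
from urllib.parse import unquote

# Constructed sample log lines (not real telemetry). The layout is an assumption:
#   clientip - user [time] "METHOD uri HTTP/x" status bytes "referer" "useragent"
# Lines 1 and 3: an .xsl upload via the preview endpoint, accepted (200).
# Line 2: a results request whose xsl parameter points into a dispatch directory.
# Line 4: the same upload attempt from another IP, rejected (401).
# Line 5: ordinary search traffic (must not match).
# Line 6: matches the dispatch wildcard but hits splunkd_ui itself (must be excluded).
SAMPLE_LOG = r'''
203.0.113.10 - admin [01/Dec/2023:10:00:01 +0000] "POST /en-US/splunkd/__upload/indexing/preview?NO_BINARY_CHECK=1&input.path=%2Ftmp%2Fpayload.xsl HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.10 - admin [01/Dec/2023:10:00:09 +0000] "GET /en-US/splunkd/__raw/servicesNS/nobody/search/search/jobs/1701424800.17/results?output_mode=xml&xsl=%2Fopt%2Fsplunk%2Fvar%2Frun%2Fsplunk%2Fdispatch%2F1701424800.17%2Fpayload.xsl HTTP/1.1" 200 2048 "-" "curl/8.4.0"
203.0.113.10 - admin [01/Dec/2023:10:00:12 +0000] "POST /en-US/splunkd/__upload/indexing/preview?NO_BINARY_CHECK=1&input.path=%2Ftmp%2Fpayload.xsl HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [01/Dec/2023:10:02:30 +0000] "POST /en-US/splunkd/__upload/indexing/preview?NO_BINARY_CHECK=1&input.path=%2Ftmp%2Fpayload.xsl HTTP/1.1" 401 0 "-" "python-requests/2.31"
192.0.2.44 - analyst [01/Dec/2023:10:03:00 +0000] "GET /en-US/app/search/search?q=search%20index%3Dmain HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
192.0.2.44 - analyst [01/Dec/2023:10:03:05 +0000] "GET /en-US/splunkd_ui/?dispatch=x.xsl HTTP/1.1" 200 10 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<useragent>[^"]*)"$'
)
# Same regex as the SPL rex: everything from the first "=" to the end of the URI.
STRING_RE = re.compile(r"=\s*([\S\s]+)")
# Same status lists as the SPL case(); match() is a regex search, not equality.
BLOCKED_RE = re.compile(r"303|500|401|403|404|301|406")


def matches_filter(raw, uri):
    """(uri="*NO_BINARY_CHECK=1*" AND "*input.path=*.xsl*") OR uri="*dispatch*.xsl*",
    then AND uri!="*splunkd_ui*". The bare term in the SPL searches _raw, so it is
    applied to the whole line here."""
    upload = fnmatchcase(uri, "*NO_BINARY_CHECK=1*") and fnmatchcase(raw, "*input.path=*.xsl*")
    dispatch = fnmatchcase(uri, "*dispatch*.xsl*")
    return (upload or dispatch) and not fnmatchcase(uri, "*splunkd_ui*")


def decoded_query(uri):
    """rex + urldecode: capture from the first '=' onward and URL-decode it."""
    m = STRING_RE.search(uri)
    return unquote(m.group(0)) if m else None


def classify(status):
    """Allowed / Blocked / Unknown exactly as the SPL case() expression decides it."""
    if re.search("200", status):
        return "Allowed"
    if BLOCKED_RE.search(status):
        return "Blocked"
    return "Unknown"


def run_detection(log_text, host="splunk-sh-01"):
    """Apply the filter to each line, then stats count/min/max by the same fields."""
    buckets = {}
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m or not matches_filter(line, m["uri"]):
            continue
        ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
        key = (m["clientip"], m["useragent"], m["uri"], decoded_query(m["uri"]),
               classify(m["status"]), host)
        agg = buckets.setdefault(key, {"count": 0, "firstTime": ts, "lastTime": ts})
        agg["count"] += 1
        agg["firstTime"] = min(agg["firstTime"], ts)
        agg["lastTime"] = max(agg["lastTime"], ts)
    rows = []
    for (src, ua, dest_uri, decoded, action, h), agg in buckets.items():
        # rename clientip->src, uri->dest_uri; fillnull value="N/A"
        rows.append({"src": src, "useragent": ua, "dest_uri": dest_uri,
                     "decoded_field": decoded if decoded is not None else "N/A",
                     "action": action, "host": h, **agg})
    return sorted(rows, key=lambda r: r["firstTime"])


if __name__ == "__main__":
    for row in run_detection(SAMPLE_LOG):
        print(row["firstTime"], row["src"], row["action"], row["count"], row["decoded_field"])
```

Two details of the SPL are worth noticing when reading the output. First, the stats grouping includes the full URI and the decoded query, so repeated identical upload requests from one client collapse into a single row with count 2, while a different client or a different filename produces its own row. Second, match(status,"200") and the Blocked list are substring regexes rather than equality tests, and any status outside both lists (302, for example) is reported as Unknown rather than dropped, so Unknown rows still deserve a look.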