splunk_es_dos_investigations_manager_via_investigation_creation.yml
54 lines (54 loc) · 2.2 KB
name: Splunk ES DoS Investigations Manager via Investigation Creation
id: 7f6a07bd-82ef-46b8-8eba-802278abd00e
version: 1
date: '2024-01-04'
author: Rod Soto, Eric McGinnis, Chase Franklin
status: production
type: TTP
data_source:
- Splunk
description: In Splunk Enterprise Security (ES) versions lower than 7.1.2, an attacker can create a malformed Investigation to perform a denial of service (DoS). The malformed investigation prevents the generation and rendering of the Investigations manager until it is deleted.
search: '`splunkd_investigation_rest_handler` method=put msg=*investigation* status=error | stats count min(_time) as firstTime max(_time) as lastTime by user host method msg
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `splunk_es_dos_investigations_manager_via_investigation_creation_filter`'
how_to_implement: This search requires access to internal indexes. Only affects Splunk Enterprise Security versions lower than 7.1.2.
known_false_positives: Exploitation requires an authenticated session with permission to create an Investigation. The vulnerability affects only the availability of the Investigations manager, but without the manager the Investigations feature is unusable for most users. This search returns the exact offending event (the failed PUT to the investigation REST handler), so each result can be traced back to a specific user and host.
references:
- https://advisory.splunk.com/advisories/SVD-2024-0102
tags:
  analytic_story:
  - Splunk Vulnerabilities
  asset_type: Endpoint
  confidence: 100
  impact: 100
  message: Denial of Service Attack against Splunk ES Investigation Manager by $user$
  cve:
  - CVE-2024-22165
  mitre_attack_id:
  - T1499
  observable:
  - name: user
    type: User
    role:
    - Victim
  - name: host
    type: Hostname
    role:
    - Victim
  product:
  - Splunk Enterprise Security
  risk_score: 100
  required_fields:
  - method
  - msg
  - status
  - user
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1499/splunk/splunk_cve_2024_22165_investigation_rest_handler.log
    source: /opt/splunk/var/log/splunk/investigation_handler.log
    sourcetype: investigation_rest_handler
    custom_index: _internal
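The following is an added example, not part of the detection file or the splunk/security_content project: a Python re-implementation of the `search` above, run over constructed sample log lines so the matching and aggregation logic can be checked offline without a Splunk instance. It assumes that the `splunkd_investigation_rest_handler` macro narrows the search to `index=_internal sourcetype=investigation_rest_handler` (consistent with the `tests` stanza), that Splunk extracts `user`, `host`, `method`, `msg` and `status` as key=value fields from each event, that `security_content_ctime` renders epoch time as `%m/%d/%Y %H:%M:%S`, and that the `_filter` macro is a no-op. The event layout in `SAMPLE_LOG` is invented; the real `investigation_handler.log` format is not shown on the page.

```python
import re
from datetime import datetime, timezone

# Constructed sample events (not real Splunk output). The key=value layout is
# an assumption; the search only needs Splunk to extract user, host, method,
# msg and status from each event in index=_internal,
# sourcetype=investigation_rest_handler.
SAMPLE_LOG = """\
2024-01-04 10:02:11,340 INFO user=alice host=es-sh-01 method=get msg="list investigations" status=ok
2024-01-04 10:05:47,012 ERROR user=mallory host=es-sh-01 method=put msg="Error creating investigation: malformed payload" status=error
2024-01-04 10:05:49,880 ERROR user=mallory host=es-sh-01 method=put msg="Error creating investigation: malformed payload" status=error
2024-01-04 10:07:03,001 ERROR user=bob host=es-sh-02 method=put msg="Error updating note" status=error
2024-01-04 10:08:15,555 INFO user=carol host=es-sh-01 method=put msg="investigation created" status=ok
2024-01-04 10:09:30,200 ERROR user=mallory host=es-sh-02 method=PUT msg="Error creating Investigation: malformed payload" status=error
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(\d{3}) ")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line):
    """Return extracted fields plus _time (epoch seconds, UTC), or None for a non-event line."""
    m = TS_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    fields = {"_time": stamp.timestamp() + int(m.group(2)) / 1000.0}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def matches(ev):
    """method=put msg=*investigation* status=error.

    Splunk compares field values case-insensitively, so method=PUT and
    msg containing "Investigation" also match; the wildcard becomes a substring test.
    """
    return (ev.get("method", "").lower() == "put"
            and ev.get("status", "").lower() == "error"
            and "investigation" in ev.get("msg", "").lower())


def ctime(epoch):
    """Stand-in for `security_content_ctime` (assumed %m/%d/%Y %H:%M:%S, rendered in UTC here)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def run_detection(log_text):
    """stats count min(_time) as firstTime max(_time) as lastTime by user host method msg.

    The grouping keys keep their original case, as `stats ... by` does, so a
    PUT and a put from the same user land in separate rows. The trailing
    `_filter` macro is treated as a no-op (assumption).
    """
    groups = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or not matches(ev):
            continue
        key = (ev.get("user", ""), ev.get("host", ""), ev.get("method", ""), ev.get("msg", ""))
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    rows = []
    for (user, host, method, msg), g in sorted(groups.items()):
        rows.append({"user": user, "host": host, "method": method, "msg": msg,
                     "count": g["count"],
                     "firstTime": ctime(g["firstTime"]), "lastTime": ctime(g["lastTime"])})
    return rows


if __name__ == "__main__":
    for row in run_detection(SAMPLE_LOG):
        print(f"{row['count']:>3}  {row['firstTime']}  {row['lastTime']}  "
              f"{row['user']}@{row['host']}  {row['method']}  {row['msg']}")
```

Against the sample, only mallory's failed PUTs whose message mentions an investigation survive the filter: bob's PUT fails on an unrelated note, and carol's investigation creation succeeds, so neither fires. Two result rows come back (one per host), which is what the `message` field would render as "Denial of Service Attack against Splunk ES Investigation Manager by mallory".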