/
splunk_list_all_nonstandard_admin_accounts.yml
57 lines (57 loc) · 2.22 KB
/
splunk_list_all_nonstandard_admin_accounts.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
name: Splunk list all nonstandard admin accounts
id: 401d689c-8596-4c6b-a710-7b6fdca296d3
version: 1
date: '2023-02-07'
author: Rod Soto
status: experimental
type: Hunting
description: 'This search will enumerate all Splunk Accounts with administrative rights
on this instance. It deliberately ignores the default admin account since this
is assumed to be present. This search may help in a detection the Cross-Site Scripting
Attack listed: In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a
View allows for Cross-Site Scripting in an XML View through the ''layoutPanel''
attribute in the ''module'' tag. The vulnerability affects instances with Splunk
Web enabled.'
data_source:
- Splunk
search: '| rest splunk_server=local /services/authentication/users |search capabilities=admin*
OR imported_capabilities=admin* title!=admin | table title roles capabilities splunk_server
| `splunk_list_all_nonstandard_admin_accounts_filter`'
how_to_implement: The user running this search is required to have a permission allowing
them to dispatch REST requests to indexers (the `dispatch_rest_to_indexers` capability)
in some architectures. If there have been admin account, in addition to the standard
admin account, intentionally created on this server, then edit the filter macro
to exclude them.
known_false_positives: It is not possible to discern from the user table whether or
not users with admin rights have been created intentionally, accidentally, or as
a result of exploitation. Each user with these rights should be investigated and,
if legitimate, added to the filter macro above. If a user is not believed to be
legitimate, then further investigation should take place.
references:
- https://www.splunk.com/en_us/product-security.html
tags:
analytic_story:
- Splunk Vulnerabilities
asset_type: Endpoint
confidence: 50
cve:
- CVE-2023-22933
impact: 50
message: Potential stored XSS attempt from $host$
mitre_attack_id:
- T1189
observable:
- name: splunk_server
type: Hostname
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- capabilities
- splunk_server
- title
risk_score: 25
security_domain: endpoint