/
splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature.yml
62 lines (62 loc) · 2.17 KB
/
splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
name: Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature
id: baa41f09-df48-4375-8991-520beea161be
version: 1
date: '2022-10-11'
author: Rod Soto
status: production
type: Hunting
description: This hunting search provides information on possible exploitation attempts
against Splunk Secure Gateway App Mobile Alerts feature in Splunk versions 9.0,
8.2.x, 8.1.x. An authenticated user can run arbitrary operating system commands
remotely through the use of specially crafted requests to the mobile alerts feature
in the Splunk Secure Gateway app.
data_source:
- Splunk
search: '`splunkda` uri_path="/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*"
sort="notification.created_at:-1" | table clientip file host method uri_query sort
| `splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature_filter`'
how_to_implement: This search only applies if Splunk Mobile Gateway is deployed in
the vulnerable Splunk versions.
known_false_positives: This detection does not require you to ingest any new data.
The detection does require the ability to search the _internal index. Focus of this
search is "uri_path=/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*"
which is the injection point.
references:
- https://www.splunk.com/en_us/product-security.html
tags:
analytic_story:
- Splunk Vulnerabilities
asset_type: Endpoint
confidence: 90
cve:
- CVE-2022-43567
impact: 90
message: Possible exploitation attempt from $clientip$
mitre_attack_id:
- T1210
observable:
- name: clientip
type: IP Address
role:
- Attacker
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- uri_path
- clientip
- file
- host
- method
- sort
risk_score: 81
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1210/splunk/splunk_rce_via_secure_gateway_splunk_mobile_alerts_feature.txt
source: /opt/splunk/var/log/splunk/splunkd_access.log
sourcetype: splunkd_access
custom_index: _internal
update_timestamp: true