/
splunk_risky_command_abuse_disclosed_february_2023.yml
92 lines (92 loc) · 3.28 KB
/
splunk_risky_command_abuse_disclosed_february_2023.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
name: Splunk risky Command Abuse disclosed february 2023
id: ee69374a-d27e-4136-adac-956a96ff60fd
version: 2
date: '2024-01-22'
author: Chase Franklin, Rod Soto, Eric McGinnis, Splunk
status: production
type: Hunting
description: This search looks for a variety of high-risk commands throughout
a number of different Splunk Vulnerability Disclosures. Please refer to the
following URL for additional information on these disclosures - https://advisory.splunk.com
data_source:
- Splunk
search: '| tstats fillnull_value="N/A" count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity
where Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user
by Search_Activity.search Search_Activity.info Search_Activity.total_run_time Search_Activity.user
Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | lookup splunk_risky_command
splunk_risky_command as search output splunk_risky_command description vulnerable_versions
CVE other_metadata | where splunk_risky_command != "false"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `splunk_risky_command_abuse_disclosed_february_2023_filter`'
how_to_implement: Requires implementation of Splunk_Audit.Search_Activity datamodel.
known_false_positives: This search encompasses many commands.
references:
- https://www.splunk.com/en_us/product-security.html
tags:
analytic_story:
- Splunk Vulnerabilities
asset_type: Splunk Server
confidence: 50
cve:
- CVE-2023-22931
- CVE-2023-22934
- CVE-2023-22935
- CVE-2023-22936
- CVE-2023-22939
- CVE-2023-22940
- CVE-2023-40598
- CVE-2023-40598
- CVE-2023-46214
- CVE-2024-23676
impact: 50
message: Use of risky splunk command $splunk_risky_command$ detected by $user$
mitre_attack_id:
- T1548
- T1202
observable:
- name: user
type: User
role:
- Attacker
- name: splunk_risky_command
type: Other
role:
- Other
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- search
- info
- user
- search_type
- count
risk_score: 25
security_domain: threat
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/splunk/splunk_createrss_command_abuse.log
source: audittrail
sourcetype: audittrail
custom_index: _audit
- name: True Positive Test runshellscript abuse
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/splunk/splunk_runshellscript_abuse.log
source: audittrail
sourcetype: audittrail
custom_index: _audit
- name: True Positive Test Additional runshellscript abuse
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1202/splunk/splunk_cmd_injection_using_external_lookups_audittrail.log
source: audittrail
sourcetype: audittrail
custom_index: _audit
- name: True Positive Test mrollup abuse
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/splunk/splunk_mrollup_abuse_audittrail.log
source: audittrail
sourcetype: audittrail
custom_index: _audit