/
splunk_unauthenticated_log_injection_web_service_log.yml
55 lines (54 loc) · 2.22 KB
/
splunk_unauthenticated_log_injection_web_service_log.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
name: Splunk Unauthenticated Log Injection Web Service Log
id: de3908dc-1298-446d-84b9-fa81d37e959b
version: 1
date: '2023-07-13'
author: Rod Soto
status: production
type: Hunting
data_source:
- Splunk
description: An attacker can use a specially crafted web URL in their browser to cause log file injection, in which the attack inserts American National Standards Institute (ANSI) escape codes into specific files using a terminal program that supports those escape codes. The attack requires a terminal program that supports the translation of ANSI escape codes and requires additional user interaction to successfully execute. This following analytic detects potential log injection attempts into the Splunk server.
search: '`splunkd_webx` uri_path IN ("*\x1B*", "*\u001b*", "*\033*", "*\0x9*", "*\0x8*") | stats count by uri_path method host status clientip | `splunk_unauthenticated_log_injection_web_service_log_filter`'
how_to_implement: This only affects web enabled Splunk instances. The detection does require the ability to search the _internal index.
known_false_positives: This hunting search will produce false positives if ANSI escape characters are included in URLs either voluntarily or by accident. This search will not detect obfuscated ANSI characters.
references:
- https://advisory.splunk.com/advisories/SVD-2023-0606
tags:
analytic_story:
- Splunk Vulnerabilities
asset_type: Endpoint
confidence: 30
impact: 30
message: Possible Splunk unauthenticated log injection web service log exploitation attempt against $host$ from $clientip$
cve:
- CVE-2023-32712
mitre_attack_id:
- T1190
observable:
- name: host
type: Hostname
role:
- Victim
- name: clientip
type: IP Address
role:
- Attacker
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
risk_score: 9
required_fields:
- method
- uri_path
- host
- status
- clientip
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/splunk/web_access.log
source: /opt/splunk/var/log/splunk/web_access.log
custom_index: _internal
sourcetype: splunk_web_access