/
splunk_xss_in_monitoring_console.yml
57 lines (57 loc) · 1.88 KB
/
splunk_xss_in_monitoring_console.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
name: Splunk XSS in Monitoring Console
id: b11accac-6fa3-4103-8a1a-7210f1a67087
version: 1
date: '2022-04-27'
author: Lou Stella, Splunk
status: experimental
type: TTP
description: On May 3rd, 2022, Splunk published a security advisory for a reflective
Cross-Site Scripting (XSS) vulnerability stemming from the lack of input validation
in the Distributed Monitoring Console app. This detection will alert on attempted
exploitation in patched versions of Splunk as well as actual exploitation in unpatched
version of Splunk.
data_source: []
search: ' `splunkd_web` method="GET" uri_query="description=%3C*" | table _time host
status clientip user uri | `splunk_xss_in_monitoring_console_filter`'
how_to_implement: This detection does not require you to ingest any new data. The
detection does require the ability to search the _internal index. This detection
will find attempted exploitation of CVE-2022-27183.
known_false_positives: Use of the monitoring console where the less-than sign (<)
is the first character in the description field.
references:
- https://www.splunk.com/en_us/product-security/announcements/svd-2022-0505.html
tags:
analytic_story:
- Splunk Vulnerabilities
asset_type: Endpoint
confidence: 80
cve:
- CVE-2022-27183
impact: 50
message: A potential XSS attempt has been detected from $user$
mitre_attack_id:
- T1189
observable:
- name: host
type: Hostname
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- method
- uri_query
- status
- clientip
- user
- uri
risk_score: 40
security_domain: threat
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/xss/splunk_web_access.log
source: /opt/splunk/var/log/splunk/web_access.log
sourcetype: splunk_web_access