splunk_xss_in_monitoring_console.yml

name: Splunk XSS in Monitoring Console
id: b11accac-6fa3-4103-8a1a-7210f1a67087
version: 1
date: '2022-04-27'
author: Lou Stella, Splunk
status: experimental
type: TTP
description: On May 3rd, 2022, Splunk published a security advisory for a reflective
  Cross-Site Scripting (XSS) vulnerability stemming from the lack of input validation
  in the Distributed Monitoring Console app. This detection will alert on attempted
  exploitation in patched versions of Splunk as well as actual exploitation in unpatched
  version of Splunk.
data_source: []
search: ' `splunkd_web` method="GET" uri_query="description=%3C*" | table _time host
  status clientip user uri | `splunk_xss_in_monitoring_console_filter`'
how_to_implement: This detection does not require you to ingest any new data. The
  detection does require the ability to search the _internal index. This detection
  will find attempted exploitation of CVE-2022-27183.
known_false_positives: Use of the monitoring console where the less-than sign (<)
  is the first character in the description field.
references:
- https://www.splunk.com/en_us/product-security/announcements/svd-2022-0505.html
tags:
  analytic_story:
  - Splunk Vulnerabilities
  asset_type: Endpoint
  confidence: 80
  cve:
  - CVE-2022-27183
  impact: 50
  message: A potential XSS attempt has been detected from $user$
  mitre_attack_id:
  - T1189
  observable:
  - name: host
    type: Hostname
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - method
  - uri_query
  - status
  - clientip
  - user
  - uri
  risk_score: 40
  security_domain: threat
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/xss/splunk_web_access.log
    source: /opt/splunk/var/log/splunk/web_access.log
    sourcetype: splunk_web_access