Update to new search after dynamic testing and refinement.

splunk · Oct 2, 2023 · a00fce8 · a00fce8
1 parent aa36649
commit a00fce8
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/detections/application/splunk_rce_via_serialized_session_payload.yml b/detections/application/splunk_rce_via_serialized_session_payload.yml
@@ -11,8 +11,12 @@ description: In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1,
   submit a serialized payload that can result in execution of code within the payload. Please refer to the
   following URL for additional information on these disclosures - https://advisory.splunk.com
 data_source: []
-search: '`audit_searches` | `splunk_rce_via_serialized_session_payload_filter`'
-how_to_implement: Requires implementation of Splunk_Audit.Search_Activity datamodel.
+search: '`audit_searches` source=audittrail file=* (search="*makeresults*" AND search="*collect*")
+  | stats count min(_time) as firstTime max(_time) as lastTime by action file user splunk_server search
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `splunk_rce_via_serialized_session_payload_filter`'
+how_to_implement: Requires access to the _audit index.
 known_false_positives: There are numerous many uses of the 'makeresults' and 'collect' SPL commands. 
   Please evaluate the results of this search for potential abuse.
 references: