Update dist/escu, dist/ssa, and dist/api folders with the latest cont…
…ent associated with this tag
research bot
committed
Jul 31, 2023
1 parent
2b4e96f
commit 9eca1c2
Showing
14 changed files
with
69 additions
and
20 deletions.
@@ -1,6 +1,6 @@ | ||
############# | ||
# Automatically generated by generator.py in splunk/security_content | ||
# On Date: 2023-07-25T20:31:22 UTC | ||
# On Date: 2023-07-31T16:26:39 UTC | ||
# Author: Splunk Security Research | ||
# Contact: [email protected] | ||
############# | ||
|
@@ -575,6 +575,16 @@ annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_at | |
known_false_positives = This search may produce false positives and does not cover exploitation attempts via code obfuscation, focus of search is suspicious requests against "/en-US/splunkd/__raw/servicesNS/*/launcher/datamodel/model" which is the injection point. | ||
providing_technologies = null | ||
|
||
[savedsearch://ESCU - Splunk Unauthenticated Log Injection Web Service Log - Rule] | ||
type = detection | ||
asset_type = Endpoint | ||
confidence = medium | ||
explanation = An attacker can use a specially crafted web URL in their browser to cause log file injection, in which the attack inserts American National Standards Institute (ANSI) escape codes into specific files using a terminal program that supports those escape codes. The attack requires a terminal program that supports the translation of ANSI escape codes and requires additional user interaction to successfully execute. This following analytic detects potential log injection attempts into the Splunk server. | ||
how_to_implement = This only affects web enabled Splunk instances. The detection does require the ability to search the _internal index. | ||
annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} | ||
known_false_positives = This hunting search will produce false positives if ANSI escape characters are included in URLs either voluntarily or by accident. This search will not detect obfuscated ANSI characters. | ||
providing_technologies = null | ||
|
||
[savedsearch://ESCU - Splunk unnecessary file extensions allowed by lookup table uploads - Rule] | ||
type = detection | ||
asset_type = Endpoint | ||
|
@@ -15547,7 +15557,7 @@ version = 1 | |
references = ["https://www.splunk.com/en_us/product-security/announcements.html"] | ||
maintainers = [{"company": "Splunk", "email": "-", "name": "Lou Stella"}] | ||
spec_version = 3 | ||
searches = ["ESCU - Detect Risky SPL using Pretrained ML Model - Rule", "ESCU - Path traversal SPL injection - Rule", "ESCU - Splunk Account Discovery Drilldown Dashboard Disclosure - Rule", "ESCU - Splunk Code Injection via custom dashboard leading to RCE - Rule", "ESCU - Splunk Command and Scripting Interpreter Delete Usage - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky Commands - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK - Rule", "ESCU - Splunk csrf in the ssg kvstore client endpoint - Rule", "ESCU - Splunk Data exfiltration from Analytics Workspace using sid query - Rule", "ESCU - Splunk Digital Certificates Infrastructure Version - Rule", "ESCU - Splunk Digital Certificates Lack of Encryption - Rule", "ESCU - Splunk DOS Via Dump SPL Command - Rule", "ESCU - Splunk DoS via Malformed S2S Request - Rule", "ESCU - Splunk Edit User Privilege Escalation - Rule", "ESCU - Splunk Endpoint Denial of Service DoS Zip Bomb - Rule", "ESCU - Splunk HTTP Response Splitting Via Rest SPL Command - Rule", "ESCU - Splunk Improperly Formatted Parameter Crashes splunkd - Rule", "ESCU - Splunk list all nonstandard admin accounts - Rule", "ESCU - Splunk Low Privilege User Can View Hashed Splunk Password - Rule", "ESCU - Splunk Path Traversal In Splunk App For Lookup File Edit - Rule", "ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule", "ESCU - Splunk Persistent XSS Via URL Validation Bypass W Dashboard - Rule", "ESCU - Splunk Process Injection Forwarder Bundle Downloads - Rule", "ESCU - Splunk Protocol Impersonation Weak Encryption Configuration - Rule", "ESCU - Splunk protocol impersonation weak encryption selfsigned - Rule", "ESCU - Splunk protocol impersonation weak encryption simplerequest - Rule", "ESCU - Splunk RBAC Bypass On Indexing Preview REST Endpoint - Rule", "ESCU - Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature - Rule", "ESCU - Splunk Reflected XSS in the templates lists radio - 
Rule", "ESCU - Splunk risky Command Abuse disclosed february 2023 - Rule", "ESCU - Splunk Stored XSS via Data Model objectName field - Rule", "ESCU - Splunk unnecessary file extensions allowed by lookup table uploads - Rule", "ESCU - Splunk User Enumeration Attempt - Rule", "ESCU - Splunk XSS in Monitoring Console - Rule", "ESCU - Splunk XSS in Save table dialog header in search page - Rule", "ESCU - Splunk XSS via View - Rule", "ESCU - Open Redirect in Splunk Web - Rule", "ESCU - Splunk Enterprise Information Disclosure - Rule", "ESCU - Splunk Identified SSL TLS Certificates - Rule"] | ||
searches = ["ESCU - Detect Risky SPL using Pretrained ML Model - Rule", "ESCU - Path traversal SPL injection - Rule", "ESCU - Splunk Account Discovery Drilldown Dashboard Disclosure - Rule", "ESCU - Splunk Code Injection via custom dashboard leading to RCE - Rule", "ESCU - Splunk Command and Scripting Interpreter Delete Usage - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky Commands - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK - Rule", "ESCU - Splunk csrf in the ssg kvstore client endpoint - Rule", "ESCU - Splunk Data exfiltration from Analytics Workspace using sid query - Rule", "ESCU - Splunk Digital Certificates Infrastructure Version - Rule", "ESCU - Splunk Digital Certificates Lack of Encryption - Rule", "ESCU - Splunk DOS Via Dump SPL Command - Rule", "ESCU - Splunk DoS via Malformed S2S Request - Rule", "ESCU - Splunk Edit User Privilege Escalation - Rule", "ESCU - Splunk Endpoint Denial of Service DoS Zip Bomb - Rule", "ESCU - Splunk HTTP Response Splitting Via Rest SPL Command - Rule", "ESCU - Splunk Improperly Formatted Parameter Crashes splunkd - Rule", "ESCU - Splunk list all nonstandard admin accounts - Rule", "ESCU - Splunk Low Privilege User Can View Hashed Splunk Password - Rule", "ESCU - Splunk Path Traversal In Splunk App For Lookup File Edit - Rule", "ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule", "ESCU - Splunk Persistent XSS Via URL Validation Bypass W Dashboard - Rule", "ESCU - Splunk Process Injection Forwarder Bundle Downloads - Rule", "ESCU - Splunk Protocol Impersonation Weak Encryption Configuration - Rule", "ESCU - Splunk protocol impersonation weak encryption selfsigned - Rule", "ESCU - Splunk protocol impersonation weak encryption simplerequest - Rule", "ESCU - Splunk RBAC Bypass On Indexing Preview REST Endpoint - Rule", "ESCU - Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature - Rule", "ESCU - Splunk Reflected XSS in the templates lists radio - 
Rule", "ESCU - Splunk risky Command Abuse disclosed february 2023 - Rule", "ESCU - Splunk Stored XSS via Data Model objectName field - Rule", "ESCU - Splunk Unauthenticated Log Injection Web Service Log - Rule", "ESCU - Splunk unnecessary file extensions allowed by lookup table uploads - Rule", "ESCU - Splunk User Enumeration Attempt - Rule", "ESCU - Splunk XSS in Monitoring Console - Rule", "ESCU - Splunk XSS in Save table dialog header in search page - Rule", "ESCU - Splunk XSS via View - Rule", "ESCU - Open Redirect in Splunk Web - Rule", "ESCU - Splunk Enterprise Information Disclosure - Rule", "ESCU - Splunk Identified SSL TLS Certificates - Rule"] | ||
description = Keeping your Splunk Enterprise deployment up to date is critical and will help you reduce the risk associated with vulnerabilities in the product. | ||
narrative = This analytic story includes detections that focus on attacker behavior targeted at your Splunk environment directly. | ||
|
||
|
@@ -1,6 +1,6 @@ | ||
############# | ||
# Automatically generated by generator.py in splunk/security_content | ||
# On Date: 2023-07-25T20:31:22 UTC | ||
# On Date: 2023-07-31T16:26:39 UTC | ||
# Author: Splunk Security Research | ||
# Contact: [email protected] | ||
############# | ||
|
@@ -1,2 +1,2 @@ | ||
[content-version] | ||
version = 4.7.0 | ||
version = 4.8.0 |
@@ -1,6 +1,6 @@ | ||
############# | ||
# Automatically generated by generator.py in splunk/security_content | ||
# On Date: 2023-07-25T20:31:22 UTC | ||
# On Date: 2023-07-31T16:26:39 UTC | ||
# Author: Splunk Security Research | ||
# Contact: [email protected] | ||
############# | ||
|
@@ -1,6 +1,6 @@ | ||
############# | ||
# Automatically generated by generator.py in splunk/security_content | ||
# On Date: 2023-07-25T20:31:22 UTC | ||
# On Date: 2023-07-31T16:26:39 UTC | ||
# Author: Splunk Security Research | ||
# Contact: [email protected] | ||
############# | ||
|
@@ -225,6 +225,10 @@ description = Update this macro to limit the output results to filter out false | |
definition = search * | ||
description = Update this macro to limit the output results to filter out false positives. | ||
|
||
[splunk_unauthenticated_log_injection_web_service_log_filter] | ||
definition = search * | ||
description = Update this macro to limit the output results to filter out false positives. | ||
|
||
[splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads_filter] | ||
definition = search * | ||
description = Update this macro to limit the output results to filter out false positives. | ||
|
@@ -1,6 +1,6 @@ | ||
############# | ||
# Automatically generated by generator.py in splunk/security_content | ||
# On Date: 2023-07-25T20:31:22 UTC | ||
# On Date: 2023-07-31T16:26:39 UTC | ||
# Author: Splunk Security Research | ||
# Contact: [email protected] | ||
############# | ||
|
@@ -2227,6 +2227,41 @@ realtime_schedule = 0 | |
is_visible = false | ||
search = `splunkd_webx` uri=/en-US/splunkd/__raw/servicesNS/*/launcher/datamodel/model* uri_query!=null | stats count by _time host status clientip user uri | `splunk_stored_xss_via_data_model_objectname_field_filter` | ||
|
||
[ESCU - Splunk Unauthenticated Log Injection Web Service Log - Rule] | ||
action.escu = 0 | ||
action.escu.enabled = 1 | ||
description = An attacker can use a specially crafted web URL in their browser to cause log file injection, in which the attack inserts American National Standards Institute (ANSI) escape codes into specific files using a terminal program that supports those escape codes. The attack requires a terminal program that supports the translation of ANSI escape codes and requires additional user interaction to successfully execute. This following analytic detects potential log injection attempts into the Splunk server. | ||
action.escu.mappings = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} | ||
action.escu.data_models = [] | ||
action.escu.eli5 = An attacker can use a specially crafted web URL in their browser to cause log file injection, in which the attack inserts American National Standards Institute (ANSI) escape codes into specific files using a terminal program that supports those escape codes. The attack requires a terminal program that supports the translation of ANSI escape codes and requires additional user interaction to successfully execute. This following analytic detects potential log injection attempts into the Splunk server. | ||
action.escu.how_to_implement = This only affects web enabled Splunk instances. The detection does require the ability to search the _internal index. | ||
action.escu.known_false_positives = This hunting search will produce false positives if ANSI escape characters are included in URLs either voluntarily or by accident. This search will not detect obfuscated ANSI characters. | ||
action.escu.creation_date = 2023-07-13 | ||
action.escu.modification_date = 2023-07-13 | ||
action.escu.confidence = high | ||
action.escu.full_search_name = ESCU - Splunk Unauthenticated Log Injection Web Service Log - Rule | ||
action.escu.search_type = detection | ||
action.escu.product = ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"] | ||
action.escu.providing_technologies = null | ||
action.escu.analytic_story = ["Splunk Vulnerabilities"] | ||
cron_schedule = 0 * * * * | ||
dispatch.earliest_time = -70m@m | ||
dispatch.latest_time = -10m@m | ||
action.correlationsearch.enabled = 1 | ||
action.correlationsearch.label = ESCU - Splunk Unauthenticated Log Injection Web Service Log - Rule | ||
action.correlationsearch.annotations = {"analytic_story": ["Splunk Vulnerabilities"], "cis20": ["CIS 10"], "confidence": 30, "cve": ["CVE-2023-32712"], "impact": 30, "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} | ||
schedule_window = auto | ||
alert.digest_mode = 1 | ||
disabled = true | ||
enableSched = 1 | ||
allow_skew = 100% | ||
counttype = number of events | ||
relation = greater than | ||
quantity = 0 | ||
realtime_schedule = 0 | ||
is_visible = false | ||
search = `splunkd_webx` uri_path IN ("*\x1B*", "*\u001b*", "*\033*", "*\0x9*", "*\0x8*") | stats count by uri_path method host status clientip | `splunk_unauthenticated_log_injection_web_service_log_filter` | ||
|
||
[ESCU - Splunk unnecessary file extensions allowed by lookup table uploads - Rule] | ||
action.escu = 0 | ||
action.escu.enabled = 1 | ||
|
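Review bot: In the `@@ -2227,6 +2227,41 @@` hunk the new stanza sets `action.escu.confidence = high`, which disagrees with `confidence = medium` for the same detection in the analyticstories section earlier in this commit and with `"confidence": 30` in its own `action.correlationsearch.annotations`; as these files are generated by generator.py, the fix belongs in the detection's source YAML rather than in dist/. The `uri_path IN (...)` list also contains `"*\0x9*"` and `"*\0x8*"`, which do not follow the `\x1B` / `\u001b` / `\033` notation of the other entries and look like typos for `"*\x09*"` / `"*\x08*"` — confirm the intended literal against the source detection before it ships. Because the search matches these sequences only as literal text in uri_path, percent-encoded or raw control bytes are not matched, which is consistent with the known_false_positives caveat but worth stating explicitly in how_to_implement, together with the fact that the stanza ships `disabled = true`.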
@@ -1,6 +1,6 @@ | ||
############# | ||
# Automatically generated by generator.py in splunk/security_content | ||
# On Date: 2023-07-25T20:31:22 UTC | ||
# On Date: 2023-07-31T16:26:39 UTC | ||
# Author: Splunk Security Research | ||
# Contact: [email protected] | ||
############# | ||
|
@@ -1,6 +1,6 @@ | ||
############# | ||
# Automatically generated by generator.py in splunk/security_content | ||
# On Date: 2023-07-25T20:31:22 UTC | ||
# On Date: 2023-07-31T16:26:39 UTC | ||
# Author: Splunk Security Research | ||
# Contact: [email protected] | ||
############# | ||
|