ID | Technique | Tactic |
---|---|---|
T1499 | Endpoint Denial of Service | Impact |
Detection: Splunk Improperly Formatted Parameter Crashes splunkd
EXPERIMENTAL DETECTION
This detection status is set to experimental. The Splunk Threat Research team has not yet fully tested, simulated, or built comprehensive datasets for this detection. As such, this analytic is not officially supported. If you have any questions or concerns, please reach out to us at research@splunk.com.
Description
The following analytic detects the execution of improperly formatted INGEST_EVAL parameters in Splunk Enterprise, which can crash the splunkd service. It leverages the Splunk_Audit.Search_Activity datamodel to identify ad-hoc searches containing specific keywords. This activity is significant because it can disrupt Splunk operations, leading to potential data loss and service downtime. If confirmed malicious, an attacker could exploit this to cause a denial of service, impacting the availability and reliability of the Splunk environment.
Search
1
2| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where (Search_Activity.search="*makeresults*"AND Search_Activity.search="*ingestpreview*transforms*") Search_Activity.search_type=adhoc Search_Activity.search!="*splunk_improperly_formatted_parameter_crashes_splunkd_filter*" Search_Activity.user!=splunk-system-user by Search_Activity.search, Search_Activity.info, Search_Activity.total_run_time, Search_Activity.user, Search_Activity.search_type
3| `drop_dm_object_name(Search_Activity)`
4| `security_content_ctime(firstTime)`
5| `security_content_ctime(lastTime)`
6| `splunk_improperly_formatted_parameter_crashes_splunkd_filter`
Data Source
Name | Platform | Sourcetype | Source | Supported App |
---|---|---|---|---|
N/A | N/A | N/A | N/A | N/A |
Macros Used
Name | Value |
---|---|
security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
splunk_improperly_formatted_parameter_crashes_splunkd_filter | search * |
splunk_improperly_formatted_parameter_crashes_splunkd_filter
is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Disabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Creates Notable | Yes |
Rule Title | %name% |
Rule Description | %description% |
Notable Event Fields | user, dest |
Creates Risk Event | True |
Implementation
Requires access to audittrail and use of Splunk_Audit.Search_Activity datamodel.
Known False Positives
This is a hunting search it should be focused on affected products, otherwise it is likely to produce false positives.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message | Risk Score | Impact | Confidence |
---|---|---|---|
An attempt to exploit ingest eval parameter was detected from $user$ | 100 | 100 | 100 |
References
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | Not Applicable | N/A | N/A | N/A |
Unit | ❌ Failing | N/A | N/A |
N/A |
Integration | ❌ Failing | N/A | N/A |
N/A |
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 2