Detection: Splunk SG Information Disclosure for Low Privs User

Updated Date: 2024-10-17 ID: 0a3d6035-7bef-4dfa-b01e-84349edac3b4 Author: Rod Soto Type: Hunting Product: Splunk Enterprise Security

Description

In Splunk Enterprise versions below 9.3.0, 9.2.1 and 9.1.6, and Splunk Secure Gateway versions on Splunk Cloud Platform versions below 3.4.259, 3.6.17, and 3.7.0, a low-privileged user that does not hold the “admin” or “power” Splunk roles can see App Key Value Store (KV Store) deployment configuration and public/private keys in the Splunk Secure Gateway App.

Search

1`splunkd_ui` uri_path="*/splunkd/__raw/services/ssg/kvstore/*" user!=admin user!="-"   
2
3| stats count by clientip user method uri_path 
4
5| `splunk_sg_information_disclosure_for_low_privs_user_filter`

Data Source

Name	Platform	Sourcetype	Source
Splunk	Splunk	`'splunkd_ui_access'`	`'splunkd_ui_access.log'`

Macros Used

Name	Value
splunkd_ui	`index=_internal sourcetype=splunkd_ui_access`
splunk_sg_information_disclosure_for_low_privs_user_filter	`search *`

splunk_sg_information_disclosure_for_low_privs_user_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1087	Account Discovery	Discovery

KillChainPhase.EXPLOITAITON

NistCategory.DE_AE

Cis18Value.CIS_10

Aquatic Panda

FIN13

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Risk Event	False

This configuration file applies to all detections of type hunting.

Implementation

Requires access to internal indexes.

Known False Positives

This is a hunting search and will produce false positives, the focus of this search must be on unusual requests towards the Splunk Secure Gateway from a non administrator user.

Associated Analytic Story

Splunk Vulnerabilities

Risk Based Analytics (RBA)

Risk Message	Risk Score	Impact	Confidence
Potential exposure of Splunk Security Gateway sensitive information by $user$	40	80	50

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

References

https://advisory.splunk.com/advisories/SVD-2024-1005

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	N/A	`N/A`	`N/A`
Integration	✅ Passing	N/A	`N/A`	`N/A`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 2