Detection: Splunk Command and Scripting Interpreter Risky SPL MLTK

Updated Date: 2024-10-16 ID: 19d0146c-2eae-4e53-8d39-1198a78fa9ca Author: Abhinav Mishra, Kumar Sharad and Xiao Lin, Splunk Type: Anomaly Product: Splunk Enterprise Security

Description

The following analytic identifies the execution of risky SPL commands with abnormally long run times by leveraging a machine learning model named "risky_command_abuse." It uses the Splunk Audit data model to compare current search activities against a baseline of the past seven days. This activity is significant for a SOC as it can indicate potential misuse or abuse of powerful SPL commands, which could lead to unauthorized data access or system manipulation. If confirmed malicious, this activity could allow an attacker to execute arbitrary scripts, delete data, or exfiltrate sensitive information.

Search

 1
 2| tstats sum(Search_Activity.total_run_time) AS run_time, values(Search_Activity.search) as searches, count FROM datamodel=Splunk_Audit.Search_Activity WHERE (Search_Activity.user!="") AND (Search_Activity.total_run_time>1) AND (earliest=-1h@h latest=now) AND (Search_Activity.search IN ("*
 3| runshellscript *", "*
 4| collect *","*
 5| delete *", "*
 6| fit *", "*
 7| outputcsv *", "*
 8| outputlookup *", "*
 9| run *", "*
10| script *", "*
11| sendalert *", "*
12| sendemail *", "*
13| tscolle*")) AND (Search_Activity.search_type=adhoc) AND (Search_Activity.user!=splunk-system-user) BY _time, Search_Activity.user span=1h 
14| apply risky_command_abuse 
15| fields _time, Search_Activity.user, searches, run_time, IsOutlier(run_time) 
16| rename IsOutlier(run_time) as isOutlier, _time as timestamp 
17| where isOutlier>0.5 
18| `splunk_command_and_scripting_interpreter_risky_spl_mltk_filter`

Data Source

Name	Platform	Sourcetype	Source
Splunk	Splunk	`'splunkd_ui_access'`	`'splunkd_ui_access.log'`

Macros Used

Name	Value

| splunk_command_and_scripting_interpreter_risky_spl_mltk_filter | search * |

splunk_command_and_scripting_interpreter_risky_spl_mltk_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1059	Command and Scripting Interpreter	Execution

KillChainPhase.INSTALLATION

NistCategory.DE_AE

Cis18Value.CIS_10

APT19

APT32

APT37

APT39

Dragonfly

FIN5

FIN6

FIN7

Fox Kitten

Ke3chang

OilRig

Saint Bear

Stealth Falcon

Whitefly

Windigo

Winter Vivern

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Risk Event	True

This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

This detection depends on MLTK app which can be found here - https://splunkbase.splunk.com/app/2890/ and the Splunk Audit datamodel which can be found here - https://splunkbase.splunk.com/app/1621/. Baseline model needs to be built using "Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline" before this search can run. Please note that the current search only finds matches exactly one space between separator bar and risky commands.

Known False Positives

If the run time of a search exceeds the boundaries of outlier defined by the fitted density function model, false positives can occur, incorrectly labeling a long running search as potentially risky.

Associated Analytic Story

Splunk Vulnerabilities

Risk Based Analytics (RBA)

Risk Message	Risk Score	Impact	Confidence
Abnormally long run time for risk SPL command seen by user- [$Search_Activity.user$]	20	50	40

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

References

https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`audittrail`	`audittrail`
Integration	✅ Passing	Dataset	`audittrail`	`audittrail`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 3