In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can exploit an absolute path traversal to execute arbitrary code that is located on a separate disk.
- Type: Hunting
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2023-09-05
- Author: Rod Soto
- ID: 356bd3fe-f59b-4f64-baa1-51495411b7ad
Kill Chain Phase
- CIS 10
```
`splunk_python` *runshellscript*
| eval log_split=split(_raw, "runshellscript: ")
| eval array_raw = mvindex(log_split,1)
| eval data_cleaned=replace(replace(replace(array_raw,"\[",""),"\]",""),"'","")
| eval array_indices=split(data_cleaned,",")
| eval runshellscript_args_count=mvcount(array_indices)
| where runshellscript_args_count = 10
| eval interpreter=mvindex(array_indices,0)
| eval targetScript=mvindex(array_indices,1)
| search targetScript!="*C:*"
| stats count min(_time) as firstTime max(_time) as lastTime by splunk_server interpreter targetScript
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `splunk_absolute_path_traversal_using_runshellscript_filter`
```

The search pulls each `runshellscript:` line out of the internal Python log, strips the list brackets and quotes, splits the argument list on commas, keeps only invocations with exactly ten arguments, and reports the interpreter and target script whose path does not contain `C:`. The published version of this line reads `| eval targetScript != "*C:*"`, which is not a valid `eval` expression (`eval` requires `field=expression`); it is written here as a `search` clause, which is also the command that honours the `*` wildcards.
The SPL above uses the following macros: `splunk_python`, `security_content_ctime`, and `splunk_absolute_path_traversal_using_runshellscript_filter`.
`splunk_absolute_path_traversal_using_runshellscript_filter` is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Fields required to use this analytic, as referenced by the search: _time, _raw, splunk_server.
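To make the eval chain above inspectable offline, here is an added Python re-implementation of the search run over constructed sample events; it is not code from Splunk or from the detection's author. The event layout (a Python list repr following the literal `runshellscript: `), the placeholder argument values, the script paths and the server names are all assumptions, and the `*C:*` comparison is implemented with the case-insensitive substring semantics of a Splunk `search` clause.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

EXPECTED_ARG_COUNT = 10  # mirrors `where runshellscript_args_count = 10`

# Constructed sample events: (epoch _time, splunk_server, _raw). These are
# not real Splunk log lines; the layout is assumed from how the SPL splits
# _raw on "runshellscript: " and strips [, ] and single quotes.
SAMPLE_EVENTS: List[Tuple[float, str, str]] = [
    # Script under the Splunk install on C: (expected, benign location).
    (1693562400.0, "splunk-win-01",
     r"INFO runshellscript: ['python', 'C:\Program Files\Splunk\bin\scripts\notify.py', "
     r"'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h']"),
    # Script on a separate disk, seen twice: this is what the hunt surfaces.
    (1693562460.0, "splunk-win-01",
     r"INFO runshellscript: ['python', 'D:\share\evil.py', "
     r"'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h']"),
    (1693566000.0, "splunk-win-01",
     r"INFO runshellscript: ['python', 'D:\share\evil.py', "
     r"'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h']"),
    # Off-C: path but only nine arguments: dropped by the argument-count filter.
    (1693566060.0, "splunk-win-02",
     r"INFO runshellscript: ['python', 'E:\other.py', 'a', 'b', 'c', 'd', 'e', 'f', 'g']"),
    # Lower-case drive letter: still excluded, the wildcard test is case-insensitive.
    (1693566120.0, "splunk-win-02",
     r"INFO runshellscript: ['python', 'c:\tools\x.py', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h']"),
    # Unrelated python.log line: mvindex(log_split,1) would be null in SPL.
    (1693566180.0, "splunk-win-02", "INFO sendemail: starting"),
]


def parse_runshellscript(raw: str) -> Optional[List[str]]:
    """Mirror the SPL eval chain: split _raw on 'runshellscript: ', drop
    [, ] and single quotes, then split on commas. Returns None when the
    event is not a runshellscript line (no second split element)."""
    log_split = raw.split("runshellscript: ")
    if len(log_split) < 2:
        return None
    array_raw = log_split[1]
    data_cleaned = array_raw.replace("[", "").replace("]", "").replace("'", "")
    # The SPL keeps the space after each comma; it is stripped here so the
    # values serve as exact-match keys. Paths containing commas would be
    # split apart by both implementations, a limitation of this approach.
    return [part.strip() for part in data_cleaned.split(",")]


def is_off_c_drive(target_script: str) -> bool:
    """Equivalent of targetScript!="*C:*" in a search clause: a
    case-insensitive substring test for 'C:' anywhere in the path."""
    return "c:" not in target_script.lower()


def detect(events) -> Dict[Tuple[str, str, str], Dict[str, object]]:
    """Run the detection over (epoch_time, splunk_server, _raw) tuples and
    return the stats rows the SPL would emit, keyed by
    (splunk_server, interpreter, targetScript)."""
    rows = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for t, server, raw in events:
        args = parse_runshellscript(raw)
        if args is None or len(args) != EXPECTED_ARG_COUNT:
            continue
        interpreter, target_script = args[0], args[1]
        if not is_off_c_drive(target_script):
            continue
        row = rows[(server, interpreter, target_script)]
        row["count"] += 1
        row["firstTime"] = t if row["firstTime"] is None else min(row["firstTime"], t)
        row["lastTime"] = t if row["lastTime"] is None else max(row["lastTime"], t)
    return dict(rows)


if __name__ == "__main__":
    for key, row in detect(SAMPLE_EVENTS).items():
        print(key, row)
```

Only the `D:\share\evil.py` invocation survives all three filters (parseable line, ten arguments, path off the C: drive), and it is rolled up into one row with a count of two and the first and last times seen, which is exactly the shape the `stats` clause produces for an analyst to review.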
How To Implement
Must have access to internal indexes: the `splunk_python` macro reads Splunk's internal Python log, which is where runshellscript invocations are recorded. Only applies to Splunk on Windows versions. The search assumes the Splunk installation lives on the C: drive and surfaces scripts whose path does not contain `C:`; adjust the drive letter if Splunk is installed elsewhere.
Known False Positives
The runshellscript command can be used for benign purposes. Analysts will have to review the results and determine maliciousness, especially by looking at the targeted script and where on disk it resides.
Associated Analytic Story
| Risk Score | Impact | Confidence | Message |
| --- | --- | --- | --- |
| 35.0 | 50 | 70 | Possible attack against splunk_server $splunk_server$ through abuse of the runshellscript command |
The Risk Score is calculated by the following formula: Risk Score = Impact * Confidence / 100, which here gives 50 * 70 / 100 = 35.0. Initial Confidence and Impact are set by the analytic author.
- Version: 1