Detection: Splunk RCE via User XSLT

Updated Date: 2024-10-17 ID: 6cb7e011-55fb-48e3-a98d-164fa854e37e Author: Marissa Bower, Chase Franklin, Rod Soto, Bhavin Patel, Eric McGinnis, Splunk Type: Hunting Product: Splunk Enterprise Security

Description

The following analytic identifies potential remote code execution (RCE) attempts via user-supplied Extensible Stylesheet Language Transformations (XSLT) in Splunk versions 9.1.x. It detects this activity by analyzing splunkd_ui logs for specific URI patterns and status codes indicative of XSLT injection attempts. This activity is significant because successful exploitation could allow an attacker to execute arbitrary code on the Splunk server. If confirmed malicious, this could lead to full system compromise, unauthorized data access, and further lateral movement within the network.

Search

 1`splunkd_ui` ((uri="*NO_BINARY_CHECK=1*" AND "*input.path=*.xsl*") OR uri="*dispatch*.xsl*") AND uri!= "*splunkd_ui*" 
 2| rex field=uri "(?<string>=\s*([\S\s]+))" 
 3| eval decoded_field=urldecode(string) 
 4| eval action=case(match(status,"200"),"Allowed",match(status,"303
 5|500
 6|401
 7|403
 8|404
 9|301
10|406"),"Blocked",1=1,"Unknown") 
11| stats count min(_time) as firstTime max(_time) as lastTime by clientip useragent uri decoded_field action host 
12| rename clientip as src, uri as dest_uri 
13| iplocation src 
14| fillnull value="N/A" 
15| `security_content_ctime(firstTime)` 
16| `security_content_ctime(lastTime)` 
17| table firstTime, lastTime src, useragent, action, count, Country, Region, City, dest_uri, decoded_field 
18| `splunk_rce_via_user_xslt_filter`

Data Source

No data sources specified for this detection.

Macros Used

Name	Value
security_content_ctime	`convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)`
splunk_rce_via_user_xslt_filter	`search *`

splunk_rce_via_user_xslt_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1210	Exploitation of Remote Services	Lateral Movement

KillChainPhase.EXPLOITAITON

NistCategory.DE_AE

Cis18Value.CIS_10

APT28

Dragonfly

Earth Lusca

Ember Bear

FIN7

Fox Kitten

MuddyWater

Threat Group-3390

Tonto Team

Wizard Spider

menuPass

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Risk Event	False

This configuration file applies to all detections of type hunting.

Implementation

This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.

Known False Positives

This search will provide information for investigation and hunting possible abuse of user-supplied XSLT. There may be false positives and results should individually evaluated. Please evaluate the source IP and useragent responsible for creating the requests.

Associated Analytic Story

Splunk Vulnerabilities

Risk Based Analytics (RBA)

Risk Message	Risk Score	Impact	Confidence
Potential Remote Code Execution via XLST from $src$ using useragent - $useragent$	64	80	80

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

References

https://advisory.splunk.com/advisories/SVD-2023-1104

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`/opt/splunk/var/log/splunk/splunkd_ui_access.log`	`splunkd_ui_access`
Integration	✅ Passing	Dataset	`/opt/splunk/var/log/splunk/splunkd_ui_access.log`	`splunkd_ui_access`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 3