ID | Technique | Tactic |
---|---|---|
T1190 | Exploit Public-Facing Application | Initial Access |
Detection: Splunk Enterprise Windows Deserialization File Partition
Description
The following analytic identifies attempts to exploit a deserialization vulnerability in Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3. It detects irregular path file executions by analyzing splunk_python
logs and extracting file paths and names. This activity is significant because it indicates potential exploitation of a known vulnerability, which could lead to arbitrary code execution. If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary code, and potentially compromise the entire Splunk environment, leading to data breaches and further system exploitation.
Search
1`splunk_python` request_path="/*/app/search/C:\\Program" *strings*
2| rex "request_path=(?<file_path>[^\"]+)"
3| rex field=file_path "[^\"]+/(?<file_name>[^\"\'\s/\\\\]+)"
4| stats min(_time) as firstTime max(_time) as lastTime values(file_path) as file_path values(file_name) as file_name by index, sourcetype, host
5| `security_content_ctime(firstTime)`
6| `security_content_ctime(lastTime)`
7| `splunk_enterprise_windows_deserialization_file_partition_filter`
Data Source
Name | Platform | Sourcetype | Source |
---|---|---|---|
Splunk | Splunk | 'splunkd_ui_access' |
'splunkd_ui_access.log' |
Macros Used
Name | Value |
---|---|
security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
splunk_enterprise_windows_deserialization_file_partition_filter | search * |
splunk_enterprise_windows_deserialization_file_partition_filter
is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Disabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Creates Notable | Yes |
Rule Title | %name% |
Rule Description | %description% |
Notable Event Fields | user, dest |
Creates Risk Event | True |
Implementation
Requires access to internal indexes. This detection search will display irregular path file execution, which will display exploit attempts. Only applies to Microsoft Windows Splunk versions.
Known False Positives
Irregular path with files that may be purposely called for benign reasons may produce false positives.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message | Risk Score | Impact | Confidence |
---|---|---|---|
Possible Windows Deserialization exploitation via irregular path file against $host$ | 90 | 100 | 90 |
References
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | ✅ Passing | N/A | N/A | N/A |
Unit | ✅ Passing | Dataset | C:\Program File\Splunk\var\log\splunk\python.log |
splunk_python |
Integration | ✅ Passing | Dataset | C:\Program File\Splunk\var\log\splunk\python.log |
splunk_python |
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 4