Splunk Data exfiltration from Analytics Workspace using sid query

Try in Splunk Security Cloud

Description

The following analytic identifies attempts to exfiltrate data by executing a prepositioned malicious search ID in Splunk's Analytic Workspace. It leverages the audit_searches data source to detect suspicious mstats commands indicative of injection attempts. This activity is significant as it may indicate a phishing-based attack where an attacker compels a victim to initiate a malicious request, potentially leading to unauthorized data access. If confirmed malicious, this could result in significant data exfiltration, compromising sensitive information and impacting the organization's security posture.

• Type: Hunting

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

• Last Updated: 2024-05-25
• Author: Rod Soto, Eric McGinnis
• ID: b6d77c6c-f011-4b03-8650-8f10edb7c4a8

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1567	Exfiltration Over Web Service	Exfiltration

Kill Chain Phase

• Actions On Objectives

NIST

• DE.AE

CIS20

• CIS 10

CVE

Search

`audit_searches` info=granted search NOT ("audit_searches") search NOT ("security_content_summariesonly") AND ((search="*mstats*[*]*" AND provenance="N/A") OR (search="*mstats*\\\"*[*]*\\\"*"))
| eval warning=if(match(search,"\\\\\""), "POTENTIAL INJECTION STAGING", "POTENTIAL INJECTION EXECUTION") 
| table search, user, warning, timestamp 
| `splunk_data_exfiltration_from_analytics_workspace_using_sid_query_filter`

Macros

The SPL above uses the following Macros:

• audit_searches

splunk_data_exfiltration_from_analytics_workspace_using_sid_query_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• action
• info
• user
• search_id
• metadata
• user
• _time

How To Implement

The vulnerability affects only instances with Splunk Web Enabled. After running this search, please run "Splunk Command and Scripting Interpreter Risky SPL MLTK" to gain more insight into potentially risky commands which could lead to data exfiltration.

Known False Positives

This search may produce false positives. This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. Special attention must be paid to "/en-US/app/search/analytics_workspace?sid=[sid]" which is where the malicious code will be inserted to trigger attack at victim.

Associated Analytic Story

• Splunk Vulnerabilities

RBA

Risk Score	Impact	Confidence	Message
25.0	50	50	Potential data exfiltration attack using SID query by $user$

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://www.splunk.com/en_us/product-security.html

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 2