Detection: Splunk RCE Through Arbitrary File Write to Windows System Root

Description

In Splunk Enterprise for Windows versions below 9.3.0, 9.2.3, and 9.1.6, a low-privileged user that does not hold the “admin” or “power” Splunk roles could write a file to the Windows system root directory, which has a default location of C:\Windows\System32, when Splunk Enterprise for Windows is installed on a separate drive. Additionally, this user may be able to upload and execute code due to insecure session storage configuration.

```Each exploit attempt abuses the following endpoint. A request to the endpoint MUST occur immediately before the App Creation Message. However, this endpoint does not expose the name of the app that was created```
`splunkda` status=200 uri_path="*/search/apps/local/_new"
| bin _time span=1m
| stats count by _time, user
```A request to this endpoint also results in an ApplicationManager event showing that a new application was created. This exposes the name and is created immediately following the initial request. We will look for these creation messages up to 60 seconds after the request to the vulnerable endpoint.```
| eval earliest_app_creation_time=_time
| eval latest_app_creation_time=_time+60
| eval api_user=user
```Search for the names of apps that were created with the time bounds above```
| map maxsearches=150 search="search index=_internal earliest=$earliest_app_creation_time$ latest=$latest_app_creation_time$
```Admins, or users with app creation privileges may abuse this command```
(sourcetype=splunkd component=ApplicationManager event_message=\"Detected app creation:*\") OR
```But the command may also be abused by users with lower privileges```
(sourcetype=splunk_python user=$api_user$ type=ERROR \"requires capability\" AND (\"edit_local_apps\" OR \"admin_all_objects\"))
```Create meaningful messages in the case that app creation was successful or if it failed```
| strcat event_message \" - This app should be examined to ensure that it is legitimate.\" message_if_app_creation_successful
| strcat event_message \"Detected failed app creation: user does not have admin_all_objects or edit_local_apps capability and the user account MUST be investigated. This may still have resulted in the upload of malicious file(s) or execution of malicious command(s).\" message_if_app_creation_failed
| eval message=if(isnull(event_message), message_if_app_creation_failed, message_if_app_creation_successful)
| eval user=\"$api_user$\""
| stats count min(_time) as firstTime max(_time) as lastTime by user, message, host
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `splunk_rce_through_arbitrary_file_write_to_windows_system_root_filter`
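The correlation the search above performs, reproduced in Python over constructed sample events as an added illustration; this is not part of the Splunk detection, and the log tuples, the `correlate` function and simplifications such as representing `type=ERROR` by an "ERROR" prefix are this example's own assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real Splunk logs); only the fields the SPL uses are kept.
ACCESS_LOG = [  # splunkd_ui_access: (time, user, status, uri_path)
    ("2024-06-01T10:00:05", "alice", 200, "/en-US/manager/search/apps/local/_new"),
    ("2024-06-01T10:03:10", "bob",   200, "/en-US/manager/search/apps/local/_new"),
    ("2024-06-01T10:05:00", "carol", 200, "/en-US/manager/search/apps/local/_new"),
]
INTERNAL_LOG = [  # index=_internal: (time, sourcetype, user, component, message)
    ("2024-06-01T10:00:30", "splunkd", None, "ApplicationManager", "Detected app creation: evil_app"),
    ("2024-06-01T10:03:40", "splunk_python", "bob", None, "ERROR requires capability edit_local_apps"),
    ("2024-06-01T10:09:00", "splunkd", None, "ApplicationManager", "Detected app creation: late_app"),
]

SUCCESS_SUFFIX = " - This app should be examined to ensure that it is legitimate."
FAILED_MESSAGE = ("Detected failed app creation: user does not have admin_all_objects or "
                  "edit_local_apps capability and the user account MUST be investigated.")

def correlate(access, internal, window=60):
    """Mirror the SPL: for each status-200 request to .../apps/local/_new, bucket its time to
    the minute (bin span=1m) and look `window` seconds forward for either an ApplicationManager
    creation message (any user) or a capability error for the same user. Returns one finding
    per (user, message) with count/firstTime/lastTime, like the final stats command."""
    findings = {}
    for ts, user, status, path in access:
        if status != 200 or not path.endswith("/search/apps/local/_new"):
            continue
        earliest = datetime.fromisoformat(ts).replace(second=0, microsecond=0)
        latest = earliest + timedelta(seconds=window)
        for its, stype, iuser, comp, msg in internal:
            t = datetime.fromisoformat(its)
            if not earliest <= t <= latest:
                continue
            if stype == "splunkd" and comp == "ApplicationManager" and msg.startswith("Detected app creation:"):
                message = msg + SUCCESS_SUFFIX          # event_message present -> success branch
            elif (stype == "splunk_python" and iuser == user and msg.startswith("ERROR")
                  and "requires capability" in msg
                  and re.search(r"edit_local_apps|admin_all_objects", msg)):
                message = FAILED_MESSAGE                # no event_message -> failed branch
            else:
                continue
            f = findings.setdefault((user, message), {"user": user, "message": message,
                                                      "count": 0, "firstTime": t, "lastTime": t})
            f["count"] += 1
            f["firstTime"], f["lastTime"] = min(f["firstTime"], t), max(f["lastTime"], t)
    return list(findings.values())
```

With the sample data, alice yields a success finding naming evil_app, bob yields the failed-creation finding, and carol's request produces nothing because no event falls inside her 60-second window.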

Data Source

Name    Platform  Sourcetype           Source                   Supported App
Splunk  Splunk    'splunkd_ui_access'  'splunkd_ui_access.log'  N/A

Macros Used

Name                                                                   Value
security_content_ctime                                                 convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
splunk_rce_through_arbitrary_file_write_to_windows_system_root_filter  search *

splunk_rce_through_arbitrary_file_write_to_windows_system_root_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

MITRE ATT&CK
ID     Technique                        Tactic
T1210  Exploitation of Remote Services  Lateral Movement

Kill Chain Phases
KillChainPhase.EXPLOITAITON

NIST
NistCategory.DE_AE

CIS
Cis18Value.CIS_10

Threat Actors
APT28
Dragonfly
Earth Lusca
FIN7
Fox Kitten
MuddyWater
Threat Group-3390
Tonto Team
Wizard Spider
menuPass

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting             Value
Disabled            true
Cron Schedule       0 * * * *
Earliest Time       -70m@m
Latest Time         -10m@m
Schedule Window     auto
Creates Risk Event  False

This configuration file applies to all detections of type hunting.

Implementation

This search requires access to the _internal index and only applies to Splunk Enterprise installations on Microsoft Windows. Apps, messages, and/or users reported by the search should be analyzed to determine whether they are legitimate.

Known False Positives

This search may produce false positives, as the contents of the created app cannot be analyzed. It only applies to Splunk installations on Microsoft Windows where the installation is placed on a drive other than the system drive, such as D: or E:.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message                           Risk Score  Impact  Confidence
Potential RCE exploit against $host$.  45          90      50

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact are set by the analytic author.

References

Detection Testing

Test Type    Status      Dataset  Source  Sourcetype
Validation   Passing     N/A      N/A     N/A
Unit         Passing     N/A      N/A     N/A
Integration  ✅ Passing  N/A      N/A     N/A

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.


Source: GitHub | Version: 1