Splunk Stored XSS conf-web Settings on Premises

Try in Splunk Security Cloud

Description

This hunting detection provides information on exploitation of stored XSS against /configs/conf-web/settings by an admin level user.

• Type: Hunting

• Product: Splunk Enterprise

• Last Updated: 2024-07-01
• Author: Rod Soto, Chase Franklin
• ID: ed1209ef-228d-4dab-9856-be9369925a5c

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1189	Drive-by Compromise	Initial Access

Kill Chain Phase

• Delivery

NIST

• DE.AE

CIS20

• CIS 10

CVE

ID	Summary	CVSS

Search

`splunk_python` *script* *eval* 
| stats min(_time) as firstTime max(_time) as lastTime by index, sourcetype, host 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `splunk_stored_xss_conf_web_settings_on_premises_filter`

Macros

The SPL above uses the following Macros:

• security_content_ctime
• splunk_python

splunk_stored_xss_conf-web_settings_on_premises_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• UPDATE

How To Implement

Requires access to internal indexes.

Known False Positives

This is a hunting search and will produce false positives, operator must identify XSS elemetns in the splunk_python log related to the vulnerable endpoint.

Associated Analytic Story

• Splunk Vulnerabilities

RBA

Risk Score	Impact	Confidence	Message
20.0	20	100	Possible XSS attack against $host$

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://advisory.splunk.com/advisories/SVD-2024-0717

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1