Kubernetes Nginx Ingress RFI

Try in Splunk Security Cloud

Description

This search uses the Kubernetes logs from a nginx ingress controller to detect remote file inclusion attacks.

• Type: TTP

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

• Last Updated: 2021-08-23
• Author: Patrick Bareiss, Splunk
• ID: fc5531ae-62fd-4de6-9c36-b4afdae8ca95

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1212	Exploitation for Credential Access	Credential Access

Kill Chain Phase

• Exploitation

NIST

• DE.CM

CIS20

• CIS 13

CVE

Search

`kubernetes_container_controller` 
| rex field=_raw "^(?<remote_addr>\S+)\s+-\s+-\s+\[(?<time_local>[^\]]*)\]\s\"(?<request>[^\"]*)\"\s(?<status>\S*)\s(?<body_bytes_sent>\S*)\s\"(?<http_referer>[^\"]*)\"\s\"(?<http_user_agent>[^\"]*)\"\s(?<request_length>\S*)\s(?<request_time>\S*)\s\[(?<proxy_upstream_name>[^\]]*)\]\s\[(?<proxy_alternative_upstream_name>[^\]]*)\]\s(?<upstream_addr>\S*)\s(?<upstream_response_length>\S*)\s(?<upstream_response_time>\S*)\s(?<upstream_status>\S*)\s(?<req_id>\S*)" 
| rex field=request "^(?<http_method>\S+)?\s(?<url>\S+)\s" 
| rex field=url "(?<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" 
| search dest_ip=* 
| rename remote_addr AS src_ip, upstream_status as status, proxy_upstream_name as proxy 
| eval phase="operate" 
| eval severity="medium" 
| stats count min(_time) as firstTime max(_time) as lastTime by src_ip, dest_ip status, url, http_method, host, http_user_agent, proxy, phase, severity 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `kubernetes_nginx_ingress_rfi_filter`

Macros

The SPL above uses the following Macros:

• kubernetes_container_controller
• security_content_ctime

kubernetes_nginx_ingress_rfi_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• raw

How To Implement

You must ingest Kubernetes logs through Splunk Connect for Kubernetes.

Known False Positives

unknown

Associated Analytic Story

• Dev Sec Ops

RBA

Risk Score	Impact	Confidence	Message
49.0	70	70	Remote File Inclusion Attack detected on $host$

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://github.com/splunk/splunk-connect-for-kubernetes
• https://www.invicti.com/blog/web-security/remote-file-inclusion-vulnerability/

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1