Analytics Story: Splunk Vulnerabilities

Description

Keeping your Splunk Enterprise deployment up to date is critical and will help you reduce the risk associated with vulnerabilities in the product.

Why it matters

This analytic story includes detections that focus on attacker behavior targeted at your Splunk environment directly.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Detect Risky SPL using Pretrained ML Model Command and Scripting Interpreter Anomaly
Path traversal SPL injection File and Directory Discovery TTP
Persistent XSS in RapidDiag through User Interface Views Drive-by Compromise TTP
Splunk Absolute Path Traversal Using runshellscript File and Directory Discovery Hunting
Splunk Account Discovery Drilldown Dashboard Disclosure Account Discovery TTP
Splunk App for Lookup File Editing RCE via User XSLT Exploitation of Remote Services Hunting
Splunk Authentication Token Exposure in Debug Log Log Enumeration TTP
Splunk Code Injection via custom dashboard leading to RCE Exploitation of Remote Services Hunting
Splunk Command and Scripting Interpreter Delete Usage Command and Scripting Interpreter Anomaly
Splunk Command and Scripting Interpreter Risky Commands Command and Scripting Interpreter Hunting
Splunk Command and Scripting Interpreter Risky SPL MLTK Command and Scripting Interpreter Anomaly
Splunk CSRF in the SSG kvstore Client Endpoint Drive-by Compromise TTP
Splunk Data exfiltration from Analytics Workspace using sid query Exfiltration Over Web Service Hunting
Splunk Digital Certificates Infrastructure Version Digital Certificates Hunting
Splunk Digital Certificates Lack of Encryption Digital Certificates Anomaly
Splunk DoS Using Malformed SAML Request Network Denial of Service Hunting
Splunk DOS Via Dump SPL Command Application or System Exploitation Hunting
Splunk DoS via Malformed S2S Request Network Denial of Service TTP
Splunk DoS via POST Request Datamodel Endpoint Endpoint Denial of Service Hunting
Splunk DOS via printf search function Application or System Exploitation Hunting
Splunk Edit User Privilege Escalation Abuse Elevation Control Mechanism Hunting
Splunk Endpoint Denial of Service DoS Zip Bomb Endpoint Denial of Service TTP
Splunk Enterprise KV Store Incorrect Authorization Abuse Elevation Control Mechanism Hunting
Splunk Enterprise Windows Deserialization File Partition Exploit Public-Facing Application TTP
Splunk ES DoS Investigations Manager via Investigation Creation Endpoint Denial of Service TTP
Splunk ES DoS Through Investigation Attachments Endpoint Denial of Service TTP
Splunk HTTP Response Splitting Via Rest SPL Command HTML Smuggling Hunting
Splunk Improperly Formatted Parameter Crashes splunkd Endpoint Denial of Service TTP
Splunk Information Disclosure in Splunk Add-on Builder System Information Discovery Hunting
Splunk Information Disclosure on Account Login Account Discovery Hunting
Splunk list all nonstandard admin accounts Drive-by Compromise Hunting
Splunk Low Privilege User Can View Hashed Splunk Password Exploitation for Credential Access Hunting
Splunk Path Traversal In Splunk App For Lookup File Edit File and Directory Discovery Hunting
Splunk Persistent XSS Via URL Validation Bypass W Dashboard Drive-by Compromise Hunting
Splunk Process Injection Forwarder Bundle Downloads Process Injection Hunting
Splunk Protocol Impersonation Weak Encryption Configuration Protocol Impersonation Hunting
Splunk protocol impersonation weak encryption selfsigned Digital Certificates Hunting
Splunk protocol impersonation weak encryption simplerequest Digital Certificates Hunting
Splunk RBAC Bypass On Indexing Preview REST Endpoint Access Token Manipulation Hunting
Splunk RCE PDFgen Render Exploitation of Remote Services TTP
Splunk RCE via External Lookup Copybuckets Exploitation of Remote Services Hunting
Splunk RCE via Serialized Session Payload Exploit Public-Facing Application Hunting
Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature Exploitation of Remote Services Hunting
Splunk RCE via User XSLT Exploitation of Remote Services Hunting
Splunk Reflected XSS in the templates lists radio Drive-by Compromise Hunting
Splunk Reflected XSS on App Search Table Endpoint Drive-by Compromise Hunting
Splunk risky Command Abuse disclosed february 2023 Abuse Elevation Control Mechanism, Indirect Command Execution Hunting
Splunk Stored XSS conf-web Settings on Premises Drive-by Compromise Hunting
Splunk Stored XSS via Data Model objectName Field Drive-by Compromise Hunting
Splunk Stored XSS via Specially Crafted Bulletin Message Drive-by Compromise Hunting
Splunk Unauthenticated DoS via Null Pointer References Endpoint Denial of Service Hunting
Splunk Unauthenticated Log Injection Web Service Log Exploit Public-Facing Application Hunting
Splunk Unauthenticated Path Traversal Modules Messaging File and Directory Discovery Hunting
Splunk Unauthorized Experimental Items Creation Drive-by Compromise Hunting
Splunk Unauthorized Notification Input by User Abuse Elevation Control Mechanism Hunting
Splunk unnecessary file extensions allowed by lookup table uploads Drive-by Compromise TTP
Splunk User Enumeration Attempt Valid Accounts TTP
Splunk XSS in Highlighted JSON Events Drive-by Compromise Hunting
Splunk XSS in Monitoring Console Drive-by Compromise TTP
Splunk XSS in Save table dialog header in search page Drive-by Compromise Hunting
Splunk XSS Privilege Escalation via Custom Urls in Dashboard Drive-by Compromise Hunting
Splunk XSS Via External Urls in Dashboards SSRF Drive-by Compromise Hunting
Splunk XSS via View Drive-by Compromise Hunting
Open Redirect in Splunk Web None TTP
Splunk Enterprise Information Disclosure None TTP
Splunk Identified SSL TLS Certificates Network Sniffing Hunting

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
Splunk Splunk icon Splunk splunkd_ui_access splunkd_ui_access.log
Splunk Stream TCP Splunk icon Splunk stream:tcp stream:tcp

References


Source: GitHub | Version: 1