Kubernetes Nginx Ingress LFI

Try in Splunk Security Cloud

Description

This search uses the Kubernetes logs from a nginx ingress controller to detect local file inclusion attacks.

• Type: TTP

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

• Last Updated: 2021-08-20
• Author: Patrick Bareiss, Splunk
• ID: 0f83244b-425b-4528-83db-7a88c5f66e48

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1212	Exploitation for Credential Access	Credential Access

Kill Chain Phase

• Exploitation

NIST

• DE.CM

CIS20

• CIS 13

CVE

Search

`kubernetes_container_controller` 
| rex field=_raw "^(?<remote_addr>\S+)\s+-\s+-\s+\[(?<time_local>[^\]]*)\]\s\"(?<request>[^\"]*)\"\s(?<status>\S*)\s(?<body_bytes_sent>\S*)\s\"(?<http_referer>[^\"]*)\"\s\"(?<http_user_agent>[^\"]*)\"\s(?<request_length>\S*)\s(?<request_time>\S*)\s\[(?<proxy_upstream_name>[^\]]*)\]\s\[(?<proxy_alternative_upstream_name>[^\]]*)\]\s(?<upstream_addr>\S*)\s(?<upstream_response_length>\S*)\s(?<upstream_response_time>\S*)\s(?<upstream_status>\S*)\s(?<req_id>\S*)" 
| lookup local_file_inclusion_paths local_file_inclusion_paths AS request OUTPUT lfi_path 
| search lfi_path=yes 
| rename remote_addr AS src_ip, upstream_status as status, proxy_upstream_name as proxy 
| rex field=request "^(?<http_method>\S+)\s(?<url>\S+)\s" 
| eval phase="operate" 
| eval severity="high" 
| stats count min(_time) as firstTime max(_time) as lastTime by src_ip, status, url, http_method, host, http_user_agent, proxy, phase, severity 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `kubernetes_nginx_ingress_lfi_filter`

Macros

The SPL above uses the following Macros:

• kubernetes_container_controller
• security_content_ctime

kubernetes_nginx_ingress_lfi_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Lookups

The SPL above uses the following Lookups:

• local_file_inclusion_paths with data

Required fields

List of fields required to use this analytic.

• raw

How To Implement

You must ingest Kubernetes logs through Splunk Connect for Kubernetes.

Known False Positives

unknown

Associated Analytic Story

• Dev Sec Ops

RBA

Risk Score	Impact	Confidence	Message
49.0	70	70	Local File Inclusion Attack detected on $host$

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://github.com/splunk/splunk-connect-for-kubernetes
• https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1