Merge pull request #2182 from splunk/TR-1828

TR-1828 et al

detections/application/path_traversal_spl_injection.yml

@@ -0,0 +1,51 @@
+name: Path traversal SPL injection
+id: dfe55688-82ed-4d24-a21b-ed8f0e0fda99
+version: 1
+date: '2022-04-29'
+author: Rod Soto, Splunk
+type: TTP
+datamodel: []
+search: ' `path_traversal_spl_injection` | search "\/..\/..\/..\/..\/..\/..\/..\/..\/..\/"  | stats count by status clientip method uri_path uri_query | `path_traversal_spl_injection_filter`'
+description: On May 3rd, 2022, Splunk published a security advisory for a Path traversal in search parameter that can potentiall allow SPL injection. An attacker can cause the application to load data from incorrect endpoints, urls leading to outcomes such as running arbitrary SPL queries.
+how_to_implement: This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This search will provide search UI requests with path traversal parameter ("../../../../../../../../../") which shows exploitation attempts.
+known_false_positives: This search may find additional path traversal exploitation attempts.
+references:
+- https://www.splunk.com/en_us/product-security/announcements/svd-2022-0506.html
+tags:
+  analytic_story:
+  - Splunk Vulnerabilities
+  asset_type: Endpoint
+  cve:
+  - CVE-2022-26889
+  cis20:
+  - CIS 3
+  - CIS 5
+  - CIS 16
+  confidence: 80
+  context:
+  - Source:Endpoint
+  dataset:
+  - https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1083/splunk/path_traversal_spl_injection.txt
+  impact: 50
+  kill_chain_phases:
+  - Exploitation
+  message: Path traversal exploitation attempt from $clientip$
+  mitre_attack_id:
+  - T1083
+  observable:
+  - name: clientip
+    type: IP Address
+    role:
+    - Attacker
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - status
+  - clientip
+  - method
+  - uri_path
+  - uri_query
+  risk_score: 40
+  security_domain: threat

detections/application/splunk_user_enumeration_attempt.yml

@@ -0,0 +1,52 @@
+name: Splunk User Enumeration Attempt
+id: 25625cb4-1c4d-4463-b0f9-7cb462699cde
+version: 1
+date: '2022-04-29'
+author: Lou Stella, Splunk
+type: TTP
+datamodel: []
+description: On May 3rd, 2022, Splunk published a security advisory for  username enumeration stemming from verbose login failure messages present on some REST endpoints. This detection will alert on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched version of Splunk.
+search: ' `splunkd_failed_auths` | stats count(user) as auths by user, src | where auths>5 | stats values(user) as "Users", sum(auths) as TotalFailedAuths by src | `splunk_user_enumeration_attempt_filter`'
+how_to_implement: This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to find password spraying or brute force authorization attempts in addition to someone enumerating usernames. 
+known_false_positives: Automation executing authentication attempts against your Splunk infrastructure with outdated credentials may cause false positives.
+references:
+- https://www.splunk.com/en_us/product-security/announcements/svd-2022-0502.html
+tags:
+  analytic_story:
+  - Splunk Vulnerabilities
+  asset_type: endpoint
+  cis20:
+  - CIS 3
+  - CIS 5
+  - CIS 16
+  confidence: 80
+  context:
+  - Source:Endpoint
+  cve: 
+  - CVE-2021-33845
+  dataset:
+  - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/splunkd_auth/audittrail.log
+  impact: 50
+  kill_chain_phases:
+  - Reconnaissance
+  message: $TotalFailedAuths$ failed authentication events to Splunk from $src$ detected. 
+  mitre_attack_id:
+  - T1078
+  nist:
+  - DE.CM
+  observable:
+  - name: src
+    type: IP Address
+    role:
+    - Attacker
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - user
+  - src 
+  - info
+  - action
+  risk_score: 40
+  security_domain: access

detections/application/splunk_xss_in_monitoring_console.yml

@@ -0,0 +1,54 @@
+name: Splunk XSS in Monitoring Console
+id: b11accac-6fa3-4103-8a1a-7210f1a67087
+version: 1
+date: '2022-04-27'
+author: Lou Stella, Splunk
+type: TTP
+datamodel: []
+description: On May 3rd, 2022, Splunk published a security advisory for a reflective Cross-Site Scripting (XSS) vulnerability stemming from the lack of input validation in the Distributed Monitoring Console app. This detection will alert on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched version of Splunk.
+search: ' `splunkd_web` method="GET" uri_query="description=%3C*" | table _time host status clientip user uri | `splunk_xss_in_monitoring_console_filter`'
+how_to_implement: This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection will find attempted exploitation of CVE-2022-27183.
+known_false_positives: Use of the monitoring console where the less-than sign (<) is the first character in the description field.
+references:
+- https://www.splunk.com/en_us/product-security/announcements/svd-2022-0505.html
+tags:
+  analytic_story:
+  - Splunk Vulnerabilities
+  asset_type: Endpoint
+  cve:
+  - CVE-2022-27183
+  cis20:
+  - CIS 3
+  - CIS 5
+  - CIS 16
+  confidence: 80
+  context:
+  - Source:Endpoint
+  dataset:
+  - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/xss/splunk_web_access.log
+  impact: 50
+  kill_chain_phases:
+  - Exploitation
+  message: A potential XSS attempt has been detected from $user$
+  mitre_attack_id:
+  - T1189
+  nist:
+  - DE.CM
+  observable:
+  - name: host
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - method
+  - uri_query
+  - status
+  - clientip
+  - user
+  - uri
+  risk_score: 40
+  security_domain: threat

lookups/prohibited_apps_launching_cmd.csv

@@ -15,3 +15,4 @@ java.exe,prohibited
 powershell.exe,prohibited
 mshta.exe, prohibited
 zoom.exe,prohibitied
+node.exe,prohibited

macros/path_traversal_spl_injection.yml

@@ -0,0 +1,4 @@
+definition: index=_internal sourcetype=splunkd_ui_access 
+description: customer specific splunk configurations(eg- index, source, sourcetype).
+  Replace the macro definition with configurations for your Splunk Environmnent.
+name: path_traversal_spl_injection

macros/splunkd_failed_auths.yml

@@ -0,0 +1,4 @@
+definition: index=_audit action="login attempt" info="failed"
+description: customer specific splunk configurations(eg- index, source, sourcetype).
+  Replace the macro definition with configurations for your Splunk Environmnent.
+name: splunkd_failed_auths

macros/splunkd_web.yml

@@ -0,0 +1,4 @@
+definition: index=_internal sourcetype=splunk_web_access
+description: customer specific splunk configurations(eg- index, source, sourcetype).
+  Replace the macro definition with configurations for your Splunk Environmnent.
+name: splunkd_web

stories/splunk_vulnerabilities.yml

@@ -6,8 +6,7 @@ author: Lou Stella, Splunk
 description: Keeping your Splunk Enterprise deployment up to date is critical and will help you reduce the risk associated with vulnerabilities in the product. 
 narrative:  This analytic story includes detections that focus on attacker behavior targeted at your Splunk environment directly. 
 references: 
-- https://www.splunk.com/en_us/product-security/announcements/svd-2022-0301.html
-- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3422
+- https://www.splunk.com/en_us/product-security/announcements.html
 tags:
   analytic_story: Splunk Vulnerabilities
   category:

tests/application/path_traversal_spl_injection.test.yml

@@ -0,0 +1,12 @@
+name: Path traversal SPL injection Unit Test
+tests:
+- name: Path traversal SPL injection
+  file: application/path_traversal_spl_injection.yml
+  pass_condition: '| stats count | where count > 0'
+  earliest_time: -24h
+  latest_time: now
+  attack_data:
+  - file_name: path_traversal_spl_injection.txt
+    data: https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1083/splunk/path_traversal_spl_injection.txt
+    source: c:\opt\splunk\var\log\splunk\splunkd_ui_access.log
+    sourcetype: splunkd_ui_access

tests/application/splunk_user_enumeration_attempt.test.yml

@@ -0,0 +1,12 @@
+name: Splunk User Enumeration Attempt Unit Test
+tests:
+- name: Splunk User Enumeration Attempt
+  file: application/splunk_user_enumeration_attempt.yml
+  pass_condition: '| stats count | where count > 0'
+  earliest_time: -24h
+  latest_time: now
+  attack_data:
+  - file_name: audittail.log
+    data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/splunkd_auth/audittrail.log
+    source: audittrail
+    sourcetype: audittrail

tests/application/splunk_xss_in_monitoring_console.test.yml

@@ -0,0 +1,12 @@
+name: Splunk XSS in Monitoring Console Unit Test
+tests:
+- name: Splunk XSS in Monitoring Console
+  file: application/splunk_xss_in_monitoring_console.yml
+  pass_condition: '| stats count | where count > 0'
+  earliest_time: -24h
+  latest_time: now
+  attack_data:
+  - file_name: splunk_web_access.log
+    data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/xss/splunk_web_access.log
+    source: /opt/splunk/var/log/splunk/web_access.log
+    sourcetype: splunk_web_access