Merge pull request #2439 from splunk/security_updates

Security updates

detections/application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.yml

@@ -0,0 +1,62 @@
+name: Splunk Data exfiltration from Analytics Workspace using sid query
+id: b6d77c6c-f011-4b03-8650-8f10edb7c4a8
+version: 1
+date: '2022-11-1'
+author: Rod Soto, Eric McGinnis
+type: Hunting
+datamodel: []
+description: This hunting search allows operator to discover attempts to exfiltrate data by
+  executing a prepositioned malicious search ID in Analytic Workspace in Splunk Enterprise
+  versions 8.2.9,8.1.12,9.0.2. The attack is browser-based. It requires the attacker to
+  compel a victim to initiate a request within their browser (phishing).
+  The attacker cannot exploit the vulnerability at will.
+search: '`audit_searches` info=granted search NOT ("audit_searches") 
+  search NOT ("security_content_summariesonly") AND ((search="*mstats*[*]*"
+  AND provenance="N/A") OR (search="*mstats*\\\"*[*]*\\\"*"))| eval warning=if(match(search,"\\\\\""),
+  "POTENTIAL INJECTION STAGING", "POTENTIAL INJECTION EXECUTION") | table search, user, warning, timestamp | `splunk_data_exfiltration_from_analytics_workspace_using_sid_query_filter`'
+how_to_implement: The vulnerability affects only instances with Splunk Web Enabled.  After running this search, please run "Splunk Command and Scripting Interpreter Risky SPL MLTK" to gain more insight into potentially risky commands which could lead to data exfiltration.
+known_false_positives: This search may produce false positives.  This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. Special attention must be paid to "/en-US/app/search/analytics_workspace?sid=[sid]" which is where the malicious code will be inserted to trigger attack at victim.
+references:
+- https://www.splunk.com/en_us/product-security.html
+tags:
+  analytic_story:
+  - Splunk Vulnerabilities
+  asset_type: Endpoint
+  cve:
+  - CVE-2022-43566
+  cis20:
+  - CIS 3
+  - CIS 5
+  - CIS 16
+  confidence: 50
+  context:
+  - Source:Endpoint
+  dataset:
+  - https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1567/splunk/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.txt
+  impact: 50
+  kill_chain_phases:
+  - Actions on Objectives
+  message: Potential data exfiltration attack using SID query by $user$
+  mitre_attack_id:
+  - T1567
+  nist:
+  - DE.CM
+  observable:
+  - name: user
+    type: User
+    role:
+    - Attacker
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - action
+  - info
+  - user
+  - search_id
+  - metadata
+  - user
+  - _time
+  risk_score: 25
+  security_domain: endpoint

detections/application/splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature.yml

@@ -0,0 +1,54 @@
+name: Splunk RCE via Splunk Secure Gateway  Splunk Mobile alerts feature
+id: baa41f09-df48-4375-8991-520beea161be
+version: 1
+date: '2022-10-11'
+author: Rod Soto
+type: Hunting
+datamodel: []
+description: This hunting search provides information on possible exploitation attempts against Splunk Secure Gateway App Mobile Alerts feature in Splunk versions 9.0, 8.2.x, 8.1.x. An authenticated user can run arbitrary operating system commands remotely through the use of specially crafted requests to the mobile alerts feature in the Splunk Secure Gateway app. 
+search: '`splunkd_webx` uri_path="/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*" sort="notification.created_at:-1" | table  clientip file host method uri_query sort | `splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature_filter`'
+how_to_implement: This search only applies if Splunk Mobile Gateway is deployed in the vulnerable Splunk versions. 
+known_false_positives:  This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. Focus of this search is "uri_path=/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*" which is the injection point.
+references:
+- https://www.splunk.com/en_us/product-security.html
+tags:
+  analytic_story:
+  - Splunk Vulnerabilities 
+  asset_type: Endpoint 
+  cve:
+  - CVE-2022-43567
+  cis20:
+  - CIS 3
+  - CIS 5
+  - CIS 16
+  confidence: 90
+  context:
+  - Source:Endpoint 
+  dataset:
+  - https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1210/splunk/splunk_rce_via_secure_gateway_splunk_mobile_alerts_feature.txt
+  impact: 90
+  kill_chain_phases:
+  - Exploitation
+  message: Possible exploitation attempt from $clientip$
+  mitre_attack_id:
+  - T1210
+  nist:
+  - DE.CM
+  observable:
+  - name: clientip
+    type: IP Address
+    role:
+    - Attacker 
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - uri_path
+  - clientip 
+  - file 
+  - host 
+  - method 
+  - sort 
+  risk_score: 81
+  security_domain: endpoint

detections/application/splunk_reflected_xss_in_the_templates_lists_radio.yml

@@ -0,0 +1,55 @@
+name: Splunk Reflected XSS in the templates lists radio
+id: d532d105-c63f-4049-a8c4-e249127ca425
+version: 1
+date: '2022-10-11'
+author: Rod Soto, Chase Franklin
+type: Hunting
+datamodel: []
+description: Splunk versions below 8.1.12,8.2.9 and 9.0.2 are vulnerable to reflected cross site scripting (XSS). A View allows for a Reflected Cross Site scripting via JavaScript Object Notation (JSON) in a query parameter when ouput_mode=radio. 
+search: '`splunkd_webx` user=admin status=200 uri=*/lists/entities/x/ui/views* uri_query!=null | stats count earliest(_time) as event_time values(status) as status values(clientip) as clientip by index, sourcetype, _time, host, user, uri | `splunk_reflected_xss_in_the_templates_lists_radio_filter`'
+how_to_implement: This vulnerability only affects instances with Splunk Web enabled. This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.
+known_false_positives: This search may produce false positives as it is difficult to pinpoint all possible XSS injection characters in a single search string. Special attention is required to "en-US/list/entities/x/ui/views" which is the vulnerable injection point. 
+references:
+- https://research.splunk.com/stories/splunk_vulnerabilities/ 
+tags:
+  analytic_story:
+  - Splunk Vulnerabilities 
+  asset_type: Endpoint 
+  cve: 
+  - CVE-2022-43568
+  cis20:
+  - CIS 3
+  - CIS 5
+  - CIS 16
+  confidence: 50
+  context:
+  - Source:Endpoint 
+  dataset:
+  - https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_reflected_xss_in_templates_lists_radio.txt
+  impact: 50
+  kill_chain_phases:
+  - Exploitation
+  message: Potential XSS exploitation against radio template by $user$
+  mitre_attack_id:
+  - T1189
+  nist:
+  - DE.CM
+  observable:
+  - name: user
+    type: User
+    role:
+    - Attacker 
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - host
+  - clientip 
+  - status 
+  - user 
+  - uri 
+  - uri_query 
+  - uri_path 
+  risk_score: 25
+  security_domain: endpoint

detections/application/splunk_stored_xss_via_data_model_objectname_field.yml

@@ -0,0 +1,56 @@
+name: Splunk Stored XSS via Data Model objectName field
+id: 062bff76-5f9c-496e-a386-cb1adcf69871
+version: 1
+date: '2022-10-11'
+author: Rod Soto
+type: Hunting
+datamodel: []
+description: Splunk Enterprise versions 8.1.12, 8.2.9, 9.0.2 are vulnerable to persistent cross site scripting via Data Model object name. An authenticated user can inject and store arbitrary scripts that can lead to persistent cross-site scripting (XSS) in the object name Data Model. 
+search: '`splunkd_webx` uri=/en-US/splunkd/__raw/servicesNS/*/launcher/datamodel/model* uri_query!=null | stats count by _time host status clientip user uri | `splunk_stored_xss_via_data_model_objectname_field_filter`'
+how_to_implement: This vulnerability only affects Splunk Web enabled instances. This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.
+known_false_positives: This search may produce false positives and does not cover exploitation attempts via code obfuscation, focus of search is suspicious requests against "/en-US/splunkd/__raw/servicesNS/*/launcher/datamodel/model" which is the injection point. 
+references:
+- https://www.splunk.com/en_us/product-security.html
+- https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 
+tags:
+  analytic_story:
+  - Splunk Vulnerabilities 
+  asset_type: Endpoint 
+  cve: 
+  - CVE-2022-43569
+  cis20:
+  - CIS 3
+  - CIS 5
+  - CIS 16
+  confidence: 50
+  context:
+  - Source:Endpoint 
+  dataset:
+  - https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_stored_xss_via_data_model_objectname_field.txt
+  impact: 50 
+  kill_chain_phases:
+  - Exploitation
+  message: A potential XSS attempt has been detected from $user$
+  mitre_attack_id:
+  - T1189
+  nist:
+  - DE.CM
+  observable:
+  - name: user
+    type: User
+    role:
+    - Attacker 
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - uri
+  - uri_query 
+  - host 
+  - status 
+  - clientip 
+  - user 
+  - uri_path 
+  risk_score: 25
+  security_domain: endpoint

detections/application/splunk_xss_in_save_table_dialog_header_in_search_page.yml

@@ -0,0 +1,56 @@
+name: Splunk XSS in Save table dialog header in search page
+id: a974d1ee-ddca-4837-b6ad-d55a8a239c20
+version: 1
+date: '2022-10-11'
+author: Rod Soto
+type: Hunting
+datamodel: []
+description: This is a hunting search to find persistent cross-site scripting XSS code that was included while inputing data in 'Save Table' dialog in Splunk Enterprise (8.1.12,8.2.9,9.0.2). A remote user with "power" Splunk role can store this code that can lead to persistent cross site scripting.
+search: '`splunkda` method=POST  uri=/en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model | table _time host status clientip user uri | `splunk_xss_in_save_table_dialog_header_in_search_page_filter`'
+how_to_implement: Watch for POST requests combined with XSS script strings or obfuscation against the injection point /en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model.
+known_false_positives: If host is vulnerable and XSS script strings are inputted they will show up in search. Not all Post requests are malicious as they will show when users create and save dashboards. This search may produce several results with non malicious POST requests. Only affects Splunk Web enabled instances. 
+references:
+- https://www.splunk.com/en_us/product-security.html
+- https://portswigger.net/web-security/cross-site-scripting
+tags:
+  analytic_story:
+  - Splunk Vulnerabilities
+  asset_type: Endpoint 
+  cve: 
+  - CVE-2022-43561
+  cis20:
+  - CIS 3
+  - CIS 5
+  - CIS 16
+  confidence: 50
+  context:
+  - Source:Endpoint 
+  dataset:
+  - https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_xss_in_save_table_dialog_in_search_page.txt
+  impact: 50
+  kill_chain_phases: 
+  - Exploitation 
+  message: Possible XSS exploitation attempt from $clientip$
+  mitre_attack_id:
+  - T1189
+  nist:
+  - DE.CM
+  observable:
+  - name: clientip
+    type: IP Address
+    role:
+    - Attacker 
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - host
+  - _time
+  - status 
+  - clientip 
+  - user 
+  - uri 
+  - method 
+  risk_score: 25
+  security_domain: endpoint

detections/experimental/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml

@@ -0,0 +1,54 @@
+name: Splunk Code Injection via custom dashboard leading to RCE
+id: b06b41d7-9570-4985-8137-0784f582a1b3
+version: 1
+date: '2022-10-11'
+author: Rod Soto
+type: Hunting
+datamodel: []
+description: This hunting search provides information about a vulnerability in Splunk Enterprise versions below 8.2.9, 8.1.12, 9.0.2, where an authenticated user can execute arbitrary code via the dashboard pdf generation component. Please review events with file=export in the _internal index for the potential targets of exploitation.
+search: '`splunkd_ui` uri_path=*/data/ui/views/* OR uri_path=*saved/searches/* | dedup uri_path | eval URL=urldecode("uri_path")| rex field=URL "\/saved\/searches\/(?<NAME>[^\/]*)" | rex field=URL "\/data\/ui\/views\/(?<NAME1>[^\/]*)" | eval NAME=NAME."( Saved Search )",NAME1=NAME1."( Dashboard )" | eval NAME=coalesce(NAME,NAME1) | eval STATUS=case(match(status,"2\d+"),"SUCCESS",match(status,"3\d+"),"REDIRECTION",match(status,"4\d+") OR match(status,"5\d+"),"ERROR") | stats list(NAME) as DASHBOARD_TITLE,list(method) as HTTP_METHOD,list(status) as Status_Code,list(STATUS) as STATUS by user | rename user as User | `splunk_code_injection_via_custom_dashboard_leading_to_rce_filter`'
+how_to_implement:  This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.
+known_false_positives: Not all exports and downloads are malicious, special attention must be put as well on /en-US/splunkd/__raw/services/pdfgen/render in the context of this search. 
+references:
+- https://www.splunk.com/en_us/product-security.html 
+tags:
+  analytic_story:
+  - Splunk Vulnerabilities
+  asset_type: Endpoint 
+  cve: 
+  - CVE-2022-43571
+  cis20:
+  - CIS 3
+  - CIS 5
+  - CIS 16
+  confidence: 50
+  context:
+  - Source:Endpoint 
+  dataset:
+  - https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1210/splunk/splunk_code_injection_via_custom_dashboard_leading_to_rce.txt
+  impact: 50
+  kill_chain_phases:
+  - Exploitation
+  message: Potential exploitation of Code Injection via Dashboard PDF generation. 
+  mitre_attack_id:
+  - T1210
+  nist:
+  - DE.CM
+  observable:
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - user
+  - clientip 
+  - uri 
+  - uri_path 
+  - method 
+  - status 
+  risk_score: 25
+  security_domain: endpoint

macros/audit_searches.yml

@@ -0,0 +1,3 @@
+definition: index=_audit sourcetype=audittrail action=search
+description: Macro to enable easy searching of audittrail logs for searches
+name: audit_searches

macros/splunkd_ui.yml

@@ -0,0 +1,4 @@
+definition: index=_internal sourcetype=splunkd_ui_access
+description: customer specific splunk configurations(eg- index, source, sourcetype).
+  Replace the macro definition with configurations for your Splunk Environmnent.
+name: splunkd_ui

macros/splunkd_webx.yml

@@ -0,0 +1,4 @@
+definition: index=_internal sourcetype=access_combined_wcookie 
+description: customer specific splunk configurations(eg- index, source, sourcetype).
+  Replace the macro definition with configurations for your Splunk Environmnent.
+name: splunkd_webx

macros/splunkda.yml

@@ -0,0 +1,4 @@
+definition: index=_internal sourcetype=splunkd_access
+description: customer specific splunk configurations(eg- index, source, sourcetype).
+  Replace the macro definition with configurations for your Splunk Environmnent.
+name: splunkda

tests/application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.test.yml

@@ -0,0 +1,14 @@
+name: Splunk Data exfiltration from Analytics Workspace using sid query Unit Test
+tests:
+- name: Splunk Data exfiltration from Analytics Workspace using sid query
+  file: application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.yml
+  pass_condition: '| stats count | where count > 0'
+  earliest_time: -24h
+  latest_time: now
+  attack_data:
+  - file_name: splunk_data_exfiltration_from_analytics_workspace_using_sid_query.txt
+    data: https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1567/splunk/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.txt
+    source: audittrail 
+    sourcetype: audittrail 
+    custom_index: _audit
+    update_timestamp: true

tests/application/splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature.test.yml

@@ -0,0 +1,14 @@
+name: Splunk RCE via Splunk Secure Gateway  Splunk Mobile alerts feature Unit Test
+tests:
+- name: Splunk RCE via Splunk Secure Gateway  Splunk Mobile alerts feature
+  file: application/splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature.yml
+  pass_condition: '| stats count | where count > 0'
+  earliest_time: -24h
+  latest_time: now
+  attack_data:
+  - file_name: splunk_rce_via_secure_gateway_splunk_mobile_alerts_feature.txt
+    data: https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1210/splunk/splunk_rce_via_secure_gateway_splunk_mobile_alerts_feature.txt
+    source: /opt/splunk/var/log/splunk/web_access.log
+    sourcetype: access_combined_wcookie
+    custom_index: _internal 
+    update_timestamp: true