splunk · patel-bhavin · Jul 1, 2024 · Jun 26, 2024 · Jul 1, 2024 · Jul 1, 2024
@@ -22,7 +22,13 @@
   <row>
     <panel>
       <html>
-        <h2 style="color:red">Explore the Analytic Stories included with Splunk Security via <a href="https://www.splunk.com/en_us/resources/videos/splunk-enterprise-security-use-case-library.html">ES Use Case Library</a> or <a href="https://splunkbase.splunk.com/app/3435/">Splunk Security Essentials</a>.</h2>
+        <div style="background-color: #f8d7da; border: 1px solid #f5c6cb; border-radius: 5px; padding: 15px; margin-bottom: 20px;">
+          <h2 style="color: #721c24; margin: 0;">
+            <i class="icon-info-circle" style="margin-right: 10px;"></i>
+            Explore Splunk Security Content using 
+            <a href="/app/SplunkEnterpriseSecuritySuite/ess_use_case_library" style="color: #721c24; text-decoration: underline;">Splunk Enterprise Security</a>
+          </h2>
+        </div>
       </html>
     </panel>
   </row>

@@ -3,7 +3,7 @@ app:
   uid: 3449
   title: ES Content Updates
   appid: DA-ESS-ContentUpdate
-  version: 4.34.0
+  version: 4.35.0
   description: Explore the Analytic Stories included with ES Content Updates.
   prefix: ESCU
   label: ESCU

@@ -1,7 +1,7 @@
-name: Splunk csrf in the ssg kvstore client endpoint
+name: Splunk CSRF in the SSG kvstore Client Endpoint
 id: 4742d5f7-ce00-45ce-9c79-5e98b43b4410
-version: 2
-date: '2024-05-11'
+version: 3
+date: '2024-07-01'
 author: Rod Soto
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic identifies attempts to exploit a cross-site
   information, compromising the integrity and security of the Splunk environment.
 data_source:
 - Splunk
-search: '`splunkda` uri_path="/en-US/splunkd/__raw/services/ssg/kvstore_client" method="GET"
+search: '`splunkda` uri_path="/*/splunkd/__raw/services/ssg/kvstore_client" method="GET"
   delete_field_value="spacebridge_server" status="200"  | table splunk_server status
   uri delete_field_value method post_data  | `splunk_csrf_in_the_ssg_kvstore_client_endpoint_filter`'
 how_to_implement: Requires access to internal index.
@@ -24,7 +24,7 @@ known_false_positives: This hunting search only applies to the affected versions
   it requires manual investigation after executing search. This search will produce
   false positives.
 references:
-- https://www.splunk.com/en_us/product-security.html
+- https://advisory.splunk.com/advisories/SVD-2023-0212
 tags:
   analytic_story:
   - Splunk Vulnerabilities

@@ -0,0 +1,56 @@
+name: Splunk DoS via POST Request Datamodel Endpoint
+id: 45766810-dbb2-44d4-b889-b4ba3ee0d1f5
+version: 1
+status: production
+date: '2024-07-01'
+author: Rod Soto
+type: Hunting
+data_source: []
+description: The following is a hunting search that allows investigation of error messages indicating Splunk HTTP engine shutdown as a result of a crafted posted request against '/datamodel/model' endpoint.
+search: >-
+  `splunkd_webs` log_level=INFO message="ENGINE: HTTP Server cherrypy._cpwsgi_server.CPWSGIServer(('127.0.0.1', 8065)) shut down" 
+  | stats count min(_time) as firstTime max(_time) as lastTime by splunk_server message 
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `splunk_dos_via_post_request_datamodel_endpoint_filter`
+how_to_implement: Need access to the internal indexes.
+known_false_positives: This is a hunting search and will produce false positives as other causes can also shut down splunk HTTP engine, however this denial of service error is associated to a request to the datamodel/model endpoing which operator can research and find proximity of request and message in logs. 
+references:
+- https://advisory.splunk.com/advisories/SVD-2024-0710
+cve:
+- CVE-2024-36986
+tags:
+  analytic_story:
+  - Splunk Vulnerabilities
+  asset_type: Splunk Server
+  cis20:
+  - CIS 3
+  - CIS 5
+  - CIS 16
+  confidence: 50
+  impact: 100
+  kill_chain_phases:
+  - Exploitation
+  message: Possible Denial of Service attack against $splunk_server$
+  mitre_attack_id:
+  - T1499
+  nist:
+  - DE.CM
+  observable:
+  - name: splunk_server
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  required_fields:
+  - UPDATE
+  risk_score: 15
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1499/splunk/SVD-2024-0710_web_service_splunk_web_service.log
+    source: /opt/splunk/var/log/splunk/web_service.log
+    sourcetype: splunk_web_service
+    custom_index: _internal
@@ -1,7 +1,7 @@
 name: Splunk Enterprise Windows Deserialization File Partition
 id: 947d4d2e-1b64-41fc-b32a-736ddb88ce97
-version: 2
-date: '2024-05-18'
+version: 3
+date: '2024-07-01'
 author: Rod Soto, Eric McGinnis, Chase Franklin
 status: production
 type: TTP
@@ -15,7 +15,7 @@ description: The following analytic identifies attempts to exploit a deserializa
   If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary
   code, and potentially compromise the entire Splunk environment, leading to data
   breaches and further system exploitation.
-search: '`splunk_python` request_path="/en-US/app/search/C:\\Program" *strings* |
+search: '`splunk_python` request_path="/*/app/search/C:\\Program" *strings* |
   rex "request_path=(?<file_path>[^\"]+)" | rex field=file_path "[^\"]+/(?<file_name>[^\"\''\s/\\\\]+)"
   | stats min(_time) as firstTime max(_time) as lastTime values(file_path) as file_path
   values(file_name) as file_name by index, sourcetype, host | `security_content_ctime(firstTime)`

@@ -0,0 +1,60 @@
+name: Splunk Information Disclosure on Account Login
+id: 2bae5d19-6d1b-4db0-82ab-0af5ac5f836c
+version: 1
+date: '2024-07-01'
+author: Rod Soto
+status: production
+type: Hunting
+data_source:
+- Splunk
+description: This is a composed hunting search that looks for possible user enumeration attempts when SAML is enabled on a Splunk instance by capturing different responses from server. 
+search: '`splunkd` component=UiAuth status=failure action=login TcpChannelThread 
+  | stats count min(_time) as firstTime max(_time) as lastTime by user status action clientip 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `splunk_information_disclosure_on_account_login_filter`'
+how_to_implement: Requires access to internal indexes _internal.
+known_false_positives: This is a hunting search and requires operator to search for large number of login failures from several users indicating possible user enumeration attempts. May capture genuine login failures. 
+references:
+- https://advisory.splunk.com/SVD-2024-0716
+cve:
+- CVE-2024-36996
+tags:
+  analytic_story:
+  - Splunk Vulnerabilities
+  asset_type: Splunk Server
+  cis20:
+  - CIS 3
+  - CIS 5
+  - CIS 16
+  confidence: 50
+  impact: 10
+  kill_chain_phases:
+  - Exploitation
+  message: Possible user enumeration attack against $clientip$
+  mitre_attack_id:
+  - T1087
+  nist:
+  - DE.CM
+  observable:
+  - name: clientip
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  required_fields:
+  - user
+  - action
+  - status 
+  - clientip 
+  - host 
+  risk_score: 5
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087/splunk/SVD-2024-0716_splunkd_splunkd.log
+    source: /opt/splunk/var/log/splunk/splunkd.log
+    sourcetype: splunkd
+    custom_index: _internal 
@@ -0,0 +1,57 @@
+name: Splunk RCE PDFgen Render
+id: bc2b7437-0400-438b-9537-21ab5b7d2d53
+version: 1
+date: '2024-07-01'
+status: production
+author: Rod Soto, Chase Franklin
+type: TTP
+data_source:
+- Splunk
+description: This is a hunting search designed to find and discover exploitation attempts against Splunk pdfgen render endpoint which results in remote 
+search: 'index=_internal sourcetype=splunk_pdfgen _raw IN ("*base64*", "*lambda*", "*system*")
+  | stats count min(_time) as firstTime max(_time) as lastTime by index, sourcetype, host, _raw
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `splunk_rce_pdfgen_render_filter`'
+how_to_implement: Requires access to internal indexes. 
+known_false_positives: This search will hunt for exploitation attempts against Splunk PDFgen render function, and not all requests are necesarily malicious so there will be false positives. 
+references:
+- https://advisory.splunk.com/advisories/SVD-2024-0701
+cve:
+- CVE-2024-36982
+tags:
+  analytic_story:
+  - Splunk Vulnerabilities
+  asset_type: Splunk Server
+  cis20:
+  - CIS 3
+  - CIS 5
+  - CIS 16
+  confidence: 100
+  impact: 80
+  kill_chain_phases:
+  - Exploitation
+  message: Possible exploitation against $host$
+  mitre_attack_id:
+  - T1210
+  nist:
+  - DE.CM
+  observable:
+  - name: host
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  required_fields:
+  - host
+  risk_score: 80
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1210/splunk/SVD-2024-0701_pdfgen_log_splunk_pdfgen.log
+    source: /opt/splunk/var/log/splunk/pdfgen.log
+    sourcetype: splunk_pdfgen
+    custom_index: _internal
+
@@ -0,0 +1,56 @@
+name: Splunk RCE via External Lookup Copybuckets
+id: 8598f9de-bba8-42a4-8ef0-12e1adda4131
+version: 1
+date: '2024-07-01'
+status: production
+author: Rod Soto, Chase Franklin
+type: Hunting
+data_source:
+- Splunk
+description: The following detection provides the ability to detect remote code execution attempts against a script named copybuckets present within the splunk_archiver application by calling this script as an external lookup.
+search: 'index=_internal sourcetype="splunk_archiver-too_small" *.csv
+  | rex field=_raw "Invoking command:\s(?<command>.*)" 
+  | stats min(_time) as firstTime max(_time) as lastTime values(command) as command values(severity) as severity by host
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `splunk_rce_via_external_lookup_copybuckets_filter`'
+how_to_implement: Requires access to internal indexes
+known_false_positives: An operator must identify elements indicatives of command execution requests by looking at regex data being extracted from the log. Not all the requests will be malicious. 
+references:
+- https://advisory.splunk.com/advisories/SVD-2024-0705
+tags:
+  analytic_story:
+  - Splunk Vulnerabilities 
+  asset_type: Splunk Server
+  cis20:
+  - CIS 3
+  - CIS 5
+  - CIS 16
+  confidence: 100
+  impact: 80
+  kill_chain_phases:
+  - Exploitation
+  message: Possible exploitation attempt against $host$
+  mitre_attack_id:
+  - T1210
+  nist:
+  - DE.CM
+  observable:
+  - name: host
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  required_fields:
+  - host
+  risk_score: 80
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1210/splunk/SVD-2024-0705_splunk_archiver_splunk_archiver-too_small.log
+    source: /opt/splunk/var/log/splunk/splunk_archiver.log
+    sourcetype: splunk_archiver-too_small
+    update_timestamp: true
+    custom_index: _internal
@@ -1,7 +1,7 @@
 name: Splunk risky Command Abuse disclosed february 2023
 id: ee69374a-d27e-4136-adac-956a96ff60fd
-version: 3
-date: '2024-05-05'
+version: 4
+date: '2024-07-01'
 author: Chase Franklin, Rod Soto, Eric McGinnis, Splunk
 status: production
 type: Hunting
@@ -26,7 +26,7 @@ search: '| tstats fillnull_value="N/A" count min(_time) as firstTime max(_time)
 how_to_implement: Requires implementation of Splunk_Audit.Search_Activity datamodel.
 known_false_positives: This search encompasses many commands.
 references:
-- https://www.splunk.com/en_us/product-security.html
+- https://advisory.splunk.com/advisories
 tags:
   analytic_story:
   - Splunk Vulnerabilities
@@ -43,6 +43,7 @@ tags:
   - CVE-2023-40598
   - CVE-2023-46214
   - CVE-2024-23676
+  - CVE-2024-36984
   impact: 50
   message: Use of risky splunk command $splunk_risky_command$ detected by $user$
   mitre_attack_id:

@@ -0,0 +1,57 @@
+name: Splunk Stored XSS conf-web Settings on Premises
+id: ed1209ef-228d-4dab-9856-be9369925a5c
+version: 1
+date: '2024-07-01'
+author: Rod Soto, Chase Franklin
+status: production
+type: Hunting
+data_source:
+- Splunk
+description: This hunting detection provides information on exploitation of stored XSS against /configs/conf-web/settings by an admin level user. 
+search: '`splunk_python` *script* *eval* 
+  | stats min(_time) as firstTime max(_time) as lastTime by index, sourcetype, host 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `splunk_stored_xss_conf_web_settings_on_premises_filter`'
+how_to_implement: Requires access to internal indexes.
+known_false_positives: This is a hunting search and will produce false positives, operator must identify XSS elemetns in the splunk_python log related to the vulnerable endpoint. 
+references:
+- https://advisory.splunk.com/advisories/SVD-2024-0717
+cve:
+- CVE-2024-36987
+tags:
+  analytic_story:
+  - Splunk Vulnerabilities
+  asset_type: Splunk Server
+  cis20:
+  - CIS 3
+  - CIS 5
+  - CIS 16
+  confidence: 100
+  impact: 20
+  kill_chain_phases:
+  - Exploitation
+  message: Possible XSS attack against $host$
+  mitre_attack_id:
+  - T1189
+  nist:
+  - DE.CM
+  observable:
+  - name: host
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  required_fields:
+  - UPDATE
+  risk_score: 20
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/SVD-2024-0717_python_log_splunk_python.log
+    source: /opt/splunk/var/log/splunk/python.log
+    sourcetype: splunk_python
+    custom_index: _internal
+