Merge pull request #2918 from splunk/gitlab_release_v4.16.1

Gitlab release v4.16.1

Author: patel-bhavin

contentctl

@@ -7,9 +7,7 @@ status: experimental
 type: Hunting
 data_source: []
 description: This search provides information to investigate possible remote code execution exploitation via 
-  user-supplied Extensible Stylesheet Language Transformations (XSLT), affecting Splunk versions 9.1.x. 
-  Exploitation of this vulnerability by attackers requires that the Splunk App for Lookup File Editing 
-  is, or was, installed.
+  user-supplied Extensible Stylesheet Language Transformations (XSLT), affecting Splunk versions 9.1.x.
 search: '| rest splunk_server=local /services/data/lookup-table-files/ 
   | fields title author disabled eai:acl.app eai:acl.owner eai:acl.sharing eai:appName eai:data 
   | `splunk_app_for_lookup_file_editing_rce_via_user_xslt_filter`'
@@ -22,7 +20,7 @@ known_false_positives: This search will provide information for investigation an
   user-supplied XSLT which may be indications of possible exploitation. There will be false positives as it is 
   not possible to detect the payload executed via this exploit. 
 references:
-  - https://advisory.splunk.com/advisories 
+  - https://advisory.splunk.com/advisories/SVD-2023-1104 
 cve: 
   - CVE-2023-46214
 tags:

detections/application/splunk_app_for_lookup_file_editing_rce_via_user_xslt.yml

@@ -0,0 +1,63 @@
+name: Splunk RCE via User XSLT
+id: 6cb7e011-55fb-48e3-a98d-164fa854e37e
+version: 1
+date: '2023-11-22'
+author: Marissa Bower, Chase Franklin, Rod Soto, Bhavin Patel, Eric McGinnis, Splunk
+status: production
+type: Hunting
+data_source: []
+description: This search provides information to investigate possible remote code execution exploitation via 
+  user-supplied Extensible Stylesheet Language Transformations (XSLT), affecting Splunk versions 9.1.x. 
+search: '`splunkd_ui` ((uri="*NO_BINARY_CHECK=1*" AND "*input.path=*.xsl*") OR uri="*dispatch*.xsl*") AND uri!= "*splunkd_ui*"
+  | rex field=uri "(?<string>=\s*([\S\s]+))" 
+  | eval decoded_field=urldecode(string) 
+  | eval action=case(match(status,"200"),"Allowed",match(status,"303|500|401|403|404|301|406"),"Blocked",1=1,"Unknown") 
+  | stats count min(_time) as firstTime max(_time) as lastTime by clientip useragent uri decoded_field action host 
+  | rename clientip as src, uri as dest_uri 
+  | iplocation src 
+  | fillnull value="N/A" 
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | table firstTime, lastTime src, useragent, action, count, Country, Region, City, dest_uri, decoded_field'
+how_to_implement: This detection does not require you to ingest any new data. The detection does 
+  require the ability to search the _internal index.
+known_false_positives: This search will provide information for investigation and hunting possible abuse of user-supplied XSLT. 
+  There may be false positives and results should individually evaluated. Please evaluate the source IP and useragent responsible
+  for creating the requests.
+references:
+  - https://advisory.splunk.com/advisories/SVD-2023-1104
+cve: 
+  - CVE-2023-46214
+tags:
+  analytic_story:
+    - Splunk Vulnerabilities
+  asset_type: endpoint
+  confidence: 80
+  impact: 80
+  message: Potential Remote Code Execution via XLST from $src$ using useragent - $useragent$
+  mitre_attack_id:
+    - T1210
+  observable:
+    - name: src
+      type: IP Address
+      role:
+        - Attacker
+  product:
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
+  risk_score: 64
+  required_fields:
+    - uri
+    - clientip
+    - useragent
+    - action
+    - host
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1210/splunk/splunk_rce_via_user_xslt_splunkd_ui_access.log
+    source: /opt/splunk/var/log/splunk/splunkd_ui_access.log
+    sourcetype: splunkd_ui_access
+    custom_index: _internal

detections/application/splunk_rce_via_user_xslt.yml

@@ -36,6 +36,7 @@ tags:
   - CVE-2023-22940
   - CVE-2023-40598
   - CVE-2023-40598
+  - CVE-2023-46214
   impact: 50
   message: Use of risky splunk command $splunk_risky_command$ detected by $user$
   mitre_attack_id:

detections/application/splunk_risky_command_abuse_disclosed_february_2023.yml

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-11-16T22:15:55 UTC
+# On Date: 2023-11-22T22:53:13 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: [email protected]
 #############
@@ -309,7 +309,7 @@ providing_technologies = null
 type = detection
 asset_type = endpoint
 confidence = medium
-explanation = This search provides information to investigate possible remote code execution exploitation via user-supplied Extensible Stylesheet Language Transformations (XSLT), affecting Splunk versions 9.1.x. Exploitation of this vulnerability by attackers requires that the Splunk App for Lookup File Editing is, or was, installed.
+explanation = This search provides information to investigate possible remote code execution exploitation via user-supplied Extensible Stylesheet Language Transformations (XSLT), affecting Splunk versions 9.1.x.
 how_to_implement = Because there is no way to detect the payload, this search only provides the ability to monitor the creation of lookups which are the base of this exploit. An operator must then investigate suspicious lookups. This search requires ability to perform REST queries. Note that if the Splunk App for Lookup File Editing is not, or was not, installed in the Splunk environment then it is not necessary to run the search as the enviornment was not vulnerable.
 annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
 known_false_positives = This search will provide information for investigation and hunting of lookup creation via user-supplied XSLT which may be indications of possible exploitation. There will be false positives as it is not possible to detect the payload executed via this exploit.
@@ -595,6 +595,16 @@ annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitr
 known_false_positives = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. Focus of this search is "uri_path=/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*" which is the injection point.
 providing_technologies = null
 
+[savedsearch://ESCU - Splunk RCE via User XSLT - Rule]
+type = detection
+asset_type = endpoint
+confidence = medium
+explanation = This search provides information to investigate possible remote code execution exploitation via user-supplied Extensible Stylesheet Language Transformations (XSLT), affecting Splunk versions 9.1.x.
+how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1210"], "nist": ["DE.AE"]}
+known_false_positives = This search will provide information for investigation and hunting possible abuse of user-supplied XSLT. There may be false positives and results should individually evaluated. Please evaluate the source IP and useragent responsible for creating the requests.
+providing_technologies = null
+
 [savedsearch://ESCU - Splunk Reflected XSS in the templates lists radio - Rule]
 type = detection
 asset_type = Endpoint
@@ -16511,7 +16521,7 @@ version = 1
 references = ["https://www.splunk.com/en_us/product-security/announcements.html"]
 maintainers = [{"company": "Splunk", "email": "-", "name": "Lou Stella"}]
 spec_version = 3
-searches = ["ESCU - Detect Risky SPL using Pretrained ML Model - Rule", "ESCU - Path traversal SPL injection - Rule", "ESCU - Splunk Absolute Path Traversal Using runshellscript - Rule", "ESCU - Splunk Account Discovery Drilldown Dashboard Disclosure - Rule", "ESCU - Splunk App for Lookup File Editing RCE via User XSLT - Rule", "ESCU - Splunk Code Injection via custom dashboard leading to RCE - Rule", "ESCU - Splunk Command and Scripting Interpreter Delete Usage - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky Commands - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK - Rule", "ESCU - Splunk csrf in the ssg kvstore client endpoint - Rule", "ESCU - Splunk Data exfiltration from Analytics Workspace using sid query - Rule", "ESCU - Splunk Digital Certificates Infrastructure Version - Rule", "ESCU - Splunk Digital Certificates Lack of Encryption - Rule", "ESCU - Splunk DoS Using Malformed SAML Request - Rule", "ESCU - Splunk DOS Via Dump SPL Command - Rule", "ESCU - Splunk DoS via Malformed S2S Request - Rule", "ESCU - Splunk DOS via printf search function - Rule", "ESCU - Splunk Edit User Privilege Escalation - Rule", "ESCU - Splunk Endpoint Denial of Service DoS Zip Bomb - Rule", "ESCU - Splunk HTTP Response Splitting Via Rest SPL Command - Rule", "ESCU - Splunk Improperly Formatted Parameter Crashes splunkd - Rule", "ESCU - Splunk list all nonstandard admin accounts - Rule", "ESCU - Splunk Low Privilege User Can View Hashed Splunk Password - Rule", "ESCU - Splunk Path Traversal In Splunk App For Lookup File Edit - Rule", "ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule", "ESCU - Splunk Persistent XSS Via URL Validation Bypass W Dashboard - Rule", "ESCU - Splunk Process Injection Forwarder Bundle Downloads - Rule", "ESCU - Splunk Protocol Impersonation Weak Encryption Configuration - Rule", "ESCU - Splunk protocol impersonation weak encryption selfsigned - Rule", "ESCU - Splunk protocol impersonation weak encryption simplerequest - Rule", "ESCU - Splunk RBAC Bypass On Indexing Preview REST Endpoint - Rule", "ESCU - Splunk RCE via Serialized Session Payload - Rule", "ESCU - Splunk RCE via Splunk Secure Gateway  Splunk Mobile alerts feature - Rule", "ESCU - Splunk Reflected XSS in the templates lists radio - Rule", "ESCU - Splunk Reflected XSS on App Search Table Endpoint - Rule", "ESCU - Splunk risky Command Abuse disclosed february 2023 - Rule", "ESCU - Splunk Stored XSS via Data Model objectName field - Rule", "ESCU - Splunk Unauthenticated Log Injection Web Service Log - Rule", "ESCU - Splunk unnecessary file extensions allowed by lookup table uploads - Rule", "ESCU - Splunk User Enumeration Attempt - Rule", "ESCU - Splunk XSS in Highlighted JSON Events - Rule", "ESCU - Splunk XSS in Monitoring Console - Rule", "ESCU - Splunk XSS in Save table dialog header in search page - Rule", "ESCU - Splunk XSS via View - Rule", "ESCU - Open Redirect in Splunk Web - Rule", "ESCU - Splunk Enterprise Information Disclosure - Rule", "ESCU - Splunk Identified SSL TLS Certificates - Rule"]
+searches = ["ESCU - Detect Risky SPL using Pretrained ML Model - Rule", "ESCU - Path traversal SPL injection - Rule", "ESCU - Splunk Absolute Path Traversal Using runshellscript - Rule", "ESCU - Splunk Account Discovery Drilldown Dashboard Disclosure - Rule", "ESCU - Splunk App for Lookup File Editing RCE via User XSLT - Rule", "ESCU - Splunk Code Injection via custom dashboard leading to RCE - Rule", "ESCU - Splunk Command and Scripting Interpreter Delete Usage - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky Commands - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK - Rule", "ESCU - Splunk csrf in the ssg kvstore client endpoint - Rule", "ESCU - Splunk Data exfiltration from Analytics Workspace using sid query - Rule", "ESCU - Splunk Digital Certificates Infrastructure Version - Rule", "ESCU - Splunk Digital Certificates Lack of Encryption - Rule", "ESCU - Splunk DoS Using Malformed SAML Request - Rule", "ESCU - Splunk DOS Via Dump SPL Command - Rule", "ESCU - Splunk DoS via Malformed S2S Request - Rule", "ESCU - Splunk DOS via printf search function - Rule", "ESCU - Splunk Edit User Privilege Escalation - Rule", "ESCU - Splunk Endpoint Denial of Service DoS Zip Bomb - Rule", "ESCU - Splunk HTTP Response Splitting Via Rest SPL Command - Rule", "ESCU - Splunk Improperly Formatted Parameter Crashes splunkd - Rule", "ESCU - Splunk list all nonstandard admin accounts - Rule", "ESCU - Splunk Low Privilege User Can View Hashed Splunk Password - Rule", "ESCU - Splunk Path Traversal In Splunk App For Lookup File Edit - Rule", "ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule", "ESCU - Splunk Persistent XSS Via URL Validation Bypass W Dashboard - Rule", "ESCU - Splunk Process Injection Forwarder Bundle Downloads - Rule", "ESCU - Splunk Protocol Impersonation Weak Encryption Configuration - Rule", "ESCU - Splunk protocol impersonation weak encryption selfsigned - Rule", "ESCU - Splunk protocol impersonation weak encryption simplerequest - Rule", "ESCU - Splunk RBAC Bypass On Indexing Preview REST Endpoint - Rule", "ESCU - Splunk RCE via Serialized Session Payload - Rule", "ESCU - Splunk RCE via Splunk Secure Gateway  Splunk Mobile alerts feature - Rule", "ESCU - Splunk RCE via User XSLT - Rule", "ESCU - Splunk Reflected XSS in the templates lists radio - Rule", "ESCU - Splunk Reflected XSS on App Search Table Endpoint - Rule", "ESCU - Splunk risky Command Abuse disclosed february 2023 - Rule", "ESCU - Splunk Stored XSS via Data Model objectName field - Rule", "ESCU - Splunk Unauthenticated Log Injection Web Service Log - Rule", "ESCU - Splunk unnecessary file extensions allowed by lookup table uploads - Rule", "ESCU - Splunk User Enumeration Attempt - Rule", "ESCU - Splunk XSS in Highlighted JSON Events - Rule", "ESCU - Splunk XSS in Monitoring Console - Rule", "ESCU - Splunk XSS in Save table dialog header in search page - Rule", "ESCU - Splunk XSS via View - Rule", "ESCU - Open Redirect in Splunk Web - Rule", "ESCU - Splunk Enterprise Information Disclosure - Rule", "ESCU - Splunk Identified SSL TLS Certificates - Rule"]
 description = Keeping your Splunk Enterprise deployment up to date is critical and will help you reduce the risk associated with vulnerabilities in the product.
 narrative = This analytic story includes detections that focus on attacker behavior targeted at your Splunk environment directly.
 

dist/DA-ESS-ContentUpdate/default/analyticstories.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-11-16T22:15:55 UTC
+# On Date: 2023-11-22T22:53:13 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: [email protected]
 #############
@@ -10,7 +10,7 @@
 is_configured = false
 state = enabled
 state_change_requires_restart = false
-build = 20231116221053
+build = 20231122225106
 
 [triggers]
 reload.analytic_stories = simple

dist/DA-ESS-ContentUpdate/default/app.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-11-16T22:15:55 UTC
+# On Date: 2023-11-22T22:53:13 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: [email protected]
 #############

dist/DA-ESS-ContentUpdate/default/collections.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-11-16T22:15:55 UTC
+# On Date: 2023-11-22T22:53:13 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: [email protected]
 #############

dist/DA-ESS-ContentUpdate/default/content-version.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-11-16T22:15:55 UTC
+# On Date: 2023-11-22T22:53:13 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: [email protected]
 #############

dist/DA-ESS-ContentUpdate/default/es_investigations.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-11-16T22:15:55 UTC
+# On Date: 2023-11-22T22:53:13 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: [email protected]
 #############
@@ -233,6 +233,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[splunk_rce_via_user_xslt_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [splunk_reflected_xss_in_the_templates_lists_radio_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.