Splunk Enterprise Windows RCE via Arbitrary File Write Detection Rule and SPL

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability Description: - Vulnerability Type: RCE (Remote Code Execution) via arbitrary file write to Windows system root directory. - Affected Versions: Splunk Enterprise for Windows versions below 9.3.0, 9.2.3, and 9.1.6. - Exploitation: Low-privileged users can write files to the Windows system root directory (default location: C:\Windows\System32) without holding the "admin" or "power" Splunk roles. - Impact: Users may be able to upload and execute code due to insecure session storage configuration. 2. Search: - A search query written in Splunk’s SPL (Search Processing Language) is provided to detect malicious activity. - The search includes checking application creation events within a specific time range and analyzing whether these events are associated with potential RCE attacks. 3. Data Source: - Data source: Internal index of Splunk Enterprise. - Index type used: . 4. Macro Usage: - Two macros are used: and . - The latter is an empty macro designed to filter out potential false positives. 5. MITRE ATT&CK: - Attack stages involved: “Exploitation of Remote Services” and “Lateral Movement”. 6. Risk Assessment: - Risk Score: 45. - Impact: 90. - Confidence: 50. 7. Reference Links: - Official Splunk security advisory link. 8. Detection Testing: - Detection has passed validation, unit testing, and integration testing. 9. Version Information: - Version 1. This information provides a detailed description of the vulnerability, detection methods, risk assessment, and test results, aiding in understanding and responding to this security threat.

Goal Reached Thanks to every supporter — we hit 100%!

Splunk Enterprise Windows RCE via Arbitrary File Write Detection Rule and SPL