LetsDefend: SOC239 - Remote Code Execution Detected in Splunk Enterprise

Welcome back to the blog, another new challenge for us to take on so let's get straight to business. Today we will investigate a remote code injection alert.

The _upload and preview endpoints can be exploited in local file inclusion (LFI) or arbitrary file upload attacks.

Hostname check in Email Security:

IP check in Email Security:

Source IP check in Endpoint Security:

Since we did not find the source IP in Endpoint Security, it does not belong to our network.
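To make the two checks above concrete, here is a small triage script I wrote for this post; it is not part of the LetsDefend challenge or any Splunk code. It assumes a simplified access-log format (`src_ip method path status`), assumes that the `_upload` and `preview` endpoints mentioned earlier appear as path prefixes, and treats the RFC 1918 private ranges as "our network". The sample log lines are constructed. It flags requests to those endpoints that carry path-traversal sequences (the LFI case, including URL-encoded forms) or that upload files with extensions on an assumed watch list, and records whether the source IP is internal.

```python
import ipaddress
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original alert).
# Assumed format: "<src_ip> <method> <path> <status>"
SAMPLE_LOG = """\
10.20.30.40 GET /en-US/app/search/dashboard 200
203.0.113.77 GET /_upload/..%2f..%2f..%2fetc%2fpasswd 200
203.0.113.77 POST /preview/shell.xml 200
192.168.1.15 GET /_upload/report.pdf 200
"""

# Assumption: "our network" means the RFC 1918 private ranges.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Endpoints named in the write-up, assumed here to appear as path prefixes.
WATCHED_ENDPOINTS = ("/_upload", "/preview")

# Directory-traversal sequences, matched after URL decoding.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\)")

# Assumed watch list of upload extensions worth a second look.
RISKY_EXT = (".xml", ".xsl", ".xslt", ".php", ".jsp")


def is_internal(ip: str) -> bool:
    """Return True if the address falls inside an internal range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify_request(path: str, method: str) -> Optional[str]:
    """Label a request to a watched endpoint, or return None if it looks benign."""
    # Decode twice so a double-encoded "..%252f" is still caught.
    decoded = unquote(unquote(path))
    if not decoded.startswith(WATCHED_ENDPOINTS):
        return None
    if TRAVERSAL.search(decoded):
        return "lfi-traversal"
    if method.upper() == "POST" and decoded.lower().endswith(RISKY_EXT):
        return "suspicious-upload"
    return None


def triage(log_text: str) -> List[Dict]:
    """Parse log lines and return one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        src_ip, method, path, status = parts
        verdict = classify_request(path, method)
        if verdict is None:
            continue
        findings.append({
            "src_ip": src_ip,
            "path": path,
            "verdict": verdict,
            "status": int(status),
            "internal_source": is_internal(src_ip),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        origin = "internal" if f["internal_source"] else "external"
        print(f"{f['verdict']:18} {origin:8} {f['src_ip']:15} {f['path']}")
```

Run against the constructed log, the script reports two hits from the external address 203.0.113.77 (a traversal attempt against `_upload` and an XML upload to `preview`) and ignores the ordinary requests, which mirrors the manual "is this IP ours?" step above in a form you can point at a real export.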

We have to contain the endpoint device because the attack was successful.

The reason, again, is that the attack was successful.

The attack was an XML attack; we were quite close, though. The important thing is that we diagnosed the alert as a true positive and it was escalated to tier 2.