[New Rule] Splunk Enterprise PostgreSQL Sidecar Pre-Auth RCE (CVE-2026-20253)#6279
[New Rule] Splunk Enterprise PostgreSQL Sidecar Pre-Auth RCE (CVE-2026-20253)#6279eric-forte-elastic wants to merge 13 commits into
Conversation
eric-forte-elastic
added
Domain: Network
Rule: New
|
⛔️ Test failed Results
|
Rule: New - GuidelinesThese guidelines serve as a reminder set of considerations when proposing a new rule. Documentation and Context
Rule Metadata Checks
New BBR Rules
Testing and Validation
|
|
⛔️ Test failed Results
|
|
⛔️ Test failed Results
|
|
⛔️ Test failed Results
|
|
⛔️ Test failed Results
|
|
⛔️ Test failed Results
|
|
⛔️ Test failed Results
|
There was a problem hiding this comment.
Pull request overview
Adds two new network-focused detection rules to identify exploitation and exploitation artifacts for Splunk Enterprise PostgreSQL sidecar pre-auth RCE (CVE-2026-20253) across common HTTP telemetry sources (Elastic Agent network_traffic, Zeek, Suricata, plus select proxy/WAF logs).
Changes:
- Adds a KQL (query) rule to detect recovery endpoint probing, empty-password Basic auth artifacts (Zeek), and request-body injection indicators (where body logging is available).
- Adds an ES|QL correlation rule intended to detect a backup→restore exploitation sequence from the same client to the same Splunk host within 15 minutes.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| rules/network/initial_access_splunk_postgres_recovery_body_injection.toml | New single-event artifact/probing rule for CVE-2026-20253 recovery endpoint abuse, with investigation guide + setup guidance. |
| rules/network/initial_access_splunk_postgres_backup_restore_rce_sequence.toml | New ES |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
|
⛔️ Test failed Results
|
|
⛔️ Test failed Results
|
|
⛔️ Test failed Results
|
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
|
⛔️ Test failed Results
|
|
⛔️ Test failed Results
|
| http.request.method:POST and | ||
| url.path:("*splunkd/__raw/v1/postgres/recovery/*" or "/v1/postgres/recovery/*") and | ||
| ( | ||
| http.request.body.content:( |
There was a problem hiding this comment.
To get body content, you need advanced NPC settings, I believe? If I'm correct, maybe add these instructions to the setup guide.
There was a problem hiding this comment.
Also, won't some of this be blocked from usage through TLS?
There was a problem hiding this comment.
For the TLS part we do make note of that, it depends on where the TLS occurs and where the sensor is located. This path is largely optional for detection, but is high fidelity if you do have your network setup this way, the other paths do not require TLS decryption nor body content.
For TLS deployments, the sensor must observe decrypted HTTP, sit downstream of TLS termination, or use
proxy or load balancer logs that expose the HTTP path, method, and status code.
As an example, some deployments would not have Splunk run with https, but have nginx or a proxy wrap the connection in TLS. In these cases, if your sensor is on the host or inside of network prior to nginx you would then not need TLS decryption.
For the body content for Endpoint's Network Traffic Integration, you generally would just need to update the config to include it (optionally given this is an optional path for higher fidelity). (ref) which we also reference:
Network Packet Capture (
logs-network_traffic.http*) with HTTP body capture enabled for the
Splunk recovery paths
Happy to add more detail, but the steps are to add the recovery paths to the monitored body parsing setting in the integration.
Does this address what you are referencing? Or would you prefer if we add more detail? Thanks!
| suppressing the rule entirely. | ||
| """, | ||
| ] | ||
| from = "now-20m" |
There was a problem hiding this comment.
maybe add interval of 19m here to reduce duplicates? or just add alert suppression.
I assume if RCE remotely, internet wide scanning volume may be high?
There was a problem hiding this comment.
Yes, the internet wide scanning would be high and to address that we are not including firewall logs here.
The expected deployment for network_traffic, zeek, and suricata sensors would be inside the firewall rather than running packet capture on external traffic. Doing so would create a tremendous amount of noise in general. In an environment where a customer is already doing this, they would already expect high levels of noise. In which case they may want to have this rule on external traffic despite the noise.
|
⛔️ Test failed Results
|
Pull Request
Issue link(s):
Summary - What I changed
Adds two complementary network detection rules covering active exploitation of CVE-2026-20253, a pre-authentication RCE in the Splunk Enterprise PostgreSQL sidecar recovery endpoints (
*splunkd/__raw/v1/postgres/recovery/*and/v1/postgres/recovery/*) disclosed by watchTowr. The recovery endpoints pass the request'sdatabaseJSON field directly topg_dump/pg_restoreas a PostgreSQL connection string and thebackupFilefield as the dump path, so an unauthenticated attacker can inject connection-string keywords and traverse the filesystem to create or overwrite files and achieve code execution on the Splunk host. Affected versions are Splunk Enterprise 10.0.0-10.0.6 and 10.2.0-10.2.3 (fixed in 10.0.7 and 10.2.4); 10.4.0+ and Splunk Cloud are not affected.Backup-to-Restore Potential RCE Sequence (
esql): A behavioral sequence rule that fires when the same source IP sends a POST to both the/backupand/restorerecovery endpoints on the same Splunk host within a 15-minute window. This is the two-stage watchTowr chain: first stage the attacker-controlled dump, then load and execute it. The rule supports Elastic Agent Network Packet Capture (logs-network_traffic.http*), Zeek (logs-zeek.http*), and Suricata (logs-suricata.eve*) where HTTP path, method, and response metadata are visible to the sensor.Recovery Endpoint Injection Artifacts (
query/kuery): A single-event rule with body, auth, and probing branches. Where endpoint, Network Packet Capture, WAF, or reverse-proxy request-body logging is available, it matches PostgreSQL connection-string injection keywords (hostaddr=,host=,port=,passfile=,dbname=,user=,password=,sslmode=,service=), suspiciousbackupFiledestinations (/tmp/,/var/tmp/,/dev/shm/,/opt/splunk/etc/apps/, cron paths, SSH paths), and known filesystem artifacts (.pgpass,/opt/splunk/etc/apps/) in the request body. Where Zeek HTTP logging is available, it matches the empty-password HTTP Basic auth artifact (url.password : "") used by published PoC tooling; this branch is gated ondata_stream.dataset : zeek.httpso non-Zeek sources cannot reach it. The rule also detects vulnerable endpoint probing when POST requests to/backupor/restorereturn HTTP 400, scoped to datasets that expose the required response metadata:network_traffic.http,zeek.http,suricata.eve,azure.application_gateway, andgcp.loadbalancing_logs.How To Test
Data in shared stack, RTAs and unit tests.
Checklist
bug,enhancement,schema,maintenance,Rule: New,Rule: Deprecation,Rule: Tuning,Hunt: New, orHunt: Tuningso guidelines can be generatedmeta:rapid-mergelabel if planning to merge within 24 hoursContributor checklist