⭐ SOC239 – Remote Code Execution Detected in Splunk Enterprise Walkthrough (EventID: 201)
Letsdefend Alert Walkthrough

Hi, I’m Ridesh — a Computer Engineering student on the path to becoming a SOC Analyst. I’m here to share my journey of learning cybersecurity, building projects, and improving my mindset while growing publicly. I’m passionate about cyber defense, psychology, philosophy, ancient wisdom, anime mindset lessons, and everything that builds mental strength. My goal is simple: Build a strong cybersecurity foundation, grow consistently, and connect with people who think like me. If you’re on a similar journey, you’re in the right place — let’s learn and grow together.
A Real SOC Investigation | LetsDefend Walkthrough
Today’s alert is a serious one: ⭐ SOC239 – Remote Code Execution Detected in Splunk Enterprise
Whenever “RCE” appears in an alert title, the severity immediately increases. Remote Code Execution means an attacker may be able to execute arbitrary commands on the target system.
Let’s break this down step by step.
🚨 Alert Overview
After opening the playbook, the trigger reason was clear:
Detected a malicious XSLT upload in Splunk Enterprise with the potential to trigger Remote Code Execution.
This is alarming because Splunk is a centralized logging and monitoring platform. If compromised, attackers could:
Manipulate logs
Hide activity
Execute commands
Pivot further into the network
🖥 Collected Alert Data
From the alert details:
Source IP: 180.101.88.240 (External – China)
Destination IP: 172.16.20.13
Hostname: Splunk Enterprise
HTTP Method: POST
Requested URL:
/en-US/splunkd/__upload/indexing/preview?output_mode=json&props.NO_BINARY_CHECK=1&input.path=shell.xsl
Trigger File Path:
/opt/splunk/var/run/splunk/dispatch/1700556926.3/shell.xsl
The request attempts to upload a file named shell.xsl.
That’s a major red flag.
🔎 Step 1 – Analyze HTTP Traffic
From the log management page, I inspected the HTTP request content.
The attacker uploaded an XSLT file. XSLT (Extensible Stylesheet Language Transformations) is normally used to transform XML data.
However, malicious XSLT files can:
Embed system commands
Trigger script execution
Enable remote code execution
This is commonly associated with:
🎯 XML Injection / XSLT-based RCE Exploitation
The attacker appears to be abusing Splunk’s upload functionality to execute malicious code.
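As an added example (not part of the original walkthrough), here is a small Python scanner that applies the Step 1 indicators to constructed access-log lines: it flags POST requests to the __upload/indexing/preview endpoint whose input.path names an XSLT file, and notes when props.NO_BINARY_CHECK=1 is set. The log line format and all sample lines are constructed for the example, not taken from LetsDefend.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in a generic web-access style (not real Splunk logs).
SAMPLE_LOGS = [
    '180.101.88.240 - - [21/Nov/2023:09:35:26 +0000] "POST /en-US/splunkd/__upload/indexing/preview'
    '?output_mode=json&props.NO_BINARY_CHECK=1&input.path=shell.xsl HTTP/1.1" 200 512',
    '10.0.0.5 - - [21/Nov/2023:09:36:01 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 2048',
    '10.0.0.7 - - [21/Nov/2023:09:37:10 +0000] "POST /en-US/splunkd/__upload/indexing/preview'
    '?output_mode=json&input.path=access.log HTTP/1.1" 200 640',
]

# Minimal access-log parser: source, timestamp, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_PREVIEW = "/splunkd/__upload/indexing/preview"
XSLT_SUFFIXES = (".xsl", ".xslt")


def analyze(line):
    """Return a finding dict for a suspicious upload-preview request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["url"])
    if UPLOAD_PREVIEW not in parts.path:
        return None  # only the upload-preview endpoint is in scope here
    qs = parse_qs(parts.query)
    input_path = qs.get("input.path", [""])[0]
    reasons = []
    if input_path.lower().endswith(XSLT_SUFFIXES):
        reasons.append(f"XSLT file name in input.path: {input_path}")
    if qs.get("props.NO_BINARY_CHECK", [""])[0] == "1":
        reasons.append("props.NO_BINARY_CHECK=1 disables the binary-content check")
    if not reasons:
        return None  # a plain log upload via this endpoint is normal use
    return {
        "src": m["src"], "ts": m["ts"], "method": m["method"],
        "status": int(m["status"]), "input_path": input_path, "reasons": reasons,
    }


def scan(lines):
    """Run analyze() over every line and keep only the findings."""
    return [f for f in (analyze(l) for l in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding["src"], finding["method"], finding["input_path"], "|", "; ".join(finding["reasons"]))
```

Only the first sample line is reported; the third line uses the same endpoint for a normal .log preview and is left alone, which is the distinction a detection rule for this alert needs.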
🌍 Step 2 – Source IP Reputation Check
Next, I analyzed the source IP address: 180.101.88.240
Using threat intelligence tools (e.g., VirusTotal), I found:
Reports of hacking activity
Port scanning history
SSH brute-force attempts
Malicious reputation
The IP originates from China and has prior malicious reports.
Conclusion: The traffic is malicious.
🎯 Step 3 – Identify the Attack Type
Based on:
Malicious XSLT file upload
Suspicious endpoint (__upload/indexing/preview)
Evidence of command execution in logs
This activity aligns with:
Remote Code Execution (RCE) via XSLT Upload
The attacker likely exploited a vulnerability in Splunk Enterprise’s file upload mechanism to execute malicious code on the system.
📅 Step 4 – Was This a Planned Test?
After reviewing email security logs and internal activity:
No authorized testing was planned.
Planned Activity: No
🌐 Step 5 – Traffic Direction
From previous IP analysis:
Source: External public IP
Destination: Internal Splunk server
Traffic Direction: Internet → Company Network
This confirms an inbound external attack attempt.
💥 Step 6 – Was the Attack Successful?
The critical question:
Did the uploaded XSLT file execute?
By reviewing logs and terminal history on the Splunk host:
The malicious file was written to disk
Command execution activity was observed
This confirms successful exploitation.
⚠ Attack Status: Successful
This significantly increases the severity of the incident because:
Splunk is a high-value asset
Log integrity could be compromised
Attackers could gain deeper network access
🔒 Step 7 – Containment Action
Since the attack was successful:
Immediate containment was required.
Action Taken: Host device contained
This prevents:
Further command execution
Lateral movement
Persistence mechanisms
Data tampering
⬆ Step 8 – Artifacts & Escalation to Tier 2
Given:
Confirmed RCE
Malicious external source
Compromise of a critical system
Tier 2 Escalation: Yes
A deeper forensic investigation is required to determine impact and persistence.
📝 Analyst Note (Summary)
Alert SOC239 was triggered due to detection of a malicious XSLT upload targeting Splunk Enterprise. Investigation revealed the source IP has a malicious reputation and the uploaded file was successfully written and executed. The incident was classified as a successful Remote Code Execution attack. The host was contained and the case escalated to Tier 2 for further analysis.
✅ Final Classification
Malicious Traffic: Yes
Attack Type: Remote Code Execution (XSLT-based)
Planned Activity: No
Traffic Direction: Internet → Company Network
Successful: Yes
Containment: Performed
Tier 2 Escalation: Yes
After closing the alert, all answers were validated as correct, confirming the accuracy of the investigation.
Let's Connect
If you found this walkthrough valuable and want to connect and expand your knowledge, let's connect. Here's my complete list of alerts with uploaded walkthroughs. Follow for more insights.