
Splunk Enterprise PostgreSQL Recovery Endpoint Injection Artifacts
Elastic Detection Rules
Summary
This rule detects exploitation artifacts for CVE-2026-20253 targeting Splunk Enterprise PostgreSQL sidecar recovery endpoints. It leverages two primary telemetry streams: (1) body-injection signals in HTTP POST requests to recovery endpoints containing PostgreSQL connection-string keywords (hostaddr, host, port, user, password, sslmode, service), backupFile path traversal, absolute filesystem targets (e.g., /tmp, /var/tmp, /dev/shm, /opt/splunk/etc/apps/), cron paths, or SSH authorized_keys, and cases where the database field is used as a connection string passed to pg_dump/pg_restore; (2) authentication artifacts observed via Zeek where an empty HTTP Basic auth password is sent, allowing attacker-supplied usernames to be fed to pg_dump/pg_restore. The rule also flags probes that trigger vulnerable endpoint behavior, evidenced by HTTP 400 responses to /v1/postgres/recovery/backup or /v1/postgres/recovery/restore.

Telemetry sources include endpoint network events, network-traffic HTTP with body capture, Zeek, Suricata, Azure Application Gateway, and GCP load balancer logs. MITRE ATT&CK mapping points to T1190 (Exploit Public-Facing Application) under Initial Access.

Triaging guidance covers correlating 400 responses with the presence of injection artifacts, tracing outbound PostgreSQL connections to attacker-controlled ports, validating file placements under /opt/splunk/etc/apps, /tmp, or similar paths, and confirming Splunk version exposure (noting Splunk Enterprise 10.0.x–10.0.6 and 10.2.x–10.2.3 as affected). False positives are unlikely for legitimate Splunk activity, given the specificity of the injection and filesystem targets. The rule provides a high-severity signal for active exploitation attempts and directs immediate containment and patching actions if confirmed.
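As an added illustration (not the Elastic rule's own query, which this page does not reproduce), the following Python applies the three signal groups described in the summary to HTTP transaction records and ranks the result for triage. The endpoints, connection-string keywords, filesystem targets and the empty-Basic-password check come from the summary above; the record format, the signal names, the severity ranking and the sample traffic are this example's own assumptions, and the sample records are constructed rather than real captures.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Recovery endpoints named in the rule summary.
RECOVERY_ENDPOINTS = ("/v1/postgres/recovery/backup", "/v1/postgres/recovery/restore")

# libpq connection-string keywords listed in the summary, matched as key=value pairs.
CONN_KW_RE = re.compile(r"\b(?:hostaddr|host|port|user|password|sslmode|service)=")
# Directory traversal anywhere in the body (the summary names the backupFile parameter).
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
# Absolute filesystem targets, cron paths and SSH authorized_keys named in the summary.
FS_TARGETS = ("/tmp", "/var/tmp", "/dev/shm", "/opt/splunk/etc/apps/", "/etc/cron", "authorized_keys")


@dataclass
class HttpRecord:
    """One HTTP transaction as a body-capturing sensor (Zeek, Suricata, ...) might log it (assumed shape)."""
    method: str
    path: str
    status: int
    body: str = ""
    auth_header: Optional[str] = None


@dataclass
class Finding:
    record: HttpRecord
    signals: List[str] = field(default_factory=list)
    severity: str = "low"


def has_empty_basic_password(auth_header: Optional[str]) -> bool:
    """True if the header is HTTP Basic with a non-empty username and an empty password."""
    if not auth_header:
        return False
    parts = auth_header.split(None, 1)
    if len(parts) < 2 or parts[0].lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(parts[1].strip(), validate=True).decode("utf-8", "replace")
    except Exception:  # not valid base64: no credentials to judge, so not a match
        return False
    user, sep, password = decoded.partition(":")
    return bool(sep) and user != "" and password == ""


def body_injection_signals(body: str) -> List[str]:
    """Body-injection artifacts from the summary, returned as signal names."""
    signals = []
    if CONN_KW_RE.search(body):
        signals.append("pg_connection_string_keyword")
    if TRAVERSAL_RE.search(body):
        signals.append("backupfile_path_traversal")
    if any(target in body for target in FS_TARGETS):
        signals.append("filesystem_target")
    return signals


def evaluate(record: HttpRecord) -> Optional[Finding]:
    """Apply the three signal groups to one record; None when nothing fires."""
    if record.path not in RECOVERY_ENDPOINTS:
        return None
    signals: List[str] = []
    if record.method.upper() == "POST":
        signals.extend(body_injection_signals(record.body))
    if has_empty_basic_password(record.auth_header):
        signals.append("empty_basic_auth_password")
    if record.status == 400:
        signals.append("http_400_probe")
    if not signals:
        return None
    # Triage ranking (this example's own, not the rule's): any injection or auth
    # artifact ranks high; a bare 400 against the endpoint is a probe, ranked medium.
    artifact = any(s != "http_400_probe" for s in signals)
    return Finding(record=record, signals=signals, severity="high" if artifact else "medium")


def run_detection(records: List[HttpRecord]) -> List[Finding]:
    return [f for f in (evaluate(r) for r in records) if f is not None]


# Constructed sample traffic (not real captures). 203.0.113.5 is a documentation address.
SAMPLE_RECORDS = [
    # Exploitation attempt: traversal in backupFile, connection-string keywords in the
    # database field, empty Basic password (base64 of "admin:"), and a 400 reply.
    HttpRecord("POST", "/v1/postgres/recovery/backup", 400,
               body="backupFile=../../../tmp/out&database=host=203.0.113.5 port=5432",
               auth_header="Basic YWRtaW46"),
    # Ordinary Splunk web traffic: not a recovery endpoint.
    HttpRecord("GET", "/en-US/app/search/search", 200),
    # Legitimate restore call: plain file name, real password (base64 of "admin:secret"), 200 reply.
    HttpRecord("POST", "/v1/postgres/recovery/restore", 200,
               body="backupFile=nightly.dump", auth_header="Basic YWRtaW46c2VjcmV0"),
    # Unauthenticated probe that only trips the vulnerable endpoint's 400 response.
    HttpRecord("GET", "/v1/postgres/recovery/restore", 400),
]

if __name__ == "__main__":
    for finding in run_detection(SAMPLE_RECORDS):
        print(finding.severity, finding.record.method, finding.record.path, finding.signals)
```

Run as-is, the first sample record produces a high-severity finding carrying all three body signals plus the empty-password and 400 signals, the last record produces a medium-severity probe finding, and the two benign records produce nothing. Only POST bodies are scanned for injection signals, mirroring the summary's first telemetry stream, while the 400-response and empty-password checks apply to any method.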
Categories
- Network
- Endpoint
- Cloud
- Web
- Database
Data Sources
- Network Traffic
- Application Log
- File
ATT&CK Techniques
- T1190
Created: 2026-06-15