Splunk Enterprise PostgreSQL Backup-to-Restore Potential RCE Sequence

Last updated 8 days ago on 2026-06-24
Created 17 days ago on 2026-06-15

About

Detects a POST to the Splunk Enterprise PostgreSQL backup endpoint followed by a POST to the restore endpoint from the same client to the same host within a 15-minute window. This sequence is unusual and can align with the public CVE-2026-20253 pre-authentication RCE chain, where an attacker stages a database dump via the backup path and executes attacker-controlled SQL via the restore path.
Tags
Domain: Network
Use Case: Threat Detection
Use Case: Vulnerability
Use Case: Network Security Monitoring
Tactic: Initial Access
Data Source: Network Packet Capture
Data Source: Network Traffic
Data Source: Zeek
Data Source: Suricata
Language: esql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Initial Access (TA0001)

False Positive Examples
Legitimate PostgreSQL recovery operations performed by Splunk administrators through the backup and restore API. These should be rare and originate from known management networks. If such operations occur in your environment, scope exceptions by source IP or approved management network rather than suppressing the rule entirely.
License
Elastic License v2

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

network_traffic

zeek

suricata

Query
from logs-network_traffic.http*, logs-zeek.http*, logs-suricata.eve*
| where http.request.method == "POST"
  and (url.path like "*splunkd/__raw/v1/postgres/recovery/*" or url.path like "/v1/postgres/recovery/*")
| eval Esql.is_backup = case(url.path like "*/backup", 1, 0)
| eval Esql.is_restore = case(url.path like "*/restore", 1, 0)
| stats Esql.backup_count = SUM(Esql.is_backup),
        Esql.restore_count = SUM(Esql.is_restore),
        Esql.first_seen = MIN(@timestamp),
        Esql.last_seen = MAX(@timestamp),
        Esql.statuses = VALUES(http.response.status_code)
  by source.ip, destination.ip
| eval Esql.duration_minutes = DATE_DIFF("minute", Esql.first_seen, Esql.last_seen)
| where Esql.backup_count >= 1 and Esql.restore_count >= 1 and Esql.duration_minutes <= 15
| keep source.ip, destination.ip, Esql.*
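As an added illustration that is not part of the Elastic rule or its repository, the correlation the ES|QL above performs is re-implemented in Python over a handful of constructed ECS-style HTTP events, with an optional allow-list of management networks as suggested under False Positive Examples. The `rec` helper, the sample records and every IP address in them are constructed assumptions, not real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from fnmatch import fnmatchcase
import ipaddress

RECOVERY_PATHS = ("*splunkd/__raw/v1/postgres/recovery/*", "/v1/postgres/recovery/*")  # rule's like clauses
WINDOW = timedelta(minutes=15)

def rec(ts, src, dst, path, method="POST", status=200):
    """Minimal ECS-style HTTP record (constructed sample, not real traffic)."""
    return {"@timestamp": ts, "source.ip": src, "destination.ip": dst,
            "http.request.method": method, "url.path": path,
            "http.response.status_code": status}

def is_recovery_post(r):
    return r["http.request.method"] == "POST" and any(
        fnmatchcase(r["url.path"], p) for p in RECOVERY_PATHS)

def correlate(records, allow_nets=()):
    """One finding per (source.ip, destination.ip) pair with >=1 backup POST and >=1 restore
    POST spanning <=15 minutes; allow_nets scopes out approved management networks."""
    nets = [ipaddress.ip_network(n) for n in allow_nets]
    groups = defaultdict(list)
    for r in filter(is_recovery_post, records):  # the rule's where + stats ... by
        groups[(r["source.ip"], r["destination.ip"])].append(r)
    findings = []
    for (src, dst), recs in groups.items():
        if any(ipaddress.ip_address(src) in n for n in nets):
            continue  # scoped exception by approved management network
        backups = sum(fnmatchcase(r["url.path"], "*/backup") for r in recs)
        restores = sum(fnmatchcase(r["url.path"], "*/restore") for r in recs)
        times = [datetime.fromisoformat(r["@timestamp"].replace("Z", "+00:00")) for r in recs]
        span = max(times) - min(times)  # MIN/MAX(@timestamp) -> DATE_DIFF("minute", ...)
        if backups >= 1 and restores >= 1 and span <= WINDOW:
            findings.append({"source.ip": src, "destination.ip": dst,
                             "backup_count": backups, "restore_count": restores,
                             "duration_minutes": int(span.total_seconds() // 60),
                             "statuses": sorted({r["http.response.status_code"] for r in recs})})
    return findings

BASE = "/splunkd/__raw/v1/postgres/recovery/"
SAMPLE = [  # constructed events; 10.10.0.0/16 plays the approved management network
    rec("2026-06-20T10:00:00Z", "203.0.113.5", "10.0.0.8", BASE + "backup"),
    rec("2026-06-20T10:04:30Z", "203.0.113.5", "10.0.0.8", BASE + "restore", status=500),
    rec("2026-06-20T11:00:00Z", "10.10.0.2", "10.0.0.8", BASE + "backup"),
    rec("2026-06-20T11:02:00Z", "10.10.0.2", "10.0.0.8", BASE + "restore"),
    rec("2026-06-20T13:00:00Z", "192.0.2.7", "10.0.0.8", BASE + "backup"),
    rec("2026-06-20T13:30:00Z", "192.0.2.7", "10.0.0.8", BASE + "restore"),  # outside window
    rec("2026-06-20T14:00:00Z", "192.0.2.7", "10.0.0.8", BASE + "restore", method="GET"),  # ignored
]
```

Calling `correlate(SAMPLE)` flags both the external client and the management host; passing `allow_nets=["10.10.0.0/16"]` leaves only the external pair, which is the scoping the False Positive section recommends over suppressing the rule.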

Install detection rules in Elastic Security

Detect Splunk Enterprise PostgreSQL Backup-to-Restore Potential RCE Sequence in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.