detect_malicious_requests_to_exploit_jboss_servers.yml
name: Detect malicious requests to exploit JBoss servers
id: c8bff7a4-11ea-4416-a27d-c5bca472913d
version: 1
date: '2017-09-23'
author: Bhavin Patel, Splunk
status: experimental
type: TTP
description: This search detects HTTP requests crafted to exploit the jmx-console
  in JBoss servers. It matches GET or HEAD requests to the jmx-console HtmlAdaptor
  that invoke an operation on a jboss.admin MBean (action=invokeOpByName&name=jboss.admin...)
  and whose URL is longer than 200 characters. Exploitation through the HtmlAdaptor
  places the payload in the query string, so these requests are unusually long.
  HEAD is included alongside GET because the jmx-console security constraint
  historically covered only GET and POST, so other verbs reached the handler
  without authentication (CVE-2010-0738).
data_source: []
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
  as lastTime from datamodel=Web where (Web.http_method="GET" OR Web.http_method="HEAD")
  by Web.http_method, Web.url, Web.url_length, Web.src, Web.dest | search Web.url="*jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin*import*"
  AND Web.url_length > 200 | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)` | table src, dest, http_method, url, url_length, firstTime,
  lastTime | `detect_malicious_requests_to_exploit_jboss_servers_filter`'
how_to_implement: You must ingest web server logs, or capture network data that
  contains web-specific information with a solution such as Bro or Splunk Stream,
  and populate the Web data model, including the url_length field this search
  relies on.
known_false_positives: Authorized vulnerability scans and penetration tests that
  probe the jmx-console will match this search; exclude them through the
  detect_malicious_requests_to_exploit_jboss_servers_filter macro.
references: []
tags:
  analytic_story:
  - JBoss Vulnerability
  - SamSam Ransomware
  asset_type: Web Server
  confidence: 50
  impact: 50
  message: Request matching a JBoss jmx-console exploitation pattern from $src$ to $dest$
  observable:
  - name: dest
    type: Hostname
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - Web.http_method
  - Web.url
  - Web.url_length
  - Web.src
  - Web.dest
  risk_score: 25
  security_domain: network
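The search above, re-implemented in Python over a handful of constructed Apache access log lines so the filter and aggregation can be run without Splunk. This is an added example, not code from the Splunk security content project; the vhost_combined log format, the host names, addresses and user agents, and the filler query string in the sample requests are assumptions made for the example. It translates the search's wildcard with Splunk semantics (only * is a wildcard, ? and & are literal), applies the GET/HEAD, URL-pattern and url_length > 200 conditions, and aggregates count, firstTime and lastTime per (http_method, url, src, dest). The sample traffic includes a repeated GET, a HEAD that is reported, a POST and a short reconnaissance probe that are not, and a long but unrelated URL.

```python
import re
from collections import defaultdict
from datetime import datetime

# Filter terms taken from the search above. Splunk's `search` command treats
# only '*' as a wildcard; '?' and '&' are literal, so the pattern is translated
# by hand rather than given to fnmatch (where '?' would match any character).
URL_PATTERN = "*jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin*import*"
URL_LENGTH_THRESHOLD = 200      # Web.url_length > 200
HTTP_METHODS = {"GET", "HEAD"}  # Web.http_method="GET" OR Web.http_method="HEAD"


def splunk_wildcard_to_regex(pattern):
    """Translate a Splunk '*'-wildcard string into an anchored regex."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


URL_RE = splunk_wildcard_to_regex(URL_PATTERN)

# Apache "vhost_combined" format (an assumption for this example):
#   %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
# The virtual host stands in for Web.dest and the client address for Web.src.
LOG_RE = re.compile(
    r'^(?P<dest>[^:\s]+):\d+ (?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" \d{3} \S+'
)


def parse_access_log_line(line):
    """Map one access log line onto the Web data model fields the search uses."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "_time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "http_method": m["method"],
        "url": m["url"],
        "url_length": len(m["url"]),  # Web.url_length
        "src": m["src"],
        "dest": m["dest"],
    }


def is_jboss_exploit_request(event):
    """The search's where/search clauses: method, URL wildcard, URL length."""
    return (
        event["http_method"] in HTTP_METHODS
        and URL_RE.match(event["url"]) is not None
        and event["url_length"] > URL_LENGTH_THRESHOLD
    )


def detect_jboss_exploit_requests(lines):
    """Equivalent of the tstats aggregation: count, firstTime and lastTime per
    (http_method, url, src, dest) for events that pass the filter."""
    groups = defaultdict(list)
    for line in lines:
        event = parse_access_log_line(line)
        if event is not None and is_jboss_exploit_request(event):
            key = (event["http_method"], event["url"], event["src"], event["dest"])
            groups[key].append(event["_time"])
    return [
        {"http_method": k[0], "url": k[1], "url_length": len(k[1]), "src": k[2],
         "dest": k[3], "count": len(ts), "firstTime": min(ts), "lastTime": max(ts)}
        for k, ts in sorted(groups.items())
    ]


# Constructed sample traffic, not real captures. The 100-character arg1 value is
# filler standing in for an embedded payload; only its length matters here.
FILLER = "&argType=java.lang.String&arg1=" + "x" * 100 + "&argType=boolean&arg2=true"
EXPLOIT_URL = ("/jmx-console/HtmlAdaptor?action=invokeOpByName"
               "&name=jboss.admin:service=DeploymentFileRepository"
               "&methodName=store&argType=java.lang.String&arg0=import" + FILLER)
SHORT_PROBE_URL = ("/jmx-console/HtmlAdaptor?action=invokeOpByName"
                   "&name=jboss.admin:service=DeploymentFileRepository&methodName=import")
BENIGN_LONG_URL = "/app/search?q=" + "a" * 250
SAMPLE_LOG = [
    f'jboss01.example.test:8080 203.0.113.10 - - [23/Sep/2017:10:01:05 +0000] "GET {EXPLOIT_URL} HTTP/1.1" 200 512 "-" "python-requests/2.18.4"',
    f'jboss01.example.test:8080 203.0.113.10 - - [23/Sep/2017:10:01:07 +0000] "GET {EXPLOIT_URL} HTTP/1.1" 200 512 "-" "python-requests/2.18.4"',
    # HEAD is reported too: the search includes it alongside GET.
    f'jboss01.example.test:8080 198.51.100.7 - - [23/Sep/2017:10:03:41 +0000] "HEAD {EXPLOIT_URL} HTTP/1.1" 200 0 "-" "curl/7.55.1"',
    # Same URL over POST: outside the search's method filter, so not reported.
    f'jboss01.example.test:8080 198.51.100.7 - - [23/Sep/2017:10:03:42 +0000] "POST {EXPLOIT_URL} HTTP/1.1" 200 0 "-" "curl/7.55.1"',
    # Matches the wildcard but is under 200 characters: dropped by the url_length test.
    f'jboss01.example.test:8080 192.0.2.9 - - [23/Sep/2017:10:05:00 +0000] "GET {SHORT_PROBE_URL} HTTP/1.1" 401 0 "-" "curl/7.55.1"',
    # Long but unrelated URL: the wildcard does not match.
    f'www.example.test:443 192.0.2.9 - - [23/Sep/2017:10:06:00 +0000] "GET {BENIGN_LONG_URL} HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in detect_jboss_exploit_requests(SAMPLE_LOG):
        print(hit["src"], "->", hit["dest"], hit["http_method"], "count:", hit["count"],
              "url_length:", hit["url_length"], hit["firstTime"], hit["lastTime"])
```

Run stand-alone, the block reports two rows: the repeated GET from 203.0.113.10 (count 2, with distinct firstTime and lastTime) and the single HEAD from 198.51.100.7. The short probe shows what the length threshold costs: a reconnaissance request against the same MBean that stays under 200 characters is not reported, so the search is tuned for exploitation attempts carrying a payload in the URL rather than every touch of the jmx-console.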