/
spring4shell_payload_url_request.yml
69 lines (69 loc) · 2.45 KB
/
spring4shell_payload_url_request.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
name: Spring4Shell Payload URL Request
id: 9d44d649-7d67-4559-95c1-8022ff49420b
version: 1
date: '2022-07-12'
author: Michael Haag, Splunk
status: production
type: TTP
description: The following analytic is static indicators related to CVE-2022-22963,
Spring4Shell. The 3 indicators provide an amount of fidelity that source IP is attemping
to exploit a web shell on the destination. The filename and cmd are arbitrary in
this exploitation. Java will write a JSP to disk and a process will spawn from Java
based on the cmd passed. This is indicative of typical web shell activity.
data_source:
- Nginx Access
search: '| tstats count from datamodel=Web where Web.http_method IN ("GET") Web.url
IN ("*tomcatwar.jsp*","*poc.jsp*","*shell.jsp*") by Web.http_user_agent Web.http_method,
Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spring4shell_payload_url_request_filter`'
how_to_implement: To successfully implement this search you need to be ingesting information
on Web traffic that include fields relavent for traffic into the `Web` datamodel.
known_false_positives: The jsp file names are static names used in current proof of
concept code. =
references:
- https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/
- https://github.com/TheGejr/SpringShell
- https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability
tags:
analytic_story:
- Spring4Shell CVE-2022-22965
asset_type: Web Server
confidence: 60
cve:
- CVE-2022-22965
impact: 60
message: A URL was requested related to Spring4Shell POC code on $dest$ by $src$.
mitre_attack_id:
- T1505.003
- T1505
- T1190
- T1133
observable:
- name: dest
type: IP Address
role:
- Victim
- name: src
type: IP Address
role:
- Attacker
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Web.http_method
- Web.url
- Web.url_length
- Web.src
- Web.dest
- Web.http_user_agent
risk_score: 36
security_domain: network
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/spring4shell_nginx.log
source: /var/log/nginx/access.log
sourcetype: nginx:plus:kv