web_jsp_request_via_url.yml
name: Web JSP Request via URL
id: 2850c734-2d44-4431-8139-1a56f6f54c01
version: 1
date: '2022-04-05'
author: Michael Haag, Splunk
status: production
type: TTP
description: The following analytic identifies the URL request pattern used by recent
  exploitation of CVE-2022-22965 (Spring4Shell) to reach a web shell on the remote web
  server. The JSP filename and the cmd parameter are arbitrary in this exploitation. Java
  writes a JSP to disk, and a process is then spawned from Java based on the cmd value
  passed in the request. This is indicative of typical web shell activity.
data_source:
- Nginx Access
search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web
  where Web.http_method IN ("GET") Web.url IN ("*.jsp?cmd=*","*j&cmd=*") by Web.http_user_agent,
  Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype
  | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)` | `web_jsp_request_via_url_filter`'
how_to_implement: To successfully implement this search you need to be ingesting web
  traffic logs whose fields are mapped into the `Web` datamodel (http_method, url,
  url_length, src, dest and http_user_agent at minimum).
known_false_positives: False positives may be present with legitimate applications.
  Attempt to filter by dest IP or use Asset groups to restrict to servers.
references:
- https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/
- https://github.com/TheGejr/SpringShell
- https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability
tags:
  analytic_story:
  - Spring4Shell CVE-2022-22965
  asset_type: Web Server
  confidence: 80
  cve:
  - CVE-2022-22965
  impact: 90
  message: A suspicious URL has been requested against $dest$ by $src$, related to
    web shell activity.
  mitre_attack_id:
  - T1505.003
  - T1505
  - T1190
  - T1133
  observable:
  - name: dest
    type: Hostname
    role:
    - Victim
  - name: src
    type: IP Address
    role:
    - Attacker
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - Web.http_method
  - Web.url
  - Web.url_length
  - Web.src
  - Web.dest
  - Web.http_user_agent
  risk_score: 72
  security_domain: network
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/spring4shell_nginx.log
    source: /var/log/nginx/access.log
    sourcetype: nginx:plus:kv
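To check what the search's URL filter and aggregation actually catch before relying on the detection, here is an added Python example (not part of this detection or of Splunk's security content) that emulates the where clause and the tstats grouping over constructed nginx access log lines. It assumes Splunk-style patterns where only `*` is a wildcard and matching is case-insensitive; `glob_to_regex`, `parse_line`, `is_suspicious` and `detect` are the example's own names.

```python
import re
from collections import defaultdict
from datetime import datetime

# The two Web.url globs from the detection. Only '*' is treated as a wildcard (assumed
# semantics); '?' and '&' are literal, so fnmatch (where '?' matches one character) is avoided.
URL_PATTERNS = ("*.jsp?cmd=*", "*j&cmd=*")
def glob_to_regex(pattern):
    """Anchored, case-insensitive regex for a '*'-only wildcard pattern."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$", re.I)
URL_REGEXES = [glob_to_regex(p) for p in URL_PATTERNS]

# nginx "combined" access log line: src, timestamp, request line, status, bytes, referer, user agent.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields the detection needs (src, time, method, url, ua), or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["time"], "%d/%b/%Y:%H:%M:%S %z")
    return ev

def is_suspicious(ev):
    """The search's where clause: http_method is GET and url matches either glob."""
    return ev["method"] == "GET" and any(r.match(ev["url"]) for r in URL_REGEXES)

def detect(log_text):
    """Emulate the tstats aggregation: count, firstTime, lastTime per (user_agent, method, url, src)."""
    hits = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not is_suspicious(ev):
            continue
        h = hits[(ev["ua"], ev["method"], ev["url"], ev["src"])]
        h["count"] += 1
        h["firstTime"] = min(filter(None, (h["firstTime"], ev["time"])))
        h["lastTime"] = max(filter(None, (h["lastTime"], ev["time"])))
    return dict(hits)
# Constructed sample lines (not from the page's attack_data set); the POST line must not match.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Apr/2022:10:01:22 +0000] "GET /hello.jsp?cmd=whoami HTTP/1.1" 200 84 "-" "curl/7.79.1"
203.0.113.5 - - [05/Apr/2022:10:01:30 +0000] "GET /hello.jsp?cmd=whoami HTTP/1.1" 200 84 "-" "curl/7.79.1"
203.0.113.5 - - [05/Apr/2022:10:01:45 +0000] "GET /x.jsp?a=j&cmd=id HTTP/1.1" 200 61 "-" "curl/7.79.1"
198.51.100.7 - - [05/Apr/2022:10:02:01 +0000] "GET /app/index.jsp?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Apr/2022:10:02:05 +0000] "POST /app/run.jsp?cmd=submit HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
```

Running `detect(SAMPLE_LOG)` yields two groups: the repeated `.jsp?cmd=` request (count 2) and the single `j&cmd=` request, while the benign JSP page view and the POST with a cmd parameter are left out, mirroring the `http_method IN ("GET")` restriction in the search.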