-
Notifications
You must be signed in to change notification settings - Fork 391
/
Copy pathdetect_malicious_requests_to_exploit_jboss_servers.yml
44 lines (44 loc) · 2.02 KB
/
detect_malicious_requests_to_exploit_jboss_servers.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
name: Detect malicious requests to exploit JBoss servers
id: c8bff7a4-11ea-4416-a27d-c5bca472913d
version: 4
date: '2024-11-15'
author: Bhavin Patel, Splunk
status: experimental
type: TTP
description: The following analytic identifies malicious HTTP requests targeting the
jmx-console in JBoss servers. It detects unusually long URLs, indicative of embedded
payloads, by analyzing web server logs for GET or HEAD requests with specific URL
patterns and lengths. This activity is significant as it may indicate an attempt
to exploit JBoss vulnerabilities, potentially leading to unauthorized remote code
execution. If confirmed malicious, attackers could gain control over the server,
escalate privileges, and compromise sensitive data, posing a severe threat to the
organization's security.
data_source: []
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Web where (Web.http_method="GET" OR Web.http_method="HEAD")
by Web.http_method, Web.url,Web.url_length Web.src, Web.dest | search Web.url="*jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin*import*"
AND Web.url_length > 200 | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | table src, dest_ip, http_method, url, firstTime,
lastTime | `detect_malicious_requests_to_exploit_jboss_servers_filter`'
how_to_implement: You must ingest data from the web server or capture network data
that contains web specific information with solutions such as Bro or Splunk Stream,
and populating the Web data model
known_false_positives: No known false positives for this detection.
references: []
rba:
message: Potentially malicious traffic exploiting JBoss servers
risk_objects:
- field: dest_ip
type: system
score: 25
threat_objects: []
tags:
analytic_story:
- JBoss Vulnerability
- SamSam Ransomware
asset_type: Web Server
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: network