-
Notifications
You must be signed in to change notification settings - Fork 392
/
Copy pathspring4shell_payload_url_request.yml
74 lines (74 loc) · 3.33 KB
/
spring4shell_payload_url_request.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
name: Spring4Shell Payload URL Request
id: 9d44d649-7d67-4559-95c1-8022ff49420b
version: 5
date: '2025-02-10'
author: Michael Haag, Splunk
status: production
type: TTP
description: The following analytic detects attempts to exploit the Spring4Shell vulnerability
(CVE-2022-22963) by identifying specific URL patterns associated with web shell
payloads. It leverages web traffic data, focusing on HTTP GET requests with URLs
containing indicators like "tomcatwar.jsp," "poc.jsp," and "shell.jsp." This activity
is significant as it suggests an attacker is trying to deploy a web shell, which
can lead to remote code execution. If confirmed malicious, this could allow the
attacker to gain persistent access, execute arbitrary commands, and potentially
escalate privileges within the compromised environment.
data_source:
- Nginx Access
search: '| tstats count from datamodel=Web where Web.http_method IN ("GET") Web.url
IN ("*tomcatwar.jsp*","*poc.jsp*","*shell.jsp*") by Web.http_user_agent Web.http_method,
Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spring4shell_payload_url_request_filter`'
how_to_implement: To successfully implement this search you need to be ingesting information
on Web traffic that include fields relavent for traffic into the `Web` datamodel.
known_false_positives: The jsp file names are static names used in current proof of
concept code. =
references:
- https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/
- https://github.com/TheGejr/SpringShell
- https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability
drilldown_searches:
- name: View the detection results for - "$dest$"
search: '%original_detection_search% | search dest = "$dest$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: A URL was requested related to Spring4Shell POC code on $dest$ by $src$.
risk_objects:
- field: dest
type: system
score: 36
threat_objects:
- field: src
type: ip_address
tags:
analytic_story:
- Spring4Shell CVE-2022-22965
asset_type: Web Server
cve:
- CVE-2022-22965
mitre_attack_id:
- T1133
- T1190
- T1505.003
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: network
tests:
- name: True Positive Test
attack_data:
- data:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/spring4shell_nginx.log
source: /var/log/nginx/access.log
sourcetype: nginx:plus:kv