From 8da1502e5d93f0139da2a1304ab9291286438a32 Mon Sep 17 00:00:00 2001
From: Martin
Date: Thu, 11 Aug 2022 13:20:40 +0200
Subject: [PATCH 1/2] Update proc_creation_win_vul_java_remote_debugging.yml

For Java Running with Remote Debugging, add filtering to vulnerable jvm versions. Later jvm versions limit remote debugging access to localhost by default.
---
 ...creation_win_vul_java_remote_debugging.yml | 24 +++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml b/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml
index aacaaae88..c37d909a3 100644
--- a/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml
+++ b/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml
@@ -3,18 +3,38 @@ id: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710
 status: test
 description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect
 author: Florian Roth
+references:
+    - https://dzone.com/articles/remote-debugging-java-applications-with-jdwp
 date: 2019/01/16
 modified: 2021/11/27
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
+    selection_jdwp_transport:
         CommandLine|contains: 'transport=dt_socket,address='
+    selection_old_jvm_version:
+        CommandLine|contains:
+            - jre1.8
+            - jre1.7
+            - jre1.6
+            - jre1.5
+            - jre1.4
+            - jre1.3
+            - jre1.2
+            - jre1.1
+            - jdk1.8
+            - jdk1.7
+            - jdk1.6
+            - jdk1.5
+            - jdk1.4
+            - jdk1.3
+            - jdk1.2
+            - jdk1.1
     exclusion:
         - CommandLine|contains: 'address=127.0.0.1'
         - CommandLine|contains: 'address=localhost'
-    condition: selection and not exclusion
+    condition: all of selection* and not exclusion
 fields:
     - CommandLine
     - ParentCommandLine

From 41d79d4d1be93d1a62ada42eef2d1a8b91182738 Mon Sep 17 00:00:00 2001
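Review bot: Requiring `selection_old_jvm_version` for every match drops coverage of the very case the rule is named for on JDK 9 and later: a JVM started with `address=*:5005` or `address=0.0.0.0:5005` is still bound to all interfaces there, yet the new `condition: all of selection* and not exclusion` also needs a `jre1.`/`jdk1.` path fragment on the command line, so such a process no longer alerts. If I read the JDK 9 JDWP change correctly, only a bare port number started defaulting to localhost, so an explicit wildcard address is exactly the configuration worth keeping, and it should be OR'd with the version gate (the asterisk is escaped below because `*` is a Sigma wildcard). The context line `modified: 2021/11/27` is also left untouched although the detection logic changed; Sigma convention is to bump it to the change date, e.g. `modified: 2022/08/11`.
```yaml
    selection_old_jvm_version:
        CommandLine|contains:
            # … unchanged: jre1.x / jdk1.x version list …
    selection_any_interface:
        CommandLine|contains:
            - 'address=\*:'
            - 'address=0.0.0.0:'
    # … unchanged: exclusion …
    condition: selection_jdwp_transport and (selection_old_jvm_version or selection_any_interface) and not exclusion
```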
From: Martin
Date: Thu, 11 Aug 2022 13:29:15 +0200
Subject: [PATCH 2/2] Update proc_creation_win_vul_java_remote_debugging.yml

simplified rule
---
 ..._creation_win_vul_java_remote_debugging.yml | 18 ++----------------
 1 file changed, 2 insertions(+), 16 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml b/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml
index c37d909a3..fb22b7b7d 100644
--- a/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml
+++ b/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml
@@ -15,22 +15,8 @@ detection:
         CommandLine|contains: 'transport=dt_socket,address='
     selection_old_jvm_version:
         CommandLine|contains:
-            - jre1.8
-            - jre1.7
-            - jre1.6
-            - jre1.5
-            - jre1.4
-            - jre1.3
-            - jre1.2
-            - jre1.1
-            - jdk1.8
-            - jdk1.7
-            - jdk1.6
-            - jdk1.5
-            - jdk1.4
-            - jdk1.3
-            - jdk1.2
-            - jdk1.1
+            - jre1.
+            - jdk1.
     exclusion:
         - CommandLine|contains: 'address=127.0.0.1'
         - CommandLine|contains: 'address=localhost'
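Review bot: The version gate still keys off `CommandLine|contains` for `jre1.`/`jdk1.`, which only works when the install directory appears in the command line; `java` or `javaw` launched by bare name through PATH (the common case for services and shortcuts) carries no version string, so an old JVM with an open JDWP port is silently missed. Sigma's process_creation `Image` field holds the resolved executable path and is the better place for this fragment: I would change the selection to `Image|contains:` with `- '\jre1.'` and `- '\jdk1.'`, where the leading backslash also stops the shortened fragments from matching an unrelated `...jdk1.` substring elsewhere. Bundled runtimes shipped under a vendor directory with no version in the path would still slip through, so a comment to that effect above `selection_old_jvm_version` would save the next maintainer a surprise. The `condition:` line that combines these selections sits below this hunk.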