CVE-2022-82889

rules/web/web_cve_2022_42889_text4shell_exploit.yml

@@ -0,0 +1,27 @@
+title: Text4Shell Exploit CVE-2022-42889
+id: 85d466b0-d74c-4514-84d3-2bdd3327588b
+status: experimental
+description: Detects exploitation attempts for Apache Common Text Library
+references:
+    - https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035
+author: Harjot Singh, "@cyb3rjy0t"
+date: 2023/01/16
+tags:
+    - attack.t1190
+    - attack.initial_access
+    - cve.2022.42889
+logsource:
+    category: webserver
+detection:
+    selection1:
+        cs-uri-query|contains|all:
+            - 'getRuntime%28%29'
+            - 'exec%28'
+    selection2:
+        cs-uri-query|contains|all: 
+            - 'getRuntime()'
+            - 'exec('  
+    condition: selection1 OR selection2
+falsepositives:
+    - Unknown
+level: high