From a27457715bae05c8a6cf23f46cb671fd506cfff6 Mon Sep 17 00:00:00 2001
From: cyb3rjy0t
Date: Mon, 16 Jan 2023 14:34:41 -0500
Subject: [PATCH] CVE-2022-82889
---
.../web_cve_2022_42889_text4shell_exploit.yml | 27 +++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 rules/web/web_cve_2022_42889_text4shell_exploit.yml
diff --git a/rules/web/web_cve_2022_42889_text4shell_exploit.yml b/rules/web/web_cve_2022_42889_text4shell_exploit.yml
new file mode 100644
index 000000000..8f0f38e29
--- /dev/null
+++ b/rules/web/web_cve_2022_42889_text4shell_exploit.yml
@@ -0,0 +1,27 @@
+title: Text4Shell Exploit CVE-2022-42889
+id: 85d466b0-d74c-4514-84d3-2bdd3327588b
+status: experimental
+description: Detects exploitation attempts for Apache Common Text Library
+references:
+ - https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035
+author: Harjot Singh, "@cyb3rjy0t"
+date: 2023/01/16
+tags:
+ - attack.t1190
+ - attack.initial_access
+ - cve.2022.42889
+logsource:
+ category: webserver
+detection:
+ selection1:
+ cs-uri-query|contains|all:
+ - 'getRuntime%28%29'
+ - 'exec%28'
+ selection2:
+ cs-uri-query|contains|all:
+ - 'getRuntime()'
+ - 'exec('
+ condition: selection1 OR selection2
+falsepositives:
+ - Unknown
+level: high
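Review bot: `selection1` and `selection2` each require both tokens in the same encoding, so a query string carrying one token literally and the other percent-encoded matches neither; grouping the selections by token instead of by encoding and using `condition: all of selection_*` closes that gap. The rule keys only on the Java payload in `cs-uri-query`, not on the Commons Text interpolation itself, so it will presumably also fire on unrelated Java-injection probes and cannot see payloads carried in a request body or header; `falsepositives: Unknown` and the title should say so. The commit subject names CVE-2022-82889 while the file name, title and tag all say CVE-2022-42889, and the description should read "Apache Commons Text".

```yaml
# … unchanged: title, id, status, description, references, author, date, tags, logsource …
detection:
    selection_runtime:
        cs-uri-query|contains:
            - 'getRuntime()'
            - 'getRuntime%28%29'
    selection_exec:
        cs-uri-query|contains:
            - 'exec('
            - 'exec%28'
    condition: all of selection_*
# … unchanged: falsepositives, level …
```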