Florian Roth
38 lines
1.2 KiB
YAML
38 lines
1.2 KiB
YAML
title: JNDIExploit Pattern
|
|
id: 412d55bc-7737-4d25-9542-5b396867ce55
|
|
status: experimental
|
|
description: Detects exploitation attempt using the JDNIExploiit Kit
|
|
author: Florian Roth
|
|
date: 2021/12/12
|
|
references:
|
|
- https://github.com/pimps/JNDI-Exploit-Kit
|
|
- https://githubmemory.com/repo/FunctFan/JNDIExploit
|
|
logsource:
|
|
category: webserver
|
|
detection:
|
|
keywords:
|
|
- '/Basic/Command/Base64/'
|
|
- '/Basic/ReverseShell/'
|
|
- '/Basic/TomcatMemshell'
|
|
- '/Basic/JettyMemshell'
|
|
- '/Basic/WeblogicMemshell'
|
|
- '/Basic/JBossMemshell'
|
|
- '/Basic/WebsphereMemshell'
|
|
- '/Basic/SpringMemshell'
|
|
- '/Deserialization/URLDNS/'
|
|
- '/Deserialization/CommonsCollections1/Dnslog/'
|
|
- '/Deserialization/CommonsCollections2/Command/Base64/'
|
|
- '/Deserialization/CommonsBeanutils1/ReverseShell/'
|
|
- '/Deserialization/Jre8u20/TomcatMemshell'
|
|
- '/TomcatBypass/Dnslog/'
|
|
- '/TomcatBypass/Command/'
|
|
- '/TomcatBypass/ReverseShell/'
|
|
- '/TomcatBypass/TomcatMemshell'
|
|
- '/TomcatBypass/SpringMemshell'
|
|
- '/GroovyBypass/Command/'
|
|
- '/WebsphereBypass/Upload/'
|
|
condition: keywords
|
|
falsepositives:
|
|
- Legitimate apps the use these paths
|
|
level: high
|