security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8f8ce06ffb8d8fd3433dbffebccd33ec9d23e51a
blue-team-tools/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml
T
github-actions[bot] c3fe2da997 chore: promote older rules status from experimental to test (#4651) 
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-01-01 09:00:51 +01:00

25 lines
872 B
YAML
Raw Blame History

title: Potential JNDI Injection Exploitation In JVM Based Application
id: bb0e9cec-d4da-46f5-997f-22efc59f3dca
status: test
description: Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.
references:
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
- https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0
author: Moti Harmats
date: 2023/02/11
tags:
- attack.initial_access
- attack.t1190
logsource:
category: application
product: jvm
definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
keywords:
- 'com.sun.jndi.ldap.'
- 'org.apache.logging.log4j.core.net.JndiManager'
condition: keywords
falsepositives:
- Application bugs
level: high
Reference in New Issue View Git Blame Copy Permalink