Tessa Georgen
60b8e9b70f
- update: update MITRE tags for multiple rules --------- Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
42 lines
1.3 KiB
YAML
42 lines
1.3 KiB
YAML
title: JNDIExploit Pattern
|
|
id: 412d55bc-7737-4d25-9542-5b396867ce55
|
|
status: test
|
|
description: Detects exploitation attempt using the JNDI-Exploit-Kit
|
|
references:
|
|
- https://github.com/pimps/JNDI-Exploit-Kit
|
|
- https://githubmemory.com/repo/FunctFan/JNDIExploit
|
|
author: Florian Roth (Nextron Systems)
|
|
date: 2021/12/12
|
|
modified: 2022/12/25
|
|
tags:
|
|
- attack.initial_access
|
|
- attack.t1190
|
|
logsource:
|
|
category: webserver
|
|
detection:
|
|
keywords:
|
|
- '/Basic/Command/Base64/'
|
|
- '/Basic/ReverseShell/'
|
|
- '/Basic/TomcatMemshell'
|
|
- '/Basic/JettyMemshell'
|
|
- '/Basic/WeblogicMemshell'
|
|
- '/Basic/JBossMemshell'
|
|
- '/Basic/WebsphereMemshell'
|
|
- '/Basic/SpringMemshell'
|
|
- '/Deserialization/URLDNS/'
|
|
- '/Deserialization/CommonsCollections1/Dnslog/'
|
|
- '/Deserialization/CommonsCollections2/Command/Base64/'
|
|
- '/Deserialization/CommonsBeanutils1/ReverseShell/'
|
|
- '/Deserialization/Jre8u20/TomcatMemshell'
|
|
- '/TomcatBypass/Dnslog/'
|
|
- '/TomcatBypass/Command/'
|
|
- '/TomcatBypass/ReverseShell/'
|
|
- '/TomcatBypass/TomcatMemshell'
|
|
- '/TomcatBypass/SpringMemshell'
|
|
- '/GroovyBypass/Command/'
|
|
- '/WebsphereBypass/Upload/'
|
|
condition: keywords
|
|
falsepositives:
|
|
- Legitimate apps the use these paths
|
|
level: high
|