blue-team-tools/rules-threat-hunting/web/proxy_generic/proxy_susp_class_extension_request.yml
Nasreddine Bencherchali 598d29f811 Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
2024-08-12 12:02:50 +02:00


title: .Class Extension URI Ending Request
id: 53c15703-b04c-42bb-9055-1937ddfb3392
status: test
description: |
    Detects requests to URIs ending with the ".class" extension in proxy logs.
    This rule can be used to hunt for potential downloads of Java classes as seen for example in Log4shell exploitation attacks against Log4j.
references:
    - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
author: Andreas Hunkeler (@Karneades)
date: 2021-12-21
modified: 2024-02-26
tags:
    - attack.initial-access
    - detection.threat-hunting
logsource:
    category: proxy
detection:
    selection:
        c-uri|endswith: '.class'
    condition: selection
falsepositives:
    - Unknown
level: medium
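The selection above is a single `endswith` test on the `c-uri` field. The following added example (not part of the rule file or the Sigma project) applies that logic to a few constructed proxy log lines, using an assumed space-separated line format and the Sigma convention that string modifiers such as `endswith` compare case-insensitively unless `cased` is added. It also includes an assumed extension, `hunt_class_paths`, which tests the URL path instead of the full URI, so a hunter can see that a `.class` request carrying a query string is not selected by the rule as written.

```python
"""Apply the '.class' URI-ending hunt rule to constructed proxy log lines."""
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not from the page). The line format is
# assumed for this example: "<timestamp> <c-ip> <cs-method> <c-uri> <sc-status>"
SAMPLE_PROXY_LOG = """\
2021-12-21T10:00:01Z 10.0.0.5 GET http://203.0.113.10:8080/Hello.class 200
2021-12-21T10:00:02Z 10.0.0.5 GET http://203.0.113.10:8080/static/app.js 200
2021-12-21T10:00:03Z 10.0.0.7 GET http://203.0.113.10:8080/Payload.CLASS 200
2021-12-21T10:00:04Z 10.0.0.9 GET http://203.0.113.10:8080/Loader.class?v=3 200
2021-12-21T10:00:05Z 10.0.0.9 GET http://example.test/classes/index.html 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<c_ip>\S+) (?P<method>\S+) (?P<c_uri>\S+) (?P<status>\d{3})$"
)


def parse_proxy_log(text):
    """Parse log lines into dicts keyed by Sigma proxy field names (c-uri, c-ip, ...)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        events.append({
            "@timestamp": m["ts"],
            "c-ip": m["c_ip"],
            "cs-method": m["method"],
            "c-uri": m["c_uri"],
            "sc-status": m["status"],
        })
    return events


def selection_matches(event):
    """Sigma `c-uri|endswith: '.class'`; the comparison is case-insensitive
    because no `cased` modifier is present, hence the lower()."""
    return event.get("c-uri", "").lower().endswith(".class")


def hunt_class_requests(text):
    """Return the c-uri of every event selected by the rule's condition."""
    return [e["c-uri"] for e in parse_proxy_log(text) if selection_matches(e)]


def hunt_class_paths(text):
    """Assumed extension (not part of the rule): test the URL path component so
    that a '.class' request followed by a query string is surfaced as well."""
    return [
        e["c-uri"] for e in parse_proxy_log(text)
        if urlsplit(e["c-uri"]).path.lower().endswith(".class")
    ]


if __name__ == "__main__":
    for uri in hunt_class_requests(SAMPLE_PROXY_LOG):
        print("rule match:", uri)
    for uri in hunt_class_paths(SAMPLE_PROXY_LOG):
        print("path match:", uri)
```

Run against the constructed lines, the rule selects the `Hello.class` and `Payload.CLASS` requests (the second only because of the case-insensitive comparison) and skips `Loader.class?v=3`; the path-based variant additionally returns that third request, which is the coverage difference a hunter should keep in mind when triaging proxy data with this rule.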