Nasreddine Bencherchali
598d29f811
chore: change tags, date, modified fields to comply with v2 of the Sigma spec. chore: update the related type from `obsoletes` to `obsolete`. chore: update local json schema to the latest version.
42 lines
1.4 KiB
YAML
42 lines
1.4 KiB
YAML
title: JNDIExploit Pattern
|
|
id: 412d55bc-7737-4d25-9542-5b396867ce55
|
|
status: test
|
|
description: Detects exploitation attempt using the JNDI-Exploit-Kit
|
|
references:
|
|
- https://github.com/pimps/JNDI-Exploit-Kit
|
|
- https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit
|
|
author: Florian Roth (Nextron Systems)
|
|
date: 2021-12-12
|
|
modified: 2022-12-25
|
|
tags:
|
|
- attack.initial-access
|
|
- attack.t1190
|
|
logsource:
|
|
category: webserver
|
|
detection:
|
|
keywords:
|
|
- '/Basic/Command/Base64/'
|
|
- '/Basic/ReverseShell/'
|
|
- '/Basic/TomcatMemshell'
|
|
- '/Basic/JettyMemshell'
|
|
- '/Basic/WeblogicMemshell'
|
|
- '/Basic/JBossMemshell'
|
|
- '/Basic/WebsphereMemshell'
|
|
- '/Basic/SpringMemshell'
|
|
- '/Deserialization/URLDNS/'
|
|
- '/Deserialization/CommonsCollections1/Dnslog/'
|
|
- '/Deserialization/CommonsCollections2/Command/Base64/'
|
|
- '/Deserialization/CommonsBeanutils1/ReverseShell/'
|
|
- '/Deserialization/Jre8u20/TomcatMemshell'
|
|
- '/TomcatBypass/Dnslog/'
|
|
- '/TomcatBypass/Command/'
|
|
- '/TomcatBypass/ReverseShell/'
|
|
- '/TomcatBypass/TomcatMemshell'
|
|
- '/TomcatBypass/SpringMemshell'
|
|
- '/GroovyBypass/Command/'
|
|
- '/WebsphereBypass/Upload/'
|
|
condition: keywords
|
|
falsepositives:
|
|
- Legitimate apps the use these paths
|
|
level: high
|