[Rule Tuning] Suspicious JAR Child Process (#1657)

* [Rule Tuning] Suspicious JAR Child Process
Expand rule coverage by removing the requirement that process.args contain a jar file, which may also help detect exploitation attempts via command injection vulnerabilities on server apps running Java.
* Update rules/cross-platform/execution_suspicious_jar_child_process.toml
Samirbous
2021-12-11 02:04:35 +01:00
committed by GitHub
parent d4e06beee6
commit 410d4e5929
@@ -1,19 +1,24 @@
[metadata]
creation_date = "2021/01/19"
maturity = "production"
updated_date = "2021/08/03"
updated_date = "2021/12/10"
[rule]
author = ["Elastic"]
description = """
Identifies suspicious child processes of a Java Archive (JAR) file. JAR files may be used to deliver malware in order to
evade detection.
Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious
JAR file or an exploitation attempt via a JAVA specific vulnerability.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious JAR Child Process"
name = "Suspicious JAVA Child Process"
references = [
"https://www.lunasec.io/docs/blog/log4j-zero-day/",
"https://github.com/christophetd/log4shell-vulnerable-app",
"https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf",
]
risk_score = 47
rule_id = "8acb7614-1d92-4359-bfcf-478b6d9de150"
severity = "medium"
@@ -24,11 +29,7 @@ type = "eql"
query = '''
process where event.type in ("start", "process_started") and
process.parent.name : "java" and
process.name : ("sh", "bash", "dash", "ksh", "tcsh", "zsh", "curl", "wget") and
process.args : "-jar" and process.args : "*.jar" and
/* Add any FP's here */
not process.executable : ("/Users/*/.sdkman/*", "/Library/Java/JavaVirtualMachines/*") and
not process.args : ("/usr/local/*", "/Users/*/github.com/*", "/Users/*/src/*")
process.name : ("sh", "bash", "dash", "ksh", "tcsh", "zsh", "curl", "wget")
'''