Potential JAVA/JNDI Exploitation Attempt
Identifies an outbound network connection by JAVA to LDAP, RMI or DNS standard ports followed by a suspicious JAVA child process. This may indicate an attempt to exploit a JAVA/JNDI (Java Naming and Directory Interface) injection vulnerability.
Elastic rule
[metadata]
creation_date = "2021/12/10"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies an outbound network connection by JAVA to LDAP, RMI or DNS standard ports followed by a suspicious JAVA child
process. This may indicate an attempt to exploit a JAVA/JNDI (Java Naming and Directory Interface) injection
vulnerability.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential JAVA/JNDI Exploitation Attempt"
references = [
  "https://www.lunasec.io/docs/blog/log4j-zero-day/",
  "https://github.com/christophetd/log4shell-vulnerable-app",
  "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf",
  "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security",
  "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046",
]
risk_score = 73
rule_id = "c3f5e1d8-910e-43b4-8d44-d748e498ca86"
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Linux",
  "OS: macOS",
  "Use Case: Threat Detection",
  "Tactic: Execution",
  "Use Case: Vulnerability",
  "Data Source: Elastic Defend",
  "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence by host.id with maxspan=1m
  [network where event.action == "connection_attempted" and
   process.name : "java" and
   /*
      outbound connection attempt to
      LDAP, RMI or DNS standard ports
      by JAVA process
   */
   destination.port in (1389, 389, 1099, 53, 5353)] by process.pid
  [process where event.type == "start" and

    /* Suspicious JAVA child process */
    process.parent.name : "java" and
    process.name : ("sh",
                    "bash",
                    "dash",
                    "ksh",
                    "tcsh",
                    "zsh",
                    "curl",
                    "perl*",
                    "python*",
                    "ruby*",
                    "php*",
                    "wget")] by process.parent.pid
'''
68note = """## Triage and analysis
69
70> **Disclaimer**:
71> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
72
73### Investigating Potential JAVA/JNDI Exploitation Attempt
74
75Java Naming and Directory Interface (JNDI) is a Java API that provides naming and directory functionality, allowing Java applications to discover and look up data and resources via a directory service. Adversaries exploit JNDI by injecting malicious payloads that trigger outbound connections to LDAP, RMI, or DNS services, potentially leading to remote code execution. The detection rule identifies such exploitation attempts by monitoring Java processes making suspicious outbound connections followed by the execution of potentially harmful child processes, such as shell scripts or scripting languages, indicating a possible compromise.
76
77### Possible investigation steps
78
79- Review the network logs to confirm the outbound connection attempt by the Java process to the specified ports (1389, 389, 1099, 53, 5353) and identify the destination IP addresses to determine if they are known malicious or suspicious entities.
80- Examine the process tree to verify the parent-child relationship between the Java process and any suspicious child processes such as shell scripts or scripting languages (e.g., sh, bash, curl, python).
81- Check the command line arguments and environment variables of the suspicious child processes to identify any potentially malicious payloads or commands being executed.
82- Investigate the host's recent activity and logs for any other indicators of compromise or unusual behavior that might correlate with the suspected exploitation attempt.
83- Assess the system for any unauthorized changes or new files that may have been introduced as a result of the exploitation attempt, focusing on directories commonly used by Java applications.
84
85### False positive analysis
86
87- Development and testing environments may trigger false positives when developers use Java applications to test connections to LDAP, RMI, or DNS services. To mitigate this, exclude known development servers or IP ranges from the detection rule.
88- Automated scripts or maintenance tasks that involve Java applications making legitimate outbound connections to the specified ports can be mistaken for exploitation attempts. Identify and whitelist these scripts or tasks by their process names or hashes.
89- Legitimate Java-based applications that require frequent updates or data retrieval from external services might generate similar network patterns. Monitor and document these applications, then create exceptions for their specific network behaviors.
90- Security tools or monitoring solutions that use Java for network scanning or analysis might inadvertently match the rule's criteria. Ensure these tools are recognized and excluded by their process identifiers or network activity profiles.
91
92### Response and remediation
93
94- Immediately isolate the affected host from the network to prevent further outbound connections and potential lateral movement.
95- Terminate any suspicious Java processes identified in the alert, especially those making outbound connections to LDAP, RMI, or DNS ports.
96- Conduct a thorough review of the affected system for any unauthorized changes or additional malicious processes, focusing on child processes like shell scripts or scripting languages.
97- Restore the affected system from a known good backup if unauthorized changes or malware are detected.
98- Update and patch Java and any related applications to the latest versions to mitigate known vulnerabilities.
99- Implement network-level controls to block outbound connections to suspicious or unauthorized LDAP, RMI, or DNS services from Java processes.
100- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network."""
101
102
103[[rule.threat]]
104framework = "MITRE ATT&CK"
105[[rule.threat.technique]]
106id = "T1059"
107name = "Command and Scripting Interpreter"
108reference = "https://attack.mitre.org/techniques/T1059/"
109[[rule.threat.technique.subtechnique]]
110id = "T1059.007"
111name = "JavaScript"
112reference = "https://attack.mitre.org/techniques/T1059/007/"
113
114
115[[rule.threat.technique]]
116id = "T1203"
117name = "Exploitation for Client Execution"
118reference = "https://attack.mitre.org/techniques/T1203/"
119
120
121[rule.threat.tactic]
122id = "TA0002"
123name = "Execution"
124reference = "https://attack.mitre.org/tactics/TA0002/"
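The two-stage EQL sequence above, re-implemented in Python over constructed sample events so its behaviour can be inspected offline. This is an added example, not Elastic's code: the EQL engine evaluates the real rule server-side, and this script only mirrors the two stages, the host.id/pid join and the one-minute maxspan. The `allowed_destinations` parameter is an assumed tuning knob for the false positive case (excluding a known corporate LDAP server) and is not part of the rule as shipped; the hosts, PIDs and addresses are made up, using documentation IP ranges.

```python
"""Offline model of the 'Potential JAVA/JNDI Exploitation Attempt' sequence.

Added example, not part of the Elastic rule. Events are plain dicts with the
same ECS field names the rule queries; timestamps are datetime objects.
"""
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Values copied from the rule's query.
JNDI_PORTS = {1389, 389, 1099, 53, 5353}
SUSPICIOUS_CHILDREN = ("sh", "bash", "dash", "ksh", "tcsh", "zsh", "curl",
                       "perl*", "python*", "ruby*", "php*", "wget")
MAXSPAN = timedelta(minutes=1)


def is_suspicious_child(name: str) -> bool:
    """EQL ':' against a pattern list: case-insensitive, '*' wildcards allowed."""
    return any(fnmatchcase(name.lower(), pat) for pat in SUSPICIOUS_CHILDREN)


def stage1(ev: dict, allowed_destinations: frozenset) -> bool:
    """First sequence item: java connection attempt to an LDAP/RMI/DNS port."""
    return (ev["event.category"] == "network"
            and ev["event.action"] == "connection_attempted"
            and ev["process.name"] == "java"
            and ev["destination.port"] in JNDI_PORTS
            and ev["destination.ip"] not in allowed_destinations)  # assumed tuning knob


def stage2(ev: dict) -> bool:
    """Second sequence item: shell/interpreter/downloader spawned by java."""
    return (ev["event.category"] == "process"
            and ev["event.type"] == "start"
            and ev["process.parent.name"] == "java"
            and is_suspicious_child(ev["process.name"]))


def detect(events, allowed_destinations=frozenset()):
    """Return (network_event, process_event) pairs that complete the sequence.

    Stage 1 is keyed by (host.id, process.pid); stage 2 joins on
    (host.id, process.parent.pid), so the child must belong to the very java
    process that made the connection, and it must start within MAXSPAN.
    """
    pending = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if stage1(ev, allowed_destinations):
            pending[(ev["host.id"], ev["process.pid"])] = ev
        elif stage2(ev):
            key = (ev["host.id"], ev["process.parent.pid"])
            first = pending.get(key)
            if first is not None and ev["@timestamp"] - first["@timestamp"] <= MAXSPAN:
                alerts.append((first, ev))
                del pending[key]  # a stage-1 event completes at most one sequence
    return alerts


def _net(host, pid, ip, port, t):
    return {"@timestamp": t, "event.category": "network",
            "event.action": "connection_attempted", "host.id": host,
            "process.name": "java", "process.pid": pid,
            "destination.ip": ip, "destination.port": port}


def _proc(host, ppid, name, t):
    return {"@timestamp": t, "event.category": "process", "event.type": "start",
            "host.id": host, "process.parent.name": "java",
            "process.parent.pid": ppid, "process.name": name}


T0 = datetime(2021, 12, 10, 12, 0, 0)
# Constructed sample events; hosts, PIDs and addresses are invented.
SAMPLE_EVENTS = [
    # A: attacker LDAP on 1389, then a shell from the same java pid -> alert
    _net("web-01", 4242, "203.0.113.10", 1389, T0),
    _proc("web-01", 4242, "bash", T0 + timedelta(seconds=2)),
    # B: same pattern, but the child starts after maxspan -> no alert
    _net("web-02", 5151, "203.0.113.10", 1389, T0),
    _proc("web-02", 5151, "sh", T0 + timedelta(minutes=2)),
    # C: child belongs to a different java process -> pid join fails, no alert
    _net("web-03", 6161, "203.0.113.10", 1099, T0),
    _proc("web-03", 7171, "curl", T0 + timedelta(seconds=4)),
    # D: corporate LDAP on 389, then perl5.34 -> alert unless 198.51.100.5 is allowlisted
    _net("web-04", 8181, "198.51.100.5", 389, T0),
    _proc("web-04", 8181, "perl5.34", T0 + timedelta(seconds=5)),
    # E: java spawning java (build tool) -> child name not in the list, no alert
    _net("web-05", 9191, "203.0.113.10", 53, T0),
    _proc("web-05", 9191, "java", T0 + timedelta(seconds=1)),
]


def run(allowed_destinations=frozenset()):
    """host.id of every completed sequence, in alert order."""
    return [net["host.id"] for net, _ in detect(SAMPLE_EVENTS, allowed_destinations)]


if __name__ == "__main__":
    print("untuned:  ", run())                               # ['web-01', 'web-04']
    print("allowlist:", run(frozenset({"198.51.100.5"})))    # ['web-01']
```

Case D is the one the false positive guidance is about: a legitimate LDAP bind on 389 followed by a scripted maintenance task looks identical to the exploitation sequence at the event level, so the exception has to be expressed on the destination (or the known process/hash), not by relaxing the child-process list, which is what carries the signal in the true positive case A.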
Related rules
- Deprecated - Suspicious JAVA Child Process
- AWS SSM `SendCommand` with Run Shell Command Parameters
- Cupsd or Foomatic-rip Shell Execution
- EggShell Backdoor Execution
- File Creation by Cups or Foomatic-rip Child