Potential JAVA/JNDI Exploitation Attempt

Identifies an outbound network connection by JAVA to LDAP, RMI or DNS standard ports followed by a suspicious JAVA child process. This may indicate an attempt to exploit a JAVA/JNDI (Java Naming and Directory Interface) injection vulnerability.


[metadata]
# Dates use YYYY/MM/DD.
creation_date = "2021/12/10"
# The "endpoint" integration (Elastic Defend) is the expected source of the
# network and process events this rule's query consumes.
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies an outbound network connection by JAVA to LDAP, RMI or DNS standard ports followed by a suspicious JAVA child
11processes. This may indicate an attempt to exploit a JAVA/NDI (Java Naming and Directory Interface) injection
12vulnerability.
13"""
14from = "now-9m"
15index = ["auditbeat-*", "logs-endpoint.events.*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Potential JAVA/JNDI Exploitation Attempt"
19references = [
20    "https://www.lunasec.io/docs/blog/log4j-zero-day/",
21    "https://github.com/christophetd/log4shell-vulnerable-app",
22    "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf",
23    "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security",
24    "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046",
25]
26risk_score = 73
27rule_id = "c3f5e1d8-910e-43b4-8d44-d748e498ca86"
28severity = "high"
29tags = [
30    "Domain: Endpoint",
31    "OS: Linux",
32    "OS: macOS",
33    "Use Case: Threat Detection",
34    "Tactic: Execution",
35    "Use Case: Vulnerability",
36    "Data Source: Elastic Defend",
37]
38type = "eql"
39
40query = '''
41sequence by host.id with maxspan=1m
42 [network where event.action == "connection_attempted" and
43  process.name : "java" and
44  /*
45     outbound connection attempt to
46     LDAP, RMI or DNS standard ports
47     by JAVA process
48   */
49  destination.port in (1389, 389, 1099, 53, 5353)] by process.pid
50 [process where event.type == "start" and
51
52  /* Suspicious JAVA child process */
53  process.parent.name : "java" and
54   process.name : ("sh",
55                   "bash",
56                   "dash",
57                   "ksh",
58                   "tcsh",
59                   "zsh",
60                   "curl",
61                   "perl*",
62                   "python*",
63                   "ruby*",
64                   "php*",
65                   "wget")] by process.parent.pid
66'''
67
68
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
# NOTE(review): the query's child-process list is Unix shells (sh, bash, dash,
# ksh, tcsh, zsh) and perl/python/ruby/php interpreters, not JavaScript, so
# this sub-technique looks mis-mapped. Confirm the intended sub-technique
# (e.g. T1059.004 Unix Shell) with the rule owner.
[[rule.threat.technique.subtechnique]]
id = "T1059.007"
name = "JavaScript"
reference = "https://attack.mitre.org/techniques/T1059/007/"


# NOTE(review): T1203 is the Execution-tactic mapping; the referenced Log4Shell
# material describes server-side JNDI injection, so an Initial Access mapping
# (exploitation of a public-facing application) may also be appropriate — confirm.
[[rule.threat.technique]]
id = "T1203"
name = "Exploitation for Client Execution"
reference = "https://attack.mitre.org/techniques/T1203/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
