Potential JAVA/JNDI Exploitation Attempt

Identifies an outbound network connection by a Java process to LDAP, RMI or DNS standard ports, followed within one minute by that same process spawning a shell or scripting interpreter. This may indicate an attempt to exploit a Java/JNDI (Java Naming and Directory Interface) injection vulnerability such as Log4Shell, where a remote lookup fetches and executes attacker-supplied code.


 1[metadata]
 2creation_date = "2021/12/10"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies an outbound network connection by JAVA to LDAP, RMI or DNS standard ports followed by a suspicious JAVA child
13processes. This may indicate an attempt to exploit a JAVA/NDI (Java Naming and Directory Interface) injection
14vulnerability.
15"""
16from = "now-9m"
17index = ["auditbeat-*", "logs-endpoint.events.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Potential JAVA/JNDI Exploitation Attempt"
21references = [
22    "https://www.lunasec.io/docs/blog/log4j-zero-day/",
23    "https://github.com/christophetd/log4shell-vulnerable-app",
24    "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf",
25    "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security",
26    "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046",
27]
28risk_score = 73
29rule_id = "c3f5e1d8-910e-43b4-8d44-d748e498ca86"
30severity = "high"
31tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
32type = "eql"
33
34query = '''
35sequence by host.id with maxspan=1m
36 [network where event.action == "connection_attempted" and
37  process.name : "java" and
38  /*
39     outbound connection attempt to
40     LDAP, RMI or DNS standard ports
41     by JAVA process
42   */
43  destination.port in (1389, 389, 1099, 53, 5353)] by process.pid
44 [process where event.type == "start" and
45
46  /* Suspicious JAVA child process */
47  process.parent.name : "java" and
48   process.name : ("sh",
49                   "bash",
50                   "dash",
51                   "ksh",
52                   "tcsh",
53                   "zsh",
54                   "curl",
55                   "perl*",
56                   "python*",
57                   "ruby*",
58                   "php*",
59                   "wget")] by process.parent.pid
60'''
61
62
63[[rule.threat]]
64framework = "MITRE ATT&CK"
65[[rule.threat.technique]]
66id = "T1059"
67name = "Command and Scripting Interpreter"
68reference = "https://attack.mitre.org/techniques/T1059/"
69[[rule.threat.technique.subtechnique]]
70id = "T1059.007"
71name = "JavaScript"
72reference = "https://attack.mitre.org/techniques/T1059/007/"
73
74
75[[rule.threat.technique]]
76id = "T1203"
77name = "Exploitation for Client Execution"
78reference = "https://attack.mitre.org/techniques/T1203/"
79
80
81[rule.threat.tactic]
82id = "TA0002"
83name = "Execution"
84reference = "https://attack.mitre.org/tactics/TA0002/"
