CVE-2020-9484 Exploitation Attempt

Detecting the attempt of RCE via deserialization

Sigma rule

```yaml
title: CVE-2020-9484 Exploitation Attempt
id: c70bf726-e96c-44f9-a239-3ba9745730f4
status: experimental
description: Detecting the attempt of RCE via deserialization
references:
    - https://www.redtimmy.com/java-hacking/apache-tomcat-rce-by-deserialization-cve-2020-9484-write-up-and-exploit/
author: Loginsoft Research Unit
date: 2020/07/10
logsource:
    product: Tomcat
    category: webserver
detection:
    keywords:
        - 'Invalid persistence file [/tomcat/sessions/../*.session] for session ID [../../*]'
    condition: keywords
falsepositives:
  - Unknown
level: critical
```
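The keyword match from the rule above, run over constructed log lines, as an added example that is not part of the original rule or any Sigma backend. The third sample shows that the hardcoded `/tomcat/sessions/` prefix does not match the same message from an install with a different session store path. It assumes the usual Sigma keyword semantics (case-insensitive substring match with `*` and `?` as wildcards); the function names and the sample lines are hypothetical.

```python
import re

# Keyword copied verbatim from the rule's detection section.
KEYWORD = ("Invalid persistence file [/tomcat/sessions/../*.session] "
           "for session ID [../../*]")

def sigma_keyword_to_regex(keyword):
    """Assumed Sigma semantics: '*' and '?' are wildcards, all else literal.

    fnmatch is unsuitable here: it would read '[...]' as a character class.
    """
    parts = []
    for ch in keyword:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)

PATTERN = sigma_keyword_to_regex(KEYWORD)

def matching_lines(lines):
    """Return the log lines the rule keyword would flag (substring match)."""
    return [line for line in lines if PATTERN.search(line)]

# Constructed sample log lines (hypothetical, not captured from a real server).
SAMPLE_LOG = [
    "10-Jul-2020 10:15:02.113 WARNING [http-nio-8080-exec-3] "
    "org.apache.catalina.session.FileStore.file Invalid persistence file "
    "[/tomcat/sessions/../../tmp/example.session] for session ID [../../tmp/example]",
    "10-Jul-2020 10:15:03.000 INFO [main] "
    "org.apache.catalina.startup.Catalina.start Server startup in [1234] milliseconds",
    # Same message, different session store path: the rule does not match.
    "10-Jul-2020 10:16:40.250 WARNING [http-nio-8080-exec-5] "
    "org.apache.catalina.session.FileStore.file Invalid persistence file "
    "[/opt/tomcat/work/../../tmp/example.session] for session ID [../../tmp/example]",
]

if __name__ == "__main__":
    for hit in matching_lines(SAMPLE_LOG):
        print("ALERT:", hit)
```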
