Potential JNDI Injection Exploitation In JVM Based Application
Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.
Sigma rule (View on GitHub)
1title: Potential JNDI Injection Exploitation In JVM Based Application
2id: bb0e9cec-d4da-46f5-997f-22efc59f3dca
3status: test
4description: Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.
5references:
6 - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
7 - https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0
8author: Moti Harmats
9date: 2023-02-11
10tags:
11 - attack.initial-access
12 - attack.t1190
13logsource:
14 category: application
15 product: jvm
16 definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
17detection:
18 keywords:
19 - 'com.sun.jndi.ldap.'
20 - 'org.apache.logging.log4j.core.net.JndiManager'
21 condition: keywords
22falsepositives:
23 - Application bugs
24level: high
References
-
IntroductionWhen doing application security at scale, you have to make peace with the fact that some issues may as well find their way into production. While we work hard to make sure this almost never happens, we understand that it’s just a fact of life that sometimes some things can slip into production without proper security controls.Photo by Mahdi Bafande on UnsplashThat’s why in addition to constantly “shifting left” our efforts and trying to secure all frameworks “by design”, one of the c
Read More -
Home » Technical Research » Analysing and Reproducing PoC for Log4j 2.15.0 Very shortly after the release of the patch for CVE-2021-44228, bundled by Apache as log4j 2.15.0, researchers already fou...
Read More
Related rules
- ADSelfService Exploitation
- Apache Spark Shell Command Injection - ProcessCreation
- Apache Spark Shell Command Injection - Weblogs
- Apache Threading Error
- Arcadyan Router Exploitations