Potential JNDI Injection Exploitation In JVM Based Application

calendar Jan 1, 2024 · attack.initial_access attack.t1190  ·
Share on: linkedin copy

Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.

Sigma rule (View on GitHub)

 1title: Potential JNDI Injection Exploitation In JVM Based Application
 2id: bb0e9cec-d4da-46f5-997f-22efc59f3dca
 3status: test
 4description: Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.
 5references:
 6    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
 7    - https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0
 8author: Moti Harmats
 9date: 2023/02/11
10tags:
11    - attack.initial_access
12    - attack.t1190
13logsource:
14    category: application
15    product: jvm
16    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
17detection:
18    keywords:
19        - 'com.sun.jndi.ldap.'
20        - 'org.apache.logging.log4j.core.net.JndiManager'
21    condition: keywords
22falsepositives:
23    - Application bugs
24level: high

References

  • Threat and Vulnerability Hunting with Application Server Error Logs

    IntroductionWhen doing application security at scale, you have to make peace with the fact that some issues may as well find their way into production. While we work hard to make sure this almost never happens, we understand that it’s just a fact of life that sometimes some things can slip into production without proper security controls.Photo by Mahdi Bafande on UnsplashThat’s why in addition to constantly “shifting left” our efforts and trying to secure all frameworks “by design”, one of the c


    Read More

  • Analysing and Reproducing PoC for Log4j 2.15.0

    Home » Technical Research » Analysing and Reproducing PoC for Log4j 2.15.0 Very shortly after the release of the patch for CVE-2021-44228, bundled by Apache as log4j 2.15.0, researchers already fou...


    Read More

Related rules

to-top