JexBoss Command Sequence

 1title: JexBoss Command Sequence
 2id: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae
 3status: test
 4description: Detects suspicious command sequence that JexBoss
 5references:
 6    - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
 7author: Florian Roth (Nextron Systems)
 8date: 2017-08-24
 9modified: 2025-11-22
10tags:
11    - attack.execution
12    - attack.t1059.004
13logsource:
14    product: linux
15detection:
16    keywords:
17        '|all':
18            - 'bash -c /bin/bash'
19            - '&/dev/tcp/'
20    condition: keywords
21falsepositives:
22    - Unknown
23level: high

References

• JexBoss – JBoss Verify and EXploitation Tool | CISA

  JexBoss JexBoss is a tool used to test and exploit vulnerabilities in Java applications and platforms, including the JBoss AS/WildFly web server framework. JexBoss is written in the Python programm...

  
  Read More

Related rules

• Suspicious Download and Execute Pattern via Curl/Wget
• AWS EC2 Startup Shell Script Change
• BPFtrace Unsafe Option Usage
• Equation Group Indicators
• Interactive Bash Suspicious Children