JexBoss Command Sequence

 1title: JexBoss Command Sequence
 2id: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae
 3status: test
 4description: Detects suspicious command sequence that JexBoss
 5references:
 6    - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
 7author: Florian Roth (Nextron Systems)
 8date: 2017-08-24
 9modified: 2022-07-07
10tags:
11    - attack.execution
12    - attack.t1059.004
13logsource:
14    product: linux
15detection:
16    selection1:
17        - 'bash -c /bin/bash'
18    selection2:
19        - '&/dev/tcp/'
20    condition: all of selection*
21falsepositives:
22    - Unknown
23level: high

References

• JexBoss – JBoss Verify and EXploitation Tool | CISA

  JexBoss JexBoss is a tool used to test and exploit vulnerabilities in Java applications and platforms, including the JBoss AS/WildFly web server framework. JexBoss is written in the Python programm...

  
  Read More

Related rules

• AWS EC2 Startup Shell Script Change
• BPFtrace Unsafe Option Usage
• Equation Group Indicators
• Interactive Bash Suspicious Children
• Linux Reverse Shell Indicator