Apache Spark Shell Command Injection - ProcessCreation
Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective
Sigma rule (View on GitHub)
1title: Apache Spark Shell Command Injection - ProcessCreation
2id: c8a5f584-cdc8-42cc-8cce-0398e4265de3
3status: test
4description: Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective
5references:
6 - https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py
7 - https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html
8 - https://github.com/apache/spark/pull/36315/files
9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2022-07-20
11tags:
12 - attack.initial-access
13 - attack.t1190
14 - cve.2022-33891
15logsource:
16 product: linux
17 category: process_creation
18detection:
19 selection:
20 ParentImage|endswith: '\bash'
21 CommandLine|contains:
22 - 'id -Gn `'
23 - "id -Gn '"
24 condition: selection
25falsepositives:
26 - Unlikely
27level: high
References
Related rules
- Apache Spark Shell Command Injection - Weblogs
- ADSelfService Exploitation
- Apache Threading Error
- Arcadyan Router Exploitations
- Atlassian Bitbucket Command Injection Via Archive API