Apache Spark Shell Command Injection - ProcessCreation

Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective

Sigma rule (View on GitHub)

 1title: Apache Spark Shell Command Injection - ProcessCreation
 2id: c8a5f584-cdc8-42cc-8cce-0398e4265de3
 3status: test
 4description: Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective
 5references:
 6    - https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py
 7    - https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html
 8    - https://github.com/apache/spark/pull/36315/files
 9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2022-07-20
11tags:
12    - attack.initial-access
13    - attack.t1190
14    - cve.2022-33891
15logsource:
16    product: linux
17    category: process_creation
18detection:
19    selection:
20        ParentImage|endswith: '\bash'
21        CommandLine|contains:
22            - 'id -Gn `'
23            - "id -Gn '"
24    condition: selection
25falsepositives:
26    - Unlikely
27level: high

References

Related rules

to-top