Java Payload Strings
Detects possible Java payloads in web access logs
Sigma rule
```yaml
title: Java Payload Strings
id: 583aa0a2-30b1-4d62-8bf3-ab73689efe6c
status: test
description: Detects possible Java payloads in web access logs
references:
    - https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
    - https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/
    - https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md
    - https://twitter.com/httpvoid0x2f/status/1532924261035384832
    - https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035
author: frack113, Harjot Singh, "@cyb3rjy0t" (update)
date: 2022-06-04
modified: 2023-01-19
tags:
    - cve.2022-26134
    - cve.2021-26084
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    keywords:
        - '%24%7B%28%23a%3D%40'
        - '${(#a=@'
        - '%24%7B%40java'
        - '${@java'
        - 'u0022java'
        - '%2F%24%7B%23'
        - '/${#'
        - 'new+java.'
        - 'getRuntime().exec('
        - 'getRuntime%28%29.exec%28'
    condition: keywords
falsepositives:
    - Legitimate apps
level: high
```
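The rule lists both literal and percent-encoded forms of each string because `keywords` are case-insensitive substring matches against the raw log line, with no decoding. The following added example (not part of the Sigma rule or the SigmaHQ project) runs that matching over a few constructed access-log lines and shows what an optional percent-decoding pass gains: the third sample line mixes literal and encoded characters, so it is missed by the raw match and caught only after decoding.

```python
import urllib.parse

# Keyword list copied from detection.keywords in the rule above.
KEYWORDS = [
    '%24%7B%28%23a%3D%40', '${(#a=@',
    '%24%7B%40java', '${@java',
    'u0022java',
    '%2F%24%7B%23', '/${#',
    'new+java.',
    'getRuntime().exec(', 'getRuntime%28%29.exec%28',
]

# Constructed access-log lines (not real traffic). Line 3 mixes literal and
# percent-encoded characters so that no keyword matches its raw text.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Jun/2022:10:12:01 +0000] "GET /index.action HTTP/1.1" 200 512
10.0.0.9 - - [04/Jun/2022:10:12:07 +0000] "GET /%24%7B%28%23a%3D%40foo%7D HTTP/1.1" 302 0
10.0.0.9 - - [04/Jun/2022:10:12:09 +0000] "GET /${%28#a=@foo} HTTP/1.1" 302 0
10.0.0.7 - - [04/Jun/2022:10:13:44 +0000] "POST /search?q=getruntime%28%29.EXEC%28 HTTP/1.1" 200 88
"""


def match_keywords(line, keywords=KEYWORDS, decode=False):
    """Return the keywords found in `line`, in rule order.

    Sigma keywords are case-insensitive substring matches on the whole line.
    decode=True also checks the line after one round of percent-decoding; that
    is an added normalisation step, not part of the rule.
    """
    haystacks = [line.lower()]
    if decode:
        haystacks.append(urllib.parse.unquote(line).lower())
    return [kw for kw in keywords if any(kw.lower() in h for h in haystacks)]


def scan_log(text, decode=False):
    """Return (line_number, matched_keywords) for every line that fires."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        hits = match_keywords(line, decode=decode)
        if hits:
            results.append((n, hits))
    return results


if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG, decode=True):
        print(f"line {n}: {hits}")
```

Decoding widens coverage but loses the distinction between an encoded and a literal payload, so keep the raw match as the primary signal and treat the decoded hits as a secondary check.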
Related rules
- Atlassian Confluence CVE-2022-26134
- Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
- Potential OGNL Injection Exploitation In JVM Based Application
- ADSelfService Exploitation
- Apache Spark Shell Command Injection - ProcessCreation