JNDIExploit Pattern
Detects exploitation attempt using the JNDI-Exploit-Kit
Sigma rule

```yaml
title: JNDIExploit Pattern
id: 412d55bc-7737-4d25-9542-5b396867ce55
status: test
description: Detects exploitation attempt using the JNDI-Exploit-Kit
references:
  - https://github.com/pimps/JNDI-Exploit-Kit
  - https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit
author: Florian Roth (Nextron Systems)
date: 2021-12-12
modified: 2022-12-25
tags:
  - attack.initial-access
  - attack.t1190
logsource:
  category: webserver
detection:
  keywords:
    - '/Basic/Command/Base64/'
    - '/Basic/ReverseShell/'
    - '/Basic/TomcatMemshell'
    - '/Basic/JettyMemshell'
    - '/Basic/WeblogicMemshell'
    - '/Basic/JBossMemshell'
    - '/Basic/WebsphereMemshell'
    - '/Basic/SpringMemshell'
    - '/Deserialization/URLDNS/'
    - '/Deserialization/CommonsCollections1/Dnslog/'
    - '/Deserialization/CommonsCollections2/Command/Base64/'
    - '/Deserialization/CommonsBeanutils1/ReverseShell/'
    - '/Deserialization/Jre8u20/TomcatMemshell'
    - '/TomcatBypass/Dnslog/'
    - '/TomcatBypass/Command/'
    - '/TomcatBypass/ReverseShell/'
    - '/TomcatBypass/TomcatMemshell'
    - '/TomcatBypass/SpringMemshell'
    - '/GroovyBypass/Command/'
    - '/WebsphereBypass/Upload/'
  condition: keywords
falsepositives:
  - Legitimate apps that use these paths
level: high
```
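The rule is a plain substring match over webserver log text. The following added example (not part of the Sigma rule or SigmaHQ) applies the same keyword list to constructed access-log lines; as an assumption that goes beyond the rule, lines are percent-decoded first, since a raw keyword match would miss a URL-encoded form of the same path.

```python
# Added example: JNDIExploit Pattern keyword match over access-log lines.
# Assumption beyond the rule: bounded percent-decoding before matching.
from urllib.parse import unquote

# Keywords copied from the rule above (case-sensitive substring match).
JNDI_KEYWORDS = (
    "/Basic/Command/Base64/", "/Basic/ReverseShell/", "/Basic/TomcatMemshell",
    "/Basic/JettyMemshell", "/Basic/WeblogicMemshell", "/Basic/JBossMemshell",
    "/Basic/WebsphereMemshell", "/Basic/SpringMemshell",
    "/Deserialization/URLDNS/", "/Deserialization/CommonsCollections1/Dnslog/",
    "/Deserialization/CommonsCollections2/Command/Base64/",
    "/Deserialization/CommonsBeanutils1/ReverseShell/",
    "/Deserialization/Jre8u20/TomcatMemshell",
    "/TomcatBypass/Dnslog/", "/TomcatBypass/Command/", "/TomcatBypass/ReverseShell/",
    "/TomcatBypass/TomcatMemshell", "/TomcatBypass/SpringMemshell",
    "/GroovyBypass/Command/", "/WebsphereBypass/Upload/",
)

def normalize(line, max_rounds=3):
    """Bounded repeated percent-decoding, so '%2FBasic%2F' and double-encoded
    forms compare equal to the literal keyword (not part of the rule itself)."""
    for _ in range(max_rounds):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line

def match_jndiexploit(line):
    """Return the first rule keyword found in the line, or None ('condition: keywords')."""
    text = normalize(line)
    return next((kw for kw in JNDI_KEYWORDS if kw in text), None)

def scan(lines):
    """Return [(line_number, keyword)] for every line that triggers the rule."""
    return [(n, kw) for n, line in enumerate(lines, 1) if (kw := match_jndiexploit(line))]

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Dec/2021:10:01:07 +0000] "GET /Basic/Command/Base64/... HTTP/1.1" 404 0',
    '10.0.0.9 - - [12/Dec/2021:10:01:09 +0000] "GET /TomcatBypass%2FDnslog%2F HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for n, kw in scan(SAMPLE_LOG):
        print(f"line {n}: JNDIExploit Pattern matched on {kw!r}")
```

The third sample line only matches because of the decoding step; a SIEM that applies the rule to raw log text as written would need its own normalization to catch that variant.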