Skip to content

west-wind/Spring4Shell-Detection

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Spring4Shell-Detection with Splunk

Lazy SPL to detect CVE-2022-22965 - Spring4Shell & CVE-2022-22963 exploitation.

Find more awesome Threat Hunting SPL queries, including BPFDoor detection here

Detecting & Responding to Spring4Shell with Splunk | Medium

Read my write up here Detecting & Responding to Spring4Shell with Splunk | Medium

Detection for Spring4Shell

Splunk detection SPL for CVE-2022-22965 (Spring4Shell) webshell -- PoC Exploit

index=web_apps (sourcetype=nginx OR sourcetype=webapp_firewall) status=200
| rex field=url "(?<webShell>\/.*\.(jsp|class)\?.*=.*)" 
| rex field=uri "(?<webShell>\/.*\.(jsp|class)\?.*=.*)"
| where isnotnull(webShell) 
| eval Domain = mvappend(dest, domain), fullURL = mvappend(url, uri)
| table _time src_ip Domain status method webShell fullURL sourcetype

Splunk detection SPL for CVE-2022-22965 (Spring4Shell) PoC Exploit attempting to change Tomcat logging

index=web_apps (sourcetype=nginx OR sourcetype=webapp_firewall) (method=POST OR method=GET) url="*?class.module.classloader.resources.context.parent.pipeline.first.pattern=*"
| table _time src_ip dest_domain url headers user_agent status

Detection based on Linux audit logs (untested).

If you find suspicious files being created, correlate with type=CWD & check the 'cwd' path. Check if the path is your webapps' ROOT/ directory. Correlate with other above detection rules (nginx/web app firewall) to identify source IP.

index=linux_index sourcetype="linux:auditd" type=PATH name="*.jsp"
| table _time host type name

Detection for CVE-2022-22965 (Spring4Shell) PoC Exploit

index=web_apps (sourcetype=nginx OR sourcetype=webapp_firewall) status=200 (method=POST OR method=GET) (url=*.jsp* OR url=*.class*)
| table _time src_ip dest_domain url headers

Detection for CVE-2022-22963 (not Spring4Shell)

Detecting from Linux syslog (CVE-2022-22963, not Spring4Shell)

index=linux_index sourcetype=linux_messages_syslog 
| rex field=_raw "(?<execData>(?<=\.)getRuntime\(\)\.exec[^;]*)"
| where isnotnull(execData)
| table _time host execData

Detection for POC exploit (CVE-2022-22963, not Spring4Shell) -- PoC Exploit

index=web_apps (sourcetype=nginx OR sourcetype=webapp_firewall) (status=200 OR status=500) method=POST url="/functionRouter" // Better not to specify URL as anyone can change this
| rex field=headers "(?<execData>(?<=\.)getRuntime\(\)\.exec[^;]*)"
| table _time src_ip dest_domain execData url

Discussion Around Additional Detections

Please visit Discussions

Raise an Issue

Want to optimise the SPL queries? Please visit Issues

About

Lazy SPL to detect Spring4Shell exploitation

Topics

spring splunk incident-response spring4shell cve-2022-22963 cve-2022-22965

Resources

Readme

License

MIT license
Activity

Stars

12 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published