forked from splunk/security_content
malicious_requests_to_exploit_jboss_servers.yml
asset_type: Web Server
confidence: high
creation_date: '2016-10-04'
data_metadata:
  data_models:
  - Web
  data_source:
  - Network Communications
  - Web Server
  providing_technologies:
  - Splunk Stream
  - Palo Alto Firewall
  - Apache
  - Bro
description: This search is used to detect malicious HTTP requests crafted to exploit
  the jmx-console in JBoss servers. The malicious requests have a long URL length, as
  the payload is embedded in the URL.
detect:
  splunk:
    correlation_rule:
      notable:
        nes_fields: src, dest
        rule_description: A search for detecting malicious requests made to exploit
          the jmx-console in JBoss servers. The bad requests have a long URL length,
          since the payload is delivered via the URL.
        rule_title: Detected malicious requests to exploit JBoss servers
      risk:
        risk_object: dest
        risk_object_type:
        - system
        risk_score: 80
      schedule:
        cron_schedule: 0 * * * *
        earliest_time: -70m@m
        latest_time: -10m@m
      search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as
        lastTime from datamodel=Web where (Web.http_method="GET" OR Web.http_method="HEAD")
        by Web.http_method, Web.url, Web.url_length, Web.src, Web.dest | search Web.url="*jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin*import*"
        AND Web.url_length > 200 | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)`
        | `security_content_ctime(lastTime)` | table src, dest, http_method, url, firstTime, lastTime'
      suppress:
        suppress_fields: dest,url,src
        suppress_period: 14400s
eli5: This search looks for HTTP requests for a URL that has been used to exploit
  JBoss servers.
entities:
- dest
how_to_implement: You must ingest data from the web server, or capture network data
  that contains web-specific information with solutions such as Bro or Splunk Stream,
  and populate the Web data model.
id: c8bff7a4-11ea-4416-a27d-c5bca472913d
investigations:
- id: df7a7f50-30f2-4cde-8448-69d2d5f9b3c5
  name: Get Vulnerability Logs For Endpoint
  type: splunk
- id: 3d6c3213-5fff-4a1e-b57d-b24c262171e7
  name: Get Notable History
  type: splunk
- id: f3fb4d1b-5f33-4b01-b541-c7af9534c242
  name: Get Notable Info
  type: splunk
- id: fdcfb369-1725-4c24-824a-22972d7f0d65
  name: Get Risk Modifiers For Endpoint
  type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd22
  name: Investigate Web Activity From Host
  type: splunk
known_false_positives: No known false positives for this detection.
maintainers:
- company: Splunk
  email: bpatel@splunk.com
  name: Bhavin Patel
mappings:
  cis20:
  - CIS 12
  - CIS 4
  - CIS 18
  kill_chain_phases:
  - Delivery
  mitre_attack:
  - Defense Evasion
  - Exploitation of Vulnerability
  nist:
  - ID.RA
  - PR.PT
  - PR.IP
  - DE.AE
  - PR.MA
  - DE.CM
modification_date: '2017-09-23'
name: Detect malicious requests to exploit JBoss servers
original_authors:
- company: Splunk
  email: bpatel@splunk.com
  name: Bhavin Patel
references: []
security_domain: network
spec_version: 2
type: splunk
version: '1.0'
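The following is an added example, not code from the splunk/security_content repository: it re-implements the detection logic of the `search` field above in plain Python so the filter and aggregation can be exercised against a handful of constructed Apache access-log lines offline. The log lines, the `jboss-web-01` destination name, and the `PLACEHOLDER` query-string values are all constructed for the example (an access log carries no `dest` field, so the caller supplies it). Two details worth noting when porting SPL field matches: only `*` is a wildcard in SPL (`?` and `&` in the pattern are literals), and field-value matching in the `search` command is case-insensitive, so the wildcard is translated to an anchored, case-insensitive regex rather than handed to a shell-style glob matcher. The `Suppressor` class mirrors the `suppress` block (one notable per `dest,url,src` per 14400 s).

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constants taken from the detection's search and suppress blocks above.
URL_PATTERN = "*jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin*import*"
MIN_URL_LENGTH = 200        # Web.url_length > 200
METHODS = {"GET", "HEAD"}   # Web.http_method="GET" OR Web.http_method="HEAD"
SUPPRESS_PERIOD = 14400     # suppress_period: 14400s on dest,url,src


def spl_wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an SPL field wildcard to a regex: '*' is the only wildcard,
    everything else is literal, and the match is case-insensitive."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE | re.DOTALL)


URL_RE = spl_wildcard_to_regex(URL_PATTERN)


@dataclass(frozen=True)
class WebEvent:
    """The subset of Web data model fields the search uses."""
    time: datetime
    src: str
    dest: str
    http_method: str
    url: str

    @property
    def url_length(self) -> int:
        return len(self.url)


# Apache common/combined log line: client, identd, user, [timestamp], "METHOD URL PROTO", status, bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_access_log(line: str, dest: str) -> Optional[WebEvent]:
    """Map one access-log line onto Web data model fields; dest is supplied by the caller."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return WebEvent(ts, m["src"], dest, m["method"].upper(), m["url"])


def detect(events):
    """Equivalent of `tstats ... where ... by ... | search ...`: keep GET/HEAD requests whose
    URL matches the wildcard and exceeds 200 characters, then aggregate count/firstTime/lastTime
    per (http_method, url, url_length, src, dest)."""
    groups = defaultdict(list)
    for e in events:
        if e.http_method not in METHODS:
            continue
        if e.url_length <= MIN_URL_LENGTH or not URL_RE.match(e.url):
            continue
        groups[(e.http_method, e.url, e.url_length, e.src, e.dest)].append(e.time)
    return [
        {"src": src, "dest": dest, "http_method": method, "url": url, "url_length": ulen,
         "count": len(times), "firstTime": min(times), "lastTime": max(times)}
        for (method, url, ulen, src, dest), times in groups.items()
    ]


class Suppressor:
    """Mirror of the notable `suppress` block: at most one alert per (dest, url, src) per period.
    The row's lastTime stands in for the alert time, which is a simplification."""

    def __init__(self, period_s: int = SUPPRESS_PERIOD):
        self.period_s = period_s
        self.last_alert = {}

    def should_alert(self, row) -> bool:
        key = (row["dest"], row["url"], row["src"])
        prev = self.last_alert.get(key)
        if prev is not None and (row["lastTime"] - prev).total_seconds() < self.period_s:
            return False
        self.last_alert[key] = row["lastTime"]
        return True


# Constructed sample log lines (not real traffic). The long URL is padded with 'X' to exceed 200 chars.
_LONG_URL = ("/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin.PLACEHOLDER"
             "&arg0=import-PLACEHOLDER&arg1=" + "X" * 150)
_SHORT_URL = "/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin.PLACEHOLDER&arg0=import-PLACEHOLDER&arg1=short"
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Oct/2016:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [04/Oct/2016:10:16:01 +0000] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=Server HTTP/1.1" 200 2048',
    f'198.51.100.7 - - [04/Oct/2016:10:17:45 +0000] "GET {_LONG_URL} HTTP/1.1" 404 0',
    f'198.51.100.7 - - [04/Oct/2016:10:18:02 +0000] "POST {_LONG_URL} HTTP/1.1" 404 0',    # POST: excluded
    f'198.51.100.7 - - [04/Oct/2016:10:19:30 +0000] "GET {_SHORT_URL} HTTP/1.1" 404 0',     # too short: excluded
    f'198.51.100.7 - - [04/Oct/2016:10:20:10 +0000] "GET {_LONG_URL} HTTP/1.1" 404 0',
]


def run_sample():
    events = [e for e in (parse_access_log(l, dest="jboss-web-01") for l in SAMPLE_LOG) if e]
    return detect(events)


if __name__ == "__main__":
    sup = Suppressor()
    for row in run_sample():
        print(f'{row["src"]} -> {row["dest"]} {row["http_method"]} len={row["url_length"]} '
              f'count={row["count"]} first={row["firstTime"]} last={row["lastTime"]} alert={sup.should_alert(row)}')
```

Of the six constructed lines only the two GET requests with the padded URL survive the filter, and they collapse into a single row with `count=2`; the POST with the same URL and the short GET are dropped, which is exactly what the `http_method` and `url_length` clauses in the search are meant to do.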