Techniques
Sample rules
Potential Local File Read Vulnerability In JVM Based Application
- source: sigma
- technicques:
- t1190
Description
Detects potential local file read vulnerability in JVM based apps. If the exceptions are caused due to user input and contain path traversal payloads then it’s a red flag.
Detection logic
condition: keywords_local_file_read
keywords_local_file_read:
'|all':
- FileNotFoundException
- /../../..
Potential OGNL Injection Exploitation In JVM Based Application
- source: sigma
- technicques:
- t1190
Description
Detects potential OGNL Injection exploitation, which may lead to RCE. OGNL is an expression language that is supported in many JVM based systems. OGNL Injection is the reason for some high profile RCE’s such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134)
Detection logic
condition: keywords
keywords:
- org.apache.commons.ognl.OgnlException
- ExpressionSyntaxException
Process Execution Error In JVM Based Application
- source: sigma
- technicques:
- t1190
Description
Detects process execution related exceptions in JVM based apps, often relates to RCE
Detection logic
condition: keywords
keywords:
- Cannot run program
- java.lang.ProcessImpl
- java.lang.ProcessBuilder
Potential JNDI Injection Exploitation In JVM Based Application
- source: sigma
- technicques:
- t1190
Description
Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.
Detection logic
condition: keywords
keywords:
- com.sun.jndi.ldap.
- org.apache.logging.log4j.core.net.JndiManager
Ruby on Rails Framework Exceptions
- source: sigma
- technicques:
- t1190
Description
Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
Detection logic
condition: keywords
keywords:
- ActionController::InvalidAuthenticityToken
- ActionController::InvalidCrossOriginRequest
- ActionController::MethodNotAllowed
- ActionController::BadRequest
- ActionController::ParameterMissing
Potential Server Side Template Injection In Velocity
- source: sigma
- technicques:
- t1190
Description
Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE.
Detection logic
condition: keywords
keywords:
- ParseErrorException
- VelocityException
- TemplateInitException
Python SQL Exceptions
- source: sigma
- technicques:
- t1190
Description
Generic rule for SQL exceptions in Python according to PEP 249
Detection logic
condition: keywords
keywords:
- DataError
- IntegrityError
- ProgrammingError
- OperationalError
Django Framework Exceptions
- source: sigma
- technicques:
- t1190
Description
Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
Detection logic
condition: keywords
keywords:
- SuspiciousOperation
- DisallowedHost
- DisallowedModelAdminLookup
- DisallowedModelAdminToField
- DisallowedRedirect
- InvalidSessionKey
- RequestDataTooBig
- SuspiciousFileOperation
- SuspiciousMultipartForm
- SuspiciousSession
- TooManyFieldsSent
- PermissionDenied
Spring Framework Exceptions
- source: sigma
- technicques:
- t1190
Description
Detects suspicious Spring framework exceptions that could indicate exploitation attempts
Detection logic
condition: keywords
keywords:
- AccessDeniedException
- CsrfException
- InvalidCsrfTokenException
- MissingCsrfTokenException
- CookieTheftException
- InvalidCookieException
- RequestRejectedException
Potential SpEL Injection In Spring Framework
- source: sigma
- technicques:
- t1190
Description
Detects potential SpEL Injection exploitation, which may lead to RCE.
Detection logic
condition: keywords
keywords:
- org.springframework.expression.ExpressionException