Techniques
Sample rules
Java Writing JSP File
- source: splunk
- technicques:
- T1190
- T1133
Description
The following analytic identifies the process java writing a .jsp to disk. This is potentially indicative of a web shell being written to disk. Modify and tune the analytic based on data ingested. For instance, it may be worth running a broad query for jsp file writes first before performing a join.
Detection logic
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN ("java","java.exe", "javaw.exe") by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid Processes.user
| `drop_dm_object_name(Processes)`
| join process_guid [
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_name="*.jsp*" by _time Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.user
| `drop_dm_object_name(Filesystem)`
| fields _time process_guid file_path file_name file_create_time user dest process_name]
| stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `java_writing_jsp_file_filter`