Exploit Public Facing Application via Apache Commons Text
- source: splunk
- techniques:
  - T1505.003
  - T1505
  - T1190
  - T1133
Description
The following analytic detects attempts to exploit the CVE-2022-42889 vulnerability in the Apache Commons Text Library, known as Text4Shell. It leverages the Web datamodel to identify suspicious HTTP requests containing specific lookup keys (url, dns, script) that can lead to Remote Code Execution (RCE). This activity is significant as it targets a critical vulnerability that can allow attackers to execute arbitrary code on the server. If confirmed malicious, this could lead to full system compromise, data exfiltration, or further lateral movement within the network.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.http_method IN (POST, GET) by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query Web.http_user_agent
| `drop_dm_object_name("Web")`
| eval utf=if(like(lower(uri_query),"%:utf-8:http%"),2,0)
| eval lookup = if(like(lower(uri_query), "%url%") OR like(lower(uri_query), "%dns%") OR like(lower(uri_query), "%script%"),2,0)
| eval other_lookups = if(like(lower(uri_query), "%env%") OR like(lower(uri_query), "%file%") OR like(lower(uri_query), "%getruntime%") OR like(lower(uri_query), "%java%") OR like(lower(uri_query), "%localhost%") OR like(lower(uri_query), "%properties%") OR like(lower(uri_query), "%resource%") OR like(lower(uri_query), "%sys%") OR like(lower(uri_query), "%xml%") OR like(lower(uri_query), "%base%"),1,0)
| addtotals fieldname=Score utf lookup other_lookups
| fields Score, src, dest, status, uri_query, uri_path, http_method, http_user_agent firstTime lastTime
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where Score >= 3
| `exploit_public_facing_application_via_apache_commons_text_filter`
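To see how the scoring above behaves on concrete requests, here is an added Python re-implementation of the rule's tstats grouping, eval, addtotals and where steps (example code, not Splunk's own; the IPs, paths, timestamps and query strings are constructed test input). It compares getRuntime in lower case, since uri_query is lowercased before the like() checks, and the sample rows cover a repeated hit, two sub-threshold queries and a query that reaches 3 from ordinary substrings alone.

```python
# Lookup keys named in the rule; "getruntime" is compared in lower case
# because the SPL lowercases uri_query before the like() checks.
LOOKUP_KEYS = ("url", "dns", "script")
OTHER_KEYS = ("env", "file", "getruntime", "java", "localhost",
              "properties", "resource", "sys", "xml", "base")
THRESHOLD = 3  # the rule's "where Score >= 3"
GROUP_FIELDS = ("src", "status", "uri_path", "dest", "http_method",
                "uri_query", "http_user_agent")

def score_query(uri_query):
    """Mirror the three eval lines: utf (+2), lookup (+2), other_lookups (+1)."""
    q = uri_query.lower()
    utf = 2 if ":utf-8:http" in q else 0
    lookup = 2 if any(k in q for k in LOOKUP_KEYS) else 0
    other = 1 if any(k in q for k in OTHER_KEYS) else 0
    return utf + lookup + other

def detect(events):
    """Group like 'tstats count min(_time) max(_time) ... by <fields>', score, threshold."""
    groups = {}
    for e in events:
        if e["http_method"] not in ("POST", "GET"):
            continue
        key = tuple(e[f] for f in GROUP_FIELDS)
        g = groups.setdefault(key, {"count": 0, "firstTime": e["_time"],
                                    "lastTime": e["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], e["_time"])
        g["lastTime"] = max(g["lastTime"], e["_time"])
    hits = []
    for key, g in groups.items():
        row = dict(zip(GROUP_FIELDS, key), **g)
        row["Score"] = score_query(row["uri_query"])
        if row["Score"] >= THRESHOLD:
            hits.append(row)
    return hits

def _ev(t, src, query, method="GET"):
    # Constructed Web-datamodel event (not real traffic); _time is epoch seconds.
    return {"_time": t, "src": src, "dest": "10.0.0.8", "status": 200,
            "uri_path": "/search", "uri_query": query, "http_method": method,
            "http_user_agent": "curl/8.0"}

SAMPLE_EVENTS = [
    _ev(1000, "198.51.100.7", "q=${url:UTF-8:http://example.invalid/}"),  # Score 4
    _ev(1060, "198.51.100.7", "q=${url:UTF-8:http://example.invalid/}"),  # same row, count 2
    _ev(1100, "192.0.2.10", "redirect_url=/home&dns_prefetch=1"),         # Score 2, no alert
    _ev(1200, "192.0.2.11", "page=sysinfo.xml&file=readme"),              # Score 1, no alert
    _ev(1300, "192.0.2.12", "load=script.js&type=xml"),                   # Score 3, alerts
]
```

The load=script.js&type=xml row shows that two plain substrings already reach the threshold without any :utf-8:http marker, which is the noise the trailing filter macro exists to tune out. The checks run on uri_query as stored, so a percent-encoded request only scores if the field was decoded before it reached the datamodel.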