Techniques
Sample rules
Web or Application Server Spawning a Shell
- source: splunk
- technicques:
- T1190
- T1133
Description
The following analytic detects instances where Java, or Tomcat processes spawn a Linux shell, which may indicate exploitation attempts, such as those related to CVE-2021-44228 (Log4Shell). This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and parent-child process relationships. This activity is significant as it can signify a compromised Java application, potentially leading to unauthorized shell access. If confirmed malicious, attackers could execute arbitrary commands, escalate privileges, or maintain persistent access, posing a severe threat to the environment.
Detection logic
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
(
Processes.parent_process_name IN ("java", "tomcat*", "httpd", "lighttpd", "apache2", "nginx", "node", "caddy")
`linux_shells`
)
OR
(
Processes.parent_process_name IN ("httpd.exe", "nginx.exe", "php*.exe", "php-cgi.exe", "tomcat*.exe", "caddy.exe", "UMWorkerProcess.exe", "w3wp.exe", "ws_TomcatService.exe", "node.exe", "java.exe")
`windows_shells`
)
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `web_or_application_server_spawning_a_shell_filter`