it's possible for legitimate http requests to be made to urls containing the suspicious paths.

t1082
t1133
web server
splunk

Techniques

T1082
T1133

Sample rules

Detect attackers scanning for vulnerable JBoss servers

source: splunk
technicques:
- T1082
- T1133

Description

This search looks for specific GET or HEAD requests to web servers that are indicative of reconnaissance attempts to identify vulnerable JBoss servers. JexBoss is described as the exploit tool of choice for this malicious activity.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method="GET" OR Web.http_method="HEAD") AND (Web.url="*/web-console/ServerInfo.jsp*" OR Web.url="*web-console*" OR Web.url="*jmx-console*" OR Web.url = "*invoker*") by Web.http_method, Web.url, Web.src, Web.dest 
| `drop_dm_object_name("Web")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `detect_attackers_scanning_for_vulnerable_jboss_servers_filter`