LoFP / the jsp file names are static names used in current proof of concept code. =

Techniques

• T1133
• T1190
• T1505
• T1505.003

Sample rules

Spring4Shell Payload URL Request

• source: splunk
• technicques:
  • T1505.003
  • T1505
  • T1190
  • T1133

Description

The following analytic detects attempts to exploit the Spring4Shell vulnerability (CVE-2022-22963) by identifying specific URL patterns associated with web shell payloads. It leverages web traffic data, focusing on HTTP GET requests with URLs containing indicators like “tomcatwar.jsp,” “poc.jsp,” and “shell.jsp.” This activity is significant as it suggests an attacker is trying to deploy a web shell, which can lead to remote code execution. If confirmed malicious, this could allow the attacker to gain persistent access, execute arbitrary commands, and potentially escalate privileges within the compromised environment.

Detection logic

| tstats count from datamodel=Web where Web.http_method IN ("GET") Web.url IN ("*tomcatwar.jsp*","*poc.jsp*","*shell.jsp*") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype 
| `drop_dm_object_name("Web")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `spring4shell_payload_url_request_filter`