the jsp file names are static names used in current proof of concept code. =

t1133
t1190
t1505
t1505.003
web server
splunk

Techniques

T1133
T1190
T1505
T1505.003

Sample rules

Spring4Shell Payload URL Request

source: splunk
technicques:
- T1505.003
- T1505
- T1190
- T1133

Description

The following analytic is static indicators related to CVE-2022-22963, Spring4Shell. The 3 indicators provide an amount of fidelity that source IP is attemping to exploit a web shell on the destination. The filename and cmd are arbitrary in this exploitation. Java will write a JSP to disk and a process will spawn from Java based on the cmd passed. This is indicative of typical web shell activity.

Detection logic


| tstats count from datamodel=Web where Web.http_method IN ("GET") Web.url IN ("*tomcatwar.jsp*","*poc.jsp*","*shell.jsp*") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype 
| `drop_dm_object_name("Web")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `spring4shell_payload_url_request_filter`