Techniques
Sample rules
Osquery pack - ColdRoot detection
- source: splunk
- techniques:
Description
This search looks for results of the OSX_ColdRoot_RAT_Launchd and OSX_ColdRoot_RAT_Files queries from the osx-attacks osquery pack, as forwarded to Splunk in osquery:results events, and counts the matching paths per host and user in 30-second buckets.
Detection logic
| from datamodel Alerts.Alerts
| search app=osquery:results (name=pack_osx-attacks_OSX_ColdRoot_RAT_Launchd OR name=pack_osx-attacks_OSX_ColdRoot_RAT_Files)
| rename columns.path as path
| bucket _time span=30s
| stats count(path) by _time, host, user, path
| `osquery_pack___coldroot_detection_filter`
Suspicious Java Classes
- source: splunk
- techniques:
Description
The following analytic identifies suspicious Java classes often used for remote command execution exploits in Java frameworks like Apache Struts. It detects this activity by matching the body (form_data) of HTTP POST requests from Splunk's stream_http data source against references to java.lang.Runtime or java.lang.ProcessBuilder, then summarising hits per source and destination. This behavior is significant because it may indicate an attempt to exploit vulnerabilities in web applications, potentially leading to unauthorized remote code execution. If confirmed malicious, this activity could allow attackers to execute arbitrary commands on the server, leading to data breaches, system compromise, and further network infiltration.
Detection logic
`stream_http` http_method=POST http_content_length>1
| regex form_data="(?i)java\.lang\.(?:runtime|processbuilder)"
| rename src_ip as src
| stats count earliest(_time) as firstTime, latest(_time) as lastTime, values(url) as uri, values(status) as status, values(http_user_agent) as http_user_agent by src, dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `suspicious_java_classes_filter`
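As an added example (not part of the page's rule set or of Splunk's security content), the following Python reproduces the Suspicious Java Classes logic above over a few constructed stream_http-style events: the POST and content-length filters, the case-insensitive java.lang.Runtime / java.lang.ProcessBuilder regex, and the per-src/dest stats with earliest, latest and values() fields. The event field names and payload strings are assumptions made for the example. The decode option goes beyond the page's rule: it percent-decodes the body before matching, which shows that a payload reaching Splunk still URL-encoded would slip past the regex as written.

```python
import re
from datetime import datetime, timezone
from urllib.parse import unquote_plus

# Same pattern as the SPL `regex form_data=...` stage: case-insensitive match on
# java.lang.Runtime or java.lang.ProcessBuilder anywhere in the POST body.
JAVA_CLASS_RE = re.compile(r"(?i)java\.lang\.(?:runtime|processbuilder)")

# Constructed stream_http-style events (not real traffic). Field names follow
# the rule: _time, http_method, http_content_length, src_ip, dest, url, status,
# http_user_agent, form_data.
SAMPLE_EVENTS = [
    # Ordinary login form: should not match.
    {"_time": 1700000000, "http_method": "POST", "http_content_length": 34,
     "src_ip": "10.0.0.5", "dest": "192.168.1.20", "url": "/login",
     "status": 200, "http_user_agent": "Mozilla/5.0",
     "form_data": "username=alice&password=hunter2"},
    # Struts-style OGNL body naming java.lang.Runtime (constructed payload text).
    {"_time": 1700000010, "http_method": "POST", "http_content_length": 61,
     "src_ip": "203.0.113.7", "dest": "192.168.1.20", "url": "/struts/index.action",
     "status": 500, "http_user_agent": "python-requests/2.31",
     "form_data": "id=%{@java.lang.Runtime@getRuntime().exec('id')}"},
    # Same source, ProcessBuilder in mixed case: the (?i) flag still matches.
    {"_time": 1700000055, "http_method": "POST", "http_content_length": 58,
     "src_ip": "203.0.113.7", "dest": "192.168.1.20", "url": "/struts/upload.action",
     "status": 500, "http_user_agent": "python-requests/2.31",
     "form_data": "name=(new Java.Lang.ProcessBuilder('whoami')).start()"},
    # Same payload as the second event but still percent-encoded: the raw
    # regex never sees "java.lang." unless the body is decoded first.
    {"_time": 1700000090, "http_method": "POST", "http_content_length": 70,
     "src_ip": "203.0.113.7", "dest": "192.168.1.20", "url": "/struts/index.action",
     "status": 500, "http_user_agent": "python-requests/2.31",
     "form_data": "id=%25%7B%40java%2Elang%2ERuntime%40getRuntime%28%29%7D"},
    # GET request carrying the class name: excluded by http_method=POST.
    {"_time": 1700000120, "http_method": "GET", "http_content_length": 0,
     "src_ip": "198.51.100.9", "dest": "192.168.1.20", "url": "/search",
     "status": 200, "http_user_agent": "curl/8.0",
     "form_data": "q=java.lang.Runtime"},
]


def ctime(epoch):
    """Stand-in for the `security_content_ctime` macro: epoch -> readable UTC time."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def matches(event, decode=False):
    """Apply the rule's filters to one event.

    decode=True is an extension of the page's rule (an assumption for this
    example): it percent-decodes the body before matching, which the SPL does not.
    """
    if event.get("http_method") != "POST":
        return False
    if event.get("http_content_length", 0) <= 1:
        return False
    body = event.get("form_data", "")
    if decode:
        body = unquote_plus(body)
    return JAVA_CLASS_RE.search(body) is not None


def detect(events, decode=False):
    """Equivalent of `stats count earliest(_time) ... values(...) by src, dest`."""
    rows = {}
    for ev in events:
        if not matches(ev, decode):
            continue
        key = (ev["src_ip"], ev["dest"])  # `rename src_ip as src`, group by src, dest
        row = rows.setdefault(key, {
            "count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"],
            "uri": set(), "status": set(), "http_user_agent": set()})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
        row["uri"].add(ev["url"])
        row["status"].add(ev["status"])
        row["http_user_agent"].add(ev["http_user_agent"])
    # values() in SPL yields deduplicated, sorted multivalue fields; the two
    # ctime macros turn the epoch bounds into readable timestamps.
    for row in rows.values():
        for field in ("uri", "status", "http_user_agent"):
            row[field] = sorted(row[field], key=str)
        row["firstTime"] = ctime(row["firstTime"])
        row["lastTime"] = ctime(row["lastTime"])
    return rows


if __name__ == "__main__":
    for (src, dest), row in detect(SAMPLE_EVENTS).items():
        print(src, "->", dest, row)
```

Run as-is, only the 203.0.113.7 source is reported, with two hits; with decode=True the percent-encoded event joins them as a third. Whether form_data arrives already decoded depends on how the body is parsed upstream, so check that against real stream_http events before relying on the regex alone.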