| ID | Technique | Tactic |
|---|---|---|
| T1082 | System Information Discovery | Discovery |
| T1133 | External Remote Services | Initial Access |
Detection: Detect attackers scanning for vulnerable JBoss servers
EXPERIMENTAL DETECTION
This detection status is set to experimental. The Splunk Threat Research team has not yet fully tested, simulated, or built comprehensive datasets for this detection. As such, this analytic is not officially supported. If you have any questions or concerns, please reach out to us at research@splunk.com.
Description
The following analytic identifies specific GET or HEAD requests to web servers that indicate reconnaissance attempts to find vulnerable JBoss servers. It leverages data from the Web data model, focusing on HTTP methods and URLs associated with JBoss management interfaces. This activity is significant because it often precedes exploitation attempts using tools like JexBoss, which can compromise the server. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, or escalate privileges, leading to potential data breaches and system compromise.
Search
1
2| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
3 WHERE (
4 Web.http_method="GET"
5 OR
6 Web.http_method="HEAD"
7 )
8 AND (Web.url="*/web-console/ServerInfo.jsp*" OR Web.url="*web-console*" OR Web.url="*jmx-console*" OR Web.url = "*invoker*")
9 BY Web.http_method, Web.url, Web.src,
10 Web.dest
11
12| `drop_dm_object_name("Web")`
13
14| `security_content_ctime(firstTime)`
15
16| `security_content_ctime(lastTime)`
17
18| `detect_attackers_scanning_for_vulnerable_jboss_servers_filter`
Data Source
No data sources specified for this detection.
Macros Used
| Name | Value |
|---|---|
| security_content_summariesonly | summariesonly=summariesonly_config allow_old_summaries=oldsummaries_config fillnull_value=fillnull_config`` |
| detect_attackers_scanning_for_vulnerable_jboss_servers_filter | search * |
detect_attackers_scanning_for_vulnerable_jboss_servers_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Exploitation
Installation
Delivery
DE.CM
CIS 13
APT18
APT19
APT28
APT29
APT3
APT32
APT37
APT38
APT41
APT42
Akira
Aquatic Panda
BlackByte
Blue Mockingbird
CURIUM
Chimera
Contagious Interview
Daggerfly
Darkhotel
Dragonfly
Ember Bear
FIN13
FIN5
FIN7
FIN8
GALLIUM
GOLD SOUTHFIELD
Gamaredon Group
HEXANE
Higaisa
Inception
Ke3chang
Kimsuky
LAPSUS$
Lazarus Group
Leviathan
Magic Hound
Malteiro
Medusa Group
MirrorFace
Moonstone Sleet
Moses Staff
MuddyWater
Mustang Panda
Mustard Tempest
OilRig
Patchwork
Play
RedCurl
Rocke
Sandworm Team
Scattered Spider
Sea Turtle
SideCopy
Sidewinder
Sowbug
Stealth Falcon
Storm-0501
TA2541
TEMP.Veles
TeamTNT
Threat Group-3390
Tropic Trooper
Turla
VOID MANTICORE
Velvet Ant
Volt Typhoon
Windigo
Windshift
Winter Vivern
Wizard Spider
ZIRCONIUM
admin@338
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Intermediate Finding (Risk Event) | No |
TTP detections generate a Finding (Notable) and may generate Intermediate Findings (Risk Events) for associated entities.
Implementation
You must be ingesting data from the web server or network traffic that contains web specific information, and populating the Web data model.
Known False Positives
It's possible for legitimate HTTP requests to be made to URLs containing the suspicious paths.
Associated Analytic Story
Finding
| Title | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| Potential Scanning for Vulnerable JBoss Servers - $dest$ | dest | system | 50 |
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | Not Applicable | N/A | N/A | N/A |
| Unit | ❌ Failing | N/A | N/A |
N/A |
| Integration | ❌ Failing | N/A | N/A |
N/A |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 8