⚠️ WARNING THIS IS A EXPERIMENTAL DETECTION

We have not been able to test, simulate or build datasets for it, use at your own risk!

Try in Splunk Security Cloud

Description

This search is used to detect malicious HTTP requests crafted to exploit jmx-console in JBoss servers. The malicious requests have a long URL length, as the payload is embedded in the URL.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Web
  • Last Updated: 2017-09-23
  • Author: Bhavin Patel, Splunk
  • ID: c8bff7a4-11ea-4416-a27d-c5bca472913d

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method="GET" OR Web.http_method="HEAD") by Web.http_method, Web.url,Web.url_length Web.src, Web.dest 
| search Web.url="*jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin*import*" AND Web.url_length > 200 
| `drop_dm_object_name("Web")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| table src, dest_ip, http_method, url, firstTime, lastTime 
| `detect_malicious_requests_to_exploit_jboss_servers_filter`

Associated Analytic Story

How To Implement

You must ingest data from the web server or capture network data that contains web specific information with solutions such as Bro or Splunk Stream, and populating the Web data model

Required field

  • _time
  • Web.http_method
  • Web.url
  • Web.url_length
  • Web.src
  • Web.dest

Kill Chain Phase

  • Delivery

Known False Positives

No known false positives for this detection.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1