Name:Exploit Public Facing Application via Apache Commons Text id:19a481e0-c97c-4d14-b1db-75a708eb592e version:4 date:2024-09-30 author:Michael Haag, Splunk status:production type:Anomaly Description:The following analytic detects attempts to exploit the CVE-2022-42889 vulnerability in the Apache Commons Text Library, known as Text4Shell. It leverages the Web datamodel to identify suspicious HTTP requests containing specific lookup keys (url, dns, script) that can lead to Remote Code Execution (RCE). This activity is significant as it targets a critical vulnerability that can allow attackers to execute arbitrary code on the server. If confirmed malicious, this could lead to full system compromise, data exfiltration, or further lateral movement within the network. Data_source:
-Nginx Access
search:| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.http_method IN (POST, GET) by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query Web.http_user_agent | `drop_dm_object_name("Web")` | eval utf=if(like(lower(uri_query),"%:utf-8:http%"),2,0) | eval lookup = if(like(lower(uri_query), "%url%") OR like(lower(uri_query), "%dns%") OR like(lower(uri_query), "%script%"),2,0) | eval other_lookups = if(like(lower(uri_query), "%env%") OR like(lower(uri_query), "%file%") OR like(lower(uri_query), "%getRuntime%") OR like(lower(uri_query), "%java%") OR like(lower(uri_query), "%localhost%") OR like(lower(uri_query), "%properties%") OR like(lower(uri_query), "%resource%") OR like(lower(uri_query), "%sys%") OR like(lower(uri_query), "%xml%") OR like(lower(uri_query), "%base%"),1,0) | addtotals fieldname=Score utf lookup other_lookups | fields Score, src, dest, status, uri_query, uri_path, http_method, http_user_agent firstTime lastTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where Score >= 3 | `exploit_public_facing_application_via_apache_commons_text_filter`
how_to_implement:To implement, one must be collecting network traffic that is normalized in CIM and able to be queried via the Web datamodel. Or, take the chunks out needed and tie to a specific network source type to hunt in. Tune as needed, or remove the other_lookups statement. known_false_positives:False positives are present when the values are set to 1 for utf and lookup. It's possible to raise this to TTP (direct notable) if removal of other_lookups occur and Score is raised to 2 (down from 4). References: -https://sysdig.com/blog/cve-2022-42889-text4shell/ -https://nvd.nist.gov/vuln/detail/CVE-2022-42889 -https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om -https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-stop-saying-4shell/ -https://github.com/kljunowsky/CVE-2022-42889-text4shell -https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035 drilldown_searches: name:'View the detection results for - "$dest$"' search:'%original_detection_search% | search dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Text4Shell CVE-2022-42889' asset_type:Web Server confidence:70 cve: - 'CVE-2022-42889' impact:70 message:A URL was requested related to Text4Shell on $dest$ by $src$. mitre_attack_id: - 'T1505.003' - 'T1505' - 'T1190' - 'T1133' observable: name:'dest' type:'IP Address' - role: - 'Victim' name:'src' type:'IP Address' - role: - 'Attacker' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'Web.http_method' - 'Web.src' - 'Web.dest' - 'Web.http_user_agent' - 'Web.status' - 'Web.uri_query' - 'Web.uri_path' risk_score:49 security_domain:network
