Name:Suspicious Java Classes id:6ed33786-5e87-4f55-b62c-cb5f1168b831 version:3 date:2024-10-17 author:Jose Hernandez, Splunk status:experimental type:Anomaly Description:The following analytic identifies suspicious Java classes often used for remote command execution exploits in Java frameworks like Apache Struts. It detects this activity by analyzing HTTP POST requests with specific content patterns using Splunk's `stream_http` data source. This behavior is significant because it may indicate an attempt to exploit vulnerabilities in web applications, potentially leading to unauthorized remote code execution. If confirmed malicious, this activity could allow attackers to execute arbitrary commands on the server, leading to data breaches, system compromise, and further network infiltration. Data_source:
search:`stream_http` http_method=POST http_content_length>1 | regex form_data="(?i)java\.lang\.(?:runtime|processbuilder)" | rename src_ip as src | stats count earliest(_time) as firstTime, latest(_time) as lastTime, values(url) as uri, values(status) as status, values(http_user_agent) as http_user_agent by src, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_java_classes_filter`
how_to_implement:In order to properly run this search, Splunk needs to ingest data from your web-traffic appliances that serve or sit in the path of your Struts application servers. This can be accomplished by indexing data from a web proxy, or by using network traffic-analysis tools, such as Splunk Stream or Bro. known_false_positives:There are no known false positives. References: drilldown_searches:
: tags: analytic_story: - 'Apache Struts Vulnerability' asset_type:Endpoint confidence:50 impact:50 message:tbd observable: name:'user' type:'User' - role: - 'Victim' name:'dest' type:'Hostname' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'http_method' - 'http_content_length' - 'src_ip' - 'url' - 'status' - 'http_user_agent' - 'src' - 'dest' risk_score:25 security_domain:threat
