name: Web or Application Server Spawning a Shell
id: 8fdb41ad-091c-4d7a-af1d-9123fe94b539
version: 1
date: '2025-10-07'
author: Michael Haag, Nasreddine Bencherchali, Splunk
status: production
type: TTP
description: The following analytic detects instances where Java or Tomcat processes
  spawn a Linux shell, which may indicate exploitation attempts, such as those
  related to CVE-2021-44228 (Log4Shell). This detection leverages Endpoint Detection
  and Response (EDR) telemetry, focusing on process names and parent-child process
  relationships. This activity is significant as it can signify a compromised Java
  application, potentially leading to unauthorized shell access. If confirmed malicious,
  attackers could execute arbitrary commands, escalate privileges, or maintain persistent
  access, posing a severe threat to the environment.
data_source:
- Sysmon for Linux EventID 1
- Sysmon EventID 1
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
  from datamodel=Endpoint.Processes where
  ( Processes.parent_process_name IN ("java", "tomcat", "httpd", "lighttpd", "apache2", "nginx", "node", "caddy") `linux_shells` )
  OR ( Processes.parent_process_name IN ("httpd.exe", "nginx.exe", "php.exe", "php-cgi.exe", "tomcat*.exe", "caddy.exe", "UMWorkerProcess.exe", "w3wp.exe", "ws_TomcatService.exe", "node.exe", "java.exe") `windows_shells` )'
how_to_implement: The detection is based on data that originates from Endpoint Detection
  and Response (EDR) agents. These agents are designed to provide security-related
  telemetry from the endpoints where the agent is installed. To implement this search,
  you must ingest logs that contain the process GUID, process name, and parent process.
  Additionally, you must ingest complete command-line executions. These logs must
  be processed using the appropriate Splunk Technology Add-ons that are specific to
  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
  data model. Use the Splunk Common Information Model (CIM) to normalize the field
  names and speed up the data modeling process.
known_false_positives: Filtering may be required on internal developer build systems.
  Alternatively, classify assets as web facing and restrict the analytic based on asset type.
references:
- https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/
- https://gist.github.com/olafhartong/916ebc673ba066537740164f7e7e1d72
drilldown_searches:
- name: 'View the detection results for - "$dest$"'
  search: '%original_detection_search% | search dest = "$dest$"'
  earliest_offset: '$info_min_time$'
  latest_offset: '$info_max_time$'
- name: 'View risk events for the last 7 days for - "$dest$"'
  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
  earliest_offset: '$info_min_time$'
  latest_offset: '$info_max_time$'
tags:
  analytic_story:
  - 'Data Destruction'
  - 'Spring4Shell CVE-2022-22965'
  - 'Hermetic Wiper'
  - 'Log4Shell CVE-2021-44228'
  asset_type: Endpoint
  mitre_attack_id:
  - 'T1190'
  - 'T1133'
  product:
  - 'Splunk Enterprise'
  - 'Splunk Enterprise Security'
  - 'Splunk Cloud'
  security_domain: endpoint
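As an added illustration (not part of the detection above or the Splunk security_content project), the search's parent/child shell logic replayed in Python over constructed Sysmon EventID 1 style records that have already been normalised to the Processes fields; the shell lists approximate the `linux_shells` and `windows_shells` macros, whose exact definitions are an assumption here.

```python
from fnmatch import fnmatchcase

# Parent process names taken from the search above.
LINUX_WEB_PARENTS = {"java", "tomcat", "httpd", "lighttpd", "apache2", "nginx", "node", "caddy"}
WINDOWS_WEB_PARENTS = ["httpd.exe", "nginx.exe", "php.exe", "php-cgi.exe", "tomcat*.exe",
                       "caddy.exe", "UMWorkerProcess.exe", "w3wp.exe",
                       "ws_TomcatService.exe", "node.exe", "java.exe"]
# ASSUMPTION: approximations of the `linux_shells` / `windows_shells` macros,
# whose exact definitions live in the security_content repo, not on this page.
LINUX_SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "fish"}
WINDOWS_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh.exe", "bash.exe", "wsl.exe"}


def is_web_server_shell(event):
    """True when the event matches either branch of the search's where clause."""
    parent = event.get("parent_process_name", "")
    child = event.get("process_name", "")
    if parent in LINUX_WEB_PARENTS and child in LINUX_SHELLS:
        return True
    # "tomcat*.exe" is a wildcard in the search, so match the Windows list with globbing.
    if child in WINDOWS_SHELLS and any(fnmatchcase(parent, p) for p in WINDOWS_WEB_PARENTS):
        return True
    return False


def summarise(events):
    """Mirror the tstats count / min(_time) / max(_time), keyed by host, parent and shell."""
    out = {}
    for e in events:
        if not is_web_server_shell(e):
            continue
        key = (e["dest"], e["parent_process_name"], e["process_name"])
        count, first, last = out.get(key, (0, e["_time"], e["_time"]))
        out[key] = (count + 1, min(first, e["_time"]), max(last, e["_time"]))
    return out


# Constructed Sysmon EventID 1 style records, already CIM-normalised to Processes fields.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "dest": "web01", "parent_process_name": "java", "process_name": "bash"},
    {"_time": 1700000600, "dest": "web01", "parent_process_name": "java", "process_name": "bash"},
    {"_time": 1700000700, "dest": "iis01", "parent_process_name": "w3wp.exe", "process_name": "cmd.exe"},
    {"_time": 1700000800, "dest": "build01", "parent_process_name": "sshd", "process_name": "bash"},
    {"_time": 1700000900, "dest": "web02", "parent_process_name": "tomcat9.exe", "process_name": "powershell.exe"},
]

if __name__ == "__main__":
    for (dest, parent, shell), (count, first, last) in summarise(SAMPLE_EVENTS).items():
        print(f"{dest}: {parent} -> {shell} count={count} firstTime={first} lastTime={last}")
```

The build01 record (sshd spawning bash) is the kind of event the rule ignores, while the developer build systems named under known_false_positives would match and need the asset-type filter.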