Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

JNDIExploit Pattern

Detects exploitation attempt using the JNDI-Exploit-Kit

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems)Created Sun Dec 12Updated Sun Dec 25412d55bc-7737-4d25-9542-5b396867ce55web
Log Source
Web Server Log
CategoryWeb Server Log← raw: webserver

HTTP access logs from web servers capturing request paths, methods, and status codes.

Detection Logic
Detection Logic1 selector
detection:
    keywords:
        - '/Basic/Command/Base64/'
        - '/Basic/ReverseShell/'
        - '/Basic/TomcatMemshell'
        - '/Basic/JettyMemshell'
        - '/Basic/WeblogicMemshell'
        - '/Basic/JBossMemshell'
        - '/Basic/WebsphereMemshell'
        - '/Basic/SpringMemshell'
        - '/Deserialization/URLDNS/'
        - '/Deserialization/CommonsCollections1/Dnslog/'
        - '/Deserialization/CommonsCollections2/Command/Base64/'
        - '/Deserialization/CommonsBeanutils1/ReverseShell/'
        - '/Deserialization/Jre8u20/TomcatMemshell'
        - '/TomcatBypass/Dnslog/'
        - '/TomcatBypass/Command/'
        - '/TomcatBypass/ReverseShell/'
        - '/TomcatBypass/TomcatMemshell'
        - '/TomcatBypass/SpringMemshell'
        - '/GroovyBypass/Command/'
        - '/WebsphereBypass/Upload/'
    condition: keywords
False Positives

Legitimate apps the use these paths

References
1
Resolving title…
github.com
2
Resolving title…
web.archive.org
MITRE ATT&CK
Rule Metadata
Rule ID
412d55bc-7737-4d25-9542-5b396867ce55
Status
test
Level
high
Type
Detection
Created
Sun Dec 12
Modified
Sun Dec 25
Author
Florian Roth (Nextron Systems)
Path
rules/web/webserver_generic/web_jndi_exploit.yml
Raw Tags
attack.initial-accessattack.t1190
View on GitHub