Detection rule | Level: high | Status: test

Java Payload Strings

Detects possible Java payloads in web access logs

Authors: François Hubaut, Harjot Singh, @cyb3rjy0t
Created: Sat Jun 04
Updated: Thu Jan 19
Rule ID: 583aa0a2-30b1-4d62-8bf3-ab73689efe6c
Rule directory: web
Log Source
Category: Web Server Log (raw: webserver)

HTTP access logs from web servers capturing request paths, methods, and status codes.

Detection Logic (1 selector)
detection:
    keywords:
        # Sigma keyword lists are case-insensitive substring matches on the raw
        # log line, so URL-encoded and literal forms of each string are listed.
        - '%24%7B%28%23a%3D%40'        # URL-encoded '${(#a=@' (OGNL expression start)
        - '${(#a=@'
        - '%24%7B%40java'              # URL-encoded '${@java' (static method access)
        - '${@java'
        - 'u0022java'                  # \u0022 (escaped double quote) before 'java'
        - '%2F%24%7B%23'               # URL-encoded '/${#'
        - '/${#'
        - 'new+java.'                  # 'new java.' with the space encoded as '+'
        - 'getRuntime().exec('
        - 'getRuntime%28%29.exec%28'   # URL-encoded 'getRuntime().exec('
    condition: keywords
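To see how the selector behaves on real input, here is an added example (not part of the Sigma rule or the project) that runs the keyword list above over constructed Apache-style access-log lines. It applies the rule's own semantics (case-insensitive substring match on the raw line) and, as an assumed hardening that the rule itself does not do, also matches after URL-decoding both sides once, which catches a payload that uses '%20' instead of '+' and therefore slips past the raw keyword 'new+java.'. The log lines and IP addresses are constructed for the example.

```python
"""Added example: run the rule's keyword list over constructed access-log lines."""
from urllib.parse import unquote_plus

# Keyword list copied from the rule's detection block.
KEYWORDS = [
    '%24%7B%28%23a%3D%40',
    '${(#a=@',
    '%24%7B%40java',
    '${@java',
    'u0022java',
    '%2F%24%7B%23',
    '/${#',
    'new+java.',
    'getRuntime().exec(',
    'getRuntime%28%29.exec%28',
]


def keyword_hits(line: str) -> list[str]:
    """Sigma 'keywords' semantics: case-insensitive substring match on the raw
    log line. Returns the matching keywords in rule order."""
    low = line.lower()
    return [k for k in KEYWORDS if k.lower() in low]


def decoded_hits(line: str) -> list[str]:
    """Assumed hardening, not part of the rule: URL-decode the line and every
    keyword once (unquote_plus maps both '+' and '%20' to a space) and match on
    the decoded forms, so alternate encodings of the same payload are caught.
    Returns the distinct decoded keywords that matched, sorted."""
    decoded = unquote_plus(line).lower()
    hits = {unquote_plus(k) for k in KEYWORDS if unquote_plus(k).lower() in decoded}
    return sorted(hits)


# Constructed sample log lines (Apache combined format); not real traffic.
BENIGN = ('10.0.0.5 - - [04/Jun/2022:10:00:00 +0000] '
          '"GET /docs/java/runtime.html HTTP/1.1" 200 512')
ENCODED = ('198.51.100.7 - - [04/Jun/2022:10:01:00 +0000] '
           '"GET /%24%7B%28%23a%3D%40java.lang.Runtime%40getRuntime%28%29'
           '.exec%28%22id%22%29%7D/ HTTP/1.1" 302 0')
PLAIN = ('198.51.100.7 - - [04/Jun/2022:10:02:00 +0000] '
         '"GET /${@java.lang.Runtime@getRuntime().exec(\'id\')} HTTP/1.1" 400 0')
EVASION = ('198.51.100.7 - - [04/Jun/2022:10:03:00 +0000] '
           '"GET /search?q=new%20java.lang.ProcessBuilder HTTP/1.1" 200 77')


def scan(lines: list[str]) -> list[tuple[int, list[str], list[str]]]:
    """Return (index, raw_hits, decoded_hits) for each line that triggers
    either the rule's raw match or the decoded match."""
    out = []
    for i, line in enumerate(lines):
        raw, dec = keyword_hits(line), decoded_hits(line)
        if raw or dec:
            out.append((i, raw, dec))
    return out


if __name__ == "__main__":
    for i, raw, dec in scan([BENIGN, ENCODED, PLAIN, EVASION]):
        print(f"line {i}: raw={raw} decoded={dec}")
```

The EVASION line is the case worth noting: the rule as written does not fire on it, because the only space-containing keyword is 'new+java.' and the request encodes the space as '%20'. Decoding before matching closes that gap but also means the decoded keyword set is what you are really alerting on, so any tuning of false positives should be done against the decoded forms.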
False Positives

Legitimate applications whose request paths or query strings happen to contain these substrings.

MITRE ATT&CK

Initial Access (attack.initial-access): T1190 Exploit Public-Facing Application (attack.t1190)

Other

CVE-2022-26134, CVE-2021-26084 (OGNL injection vulnerabilities in Atlassian Confluence Server and Data Center)
Rule Metadata
Rule ID
583aa0a2-30b1-4d62-8bf3-ab73689efe6c
Status
test
Level
high
Type
Detection
Created
Sat Jun 04
Modified
Thu Jan 19
Path
rules/web/webserver_generic/web_java_payload_in_access_logs.yml
Raw Tags
cve.2022-26134
cve.2021-26084
attack.initial-access
attack.t1190