Emerging Threathightest

Apache Spark Shell Command Injection - ProcessCreation

Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Nasreddine Bencherchali (Nextron Systems)Created Wed Jul 20c8a5f584-cdc8-42cc-8cce-0398e4265de32022

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

LinuxProcess Creation

ProductLinux← raw: linux

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        ParentImage|endswith: '\bash'
        CommandLine|contains:
            - 'id -Gn `'
            - "id -Gn '"
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

MITRE ATT&CK

Tactics

TA0001 · Initial Access

Techniques

T1190 · Exploit Public-Facing Application

Other

cve.2022-33891detection.emerging-threats

Rule Metadata

Rule ID

c8a5f584-cdc8-42cc-8cce-0398e4265de3

Status

test

Level

high

Type

Emerging Threat

Created

Wed Jul 20

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules-emerging-threats/2022/Exploits/CVE-2022-33891/proc_creation_lnx_exploit_cve_2022_33891_spark_shell_command_injection.yml

Raw Tags

attack.initial-accessattack.t1190cve.2022-33891detection.emerging-threats

View on GitHub