Spring RCE post-exploitation activity attempted


Goal

This rule detects attempted post-exploitation activity of CVE-2022-22965 with an HTTP GET parameter.

Strategy

This rule looks for requests where @http.url_details.path = <RANDOM_FILE_NAME>.jsp, @http.url_details.queryString.pwd = *, and @http.url_details.queryString.cmd = <RANDOM_CMD_EXECUTION>. A request that matches all three indicates web shell activity, which in turn indicates that the Spring RCE exploitation succeeded.
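The following Python script is an added illustration of the matching logic described above; it is not Datadog's rule implementation. It splits a request URL into the path and query-string attributes the rule references, applies the three conditions, and returns the cmd value an analyst needs to check on the host. The sample request lines and the placeholder file and parameter names are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs


def url_details(url: str) -> dict:
    """Split a request URL into the attributes the rule references.

    Mirrors the shape of @http.url_details.path and
    @http.url_details.queryString (assumption: one value per parameter).
    """
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"path": parts.path, "queryString": query}


def matches_spring_rce_webshell(details: dict) -> bool:
    """Rule logic: path ends in .jsp and the query string carries both pwd and cmd."""
    path = details.get("path", "")
    qs = details.get("queryString", {})
    return path.lower().endswith(".jsp") and "pwd" in qs and "cmd" in qs


# Constructed sample requests (placeholder names, not real indicators).
SAMPLE_REQUESTS = [
    "/placeholder1234.jsp?pwd=PLACEHOLDER_PWD&cmd=id",  # all three conditions met
    "/index.jsp?page=1",                                # ordinary JSP page, no pwd/cmd
    "/api/users?pwd=PLACEHOLDER_PWD&cmd=id",            # pwd and cmd present but not a .jsp path
    "/placeholder1234.jsp?cmd=id",                      # .jsp with cmd but no pwd
]


def triage_hits(urls):
    """Return (url, cmd) pairs: the command values to verify on the host."""
    hits = []
    for u in urls:
        d = url_details(u)
        if matches_spring_rce_webshell(d):
            hits.append((u, d["queryString"]["cmd"]))
    return hits


if __name__ == "__main__":
    for url, cmd in triage_hits(SAMPLE_REQUESTS):
        print(f"ALERT {url} -> check whether '{cmd}' ran on the host")
```

Only the first sample request produces an alert; the other three each fail one of the three conditions, which is the point of requiring all of them together rather than alerting on any .jsp request or any cmd parameter alone.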

Triage and response

Check your host to see if the {{@http.url_details.queryString.cmd}} command ran successfully. If so:

  • Follow your company’s Incident Response process, since this detection indicates post-exploitation activity.
  • Refer to the vendor’s advisory for remediation of this Remote Code Execution (RCE) vulnerability.

Changelog

  • 06 June 2022 - The severity has been lowered due to rule fidelity on just log telemetry.
  • 31 March 2022 - Rule added in response to CVE-2022-22965