ID | Technique | Tactic |
---|---|---|
T1190 | Exploit Public-Facing Application | Initial Access |
T1133 | External Remote Services | Initial Access |
Detection: Java Writing JSP File
Description
The following analytic detects the Java process writing a .jsp file to disk, which may indicate a web shell being deployed. It leverages data from the Endpoint datamodel, specifically monitoring process and filesystem activities. This activity is significant because web shells can provide attackers with remote control over the compromised server, leading to further exploitation. If confirmed malicious, this could allow unauthorized access, data exfiltration, or further compromise of the affected system, posing a severe security risk.
Search
1
2| tstats prestats=t `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name IN ("java","java.exe", "javaw.exe") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
3| `drop_dm_object_name(Processes)`
4| tstats prestats=t append=t `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name="*.jsp*" by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product
5| `drop_dm_object_name(Filesystem)`
6| table action dest original_file_name parent_process parent_process_exec parent_process_guid parent_process_id parent_process_name parent_process_path process process_exec process_guid process_hash process_id process_integrity_level process_name process_path user user_id vendor_product file_access_time file_create_time file_hash file_modify_time file_name file_path file_acl file_size firstTime lastTime
7| stats values(action) as action values(dest) as dest values(original_file_name) as original_file_name values(parent_process) as parent_process values(parent_process_exec) as parent_process_exec values(parent_process_guid) as parent_process_guid values(parent_process_id) as parent_process_id values(parent_process_name) as parent_process_name values(parent_process_path) as parent_process_path values(process) as process values(process_exec) as process_exec values(process_hash) as process_hash values(process_id) as process_id values(process_integrity_level) as process_integrity_level values(process_name) as process_name values(process_path) as process_path values(user) as user values(user_id) as user_id values(vendor_product) as vendor_product values(file_access_time) as file_access_time values(file_create_time) as file_create_time values(file_hash) as file_hash values(file_modify_time) as file_modify_time values(file_name) as file_name values(file_path) as file_path values(file_acl) as file_acl values(file_size) as file_size by process_guid
8| where isnotnull(process) AND isnotnull(file_name)
9| `java_writing_jsp_file_filter`
Data Source
Name | Platform | Sourcetype | Source |
---|---|---|---|
Sysmon for Linux EventID 1 | 'sysmon:linux' |
'Syslog:Linux-Sysmon/Operational' |
|
Sysmon for Linux EventID 11 | 'sysmon:linux' |
'Syslog:Linux-Sysmon/Operational' |
Macros Used
Name | Value |
---|---|
security_content_summariesonly | summariesonly= summariesonly_config allow_old_summaries= oldsummaries_config fillnull_value= fillnull_config`` |
java_writing_jsp_file_filter | search * |
java_writing_jsp_file_filter
is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Disabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Creates Notable | Yes |
Rule Title | %name% |
Rule Description | %description% |
Notable Event Fields | user, dest |
Creates Risk Event | True |
Implementation
To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the Endpoint
datamodel in the Processes
and Filesystem
node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
Known False Positives
False positives are possible and filtering may be required. Restrict by assets or filter known jsp files that are common for the environment.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
An instance of $process_name$ was identified on endpoint $dest$ writing a jsp file $file_name$ to disk, potentially indicative of exploitation.
Risk Object | Risk Object Type | Risk Score | Threat Objects |
---|---|---|---|
dest | system | 42 | process_name |
References
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | ✅ Passing | N/A | N/A | N/A |
Unit | ✅ Passing | Dataset | Syslog:Linux-Sysmon/Operational |
sysmon:linux |
Integration | ✅ Passing | Dataset | Syslog:Linux-Sysmon/Operational |
sysmon:linux |
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 7