forked from splunk/security_content
jboss_vulnerability.yml
name: JBoss Vulnerability
id: 1f5294cb-b85f-4c2d-9c58-ffcf248f52bd
version: 1
date: '2017-09-14'
author: Bhavin Patel, Splunk
description: In March of 2016, adversaries were seen using JexBoss--an open-source
  utility used for testing and exploiting JBoss application servers. These searches
  help detect evidence of these attacks, such as network connections to external resources
  or web services spawning atypical child processes, among others.
narrative: 'This Analytic Story looks for probing and exploitation attempts targeting
  JBoss application servers. While the vulnerabilities associated with this story
  are rather dated, they were leveraged in a spring 2016 campaign in connection with
  the Samsam ransomware variant. Incidents involving this ransomware are unique, in
  that they begin with attacks against vulnerable services, rather than the phishing
  or drive-by attacks more common with ransomware. In this case, vulnerable JBoss
  applications appear to be the target of choice.\
  It is helpful to understand how often a notable event generated by this story occurs,
  as well as the commonalities between some of these events, both of which may provide
  clues about whether this is a common occurrence of minimal concern or a rare event
  that may require more extensive investigation. It may also help to understand whether
  the issue is restricted to a single user/system or whether it is broader in scope.\
  When looking at the target of the behavior uncovered by the event, you should note
  the sensitivity of the user and/or system to help determine the potential impact.
  It is also helpful to identify other recent events involving the target. This can
  help tie different events together and give further situational awareness regarding
  the target host.\
  Various types of information for external systems should be reviewed and, potentially,
  collected if the incident is, indeed, judged to be malicious. This data may be useful
  for generating your own threat intelligence, so you can create future alerts.\
  The following factors may assist you in determining whether the event is malicious:
  \
  1. Country of origin\
  1. Responsible party\
  1. Fully qualified domain names associated with the external IP address\
  1. Registration of fully qualified domain names associated with external IP address
  Determining whether it is a dynamic domain frequently visited by others and/or how
  third parties categorize it can also help you qualify and understand the event and
  possible motivation for the attack. In addition, there are various sources that
  may provide reputation information on the IP address or domain name, which can assist
  you in determining whether the event is malicious in nature. Finally, determining
  whether there are other events associated with the IP address may help connect data
  points or expose other historic events that might be brought back into scope.\
  Gathering various data on the system of interest can sometimes help quickly determine
  whether something suspicious is happening. Some of these items include determining
  who else may have logged into the system recently, whether any unusual scheduled
  tasks exist, whether the system is communicating on suspicious ports, whether there
  are modifications to sensitive registry keys, and/or whether there are any known
  vulnerabilities on the system. This information can often highlight other activity
  commonly seen in attack scenarios or give more information about how the system
  may have been targeted.\
  When a specific service or application is targeted, it is often helpful to know the
  associated version, to help determine whether it is vulnerable to a specific exploit.\
  If you suspect an attack targeting a web server, it is helpful to look at some of
  the behavior of the web service to see if there is evidence that the service has
  been compromised. Some indications of this might be network connections to external
  resources, the web service spawning child processes that are not associated with
  typical behavior, and whether the service wrote any files that might be malicious
  in nature.\
  If a suspicious file is found, we can review more information about it to help determine
  if it is, in fact, malicious. Identifying the file type, any processes that opened
  the file, the processes that may have created and/or modified the file, and how
  many other systems potentially have this file can help you determine whether the file
  is malicious. Also, determining the file hash and checking it against reputation
  sources, such as VirusTotal, can sometimes help you quickly determine if it is malicious
  in nature.\
  Often, a simple inspection of a suspect process name and path can tell you if the
  system has been compromised. For example, if svchost.exe is found running from a
  location other than `C:\Windows\System32`, it is likely something malicious designed
  to hide in plain sight when simply reviewing process names. \
  It can also be helpful to examine various behaviors of and the parent of the process
  of interest. For example, if it turns out the process of interest is malicious,
  it would be good to see whether the parent process spawned other processes that
  might also warrant further scrutiny. If a process is suspect, a review of the network
  connections made around the time of the event and noting whether the process has
  spawned any child processes could be helpful in determining whether it is malicious
  or executing a malicious script.'
references:
- http://www.deependresearch.org/2016/04/jboss-exploits-view-from-victim.html
tags:
  analytic_story: JBoss Vulnerability
  category:
  - Vulnerability
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection
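The narrative above lists two process-level triage checks for a suspected web-server compromise: the web service spawning child processes not associated with its normal behaviour, and svchost.exe running from somewhere other than C:\Windows\System32. The following Python is an added illustration of those two checks applied to constructed process-creation records; it is not part of the Splunk story or its searches, and it assumes the JBoss service runs as java.exe and that shells and script hosts are the atypical children of interest.

```python
"""Triage helpers for the JBoss Vulnerability story: apply two of the
narrative's process heuristics to constructed process-creation events."""
import ntpath
from collections import Counter

# Constructed sample events (not real telemetry): one record per process start.
SAMPLE_EVENTS = [
    {"host": "web01", "parent": r"C:\jboss\bin\java.exe", "process": r"C:\Windows\System32\cmd.exe"},
    {"host": "web01", "parent": r"C:\jboss\bin\java.exe", "process": r"C:\jboss\bin\java.exe"},
    {"host": "web02", "parent": r"C:\Windows\explorer.exe", "process": r"C:\Users\bob\AppData\svchost.exe"},
    {"host": "web02", "parent": r"C:\Windows\System32\services.exe", "process": r"C:\Windows\System32\svchost.exe"},
    {"host": "web01", "parent": r"C:\jboss\bin\java.exe", "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

# Assumptions, not from the story: JBoss runs as java.exe; shells/script hosts are atypical children.
WEB_SERVICE_IMAGES = {"java.exe", "javaw.exe"}
ATYPICAL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
SYSTEM32 = r"c:\windows\system32"


def image_name(path):
    """Case-insensitive image file name from a Windows path."""
    return ntpath.basename(path).lower()


def web_service_spawned_atypical_child(event):
    """Narrative heuristic: web service spawning a child not associated with typical behaviour."""
    return image_name(event["parent"]) in WEB_SERVICE_IMAGES and image_name(event["process"]) in ATYPICAL_CHILDREN


def svchost_outside_system32(event):
    """Narrative heuristic: svchost.exe running from a location other than C:\\Windows\\System32."""
    if image_name(event["process"]) != "svchost.exe":
        return False
    return ntpath.dirname(event["process"]).lower() != SYSTEM32


def triage(events):
    """Return (host, rule) tuples for each notable event plus a per-host count,
    so an analyst can judge whether the behaviour is rare or a common occurrence."""
    notables = []
    for e in events:
        if web_service_spawned_atypical_child(e):
            notables.append((e["host"], "web_service_atypical_child"))
        if svchost_outside_system32(e):
            notables.append((e["host"], "svchost_outside_system32"))
    return notables, Counter(host for host, _ in notables)


if __name__ == "__main__":
    for host, rule in triage(SAMPLE_EVENTS)[0]:
        print(host, rule)
```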