Sigma rules for CVE-1999-0440
6 rules · scoped to cve · back to CVE-1999-0440
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Suspicious Java Children Processes
id: d292e0af-9a18-420c-9525-ec0ac3936892
status: test
description: Detects java process spawning suspicious children
references:
- https://www.tecmint.com/different-types-of-linux-shells/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-03
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: linux
detection:
selection:
ParentImage|endswith: '/java'
CommandLine|contains:
- '/bin/sh'
- 'bash'
- 'dash'
- 'ksh'
- 'zsh'
- 'csh'
- 'fish'
- 'curl'
- 'wget'
- 'python'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious Processes Spawned by Java.EXE
id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d
related:
- id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0
type: similar
status: test
description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
references:
- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
author: Andreas Hunkeler (@Karneades), Florian Roth
date: 2021-12-17
modified: 2024-01-18
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\java.exe'
Image|endswith:
- '\AppVLP.exe'
- '\bitsadmin.exe'
- '\certutil.exe'
- '\cscript.exe'
- '\curl.exe'
- '\forfiles.exe'
- '\hh.exe'
- '\mftrace.exe'
- '\mshta.exe'
- '\net.exe'
- '\net1.exe'
- '\query.exe'
- '\reg.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\schtasks.exe'
- '\scrcons.exe'
- '\scriptrunner.exe'
- '\sh.exe'
- '\systeminfo.exe'
- '\whoami.exe'
- '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
- '\wscript.exe'
condition: selection
falsepositives:
- Legitimate calls to system binaries
- Company specific internal usage
level: high
title: Suspicious Shells Spawn by Java Utility Keytool
id: 90fb5e62-ca1f-4e22-b42e-cc521874c938
status: test
description: Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
references:
- https://redcanary.com/blog/intelligence-insights-december-2021
- https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html
author: Andreas Hunkeler (@Karneades)
date: 2021-12-22
modified: 2023-01-21
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\keytool.exe'
Image|endswith:
- '\cmd.exe'
- '\sh.exe'
- '\bash.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\schtasks.exe'
- '\certutil.exe'
- '\whoami.exe'
- '\bitsadmin.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\scrcons.exe'
- '\regsvr32.exe'
- '\hh.exe'
- '\wmic.exe'
- '\mshta.exe'
- '\rundll32.exe'
- '\forfiles.exe'
- '\scriptrunner.exe'
- '\mftrace.exe'
- '\AppVLP.exe'
- '\systeminfo.exe'
- '\reg.exe'
- '\query.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: Java Payload Strings
id: 583aa0a2-30b1-4d62-8bf3-ab73689efe6c
status: test
description: Detects possible Java payloads in web access logs
references:
- https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
- https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/
- https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md
- https://twitter.com/httpvoid0x2f/status/1532924261035384832
- https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035
author: frack113, Harjot Singh, "@cyb3rjy0t" (update)
date: 2022-06-04
modified: 2023-01-19
tags:
- cve.2022-26134
- cve.2021-26084
- attack.initial-access
- attack.t1190
logsource:
category: webserver
detection:
keywords:
- '%24%7B%28%23a%3D%40'
- '${(#a=@'
- '%24%7B%40java'
- '${@java'
- 'u0022java'
- '%2F%24%7B%23'
- '/${#'
- 'new+java.'
- 'getRuntime().exec('
- 'getRuntime%28%29.exec%28'
condition: keywords
falsepositives:
- Legitimate apps
level: high
title: Java Running with Remote Debugging
id: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710
status: test
description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect
references:
- https://dzone.com/articles/remote-debugging-java-applications-with-jdwp
author: Florian Roth (Nextron Systems)
date: 2019-01-16
modified: 2023-02-01
tags:
- attack.t1203
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_jdwp_transport:
CommandLine|contains: 'transport=dt_socket,address='
selection_old_jvm_version:
CommandLine|contains:
- 'jre1.'
- 'jdk1.'
exclusion:
CommandLine|contains:
- 'address=127.0.0.1'
- 'address=localhost'
condition: all of selection_* and not exclusion
falsepositives:
- Unknown
level: medium
title: Shell Process Spawned by Java.EXE
id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0
related:
- id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d
type: similar
status: test
description: Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
references:
- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali
date: 2021-12-17
modified: 2024-01-18
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\java.exe'
Image|endswith:
- '\bash.exe'
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
filter_main_build:
ParentImage|contains: 'build' # excluding CI build agents
CommandLine|contains: 'build' # excluding CI build agents
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate calls to system binaries
- Company specific internal usage
level: medium