
Suspicious Java Classes

Status: experimental
Severity: low
Group by: dest, src
Author: Jose Hernandez, Splunk
Source: github.com/splunk/security_content

The following analytic identifies suspicious Java classes often used for remote command execution exploits in Java frameworks like Apache Struts. It detects this activity by analyzing HTTP POST requests with specific content patterns using Splunk's stream_http data source. This behavior is significant because it may indicate an attempt to exploit vulnerabilities in web applications, potentially leading to unauthorized remote code execution. If confirmed malicious, this activity could allow attackers to execute arbitrary commands on the server, leading to data breaches, system compromise, and further network infiltration.

MITRE ATT&CK coverage

Tactic          Technique
Initial Access  T1190 Exploit Public-Facing Application

Rule body (Splunk detection YAML)

name: Suspicious Java Classes
id: 6ed33786-5e87-4f55-b62c-cb5f1168b831
version: 9
creation_date: '2019-10-16'
modification_date: '2026-05-13'
author: Jose Hernandez, Splunk
status: experimental
type: Anomaly
description: |-
    The following analytic identifies suspicious Java classes often used for remote command execution exploits in Java frameworks like Apache Struts.
    It detects this activity by analyzing HTTP POST requests with specific content patterns using Splunk's `stream_http` data source.
    This behavior is significant because it may indicate an attempt to exploit vulnerabilities in web applications, potentially leading to unauthorized remote code execution.
    If confirmed malicious, this activity could allow attackers to execute arbitrary commands on the server, leading to data breaches, system compromise, and further network infiltration.
data_source: []
search: |-
    `stream_http`
    http_method=POST
    http_content_length>1
    | regex form_data="(?i)java\.lang\.(?:runtime|processbuilder)"
    | rename src_ip as src
    | stats count earliest(_time) as firstTime
                  latest(_time) as lastTime
                  values(url) as uri
                  values(status) as status
                  values(http_user_agent) as http_user_agent
      BY src dest
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `suspicious_java_classes_filter`
how_to_implement: |-
    In order to properly run this search, Splunk needs to ingest data from your web-traffic appliances that serve or sit in the path of your Struts application servers.
    This can be accomplished by indexing data from a web proxy, or by using network traffic-analysis tools, such as Splunk Stream or Bro.
known_false_positives: |-
    No false positives have been identified at this time.
references: []
intermediate_findings:
    entities:
        - field: src
          type: system
          score: 20
          message: Suspicious Java Classes in HTTP requests involving $src$ and $dest$
        - field: dest
          type: system
          score: 20
          message: Suspicious Java Classes in HTTP requests involving $src$ and $dest$
analytic_story:
    - Apache Struts Vulnerability
asset_type: Endpoint
mitre_attack_id:
    - T1190
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: application
security_domain: threat

Stages and Predicates

Stage 1: search

`stream_http`
http_method=POST
http_content_length>1

Stage 2: regex

| regex form_data="(?i)java\.lang\.(?:runtime|processbuilder)"

Stage 3: rename

| rename src_ip as src

Stage 4: stats

| stats count earliest(_time) as firstTime
              latest(_time) as lastTime
              values(url) as uri
              values(status) as status
              values(http_user_agent) as http_user_agent
  BY src dest

Stage 5: search

| `security_content_ctime(firstTime)`

Stage 6: search

| `security_content_ctime(lastTime)`

Stage 7: search

| `suspicious_java_classes_filter`
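The seven stages above, replayed in Python over a handful of constructed stream:http-style records so the predicate order and the grouping can be checked offline. This is an added example, not code from the splunk/security_content project. The field names follow the rule (src_ip renamed to src, grouping by src and dest); the `security_content_ctime` helper is assumed to format epoch seconds as UTC ISO-8601, and `to_findings` is a hypothetical helper that emits the rule's intermediate-findings message with its score of 20.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Same expression as the rule's `regex form_data=...` stage: case-insensitive,
# literal dots, and only the Runtime and ProcessBuilder classes match.
JAVA_CLASS_RE = re.compile(r"(?i)java\.lang\.(?:runtime|processbuilder)")

# Constructed sample events shaped like stream:http records (not captured traffic).
SAMPLE_EVENTS = [
    {"_time": 1571227200, "http_method": "POST", "http_content_length": 87,
     "src_ip": "203.0.113.10", "dest": "198.51.100.20", "url": "/struts/upload.action",
     "status": 200, "http_user_agent": "curl/7.64.1",
     "form_data": "filter=java.lang.ProcessBuilder"},          # matches
    {"_time": 1571227260, "http_method": "POST", "http_content_length": 40,
     "src_ip": "203.0.113.10", "dest": "198.51.100.20", "url": "/struts/login.action",
     "status": 500, "http_user_agent": "curl/7.64.1",
     "form_data": "name=JAVA.LANG.RUNTIME"},                   # matches: (?i) flag
    {"_time": 1571227320, "http_method": "POST", "http_content_length": 30,
     "src_ip": "203.0.113.10", "dest": "198.51.100.20", "url": "/struts/search.action",
     "status": 200, "http_user_agent": "curl/7.64.1",
     "form_data": "q=java.lang.String"},                       # other class: no match
    {"_time": 1571227380, "http_method": "GET", "http_content_length": 0,
     "src_ip": "203.0.113.10", "dest": "198.51.100.20", "url": "/struts/index.action",
     "status": 200, "http_user_agent": "curl/7.64.1",
     "form_data": ""},                                         # not a POST
    {"_time": 1571230740, "http_method": "POST", "http_content_length": 1,
     "src_ip": "192.0.2.5", "dest": "198.51.100.21", "url": "/api/run",
     "status": 403, "http_user_agent": "python-requests/2.31",
     "form_data": "cls=java.lang.runtime"},   # length 1 is constructed to exercise the >1 predicate
    {"_time": 1571230800, "http_method": "POST", "http_content_length": 60,
     "src_ip": "192.0.2.5", "dest": "198.51.100.21", "url": "/api/run",
     "status": 403, "http_user_agent": "python-requests/2.31",
     "form_data": "cls=java.lang.runtime"},                    # matches: second src/dest pair
]


def security_content_ctime(epoch):
    """Assumed equivalent of the `security_content_ctime` macro: epoch -> UTC ISO-8601 seconds."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def matches_rule(event):
    """Stages 1-2: POST with a body longer than 1 byte whose form_data names a suspicious class."""
    if event.get("http_method") != "POST":
        return False
    if int(event.get("http_content_length", 0)) <= 1:
        return False
    return JAVA_CLASS_RE.search(event.get("form_data", "")) is not None


def run_detection(events):
    """Stages 3-6: rename src_ip to src, then stats ... BY src dest with ctime formatting."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None,
                                  "uri": set(), "status": set(), "http_user_agent": set()})
    for ev in events:
        if not matches_rule(ev):
            continue
        key = (ev["src_ip"], ev["dest"])  # `rename src_ip as src`, grouped BY src dest
        g = groups[key]
        g["count"] += 1
        t = ev["_time"]
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
        g["uri"].add(ev["url"])
        g["status"].add(ev["status"])
        g["http_user_agent"].add(ev["http_user_agent"])
    results = []
    for (src, dest), g in groups.items():
        results.append({"src": src, "dest": dest, "count": g["count"],
                        "firstTime": security_content_ctime(g["firstTime"]),
                        "lastTime": security_content_ctime(g["lastTime"]),
                        "uri": sorted(g["uri"]), "status": sorted(g["status"]),
                        "http_user_agent": sorted(g["http_user_agent"])})
    # Deterministic order for inspection; Splunk's stats output order is not guaranteed.
    return sorted(results, key=lambda r: (r["src"], r["dest"]))


def to_findings(results):
    """Hypothetical helper: one src and one dest entity per result, mirroring intermediate_findings."""
    template = "Suspicious Java Classes in HTTP requests involving {src} and {dest}"
    findings = []
    for r in results:
        text = template.format(src=r["src"], dest=r["dest"])
        for field in ("src", "dest"):
            findings.append({"field": field, "type": "system", "score": 20,
                             "value": r[field], "message": text})
    return findings


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```

Two of the six records fall out before the regex is ever evaluated (the GET and the 1-byte POST), which is the point of placing the cheap method and length predicates ahead of the regex stage in the SPL. The `suspicious_java_classes_filter` macro (stage 7) is left as an identity here; in a deployment it is where known-good sources would be excluded.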

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field                Kind         Values
form_data            regex_match  "(?i)java\.lang\.(?:runtime|processbuilder)"
http_content_length  gt           1
http_method          eq           POST
sourcetype           eq           stream:http