WebLogic CVE-2017-10271 (Sysmon)
A reverse shell is a shell session established over a connection that is initiated from the remote machine rather than from the local host. In this case the session is created by exploiting the WebLogic wls-wsat component deserialization vulnerability (CVE-2017-10271).
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1190 Exploit Public-Facing Application |
| Execution | T1059.001 Command and Scripting Interpreter: PowerShell |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
Rule body (YAML)
```yaml
id: '5454.5612'
title: WebLogic CVE-2017-10271
description: 'A reverse shell is a shell session established on a connection that
  is initiated from a remote machine, not from the local host and in this case the
  session is created using the vulnerability of Weblogic app - wls-wsat Component
  Deserialization - Threat Actor Association: APT29/Nobelium/Cozy Bear -- #TrendingThreat
  #Russia #Ukraine'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_sysmon` TERM(powershell) TERM(-w) TERM(hidden)
  TERM(-nop) TERM(-c) TERM(function) TERM(RSC) AND "system.net.sockets.tcpclient"
  AND "cmd.exe" AND "UseShellExecute" AND EventCode=1 AND "java.exe" | rex field=process
  "\$a\=\''(?<src_ip>(?i)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | rex field=process
  "\$p\=\''(?<dest_port>(?i)\d{1,5})" | table _time, host, user, process, parent_process_name,
  parent_process_path, src_ip, dest_port, signature_id | bin span=1s | stats values(*)
  as * by _time, host | lookup dnslookup clientip as src_ip OUTPUT clienthost as src_dns
  | iplocation prefix="src_" src_ip | rename src_Country as src_country'
techniques:
  - initial-access:exploit public-facing application
  - execution:command and scripting interpreter:powershell
technique_id:
  - T1190
  - T1059.001
data_category:
  - Windows Sysmon
references: null
```
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_sysmon` TERM(powershell) TERM(-w) TERM(hidden) TERM(-nop) TERM(-c) TERM(function) TERM(RSC) AND "system.net.sockets.tcpclient" AND "cmd.exe" AND "UseShellExecute" AND EventCode=1 AND "java.exe"
Stage 2: eval
| rex field=process "\$a\=\'(?<src_ip>(?i)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
Stage 3: eval
| rex field=process "\$p\=\'(?<dest_port>(?i)\d{1,5})"
Stage 4: table
| table _time, host, user, process, parent_process_name, parent_process_path, src_ip, dest_port, signature_id
Stage 5: bucket
| bin span=1s
Stage 6: stats
| stats values(*) as * by _time, host
Stage 7: lookup
| lookup dnslookup clientip as src_ip OUTPUT clienthost as src_dns
Stage 8: iplocation
| iplocation prefix="src_" src_ip
Stage 9: rename
| rename src_Country as src_country
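As an added example (not part of the catalog entry or the rule's own logic), the Python below re-implements stages 1 to 3 over two constructed Sysmon process-creation records: the stage 1 token filter on the raw event text, then the `$a='<ip>'` and `$p='<port>'` extractions. The record field names and all sample values are assumptions made for illustration.

```python
import re

# Stage-1 tokens of the rule. Splunk matches them against the raw event text,
# so the check below joins every field of the record and searches that.
REQUIRED_TERMS = [
    "powershell", "-w", "hidden", "-nop", "-c", "function", "RSC",
    "system.net.sockets.tcpclient", "cmd.exe", "UseShellExecute", "java.exe",
]
# Stage-2 and stage-3 extractions ($a='<ip>' and $p='<port>' in the command line).
SRC_IP_RE = re.compile(r"\$a='(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})", re.I)
DEST_PORT_RE = re.compile(r"\$p='(?P<dest_port>\d{1,5})", re.I)

def matches_stage1(event: dict) -> bool:
    """True for a Sysmon process-creation event carrying every required token."""
    if event.get("EventCode") != 1:
        return False
    raw = " ".join(str(v) for v in event.values()).lower()
    return all(term.lower() in raw for term in REQUIRED_TERMS)

def extract_fields(process: str) -> dict:
    """Return src_ip and dest_port when the command line carries them."""
    fields = {}
    for regex in (SRC_IP_RE, DEST_PORT_RE):
        match = regex.search(process)
        if match:
            fields.update(match.groupdict())
    return fields

def run_rule(events: list) -> list:
    """Stage-1 filter followed by the extractions; one row per hit."""
    hits = []
    for event in events:
        if matches_stage1(event):
            row = {k: event[k] for k in ("_time", "host", "user", "parent_process_name")}
            row.update(extract_fields(event["process"]))
            hits.append(row)
    return hits

# Constructed sample events (not real telemetry). The suspicious command line
# carries only the indicator tokens; the script body itself is elided.
SAMPLE_EVENTS = [
    {"_time": "2024-01-01T10:00:00", "host": "wls01", "user": "SYSTEM", "EventCode": 1,
     "parent_process_name": "java.exe",
     "parent_process_path": "C:\\Oracle\\Middleware\\jdk\\bin\\java.exe",
     "process": "powershell -w hidden -nop -c function RSC { $a='203.0.113.10'; $p='4444'; "
                "<elided: System.Net.Sockets.TCPClient, cmd.exe, UseShellExecute> }"},
    {"_time": "2024-01-01T10:00:05", "host": "ws02", "user": "alice", "EventCode": 1,
     "parent_process_name": "explorer.exe", "parent_process_path": "C:\\Windows\\explorer.exe",
     "process": "powershell -nop -c Get-Service"},
]
```

Only the first record survives the stage 1 filter, and its row carries `src_ip` and `dest_port` for the later lookup and geolocation stages; the benign PowerShell launch is never extracted.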
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
Search terms
Bare-string tokens in the SPL search body. Splunk matches each one against _raw (the untyped raw event text) wherever it appears, not against a named field; the tokens wrapped in TERM() are looked up as single indexed terms rather than being split on minor breakers such as `-`. None of these surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM(powershell) |
| 1 | TERM(-w) |
| 1 | TERM(hidden) |
| 1 | TERM(-nop) |
| 1 | TERM(-c) |
| 1 | TERM(function) |
| 1 | TERM(RSC) |
| 1 | "system.net.sockets.tcpclient" |
| 1 | "cmd.exe" |
| 1 | "UseShellExecute" |
| 1 | "java.exe" |