CVE-2022-42889 Configuration

« CVE-2022-42889 »
v0.3 by crowdsecurity
Attack scenarioremediation:truetype:exploit service:apachespoofable:0MITRE:T1595MITRE:T1190confidence:3

Detect CVE-2022-42889 exploits (Text4Shell)

Installation

cscli scenarios install crowdsecurity/CVE-2022-42889

Description

Detects attempts of exploit of CVE-2022-42889 (Text4Shell) RCE vulnerability.

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42889

YAML Configuration

1type: trigger
2#debug: true
3name: crowdsecurity/CVE-2022-42889
4description: "Detect CVE-2022-42889 exploits (Text4Shell)"
5filter: |
6  Upper(PathUnescape(evt.Meta.http_path)) contains Upper('${script:javascript:java.lang.Runtime.getRuntime().exec(')
7  or
8  Upper(PathUnescape(evt.Meta.http_path)) contains Upper('${script:js:java.lang.Runtime.getRuntime().exec(')
9  or
10  Upper(PathUnescape(evt.Meta.http_path)) contains Upper('${url:UTF-8:') 
11  or
12  Upper(PathUnescape(evt.Meta.http_path)) contains Upper('${dns:address|')
13blackhole: 1m
14groupby: "evt.Meta.source_ip"
15labels:
16  type: exploit
17  remediation: true
18  classification:
19    - attack.T1595
20    - attack.T1190
21    - cve.CVE-2022-42889
22  spoofable: 0
23  confidence: 3
24  behavior: "http:exploit"
25  label: "Text4Shell CVE-2022-42889"
26  service: apache
27

Hub configuration

« CVE-2022-42889 »v0.3 by crowdsecurityAttack scenarioremediation:truetype:exploit service:apacheCVE-2022-42889spoofable:0MITRE:T1595MITRE:T1190confidence:3

« CVE-2022-42889 »
v0.3 by crowdsecurity
Attack scenarioremediation:truetype:exploit service:apachespoofable:0MITRE:T1595MITRE:T1190confidence:3