spring4shell_cve-2022-22965 Configuration

« spring4shell_cve-2022-22965 »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:springspoofable:0MITRE:T1190confidence:3

Detect cve-2022-22965 probing

Installation

cscli scenarios install crowdsecurity/spring4shell_cve-2022-22965

Description

Detect probing for cve-2022-22965 aka 'spring4shell'.

As usual, smart attackers might bypass the signature. The pattern itself is inspired by :

Spring Framework RCE (CVE-2022-22965) Nmap (NSE) Checker
Randori
Zap Detection

YAML Configuration

1type: trigger
2format: 2.0
3name: crowdsecurity/spring4shell_cve-2022-22965
4description: "Detect cve-2022-22965 probing"
5filter: |
6  evt.Meta.log_type in ["http_access-log", "http_error-log"] and
7    (Upper(evt.Meta.http_path) contains 'CLASS.MODULE.CLASSLOADER.')
8groupby: "evt.Meta.source_ip"
9blackhole: 2m
10labels:
11  remediation: true
12  confidence: 3
13  spoofable: 0
14  classification:
15    - attack.T1190
16    - cve.CVE-2022-22965
17  behavior: "http:exploit"
18  label: "Spring4shell CVE-2022-22965"
19  service: spring
20

Hub configuration

« spring4shell_cve-2022-22965 »v0.3 by crowdsecurityAttack scenarioremediation:trueservice:springCVE-2022-22965spoofable:0MITRE:T1190confidence:3

« spring4shell_cve-2022-22965 »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:springspoofable:0MITRE:T1190confidence:3