security_content/detections/application/suspicious_java_classes.yml at d9960562b8d62a799aa719b0c5f679d5ff4b6c3c · splunk/security_content · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
name: Suspicious Java Classes
id: 6ed33786-5e87-4f55-b62c-cb5f1168b831
version: 5
date: '2025-05-02'
author: Jose Hernandez, Splunk
status: experimental
type: Anomaly
description: The following analytic identifies suspicious Java classes often used
  for remote command execution exploits in Java frameworks like Apache Struts. It
  detects this activity by analyzing HTTP POST requests with specific content patterns
  using Splunk's `stream_http` data source. This behavior is significant because it
  may indicate an attempt to exploit vulnerabilities in web applications, potentially
  leading to unauthorized remote code execution. If confirmed malicious, this activity
  could allow attackers to execute arbitrary commands on the server, leading to data
  breaches, system compromise, and further network infiltration.
data_source: []
search: '`stream_http` http_method=POST http_content_length>1 | regex form_data="(?i)java\.lang\.(?:runtime|processbuilder)"
  | rename src_ip as src | stats count earliest(_time) as firstTime, latest(_time)
  as lastTime, values(url) as uri, values(status) as status, values(http_user_agent)
  as http_user_agent by src, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
  | `suspicious_java_classes_filter`'
how_to_implement: In order to properly run this search, Splunk needs to ingest data
  from your web-traffic appliances that serve or sit in the path of your Struts application
  servers. This can be accomplished by indexing data from a web proxy, or by using
  network traffic-analysis tools, such as Splunk Stream or Bro.
known_false_positives: There are no known false positives.
references: []
rba:
  message: Suspicious Java Classes in HTTP requests involving $src$ and $dest$
  risk_objects:
  - field: src
    type: system
    score: 25
  - field: dest
    type: system
    score: 25
  threat_objects: []
tags:
  analytic_story:
  - Apache Struts Vulnerability
  asset_type: Endpoint
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  security_domain: threat