The hypothesis is that the presence of the Exploit-JBoss.ps1 file indicates potential adversary use of the Empire framework to exploit JBoss vulnerabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage compromise attempts and prevent lateral movement within the network.
YARA Rule
rule Empire_Exploit_JBoss {
    meta:
        description = "Detects Empire component - file Exploit-JBoss.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "9ea3e00b299e644551d90bbee0ce3e4e82445aa15dab7adb7fcc0b7f1fe4e653"
    strings:
        $s1 = "Exploit-JBoss" fullword ascii
        $s2 = "$URL = \"http$($SSL)://\" + $($Rhost) + ':' + $($Port)" ascii
        $s3 = "\"/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service" ascii
        $s4 = "http://blog.rvrsh3ll.net" fullword ascii
        $s5 = "Remote URL to your own WARFile to deploy." fullword ascii
    condition:
        // uint16(0) == 0x7566 reads the first two bytes little-endian, i.e. "fu":
        // the file must start with "function ..." to take the single-string path.
        ( uint16(0) == 0x7566 and filesize < 10KB and 1 of them ) or all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 6 string patterns in its detection logic.
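To see how the condition actually gates a hit (header and size plus any one string, or all five strings regardless of header and size), the following is a small Python re-implementation of the rule's logic run over constructed samples. It is an added example, not code from this page, from Florian Roth, or from the Empire project; the sample scripts are made up and the `evaluate_rule` helper is hypothetical.

```python
import re
import struct

# The five literals from the Empire_Exploit_JBoss rule above. "ascii" means a
# plain byte match; "fullword" also requires no alphanumeric byte on either side.
RULE_STRINGS = {
    "$s1": (b"Exploit-JBoss", True),
    "$s2": (b"$URL = \"http$($SSL)://\" + $($Rhost) + ':' + $($Port)", False),
    "$s3": (b"\"/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service", False),
    "$s4": (b"http://blog.rvrsh3ll.net", True),
    "$s5": (b"Remote URL to your own WARFile to deploy.", True),
}

def string_matches(data, literal, fullword):
    pattern = re.escape(literal)
    if fullword:
        pattern = rb"(?<![A-Za-z0-9])" + pattern + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None

def evaluate_rule(data):
    """Mirror the rule's condition and report which gates passed (hypothetical helper)."""
    matched = {name: string_matches(data, lit, fw) for name, (lit, fw) in RULE_STRINGS.items()}
    hits = sum(matched.values())
    # uint16(0) reads the first two bytes little-endian; 0x7566 is b"fu",
    # so the file has to begin with "fu" as in "function ...".
    header_ok = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x7566
    size_ok = len(data) < 10 * 1024           # YARA's KB multiplier is 1024
    weak_path = header_ok and size_ok and hits >= 1
    strong_path = hits == len(RULE_STRINGS)   # "all of them" ignores header and size
    return {"match": weak_path or strong_path, "hits": hits,
            "header_ok": header_ok, "size_ok": size_ok, "strings": matched}

# Constructed samples (not real Empire code) that exercise each gate.
SMALL_ONE_STRING = b"function Exploit-JBoss {\n    param($Rhost)\n}\n"
LARGE_ONE_STRING = b"function Exploit-JBoss {\n" + b"# padding\n" * 1500 + b"}\n"
COMMENT_FIRST = b"# helper\nfunction Exploit-JBoss {}\n"
ALL_STRINGS_LARGE = (b"# does not start with 'fu'\n"
                     + b"\n".join(lit for lit, _ in RULE_STRINGS.values())
                     + b"\n" + b"x" * 12000)

if __name__ == "__main__":
    for name, sample in [("small, one string", SMALL_ONE_STRING),
                         ("large, one string", LARGE_ONE_STRING),
                         ("comment first", COMMENT_FIRST),
                         ("all strings, large", ALL_STRINGS_LARGE)]:
        r = evaluate_rule(sample)
        print(f"{name:20} match={r['match']} hits={r['hits']} "
              f"header={r['header_ok']} size={r['size_ok']}")
```

The second and third samples show why a renamed or padded copy with a single indicator slips past the first branch, which is the tuning point to keep in mind when weighing the exclusions below against coverage.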
Scenario: A system administrator is performing a scheduled maintenance task that involves running a legitimate PowerShell script named Exploit-JBoss.ps1 as part of a routine system check.
Filter/Exclusion: Check for the presence of a known system admin tool or script in a predefined directory (e.g., C:\Windows\System32\) or within a scheduled task with a known admin user context.
Scenario: A security team is conducting a red team exercise and is using the Empire framework to simulate an attack, including the use of the Exploit-JBoss.ps1 module.
Filter/Exclusion: Filter based on the source IP or user context (e.g., a known red team IP or a user with a specific role like RedTeamUser).
Scenario: A legitimate third-party tool or script (e.g., JBossPatchManager.ps1) is being executed by a system update job, and it has a similar name to the Empire exploit script.
Filter/Exclusion: Check for the presence of a known legitimate script in a specific directory (e.g., C:\Tools\) or use a regex to differentiate based on the full path or script content.
Scenario: A developer is testing a PowerShell script for a JBoss-related automation task and accidentally named the script Exploit-JBoss.ps1.
Filter/Exclusion: Filter based on the user context (e.g., a developer user or a specific group like DevTeam) or check for the presence of a known development directory (e.g., C:\Dev\).
Scenario: A system update or patching process includes a PowerShell script that is named Exploit-JBoss.ps1 as part of a legacy or custom deployment process.
Filter/Exclusion: Check for the presence of a known patching tool or script in a specific directory (e.g