An adversary may be exploiting a known vulnerability in Apache Struts to execute arbitrary code, indicating potential unauthorized access and persistence within the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate low-severity threats that could escalate into more severe breaches.
YARA Rule
rule hacktool_macos_exploit_cve_5889
{
    meta:
        description = "http://www.cvedetails.com/cve/cve-2015-5889"
        reference = "https://www.exploit-db.com/exploits/38371/"
        author = "@mimeframe"
        id = "fbc2c577-6954-51aa-a79f-974f856faf42"
    strings:
        $a1 = "/etc/sudoers" fullword wide ascii
        $a2 = "/etc/crontab" fullword wide ascii
        $a3 = "* * * * * root echo" wide ascii
        $a4 = "ALL ALL=(ALL) NOPASSWD: ALL" wide ascii
        $a5 = "/usr/bin/rsh" fullword wide ascii
        $a6 = "localhost" fullword wide ascii
    condition:
        all of ($a*)
}
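To show how the rule's fullword, wide and "all of" logic decides a match, the following is an added Python re-implementation of just this rule's string matching (example code written for this page, not the rule author's tooling; the sample blobs are constructed fixtures, not real files, and the fullword/wide handling is a simplified approximation of YARA's).

```python
import re

# The six strings from the rule above, with their modifiers (all are 'wide ascii').
# (identifier, literal, fullword?)
RULE_STRINGS = [
    ("$a1", b"/etc/sudoers", True),
    ("$a2", b"/etc/crontab", True),
    ("$a3", b"* * * * * root echo", False),
    ("$a4", b"ALL ALL=(ALL) NOPASSWD: ALL", False),
    ("$a5", b"/usr/bin/rsh", True),
    ("$a6", b"localhost", True),
]

_ALNUM = rb"[0-9A-Za-z]"

def _compile(literal: bytes, fullword: bool):
    """Regexes for the 'ascii' and 'wide' (UTF-16LE) forms of one YARA string.
    'fullword' = no alphanumeric character directly before or after the match;
    in the wide form the neighbouring character is itself a 2-byte unit."""
    ascii_re = re.escape(literal)
    wide_re = b"".join(re.escape(bytes([c])) + b"\x00" for c in literal)
    if fullword:
        ascii_re = rb"(?<!" + _ALNUM + rb")" + ascii_re + rb"(?!" + _ALNUM + rb")"
        wide_re = rb"(?<!" + _ALNUM + rb"\x00)" + wide_re + rb"(?!" + _ALNUM + rb"\x00)"
    return re.compile(ascii_re, re.DOTALL), re.compile(wide_re, re.DOTALL)

def matched_strings(data: bytes) -> dict:
    """Which of the rule's strings appear in data (in ascii or wide form)."""
    hits = {}
    for ident, literal, fullword in RULE_STRINGS:
        ascii_re, wide_re = _compile(literal, fullword)
        hits[ident] = bool(ascii_re.search(data) or wide_re.search(data))
    return hits

def rule_matches(data: bytes) -> bool:
    """condition: all of ($a*) -- every one of the six strings must be present."""
    return all(matched_strings(data).values())

# Constructed fixtures (not real files): a blob carrying every literal the rule
# looks for, the same blob as UTF-16LE (exercises 'wide'), an admin-style backup
# script that carries only two of the strings, and a path that shows 'fullword'.
SAMPLE_ALL = b"\n".join(lit for _, lit, _ in RULE_STRINGS) + b"\n"
SAMPLE_ALL_WIDE = SAMPLE_ALL.decode("ascii").encode("utf-16-le")
SAMPLE_BACKUP_SCRIPT = b"# nightly backup\nrsync -a /etc/crontab /backup/\nssh localhost uptime\n"
SAMPLE_FULLWORD = b"cp /etc/sudoers2 /tmp/\n"

if __name__ == "__main__":
    for name, blob in [("all", SAMPLE_ALL), ("all_wide", SAMPLE_ALL_WIDE),
                       ("backup", SAMPLE_BACKUP_SCRIPT), ("fullword", SAMPLE_FULLWORD)]:
        print(name, rule_matches(blob), matched_strings(blob))
```

The backup script hits only $a2 and $a6, so the "all of" condition keeps ordinary admin scripts from firing; a file containing /etc/sudoers2 does not satisfy $a1 because of fullword.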
This rule contains 6 string patterns in its detection logic. The YARA rule can be deployed in the following contexts:
Scenario: Legitimate system update via yum or apt
Description: A system administrator is performing a routine package update using yum or apt, which may trigger the rule due to network traffic associated with the update process.
Filter/Exclusion: Check for process names like yum, apt, or dnf in the event data. Exclude events where the process is running with elevated privileges (e.g., sudo or root).
Scenario: Scheduled backup job using rsync or tar
Description: A scheduled backup job is transferring large amounts of data over HTTP, which could be misinterpreted as malicious activity due to the nature of the traffic.
Filter/Exclusion: Filter events where the source or destination IP is known internal infrastructure (e.g., 10.0.0.0/8), or where the process is rsync, tar, or scp.
Scenario: Internal HTTP service communication (e.g., nginx or Apache)
Description: Internal services such as nginx or Apache may communicate over HTTP, which could be flagged by the rule due to the presence of HTTP traffic.
Filter/Exclusion: Exclude traffic between internal hosts (e.g., 192.168.0.0/16) or filter by known internal service names like nginx, httpd, or apache.
Scenario: User-initiated file download from a trusted repository
Description: A user is downloading a file from a known trusted repository (e.g., github.com, sourceforge.net) for development or testing purposes.
Filter/Exclusion: Exclude events where the URL domain is a known trusted source, or where the user is a developer with elevated access privileges.
Scenario: Automated CI