Adversaries inject Java expression payloads into HTTP requests to execute code inside Java web applications: OGNL expressions against Confluence (CVE-2022-26134, CVE-2021-26084) and string-interpolation payloads against Apache Commons Text (Text4Shell, CVE-2022-42889). These are expression-language injection bugs, not Java deserialization bugs, and the tell-tale substrings (`${(#a=@`, `${@java`, `getRuntime().exec(`) appear in the request URL, both raw and percent-encoded. The Sigma rule below looks for those substrings in web server access logs; SOC teams can hunt for the same patterns in Microsoft Sentinel (formerly Azure Sentinel) with the query that follows it.
Detection Rule
title: Java Payload Strings
id: 583aa0a2-30b1-4d62-8bf3-ab73689efe6c
status: test
description: Detects possible Java payloads in web access logs
references:
    - https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
    - https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/
    - https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md
    - https://twitter.com/httpvoid0x2f/status/1532924261035384832
    - https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035
author: frack113, Harjot Singh, "@cyb3rjy0t" (update)
date: 2022-06-04
modified: 2023-01-19
tags:
    - cve.2022-26134
    - cve.2021-26084
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    keywords:
        - '%24%7B%28%23a%3D%40'
        - '${(#a=@'
        - '%24%7B%40java'
        - '${@java'
        - 'u0022java'
        - '%2F%24%7B%23'
        - '/${#'
        - 'new+java.'
        - 'getRuntime().exec('
        - 'getRuntime%28%29.exec%28'
    condition: keywords
falsepositives:
    - Legitimate apps
level: high
Sentinel query (ASIM imWebSession parser). The Sigma keywords are matched as substrings of the Url field with contains, which is case-insensitive like Sigma keyword matching; a bare string literal after where is not a valid predicate, and KQL's search operator is term-based, so it would not reliably match strings such as ${(#a=@:
imWebSession
| where Url contains "%24%7B%28%23a%3D%40"
    or Url contains "${(#a=@"
    or Url contains "%24%7B%40java"
    or Url contains "${@java"
    or Url contains "u0022java"
    or Url contains "%2F%24%7B%23"
    or Url contains "/${#"
    or Url contains "new+java."
    or Url contains "getRuntime().exec("
    or Url contains "getRuntime%28%29.exec%28"
The rule's own falsepositives entry, "Legitimate apps", is deliberately narrow: these substrings almost never occur in normal traffic, so every exclusion should be scoped to a source, an endpoint and a parameter rather than removing a payload string from the list. Scenarios that do produce benign matches in web access logs:
Scenario: Authorized DAST scanning or an internal penetration test replaying the same OGNL and expression-language payloads against Confluence or other Java applications
Filter/Exclusion: Exclude by the scanner's source address (SrcIpAddr in the approved scanner range) and the approved scan window only, and keep those matches in a separate low-severity query to confirm the scanner actually exercised the payloads; never exclude by payload string, since that also hides real attacks.
Scenario: Developer-facing applications with free-text search or query parameters (a wiki's site search, issue trackers, code search, Q&A portals) where users type Java snippets such as new java.util.Date() or getRuntime().exec( that then appear in a GET query string
Filter/Exclusion: Exclude only the specific search endpoint and parameter name, and only when the keyword sits in that parameter rather than in the path; verify first that the application does not evaluate the parameter as an expression.
Scenario: Requests already blocked by a WAF or reverse proxy and logged with a 4xx status, or recorded by a honeypot, and ingested together with genuine application access logs
Filter/Exclusion: Do not drop them; split by result instead, routing blocked requests to a lower-severity tracking query and alerting at high severity on requests that reached the application and got a 2xx or 3xx response.
Scenario: Ordinary traffic to framework endpoints (Spring Boot actuator health checks, REST APIs, UI routes) of Java-based applications
Filter/Exclusion: No exclusion is needed, because such requests do not contain the keywords; avoid blanket path exclusions such as /api/ or /ui/, which would also suppress an injection carried in a parameter of those endpoints.
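The following is an added example, not part of the Sigma rule, the Sentinel query or any tool the page references. It runs the rule's keyword list over constructed Combined Log Format lines in Python (so it can be exercised offline; the Sentinel query cannot), and goes one step beyond the rule: it matches both the URL as logged and its percent-decoded form, which catches a partially encoded payload that none of the rule's literal strings cover, and it suppresses hits from an authorized scanner range as the tuning section above suggests. The log lines, the scanner range 10.20.0.0/24 and the search endpoint name are all assumptions made up for the example.

```python
"""Added example (not part of the Sigma rule or the Sentinel query): run the
rule's keyword list over constructed Combined Log Format lines, matching both
the raw request and its percent-decoded form, and suppress hits from an
authorized scanner range. All log lines and IP ranges here are made up."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Keyword list copied verbatim from the rule above.
KEYWORDS = [
    "%24%7B%28%23a%3D%40", "${(#a=@",
    "%24%7B%40java", "${@java",
    "u0022java",
    "%2F%24%7B%23", "/${#",
    "new+java.",
    "getRuntime().exec(", "getRuntime%28%29.exec%28",
]

# Hypothetical range of an authorized DAST scanner (an assumption for this example).
AUTHORIZED_SCANNERS = [ipaddress.ip_network("10.20.0.0/24")]

# Apache httpd / nginx Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


@dataclass
class Hit:
    src: str
    url: str
    raw_matches: List[str]       # keywords found in the URL exactly as logged
    decoded_matches: List[str]   # keywords found after percent-decoding
    suppressed: bool             # True when the source is an authorized scanner


def decode_url(url: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times, stopping once the text is stable.
    unquote() leaves '+' alone, so the rule's 'new+java.' keyword still applies."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def match_keywords(text: str) -> List[str]:
    return [k for k in KEYWORDS if k in text]


def is_authorized_scanner(src: str) -> bool:
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in AUTHORIZED_SCANNERS)


def scan_line(line: str) -> Optional[Hit]:
    """Return a Hit when the request URL matches a keyword raw or decoded."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    raw = match_keywords(url)
    decoded = match_keywords(decode_url(url))
    if not raw and not decoded:
        return None
    return Hit(m.group("src"), url, raw, decoded, is_authorized_scanner(m.group("src")))


def scan_log(lines: List[str]) -> List[Hit]:
    return [h for h in (scan_line(line) for line in lines) if h is not None]


# Constructed sample log (not real traffic). The OGNL payload mirrors the shape
# described in the CVE-2022-26134 write-ups referenced by the rule.
OGNL = ("%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang."
        "Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C"
        "%22utf-8%22%29%29%7D")
# Partially encoded variant: none of the rule's literals appear in the raw URL,
# but the servlet container decodes it to the same OGNL expression.
MIXED = ("$%7B(%23a=@org.apache.commons.io.IOUtils@toString(@java.lang."
         "Runtime@getRuntime(%29.exec(%22id%22).getInputStream(),%22utf-8%22))%7D")
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Jun/2022:10:00:01 +0000] "GET /rest/api/content?title=Release+Notes HTTP/1.1" 200 1534 "-" "Mozilla/5.0"',
    f'203.0.113.10 - - [04/Jun/2022:10:00:02 +0000] "GET /{OGNL}/ HTTP/1.1" 302 0 "-" "curl/7.68.0"',
    f'198.51.100.7 - - [04/Jun/2022:10:00:03 +0000] "GET /{MIXED}/ HTTP/1.1" 302 0 "-" "python-requests/2.28"',
    f'10.20.0.15 - - [04/Jun/2022:10:00:04 +0000] "GET /{OGNL}/ HTTP/1.1" 302 0 "-" "DAST-scanner/1.0"',
    # A user searching a wiki for a Java snippet: a genuine false positive (endpoint name assumed).
    '10.0.0.8 - - [04/Jun/2022:10:00:05 +0000] "GET /dosearchsite.action?queryString=new+java.util.Date%28%29 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        state = "suppressed (authorized scanner)" if hit.suppressed else "ALERT"
        print(f"{state}: {hit.src} raw={hit.raw_matches} decoded={hit.decoded_matches}")
```

Running it reports the fully encoded payload on both the raw and decoded pass, the partially encoded one on the decoded pass only, the scanner's copy as suppressed, and the wiki search as a raw hit on new+java. that a path-and-parameter scoped exclusion would remove. Decoding before matching widens coverage but also widens the false-positive surface, so keep the raw and decoded results separate when you port this into a query.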