The JNDIExploit Pattern rule detects requests for the URL paths served by the JNDI-Exploit-Kit, which adversaries use to obtain remote code execution (command execution, reverse shells, in-memory webshells and deserialization gadgets) on internal systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that exploit JNDI for initial access and command and control.
Detection Rule
title: JNDIExploit Pattern
id: 412d55bc-7737-4d25-9542-5b396867ce55
status: test
description: Detects exploitation attempt using the JNDI-Exploit-Kit
references:
    - https://github.com/pimps/JNDI-Exploit-Kit
    - https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit
author: Florian Roth (Nextron Systems)
date: 2021-12-12
modified: 2022-12-25
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    keywords:
        - '/Basic/Command/Base64/'
        - '/Basic/ReverseShell/'
        - '/Basic/TomcatMemshell'
        - '/Basic/JettyMemshell'
        - '/Basic/WeblogicMemshell'
        - '/Basic/JBossMemshell'
        - '/Basic/WebsphereMemshell'
        - '/Basic/SpringMemshell'
        - '/Deserialization/URLDNS/'
        - '/Deserialization/CommonsCollections1/Dnslog/'
        - '/Deserialization/CommonsCollections2/Command/Base64/'
        - '/Deserialization/CommonsBeanutils1/ReverseShell/'
        - '/Deserialization/Jre8u20/TomcatMemshell'
        - '/TomcatBypass/Dnslog/'
        - '/TomcatBypass/Command/'
        - '/TomcatBypass/ReverseShell/'
        - '/TomcatBypass/TomcatMemshell'
        - '/TomcatBypass/SpringMemshell'
        - '/GroovyBypass/Command/'
        - '/WebsphereBypass/Upload/'
    condition: keywords
falsepositives:
    - Legitimate apps that use these paths
level: high
imWebSession
| where Url has_any (
    "/Basic/Command/Base64/",
    "/Basic/ReverseShell/",
    "/Basic/TomcatMemshell",
    "/Basic/JettyMemshell",
    "/Basic/WeblogicMemshell",
    "/Basic/JBossMemshell",
    "/Basic/WebsphereMemshell",
    "/Basic/SpringMemshell",
    "/Deserialization/URLDNS/",
    "/Deserialization/CommonsCollections1/Dnslog/",
    "/Deserialization/CommonsCollections2/Command/Base64/",
    "/Deserialization/CommonsBeanutils1/ReverseShell/",
    "/Deserialization/Jre8u20/TomcatMemshell",
    "/TomcatBypass/Dnslog/",
    "/TomcatBypass/Command/",
    "/TomcatBypass/ReverseShell/",
    "/TomcatBypass/TomcatMemshell",
    "/TomcatBypass/SpringMemshell",
    "/GroovyBypass/Command/",
    "/WebsphereBypass/Upload/"
)
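The following script is an added example, not code from the Sigma rule or from the JNDI-Exploit-Kit project. It applies the rule's keyword list to a handful of constructed Apache combined-format log lines (no real traffic) the way a Sigma keyword match works, as a case-insensitive substring test over the whole event, and additionally checks the percent-decoded form of each line so that a request path encoded with %2F is not missed. The log lines, IP addresses and the example.invalid referer are all made up for the example.

```python
from urllib.parse import unquote

# Keyword list taken from the Sigma rule's detection.keywords section.
JNDI_EXPLOIT_KIT_PATHS = [
    "/Basic/Command/Base64/",
    "/Basic/ReverseShell/",
    "/Basic/TomcatMemshell",
    "/Basic/JettyMemshell",
    "/Basic/WeblogicMemshell",
    "/Basic/JBossMemshell",
    "/Basic/WebsphereMemshell",
    "/Basic/SpringMemshell",
    "/Deserialization/URLDNS/",
    "/Deserialization/CommonsCollections1/Dnslog/",
    "/Deserialization/CommonsCollections2/Command/Base64/",
    "/Deserialization/CommonsBeanutils1/ReverseShell/",
    "/Deserialization/Jre8u20/TomcatMemshell",
    "/TomcatBypass/Dnslog/",
    "/TomcatBypass/Command/",
    "/TomcatBypass/ReverseShell/",
    "/TomcatBypass/TomcatMemshell",
    "/TomcatBypass/SpringMemshell",
    "/GroovyBypass/Command/",
    "/WebsphereBypass/Upload/",
]

# Constructed sample lines in Apache "combined" log format; none of this is real traffic.
# Line 0: ordinary page request.  Line 1: exploit-kit path in the request.
# Line 2: the same kind of path, but percent-encoded.  Line 3: look-alike benign path.
# Line 4: exploit-kit path appearing in the Referer field rather than the request path.
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [12/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Dec/2021:10:00:05 +0000] "GET /Basic/Command/Base64/QUJD HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '198.51.100.7 - - [12/Dec/2021:10:00:09 +0000] "GET /TomcatBypass%2FCommand%2F HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '203.0.113.22 - - [12/Dec/2021:10:00:12 +0000] "GET /Basic/Command/Help HTTP/1.1" 200 80 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Dec/2021:10:00:20 +0000] "GET /login HTTP/1.1" 200 340 "https://example.invalid/Deserialization/URLDNS/" "Mozilla/5.0"',
]


def matches_rule(line):
    """Return the rule keywords present in one log line.

    Sigma keyword matching is a case-insensitive substring test over the whole
    event, so the entire line is checked, not only the request path. The
    percent-decoded form is checked too, because an encoded request such as
    /TomcatBypass%2FCommand%2F would otherwise slip past a literal match.
    """
    candidates = (line.lower(), unquote(line).lower())
    return [kw for kw in JNDI_EXPLOIT_KIT_PATHS
            if any(kw.lower() in c for c in candidates)]


def scan(lines):
    """Return (index, line, matched_keywords) for every line the rule fires on."""
    results = []
    for i, line in enumerate(lines):
        hits = matches_rule(line)
        if hits:
            results.append((i, line, hits))
    return results


if __name__ == "__main__":
    for i, line, hits in scan(SAMPLE_LOG_LINES):
        print(f"line {i}: {hits}\n    {line}")
```

Running it flags lines 1, 2 and 4 and leaves the benign lines alone. Line 2 is the one to note when porting the rule to a SIEM: a plain `has_any`/`contains` on the raw URL does not see through percent-encoding, so either normalize the URL field before matching or add the encoded variants to the keyword list.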
Scenario: Scheduled Job for LDAP Sync
Description: A legitimate scheduled job runs to synchronize user data from an LDAP directory using JNDI.
Filter/Exclusion: Exclude processes initiated by the system service account (e.g., svc-ldap-sync) or filter by process name like ldap-sync.exe or ldap-sync.sh.
Scenario: Admin Task for JNDI-based Configuration Management
Description: An administrator uses a JNDI-based tool (e.g., Apache Directory Studio) to configure or manage directory services.
Filter/Exclusion: Exclude processes initiated by the admin user (e.g., admin) or filter by tool name like apacheds-studio or directory-studio.
Scenario: Java Application Using JNDI for Data Access
Description: A Java-based enterprise application (e.g., Java EE app using JNDI for database lookups) triggers JNDI calls during normal operation.
Filter/Exclusion: Exclude processes running under the application server (e.g., java -jar app-server.jar) or filter by application name or class name (e.g., com.example.App).
Scenario: JNDI-based Logging or Monitoring Tool
Description: A monitoring tool (e.g., JNDI-based log aggregation system) uses JNDI to connect to a remote logging server.
Filter/Exclusion: Exclude processes associated with the monitoring tool (e.g., log-aggregator.jar) or filter by IP address of the logging server.
Scenario: Java Agent or Instrumentation Tool
Description: A Java agent (e.g., for performance monitoring or code coverage) uses JNDI for internal communication.
Filter/Exclusion: Exclude processes with known agent signatures (e.g., javaagent) or filter by process name like