Potential JAVA/JNDI Exploitation Attempt

edit

Identifies an outbound network connection by JAVA to LDAP, RMI or DNS standard ports followed by a suspicious JAVA child processes. This may indicate an attempt to exploit a JAVA/NDI (Java Naming and Directory Interface) injection vulnerability.

Rule type: eql

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Linux
  • macOS
  • Threat Detection
  • Execution

Version: 100 (version history)

Added (Elastic Stack release): 8.1.0

Last modified (Elastic Stack release): 8.5.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule query

edit
sequence by host.id with maxspan=1m [network where event.action ==
"connection_attempted" and process.name : "java" and /*
outbound connection attempt to LDAP, RMI or DNS standard ports
by JAVA process */ destination.port in (1389, 389, 1099, 53,
5353)] by process.pid [process where event.type == "start" and /*
Suspicious JAVA child process */ process.parent.name : "java" and
process.name : ("sh", "bash",
"dash", "ksh", "tcsh",
"zsh", "curl", "perl*",
"python*", "ruby*", "php*",
"wget")] by process.parent.pid

Threat mapping

edit

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 100 (8.5.0 release)
  • Formatting only
Version 3 (8.4.0 release)
  • Formatting only
Version 2 (8.2.0 release)
  • Formatting only