Updated queries as per suggestions from Shain.
This commit is contained in:
Parent
65a66d758d
Commit
7683f1f965
@ -2,8 +2,8 @@ id: 3bd33158-3f0b-47e3-a50f-7c20a1b88038
name: AV detections related to SpringShell Vulnerability
description: |
'This query looks for Microsoft Defender AV detections related to SpringShell Vulnerability. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device,
this query joins the DeviceInfo table to clearly connect other information such as Device group, ip,logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the alerts.
Refrence: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/'
this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This allows the Microsoft Sentinel analyst to have more context related to the alert, if available.
Reference: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/'
severity: High
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
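Review bot: the description text kept in this hunk still refers to "the SecurityAlerts table", while the query in the next hunk reads from `SecurityAlert`; since the description is already being reworded here, rename the table reference to match. The same sentence says the query "joins the DeviceInfo table", but the query starts from `DeviceInfo` and joins `SecurityAlert` onto it, so "joins the alert to its DeviceInfo row" would describe it accurately. The "Refrence" to "Reference" spelling fix is fine.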
@ -22,15 +22,18 @@ tags:
- SpringShell
- Spring4Shell
query: |
let SpringShell_threats = dynamic(["SpringShell"]);
let SpringShell_threats = dynamic(["Trojan:Python/SpringShellExpl", "Exploit:Python/SpringShell", "Backdoor:PHP/Remoteshell.V", "SpringShell"]);
DeviceInfo
| extend DeviceName = tolower(DeviceName)
| join ( SecurityAlert
| join kind=inner ( SecurityAlert
| where ProviderName == "MDATP"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
| where ThreatFamilyName in (SpringShell_threats)
| where ThreatName in (SpringShell_threats) or ThreatFamilyName in (SpringShell_threats)
| extend CompromisedEntity = tolower(CompromisedEntity)
) on $left.DeviceName == $right.CompromisedEntity
| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP
| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities
entityMappings:
- entityType: Host
fieldMappings:
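Review bot: `DeviceInfo` carries many snapshot rows per device, so `join kind=inner ( SecurityAlert ... ) on $left.DeviceName == $right.CompromisedEntity` duplicates every alert once per snapshot, and because both sides have `TimeGenerated`, the right-side copy is renamed `TimeGenerated1` after the join, which means `bin(TimeGenerated, 1d)` in the `summarize` keys on the DeviceInfo snapshot time rather than the alert time. Reduce the device side to one row before joining, for example `DeviceInfo | summarize arg_max(TimeGenerated, *) by DeviceId | extend DeviceName = tolower(DeviceName)`, and bin on the alert's timestamp. Two smaller points in the same hunk: `tostring(LoggedOnUsers)` is listed twice in the `summarize by` clause, and `| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP` is immediately followed by a `summarize` that keeps neither `timestamp` nor `IPCustomEntity`, so those columns never reach the entity mappings; either add them to the `by` list or move the `extend` after the `summarize`. Widening the filter to `ThreatName in (SpringShell_threats) or ThreatFamilyName in (SpringShell_threats)` is the right direction; `in~` would additionally make the match case-insensitive.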
@ -5,7 +5,7 @@ description: |
The Spring Framework is one of the most widely used lightweight open-source framework for Java. To exploit the vulnerability attackers can
send a specially crafted query to a web server running the Spring Core framework to change the target of logging facility and create a new
malicious JSP file in a location accessible by http requests. Attackers then make requests to the malicious backdoor to run system commands.
Refrence: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/'
Reference: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/'
requiredDataConnectors:
- connectorId: WAF
dataTypes:
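Review bot: the unchanged context line "one of the most widely used lightweight open-source framework for Java" needs "frameworks"; since this hunk is already correcting the description's spelling ("Refrence" to "Reference"), fix the plural in the same change. The corrected Reference URL matches the one used by the Defender AV query in this commit, which is good.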
@ -12,7 +12,7 @@ requiredDataConnectors:
tactics:
- Execution
relevantTechniques:
- T1059
- T1059.007
tags:
- CVE-2022-22965
- SpringShell
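Review bot: the rendered view has dropped the +/- markers, so it is not visible here which of `- T1059` and `- T1059.007` is the line being added under `relevantTechniques`; whichever it is, T1059.007 is the JavaScript sub-technique of Command and Scripting Interpreter, while the description in this same file talks about a JSP backdoor used to run system commands, so please confirm the intended sub-technique and record the rationale in the commit message or the query's description.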