diff --git a/Detections/SecurityAlert/AVSpringShell.yaml b/Detections/SecurityAlert/AVSpringShell.yaml
index 948c18f6fb..ab5236aaa7 100644
--- a/Detections/SecurityAlert/AVSpringShell.yaml
+++ b/Detections/SecurityAlert/AVSpringShell.yaml
@@ -2,8 +2,8 @@ id: 3bd33158-3f0b-47e3-a50f-7c20a1b88038
 name: AV detections related to SpringShell Vulnerability
 description: |
   'This query looks for Microsoft Defender AV detections related to SpringShell Vulnerability. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device,
-  this query joins the DeviceInfo table to clearly connect other information such as Device group, ip,logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the alerts.
-  Refrence: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/'
+  this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This allows the Microsoft Sentinel analyst to have more context related to the alert, if available.
+  Reference: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/'
 severity: High
 requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
@@ -22,15 +22,18 @@ tags:
   - SpringShell
   - Spring4Shell
 query: |
-  let SpringShell_threats = dynamic(["SpringShell"]);
+  let SpringShell_threats = dynamic(["Trojan:Python/SpringShellExpl", "Exploit:Python/SpringShell", "Backdoor:PHP/Remoteshell.V", "SpringShell"]);
   DeviceInfo
   | extend DeviceName = tolower(DeviceName)
-  | join ( SecurityAlert
+  | join kind=inner ( SecurityAlert
   | where ProviderName == "MDATP"
+  | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
   | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
-  | where ThreatFamilyName in (SpringShell_threats)
+  | where ThreatName in (SpringShell_threats) or ThreatFamilyName in (SpringShell_threats)
   | extend CompromisedEntity = tolower(CompromisedEntity)
   ) on $left.DeviceName == $right.CompromisedEntity
+  | extend timestamp = TimeGenerated, IPCustomEntity = PublicIP
+  | summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities
 entityMappings:
   - entityType: Host
     fieldMappings:
diff --git a/Hunting Queries/AzureDiagnostics/SpringShellExploitationAttempt.yaml b/Hunting Queries/AzureDiagnostics/SpringShellExploitationAttempt.yaml
index db1dc6ec53..32b91989a0 100644
--- a/Hunting Queries/AzureDiagnostics/SpringShellExploitationAttempt.yaml
+++ b/Hunting Queries/AzureDiagnostics/SpringShellExploitationAttempt.yaml
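Review bot: The added `| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP` line has no effect, because the `summarize by` that follows keeps only its grouping keys and neither `timestamp` nor `IPCustomEntity` is among them, so the columns the entity mappings below presumably rely on are dropped from the result. Moving the extend after the summarize keeps them: `| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId, bin(TimeGenerated, 1d), CompromisedEntity, ProductName, Entities` followed by `| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP`. The same summarize also lists `tostring(LoggedOnUsers)` twice, which is redundant at best and may be rejected as a duplicate output column; the proposed line drops the second copy. Note too that after the join `TimeGenerated` is DeviceInfo's timestamp rather than the alert's (the right side is renamed), so if the alert time is what the mapping wants, that deserves a comment such as `// timestamp is the DeviceInfo snapshot time, not the alert time`. Since the join is now `kind=inner` against a DeviceInfo table that has many rows per device, the daily bin is what keeps row multiplication in check; a one-line comment saying so would help the next editor.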
@@ -5,7 +5,7 @@ description: |
   The Spring Framework is one of the most widely used lightweight open-source framework for Java.
   To exploit the vulnerability attackers can send a specially crafted query to a web server running the Spring Core framework to change the target of logging facility and create a new malicious JSP file in a location accessible by http requests.
   Attackers then make requests to the malicious backdoor to run system commands.
-  Refrence: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/'
+  Reference: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/'
 requiredDataConnectors:
   - connectorId: WAF
     dataTypes:
diff --git a/Hunting Queries/AzureDiagnostics/SpringshellWebshellUsage.yaml b/Hunting Queries/AzureDiagnostics/SpringshellWebshellUsage.yaml
index 6345e4c970..b452de6c90 100644
--- a/Hunting Queries/AzureDiagnostics/SpringshellWebshellUsage.yaml
+++ b/Hunting Queries/AzureDiagnostics/SpringshellWebshellUsage.yaml
@@ -12,7 +12,7 @@ requiredDataConnectors:
 tactics:
   - Execution
 relevantTechniques:
-  - T1059
+  - T1059.007
 tags:
   - CVE-2022-22965
   - SpringShell
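Review bot: `T1059.007` is the JavaScript sub-technique of Command and Scripting Interpreter, which does not obviously fit a query named SpringshellWebshellUsage; the description touched in the sibling file of this same commit describes a JSP file planted on the server and then requested as a backdoor, for which T1505.003 (Server Software Component: Web Shell) is the usual mapping. I may be missing a JavaScript-specific pattern in the query body, which is outside this hunk, but if the intent was to keep the generic interpreter technique and add the web-shell one, `- T1059` and `- T1505.003` would cover both. Either way, the reason for choosing this sub-technique is worth a short comment next to `relevantTechniques:` so the mapping is not silently reverted later.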