EXPLORE
Sign In
← Back to Explore
splunk_escuTTP

Detect attackers scanning for vulnerable JBoss servers

The following analytic identifies specific GET or HEAD requests to web servers that indicate reconnaissance attempts to find vulnerable JBoss servers. It leverages data from the Web data model, focusing on HTTP methods and URLs associated with JBoss management interfaces. This activity is significant because it often precedes exploitation attempts using tools like JexBoss, which can compromise the server. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, or escalate privileges, leading to potential data breaches and system compromise.

Detection Query

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
  WHERE (
        Web.http_method="GET"
        OR
        Web.http_method="HEAD"
    )
    AND (Web.url="*/web-console/ServerInfo.jsp*" OR Web.url="*web-console*" OR Web.url="*jmx-console*" OR Web.url = "*invoker*")
  BY Web.http_method, Web.url, Web.src,
     Web.dest
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_attackers_scanning_for_vulnerable_jboss_servers_filter`

Author

Bhavin Patel, Splunk

Raw Content
name: Detect attackers scanning for vulnerable JBoss servers
id: 104658f4-afdc-499e-9719-17243f982681
version: 8
creation_date: '2020-04-29'
modification_date: '2026-05-13'
author: Bhavin Patel, Splunk
status: experimental
type: TTP
description: The following analytic identifies specific GET or HEAD requests to web servers that indicate reconnaissance attempts to find vulnerable JBoss servers. It leverages data from the Web data model, focusing on HTTP methods and URLs associated with JBoss management interfaces. This activity is significant because it often precedes exploitation attempts using tools like JexBoss, which can compromise the server. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, or escalate privileges, leading to potential data breaches and system compromise.
data_source: []
search: |-
    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
      WHERE (
            Web.http_method="GET"
            OR
            Web.http_method="HEAD"
        )
        AND (Web.url="*/web-console/ServerInfo.jsp*" OR Web.url="*web-console*" OR Web.url="*jmx-console*" OR Web.url = "*invoker*")
      BY Web.http_method, Web.url, Web.src,
         Web.dest
    | `drop_dm_object_name("Web")`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `detect_attackers_scanning_for_vulnerable_jboss_servers_filter`
how_to_implement: You must be ingesting data from the web server or network traffic that contains web specific information, and populating the Web data model.
known_false_positives: It's possible for legitimate HTTP requests to be made to URLs containing the suspicious paths.
references: []
finding:
    title: Potential Scanning for Vulnerable JBoss Servers - $dest$
    entity:
        field: dest
        type: system
        score: 50
analytic_story:
    - JBoss Vulnerability
    - SamSam Ransomware
asset_type: Web Server
mitre_attack_id:
    - T1082
    - T1133
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: web
security_domain: network