Exploit Public Facing Application via Apache Commons Text

name: Exploit Public Facing Application via Apache Commons Text
id: 19a481e0-c97c-4d14-b1db-75a708eb592e
version: 9
date: '2026-03-10'
author: Michael Haag, Splunk
status: production
type: Anomaly
description: The following analytic detects attempts to exploit the CVE-2022-42889 vulnerability in the Apache Commons Text Library, known as Text4Shell. It leverages the Web datamodel to identify suspicious HTTP requests containing specific lookup keys (url, dns, script) that can lead to Remote Code Execution (RCE). This activity is significant as it targets a critical vulnerability that can allow attackers to execute arbitrary code on the server. If confirmed malicious, this could lead to full system compromise, data exfiltration, or further lateral movement within the network.
data_source:
    - Nginx Access
search: |-
    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
      WHERE Web.http_method IN (POST, GET)
      BY Web.src Web.status Web.uri_path
         Web.dest Web.http_method Web.uri_query
         Web.http_user_agent
    | `drop_dm_object_name("Web")`
    | eval utf=if(like(lower(uri_query),"%:utf-8:http%"),2,0)
    | eval lookup = if(like(lower(uri_query), "%url%") OR like(lower(uri_query), "%dns%") OR like(lower(uri_query), "%script%"),2,0)
    | eval other_lookups = if(like(lower(uri_query), "%env%") OR like(lower(uri_query), "%file%") OR like(lower(uri_query), "%getRuntime%") OR like(lower(uri_query), "%java%") OR like(lower(uri_query), "%localhost%") OR like(lower(uri_query), "%properties%") OR like(lower(uri_query), "%resource%") OR like(lower(uri_query), "%sys%") OR like(lower(uri_query), "%xml%") OR like(lower(uri_query), "%base%"),1,0)
    | addtotals fieldname=Score utf lookup other_lookups
    | fields Score, src, dest, status, uri_query, uri_path, http_method, http_user_agent firstTime lastTime
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | where Score >= 3
    | `exploit_public_facing_application_via_apache_commons_text_filter`
how_to_implement: To implement, one must be collecting network traffic that is normalized in CIM and able to be queried via the Web datamodel. Or, take the chunks out needed and tie to a specific network source type to hunt in. Tune as needed, or remove the other_lookups statement.
known_false_positives: False positives are present when the values are set to 1 for utf and lookup. It's possible to raise this to TTP (direct finding) if removal of other_lookups occur and Score is raised to 2 (down from 4).
references:
    - https://sysdig.com/blog/cve-2022-42889-text4shell/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-42889
    - https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
    - https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-stop-saying-4shell/
    - https://github.com/kljunowsky/CVE-2022-42889-text4shell
    - https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: A URL was requested related to Text4Shell on $dest$ by $src$.
    risk_objects:
        - field: dest
          type: system
          score: 20
    threat_objects:
        - field: src
          type: ip_address
tags:
    analytic_story:
        - Text4Shell CVE-2022-42889
    asset_type: Web Server
    cve:
        - CVE-2022-42889
    mitre_attack_id:
        - T1133
        - T1190
        - T1505.003
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/text4shell/text4shell_nginx.log
          source: nginx:plus:kv
          sourcetype: nginx:plus:kv