sigma medium Hunting
.Class Extension URI Ending Request
Detects requests to URIs ending with the ".class" extension in proxy logs. This rule can be used to hunt for potential downloads of Java classes, as seen for example in Log4shell exploitation attacks against Log4j.
Detection Query
selection:
    c-uri|endswith: .class
condition: selection
Author
Andreas Hunkeler (@Karneades)
Created
2021-12-21
Data Sources
proxy
References
Tags
attack.initial-access
detection.threat-hunting
Raw Content
title: .Class Extension URI Ending Request
id: 53c15703-b04c-42bb-9055-1937ddfb3392
status: test
description: |
    Detects requests to URIs ending with the ".class" extension in proxy logs.
    This rule can be used to hunt for potential downloads of Java classes, as seen for example in Log4shell exploitation attacks against Log4j.
references:
    - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
author: Andreas Hunkeler (@Karneades)
date: 2021-12-21
modified: 2024-02-26
tags:
    - attack.initial-access
    - detection.threat-hunting
logsource:
    category: proxy
detection:
    selection:
        c-uri|endswith: '.class'
    condition: selection
falsepositives:
    - Unknown
level: medium
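
To see what the selection above does and does not match, the following added example (not part of the rule or the Sigma project) applies the same `c-uri|endswith: '.class'` test to a small proxy log. The log lines, the W3C extended field layout, and the function names `parse_w3c`, `sigma_endswith` and `hunt` are all constructed for illustration; it assumes `c-uri` holds the full requested URI.

```python
# Constructed sample proxy log in W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method c-uri sc-status
2021-12-21 10:01:02 10.0.0.5 GET http://203.0.113.10:8000/Foo.class 200
2021-12-21 10:01:07 10.0.0.8 GET http://intranet.example/app/index.html 200
2021-12-21 10:02:11 10.0.0.5 GET http://203.0.113.10:8000/Bar.CLASS 200
2021-12-21 10:03:30 10.0.0.9 GET http://docs.example/java/lang/Object.class.html 200
2021-12-21 10:04:45 10.0.0.7 GET http://198.51.100.4/a/Main.class?v=1 200
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            # Skip malformed entries whose column count does not match the header.
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def sigma_endswith(value, suffix):
    """Sigma's endswith modifier; Sigma string matching is case-insensitive by default."""
    return value.lower().endswith(suffix.lower())


def hunt(text, field="c-uri", suffix=".class"):
    """Return the log entries that the rule's selection would match."""
    return [e for e in parse_w3c(text) if sigma_endswith(e.get(field, ""), suffix)]


if __name__ == "__main__":
    for entry in hunt(SAMPLE_LOG):
        print(entry["date"], entry["time"], entry["c-ip"], entry["c-uri"])
```

The last sample entry is not matched because the query string follows `.class`; whether `c-uri` includes the query string depends on the proxy's field mapping, so that mapping is worth checking before relying on the hunt's coverage.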