sigma | high | Hunting
Java Payload Strings
Detects possible Java payloads in web access logs
Detection Query
keywords:
    - "%24%7B%28%23a%3D%40"
    - ${(#a=@
    - "%24%7B%40java"
    - ${@java
    - u0022java
    - "%2F%24%7B%23"
    - /${#
    - new+java.
    - getRuntime().exec(
    - getRuntime%28%29.exec%28
condition: keywords
Author
frack113, Harjot Singh, "@cyb3rjy0t" (update)
Created
2022-06-04
Data Sources
webserver
References
- https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
- https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/
- https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md
- https://twitter.com/httpvoid0x2f/status/1532924261035384832
- https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035
Tags
- cve.2022-26134
- cve.2021-26084
- attack.initial-access
- attack.t1190
Raw Content
title: Java Payload Strings
id: 583aa0a2-30b1-4d62-8bf3-ab73689efe6c
status: test
description: Detects possible Java payloads in web access logs
references:
    - https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
    - https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/
    - https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md
    - https://twitter.com/httpvoid0x2f/status/1532924261035384832
    - https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035
author: frack113, Harjot Singh, "@cyb3rjy0t" (update)
date: 2022-06-04
modified: 2023-01-19
tags:
    - cve.2022-26134
    - cve.2021-26084
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    keywords:
        - '%24%7B%28%23a%3D%40'
        - '${(#a=@'
        - '%24%7B%40java'
        - '${@java'
        - 'u0022java'
        - '%2F%24%7B%23'
        - '/${#'
        - 'new+java.'
        - 'getRuntime().exec('
        - 'getRuntime%28%29.exec%28'
    condition: keywords
falsepositives:
    - Legitimate apps
level: high