EXPLORE
Sign In
← Back to Explore
splunk_escuAnomaly

Suspicious Java Classes

The following analytic identifies suspicious Java classes often used for remote command execution exploits in Java frameworks like Apache Struts. It detects this activity by analyzing HTTP POST requests with specific content patterns using Splunk's `stream_http` data source. This behavior is significant because it may indicate an attempt to exploit vulnerabilities in web applications, potentially leading to unauthorized remote code execution. If confirmed malicious, this activity could allow attackers to execute arbitrary commands on the server, leading to data breaches, system compromise, and further network infiltration.

MITRE ATT&CK

T1190
initial-access

Detection Query

`stream_http`
http_method=POST
http_content_length>1
| regex form_data="(?i)java\.lang\.(?:runtime|processbuilder)"
| rename src_ip as src
| stats count earliest(_time) as firstTime
              latest(_time) as lastTime
              values(url) as uri
              values(status) as status
              values(http_user_agent) as http_user_agent
  BY src dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `suspicious_java_classes_filter`

Author

Jose Hernandez, Splunk

Created

2026-03-25

Tags

Apache Struts Vulnerability
Raw Content
name: Suspicious Java Classes
id: 6ed33786-5e87-4f55-b62c-cb5f1168b831
version: 8
date: '2026-03-25'
author: Jose Hernandez, Splunk
status: experimental
type: Anomaly
description: |-
    The following analytic identifies suspicious Java classes often used for remote command execution exploits in Java frameworks like Apache Struts.
    It detects this activity by analyzing HTTP POST requests with specific content patterns using Splunk's `stream_http` data source.
    This behavior is significant because it may indicate an attempt to exploit vulnerabilities in web applications, potentially leading to unauthorized remote code execution.
    If confirmed malicious, this activity could allow attackers to execute arbitrary commands on the server, leading to data breaches, system compromise, and further network infiltration.
data_source: []
search: |-
    `stream_http`
    http_method=POST
    http_content_length>1
    | regex form_data="(?i)java\.lang\.(?:runtime|processbuilder)"
    | rename src_ip as src
    | stats count earliest(_time) as firstTime
                  latest(_time) as lastTime
                  values(url) as uri
                  values(status) as status
                  values(http_user_agent) as http_user_agent
      BY src dest
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `suspicious_java_classes_filter`
how_to_implement: |-
    In order to properly run this search, Splunk needs to ingest data from your web-traffic appliances that serve or sit in the path of your Struts application servers.
    This can be accomplished by indexing data from a web proxy, or by using network traffic-analysis tools, such as Splunk Stream or Bro.
known_false_positives: |-
    No false positives have been identified at this time.
references: []
rba:
    message: Suspicious Java Classes in HTTP requests involving $src$ and $dest$
    risk_objects:
        - field: src
          type: system
          score: 20
        - field: dest
          type: system
          score: 20
    threat_objects: []
tags:
    analytic_story:
        - Apache Struts Vulnerability
    asset_type: Endpoint
    mitre_attack_id:
        - T1190
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: threat