EXPLORE
Sign In
← Back to Explore
splunk_escuTTP

Java Writing JSP File

The following analytic detects the Java process writing a .jsp file to disk, which may indicate a web shell being deployed. It leverages data from the Endpoint datamodel, specifically monitoring process and filesystem activities. This activity is significant because web shells can provide attackers with remote control over the compromised server, leading to further exploitation. If confirmed malicious, this could allow unauthorized access, data exfiltration, or further compromise of the affected system, posing a severe security risk.

MITRE ATT&CK

T1190T1133
initial-accesspersistence

Detection Query

| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
  WHERE Processes.process_name IN ("java","java.exe", "javaw.exe")
  BY _time Processes.action Processes.dest
     Processes.original_file_name Processes.parent_process Processes.parent_process_exec
     Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
     Processes.parent_process_path Processes.process Processes.process_exec
     Processes.process_guid Processes.process_hash Processes.process_id
     Processes.process_integrity_level Processes.process_name Processes.process_path
     Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| join process_guid [
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem
  WHERE Filesystem.file_name="*.jsp*"
  BY _time Filesystem.action Filesystem.dest
     Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash
     Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path
     Filesystem.file_acl Filesystem.file_size Filesystem.process_guid
     Filesystem.process_id Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| fields _time process_guid file_path file_name file_create_time user dest process_name]
| stats count min(_time) as firstTime max(_time) as lastTime
  BY dest process_name process_guid
     file_name file_path file_create_time
     user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `java_writing_jsp_file_filter`

Author

Michael Haag, Splunk

Created

2026-03-10

Data Sources

Sysmon for Linux EventID 1 AND Sysmon for Linux EventID 11

References

Tags

Spring4Shell CVE-2022-22965Atlassian Confluence Server and Data Center CVE-2022-26134SysAid On-Prem Software CVE-2023-47246 VulnerabilitySAP NetWeaver Exploitation
Raw Content
name: Java Writing JSP File
id: eb65619c-4f8d-4383-a975-d352765d344b
version: 11
date: '2026-03-10'
author: Michael Haag, Splunk
status: production
type: TTP
description: The following analytic detects the Java process writing a .jsp file to disk, which may indicate a web shell being deployed. It leverages data from the Endpoint datamodel, specifically monitoring process and filesystem activities. This activity is significant because web shells can provide attackers with remote control over the compromised server, leading to further exploitation. If confirmed malicious, this could allow unauthorized access, data exfiltration, or further compromise of the affected system, posing a severe security risk.
data_source:
    - Sysmon for Linux EventID 1 AND Sysmon for Linux EventID 11
search: |-
    | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
      WHERE Processes.process_name IN ("java","java.exe", "javaw.exe")
      BY _time Processes.action Processes.dest
         Processes.original_file_name Processes.parent_process Processes.parent_process_exec
         Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
         Processes.parent_process_path Processes.process Processes.process_exec
         Processes.process_guid Processes.process_hash Processes.process_id
         Processes.process_integrity_level Processes.process_name Processes.process_path
         Processes.user Processes.user_id Processes.vendor_product
    | `drop_dm_object_name(Processes)`
    | join process_guid [
    | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem
      WHERE Filesystem.file_name="*.jsp*"
      BY _time Filesystem.action Filesystem.dest
         Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash
         Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path
         Filesystem.file_acl Filesystem.file_size Filesystem.process_guid
         Filesystem.process_id Filesystem.user Filesystem.vendor_product
    | `drop_dm_object_name(Filesystem)`
    | fields _time process_guid file_path file_name file_create_time user dest process_name]
    | stats count min(_time) as firstTime max(_time) as lastTime
      BY dest process_name process_guid
         file_name file_path file_create_time
         user
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `java_writing_jsp_file_filter`
how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
known_false_positives: False positives are possible and filtering may be required. Restrict by assets or filter known jsp files that are common for the environment.
references:
    - https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/
    - https://github.com/TheGejr/SpringShell
    - https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: An instance of $process_name$ was identified on endpoint $dest$ writing a jsp file $file_name$ to disk, potentially indicative of exploitation.
    risk_objects:
        - field: dest
          type: system
          score: 50
    threat_objects:
        - field: process_name
          type: process_name
tags:
    analytic_story:
        - Spring4Shell CVE-2022-22965
        - Atlassian Confluence Server and Data Center CVE-2022-26134
        - SysAid On-Prem Software CVE-2023-47246 Vulnerability
        - SAP NetWeaver Exploitation
    asset_type: Endpoint
    cve:
        - CVE-2022-22965
    mitre_attack_id:
        - T1190
        - T1133
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/java_write_jsp-linux-sysmon.log
          source: Syslog:Linux-Sysmon/Operational
          sourcetype: sysmon:linux