EXPLORE
Sign In
← Back to Explore
splunk_escuTTP

Java Writing JSP File

The following analytic detects the Java process writing a .jsp file to disk, which may indicate a web shell being deployed. It leverages data from the Endpoint datamodel, specifically monitoring process and filesystem activities. This activity is significant because web shells can provide attackers with remote control over the compromised server, leading to further exploitation. If confirmed malicious, this could allow unauthorized access, data exfiltration, or further compromise of the affected system, posing a severe security risk.

Detection Query

| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
  WHERE Processes.process_name IN ("java","java.exe", "javaw.exe")
  BY _time Processes.action Processes.dest
     Processes.original_file_name Processes.parent_process Processes.parent_process_exec
     Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
     Processes.parent_process_path Processes.process Processes.process_exec
     Processes.process_guid Processes.process_hash Processes.process_id
     Processes.process_integrity_level Processes.process_name Processes.process_path
     Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| join process_guid [
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem
  WHERE Filesystem.file_name="*.jsp*"
  BY _time Filesystem.action Filesystem.dest
     Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash
     Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path
     Filesystem.file_acl Filesystem.file_size Filesystem.process_guid
     Filesystem.process_id Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| fields _time process_guid file_path file_name file_create_time user dest process_name]
| stats count min(_time) as firstTime max(_time) as lastTime
  BY dest process_name process_guid
     file_name file_path file_create_time
     user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `java_writing_jsp_file_filter`

Author

Michael Haag, Splunk

Data Sources

Sysmon for Linux EventID 1 AND Sysmon for Linux EventID 11

References

Raw Content
name: Java Writing JSP File
id: eb65619c-4f8d-4383-a975-d352765d344b
version: 13
creation_date: '2022-04-05'
modification_date: '2026-05-13'
author: Michael Haag, Splunk
status: production
type: TTP
description: The following analytic detects the Java process writing a .jsp file to disk, which may indicate a web shell being deployed. It leverages data from the Endpoint datamodel, specifically monitoring process and filesystem activities. This activity is significant because web shells can provide attackers with remote control over the compromised server, leading to further exploitation. If confirmed malicious, this could allow unauthorized access, data exfiltration, or further compromise of the affected system, posing a severe security risk.
data_source:
    - Sysmon for Linux EventID 1 AND Sysmon for Linux EventID 11
search: |-
    | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
      WHERE Processes.process_name IN ("java","java.exe", "javaw.exe")
      BY _time Processes.action Processes.dest
         Processes.original_file_name Processes.parent_process Processes.parent_process_exec
         Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
         Processes.parent_process_path Processes.process Processes.process_exec
         Processes.process_guid Processes.process_hash Processes.process_id
         Processes.process_integrity_level Processes.process_name Processes.process_path
         Processes.user Processes.user_id Processes.vendor_product
    | `drop_dm_object_name(Processes)`
    | join process_guid [
    | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem
      WHERE Filesystem.file_name="*.jsp*"
      BY _time Filesystem.action Filesystem.dest
         Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash
         Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path
         Filesystem.file_acl Filesystem.file_size Filesystem.process_guid
         Filesystem.process_id Filesystem.user Filesystem.vendor_product
    | `drop_dm_object_name(Filesystem)`
    | fields _time process_guid file_path file_name file_create_time user dest process_name]
    | stats count min(_time) as firstTime max(_time) as lastTime
      BY dest process_name process_guid
         file_name file_path file_create_time
         user
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `java_writing_jsp_file_filter`
how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
known_false_positives: False positives are possible and filtering may be required. Restrict by assets or filter known jsp files that are common for the environment.
references:
    - https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/
    - https://github.com/TheGejr/SpringShell
    - https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: An instance of $process_name$ was identified on endpoint $dest$ writing a jsp file $file_name$ to disk, potentially indicative of exploitation.
    entity:
        field: dest
        type: system
        score: 50
threat_objects:
    - field: process_name
      type: process_name
analytic_story:
    - Spring4Shell CVE-2022-22965
    - Atlassian Confluence Server and Data Center CVE-2022-26134
    - SysAid On-Prem Software CVE-2023-47246 Vulnerability
    - SAP NetWeaver Exploitation
asset_type: Endpoint
cve:
    - CVE-2022-22965
mitre_attack_id:
    - T1190
    - T1133
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/java_write_jsp-linux-sysmon.log
          source: Syslog:Linux-Sysmon/Operational
          sourcetype: sysmon:linux
      test_type: unit