Exploitation attempt against SpringShell (CVE-2022-22965)
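// AzureSentinel - Analytic Rules
// (the original header used '#', which is not a comment marker in KQL and breaks the query when pasted)
//
// At least two vulnerabilities in the Spring Framework for Java have been publicly disclosed and
// can allow an attacker to remotely execute arbitrary code on an affected device.
// Microsoft is aware of these vulnerabilities and is actively investigating.
//
// Purpose: for every device that carries at least one SpringShell-related alert, gather ALL
// alert activity (not just SpringShell) seen on that device, one row per device and 10-day
// window, so the surrounding activity can be triaged in context.
// Inputs: AlertInfo (AlertId, Title, Timestamp, ...) and AlertEvidence (AlertId, DeviceId, ...).
//
// Step 1: devices with SpringShell-related alert activity.
// Title matching is case-insensitive (in~); extend this list if new alert titles appear.
let DevicesSpringShellAlerts = AlertInfo
| where Title in~('Suspicious script launched',
'Exploitation attempt against SpringShell (CVE-2022-22965)',
'Suspicious process executed by a network service',
'Possible target of SpringShell exploitation (CVE-2022-22965)',
'Possible target of SpringShell exploitation',
'Possible SpringShell exploitation',
'Network connection seen in CVE-2022-22965 exploitation',
'SpringShell exploitation detected',
'Possible exploitation of CVE-2022-22965',
'Possible target of SpringShell vulnerability (CVE-2022-22965) scanning',
'Possible source of SpringShell exploitation')
// Map each alert to the device(s) named in its evidence. kind=inner is spelled out because
// the KQL default (innerunique) is easy to misread.
| join kind=inner AlertEvidence on AlertId
// Evidence rows that name no device (presumably non-device entities) carry an empty DeviceId.
| where isnotempty(DeviceId)
// Keep exactly one column: the `in` filter below should not rely on first-column selection.
| distinct DeviceId;
// Step 2: all alert activity for those devices.
AlertEvidence
| where DeviceId in (DevicesSpringShellAlerts)
// leftouter keeps evidence rows even when the matching AlertInfo row is absent.
| join kind=leftouter AlertInfo on AlertId
// Distinct alert titles and ids per device and 10-day bucket (Timestamp is the evidence-side column).
| summarize DeviceAlerts = make_set(Title), AlertIDs = make_set(AlertId) by DeviceId, bin(Timestamp, 10d)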