Potential JAVA/JNDI Exploitation Attempt

This detection rule identifies potential exploitation attempts targeting Java Naming and Directory Interface (JNDI) vulnerabilities. These vulnerabilities, exemplified by CVE-2021-45046, allow attackers to perform remote code execution by injecting malicious payloads through directory services like LDAP. The rule focuses on detecting suspicious outbound network connections from Java processes to standard ports associated with LDAP (389, 1389), RMI (1099), and DNS (53, 5353), followed by the execution of suspicious child processes indicative of command execution such as shell interpreters (sh, bash, zsh) or scripting languages (python, perl). The rule aims to identify exploitation attempts similar to those seen with Log4Shell and related vulnerabilities, which have been actively exploited since late 2021. It covers Linux and macOS environments and provides a mechanism to detect ongoing exploitation.

Attack Chain

1. A vulnerable Java application receives malicious input containing a JNDI lookup string.
2. The Java application attempts to resolve the JNDI name, initiating an outbound network connection to an LDAP, RMI, or DNS server on ports 389, 1389, 1099, 53, or 5353.
3. The malicious LDAP/RMI/DNS server, controlled by the attacker, responds with a payload referencing a malicious Java class or remote code.
4. The Java application loads and executes the malicious code.
5. As a result of the executed code, a shell interpreter (sh, bash, zsh, etc.) or scripting language (python, perl, ruby, php, wget) is spawned as a child process of the Java application.
6. The spawned shell/script executes attacker-controlled commands for reconnaissance, privilege escalation, or lateral movement.
7. The attacker gains a foothold on the system.
8. The attacker performs actions such as data exfiltration or deploying malware.

Impact

Successful exploitation of JNDI vulnerabilities can lead to remote code execution, allowing attackers to gain complete control over affected systems. This can result in data breaches, system compromise, and further propagation of attacks within the network. The impact can range from service disruption to complete system takeover. Public exploits for vulnerabilities such as Log4Shell have been widely available, leading to widespread scanning and exploitation attempts across various industries.

Recommendation

• Deploy the Sigma rule “Potential JAVA/JNDI Exploitation Attempt” to your SIEM to detect suspicious Java processes initiating network connections to LDAP, RMI, or DNS ports followed by suspicious child processes.
• Enable process creation and network connection logging on Linux and macOS endpoints to provide the necessary data for the Sigma rules to function correctly.
• Review and whitelist legitimate Java applications that may trigger false positives due to legitimate network connections (see the “False positive analysis” section in the original rule’s note field).
• Implement network segmentation to limit the impact of successful exploitation by restricting lateral movement.
• Patch vulnerable Java applications and libraries, such as Log4j, to prevent exploitation of known vulnerabilities like CVE-2021-45046.