Potential JAVA/JNDI Exploitation Attempt

Identifies an outbound network connection by JAVA to LDAP, RMI or DNS standard ports followed by a suspicious JAVA child processes. This may indicate an attempt to exploit a JAVA/NDI (Java Naming and Directory Interface) injection vulnerability.

Rule type: eql

Rule indices:

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 101 (version history)

Added (Elastic Stack release): 8.1.0

Last modified (Elastic Stack release): 8.6.0

Rule authors: Elastic

Rule license: Elastic License v2

sequence by host.id with maxspan=1m [network where event.action ==
"connection_attempted" and process.name : "java" and /*
outbound connection attempt to LDAP, RMI or DNS standard ports
by JAVA process */ destination.port in (1389, 389, 1099, 53,
5353)] by process.pid [process where event.type == "start" and /*
Suspicious JAVA child process */ process.parent.name : "java" and
process.name : ("sh", "bash",
"dash", "ksh", "tcsh",
"zsh", "curl", "perl*",
"python*", "ruby*", "php*",
"wget")] by process.parent.pid