Diamond Model of Intrusion Analysis in Practice

Michael Koczwara
May 30, 2022

LetsDefend: SOC171-Spring4Shell

Diamond Model

Log Analysis

EventID 121
SOC171 — Spring4Shell Activity

Spring4Shell is a zero-day Remote Code Execution (RCE) vulnerability in the Spring Framework (CVE-2022-22965). According to public information, successful exploitation gives the threat actor arbitrary file write (upload) on the server, which in practice is used to drop a webshell that then executes commands.

Suspicious parameters and detection rules triggered:

  • /tomcatwar.jsp?pwd=j&cmd=cat%20/etc/shadow (a request to the dropped webshell; cmd URL-decodes to cat /etc/shadow)
  • java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di payload in POST data (URL-decodes to java.io.InputStream in = %{c1}i, a fragment of the webshell source written by the exploit request)
Affected SpringServer
Log Analysis

The attacker first port-scanned the host and then attempted to exploit the service on port 8082 with the Spring4Shell vulnerability. If the attack succeeded, the attacker should have run commands on the web server afterwards, so we filter the network traffic for source 3.21.128[.]255 and destination 172.31.34[.]218 (the IP address of the SpringServer host).

Looking at the results, we see that the attacker executed the commands whoami, pwd, cat /etc/passwd and cat /etc/shadow through the webshell and received a response to each, so the exploitation succeeded.

Spring4Shell exploit

The attacker sent the whoami command and received the response root, so the web server process, and therefore the webshell, runs as root. That also explains why the cat /etc/shadow request returned content, since that file is readable only by root.
