Query Details

Detect Active Exploitation Of Critical Apache Tomcat RCE Vulnerability

Query

// https://www.greynoise.io/blog/active-exploitation-critical-apache-tomcat-rce-vulnerability-cve-2025-24813
// Source IPs GreyNoise observed attempting CVE-2025-24813 exploitation when the post was published.
// Treat this as a point-in-time indicator list and refresh it from GreyNoise before relying on it.
let GreyNoiseMaliciousIPs = dynamic(["176.65.138.172","38.126.114.186",
"188.213.161.98","140.143.182.115","196.240.54.120"]);
// Devices that Defender marks as internet-facing and that report a public IP address
let InternetFacing =
DeviceInfo
| where IsInternetFacing == true and isnotempty(PublicIP)
| distinct DeviceId;
// Internet-facing devices on which Tomcat ran in the last 30 days.
// `contains` rather than `has`: "tomcat9.exe" is a single term, so `has "tomcat"` would miss it.
// On Linux Tomcat is a plain java process, so also match the Catalina bootstrap class on the command line.
// Timestamp exists in both Defender Advanced Hunting and Sentinel; TimeGenerated only in Sentinel.
let PublicFacingTomcatInstances =
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName contains "tomcat" or InitiatingProcessFileName contains "tomcat"
    or ProcessCommandLine has "catalina" or InitiatingProcessCommandLine has "catalina"
| where DeviceId in (InternetFacing)
| distinct DeviceId;
// Any connection, inbound or outbound, between those hosts and the listed IPs in the last 7 days.
// `in` gives an exact match on the whole value; `has_any` is term matching and is not needed here.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where DeviceId in (PublicFacingTomcatInstances)
| where RemoteIP in (GreyNoiseMaliciousIPs)
| project Timestamp, DeviceId, DeviceName, ActionType, RemoteIP, RemotePort, LocalIP, LocalPort, InitiatingProcessFileName

Explanation

This KQL (Kusto Query Language) query surfaces internet-facing Apache Tomcat servers that have exchanged traffic with IP addresses GreyNoise observed attempting to exploit CVE-2025-24813. It runs against the Microsoft Defender for Endpoint device tables, either in Defender Advanced Hunting or in Microsoft Sentinel. Here's a breakdown of what the query does:

  1. Define Malicious IPs: It starts with the list of source IP addresses that GreyNoise reported as attempting to exploit the vulnerability. The list is a point-in-time snapshot from the linked blog post; refresh it from GreyNoise before relying on the query, because scanning infrastructure changes quickly.

  2. Identify Internet-Facing Devices: From DeviceInfo it keeps the devices that Defender marks as internet-facing and that report a public IP address.

  3. Find Public-Facing Tomcat Instances: From DeviceProcessEvents it collects the internet-facing devices on which a Tomcat process appeared in the last 30 days, collapsed to one row per device. On Linux, Tomcat usually runs as a java process, so a match on the process file name alone depends on how the service is packaged; if Linux hosts are missing from the results, check the process command line for the Catalina bootstrap class as well.

  4. Check for Malicious Activity: Finally, it examines DeviceNetworkEvents from the last 7 days for any connection, inbound or outbound, between those devices and the listed IPs. Exploitation of CVE-2025-24813 arrives as an inbound HTTP request to Tomcat, so the hits that matter are typically InboundConnectionAccepted events on the Tomcat listener port (8080 or 8443 by default).

In summary, a match means a publicly accessible Apache Tomcat server in your network exchanged traffic with an IP address known for exploitation attempts against this vulnerability. That is evidence of an attempt, not of a successful compromise: corroborate it with the Tomcat access logs for that source IP and with DeviceProcessEvents for unexpected child processes of the Tomcat process, and make sure the server is running a fixed Tomcat release.
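The same detection run over constructed sample telemetry, as an added example that is not part of the original query or of the author's work. It shadows the three Defender tables with datatable literals (a let-bound name takes precedence over a table of the same name in KQL), so it can be pasted into any Kusto endpoint and checked offline. The column names follow the Defender for Endpoint schema; the device IDs, host names, IPs (documentation ranges) and command lines are all made up. The ago() time windows are left out because the sample timestamps are fixed in March 2025.

```kql
// Constructed sample telemetry (not real data): two internet-facing Tomcat hosts, one internal
// Tomcat host and one internet-facing host that never ran Tomcat.
let GreyNoiseMaliciousIPs = dynamic(["176.65.138.172","38.126.114.186",
    "188.213.161.98","140.143.182.115","196.240.54.120"]);
let DeviceInfo = datatable(Timestamp:datetime, DeviceId:string, DeviceName:string, IsInternetFacing:bool, PublicIP:string) [
    datetime(2025-03-20 10:00:00), "dev-aaa", "tomcat-edge-lnx", true,  "203.0.113.10",
    datetime(2025-03-20 10:00:00), "dev-bbb", "tomcat-edge-win", true,  "203.0.113.11",
    datetime(2025-03-20 10:00:00), "dev-ccc", "tomcat-internal", false, "",
    datetime(2025-03-20 10:00:00), "dev-ddd", "nginx-edge",      true,  "203.0.113.12"
];
let DeviceProcessEvents = datatable(Timestamp:datetime, DeviceId:string, FileName:string, ProcessCommandLine:string,
                                    InitiatingProcessFileName:string, InitiatingProcessCommandLine:string) [
    // Linux: Tomcat is a java process, only the command line reveals Catalina
    datetime(2025-03-19 08:00:00), "dev-aaa", "java", "java -cp /opt/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start", "systemd", "/sbin/init",
    // Windows service: "tomcat9.exe" is a single term, so `has "tomcat"` would not match it but `contains` does
    datetime(2025-03-19 08:00:00), "dev-bbb", "tomcat9.exe", @"C:\Tomcat9\bin\tomcat9.exe //RS//Tomcat9", "services.exe", @"C:\Windows\System32\services.exe",
    datetime(2025-03-19 08:00:00), "dev-ccc", "java", "java -cp /opt/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start", "systemd", "/sbin/init",
    datetime(2025-03-19 08:00:00), "dev-ddd", "nginx", "nginx -g daemon off;", "systemd", "/sbin/init"
];
let DeviceNetworkEvents = datatable(Timestamp:datetime, DeviceId:string, ActionType:string, RemoteIP:string, RemotePort:int, LocalPort:int) [
    // listed scanner reaching the two edge Tomcat hosts on 8080: the two rows that should surface
    datetime(2025-03-20 11:15:00), "dev-aaa", "InboundConnectionAccepted", "188.213.161.98", 51324, 8080,
    datetime(2025-03-20 11:16:00), "dev-bbb", "InboundConnectionAccepted", "188.213.161.98", 51325, 8080,
    // same scanner against the internal Tomcat host: excluded, not internet-facing
    datetime(2025-03-20 11:17:00), "dev-ccc", "InboundConnectionAccepted", "188.213.161.98", 51326, 8080,
    // listed scanner against the nginx host: excluded, it never ran Tomcat
    datetime(2025-03-20 11:18:00), "dev-ddd", "InboundConnectionAccepted", "38.126.114.186", 40001, 443,
    // ordinary outbound traffic from an edge Tomcat host to an unlisted IP: no hit
    datetime(2025-03-20 11:19:00), "dev-aaa", "ConnectionSuccess", "198.51.100.5", 443, 44210
];
let InternetFacing = DeviceInfo
    | where IsInternetFacing == true and isnotempty(PublicIP)
    | distinct DeviceId;
let PublicFacingTomcatInstances = DeviceProcessEvents
    | where FileName contains "tomcat" or InitiatingProcessFileName contains "tomcat"
        or ProcessCommandLine has "catalina" or InitiatingProcessCommandLine has "catalina"
    | where DeviceId in (InternetFacing)
    | distinct DeviceId;
DeviceNetworkEvents
| where DeviceId in (PublicFacingTomcatInstances)
| where RemoteIP in (GreyNoiseMaliciousIPs)
| join kind=inner (DeviceInfo | project DeviceId, DeviceName) on DeviceId
| project Timestamp, DeviceName, ActionType, RemoteIP, RemotePort, LocalPort
| order by Timestamp asc
```

Running it returns exactly the two InboundConnectionAccepted rows for tomcat-edge-lnx and tomcat-edge-win from 188.213.161.98 on local port 8080; the internal host, the nginx host and the outbound connection all fall out at the intended step. Swapping `contains "tomcat"` for `has "tomcat"` drops the Windows row, which is the easiest way to see why the term-matching operator is the wrong choice for executable names.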

Details

Steven Lim

Released: March 21, 2025

Tables

DeviceInfo, DeviceProcessEvents, DeviceNetworkEvents

Keywords

DeviceInfo, DeviceProcessEvents, DeviceNetworkEvents, PublicIP, DeviceId, RemoteIP, TimeGenerated, Timestamp, InitiatingProcessFileName

Operators

let, dynamic, where, and, isnotempty, distinct, summarize, arg_max, by, project, has, has_any, >, ago
