You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228
This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders
sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
Guide by Florian Roth
https://www.minecraft.net/en-us/store/minecraft-java-edition/
I've transformed this gist into a git repository.
Whenever you research a certain vulnerability ask yourself these questions and please answer them for us
Does the exploited service write a log?
(check ls -lrt /var/log or lsof +D /var/log/ or lsof | grep servicename)
| import hashlib | |
| import re | |
| def calculate_rule_hash(rule): | |
| """ | |
| Calculates a hash over the relevant YARA rule content (string contents, sorted condition) | |
| Requires a YARA rule object as generated by 'plyara': https://github.com/plyara/plyara | |
| :param rule: yara rule object | |
| :return hash: generated hash | |
| """ |
| import itertools | |
| s = "cmd.exe" | |
| list(map(''.join, itertools.product(*zip(s.upper(), s.lower())))) |
| rule SUSP_Netscaler_Forensic_Artefacts { | |
| meta: | |
| description = "Detects strings / forensic artefacts on exploited Netscaler systems" | |
| author = "Florian Roth" | |
| reference = "https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/" | |
| date = "2020-01-14" | |
| score = 70 | |
| strings: | |
| $ = "shell_command=\"whoami\"" ascii |
| # ################################################################################ | |
| # IMPORTANT NOTE | |
| # The most recent version of this POC rule can now be found in the main repository | |
| # https://github.com/Neo23x0/sigma/blob/master/other/godmode_sigma_rule.yml | |
| # ################################################################################ | |
| # _____ __ __ ___ __ | |
| # / ___/__ ___/ / / |/ /__ ___/ /__ | |
| # / (_ / _ \/ _ / / /|_/ / _ \/ _ / -_) | |
| # \___/\___/\_,_/ /_/ /_/\___/\_,_/\__/_ | |
| # / __(_)__ ___ _ ___ _ / _ \__ __/ /__ |
| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
JAB |
π£ Jabber | $. |
Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env: |
TVq |
πΊ Television | MZ |
MZ header |
SUVY |
π SUV | IEX |
PowerShell Invoke Expression |
SQBFAF |
π£ Squab favorite | I.E. |
PowerShell Invoke Expression (UTF-16) |
SQBuAH |
π£ Squab uahhh | I.n. |
PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz |
PAA |
πͺ "Pah!" | <. |
Often used by Emotet (UTF-16) |
| title: Suspicious Keyboard Layout Load | |
| description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only | |
| references: | |
| - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index | |
| author: Florian Roth | |
| date: 2019/10/12 | |
| logsource: | |
| product: windows | |
| service: sysmon | |
| definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files' |
| /* | |
| WARNING: | |
| the newest version of this rule is now hosted here: | |
| https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar | |
| */ | |
| /* | |
| _____ __ __ ___ __ |