Skip to content

Instantly share code, notes, and snippets.

@Neo23x0
Neo23x0 / log4j_rce_detection.md
Last active September 11, 2024 21:41
Log4j RCE CVE-2021-44228 Exploitation Detection

log4j RCE Exploitation Detection

You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228

Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders

sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
@vikas891
vikas891 / ExtractAllScripts.ps1
Last active July 16, 2024 19:32
A PowerShell script to re-construct a suspicious .PS1 from script-blocks recorded in Event ID 4104
#Usage:
#
#NOTE: The script expects an argument which is the full File Path of the EVTX file.
#
#C:\>ExtractAllScripts.ps1
#The default behavior of the script is to assimilate and extract every script/command to disk.
#
#C:\ExtractAllScripts -List
#This will only list Script Block IDs with associated Script Names(if logged.)
#