| #Usage: | |
| # | |
| #NOTE: The script expects an argument which is the full File Path of the EVTX file. | |
| # | |
| #C:\>ExtractAllScripts.ps1 | |
| #The default behavior of the script is to assimilate and extract every script/command to disk. | |
| # | |
| #C:\ExtractAllScripts -List | |
| #This will only list Script Block IDs with associated Script Names(if logged.) | |
| # |
You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228
This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders
sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log