You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228
This command searches for exploitation attempts in uncompressed files in folder /var/log
and all sub folders
sudo egrep -i -r '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+' /var/log
This command searches for exploitation attempts in compressed files in folder /var/log
and all sub folders
sudo find /var/log -name \*.gz -print0 | xargs -0 zgrep -E -i '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+'
These commands cover even the obfuscated variants but lack the file name in a match.
This command searches for exploitation attempts in uncompressed files in folder /var/log
and all sub folders
sudo find /var/log/test/ -type f -exec sh -c "cat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'"\;
This command searches for exploitation attempts in compressed files in folder /var/log
and all sub folders
sudo find /var/log/test/ -name "*.gz" -type f -exec sh -c "zcat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'" \;
Preliminary YARA rules (work in progress)
rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft {
meta:
description = "Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228"
author = "Florian Roth"
reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
date = "2021-12-10"
score = 60
strings:
$x1 = "${jndi:ldap:/"
$x2 = "${jndi:rmi:/"
$x3 = "${jndi:ldaps:/"
$x4 = "${jndi:dns:/"
condition:
1 of them
}
rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
meta:
description = "Detects indicators in server logs that indicate the exploitation of CVE-2021-44228"
author = "Florian Roth"
reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
date = "2021-12-10"
score = 80
strings:
$x1 = /\$\{jndi:(ldap|ldaps|rmi|dns):\/[\/]?[a-z-\.0-9]{3,120}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}/
$fp1r = /(ldap|rmi|ldaps|dns):\/[\/]?(127\.0\.0\.1|192\.168\.|172\.[1-3][0-9]\.|10\.)/
condition:
$x1 and not 1 of ($fp*)
}
rule SUSP_Base64_Encoded_Exploit_Indicators_Dec21 {
meta:
description = "Detects base64 encoded strings found in payloads of exploits against log4j CVE-2021-44228"
author = "Florian Roth"
reference = "https://twitter.com/Reelix/status/1469327487243071493"
date = "2021-12-10"
score = 70
strings:
/* curl -s */
$sa1 = "Y3VybCAtcy"
$sa2 = "N1cmwgLXMg"
$sa3 = "jdXJsIC1zI"
/* |wget -q -O- */
$sb1 = "fHdnZXQgLXEgLU8tI"
$sb2 = "x3Z2V0IC1xIC1PLS"
$sb3 = "8d2dldCAtcSAtTy0g"
condition:
1 of ($sa*) and 1 of ($sb*)
}
Please report findings that are not covered by these detection attempts.
I got help and ideas from