  1. rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft {
  2.    meta:
  3.       description = "Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228"
  4.       author = "Florian Roth"
  5.       reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
  6.       date = "2021-12-10"
  7.       modified = "2021-12-12"
  8.       score = 60
  9.    strings:
  10.       $x1 = "${jndi:ldap:/"
  11.       $x2 = "${jndi:rmi:/"
  12.       $x3 = "${jndi:ldaps:/"
  13.       $x4 = "${jndi:dns:/"
  14.       $x5 = "$%7Bjndi:"
  15.       $x6 = "%2524%257Bjndi"
  16.       $x7 = "%2F%252524%25257Bjndi%3A"
  17.    condition:
  18.       1 of them
  19. }
  21. rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
  22.    meta:
  23.       description = "Detects indicators in server logs that indicate the exploitation of CVE-2021-44228"
  24.       author = "Florian Roth"
  25.       reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
  26.       date = "2021-12-10"
  27.       score = 80
  28.    strings:
  29.       $x1 = /\$\{jndi:(ldap|ldaps|rmi|dns):\/[\/]?[a-z-\.0-9]{3,120}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}/
  30.       $fp1r = /(ldap|rmi|ldaps|dns):\/[\/]?(127\.0\.0\.1|192\.168\.|172\.[1-3][0-9]\.|10\.)/
  31.    condition:
  32.       $x1 and not 1 of ($fp*)
  33. }
  35. rule SUSP_Base64_Encoded_Exploit_Indicators_Dec21 {
  36.    meta:
  37.       description = "Detects base64 encoded strings found in payloads of exploits against log4j CVE-2021-44228"
  38.       author = "Florian Roth"
  39.       reference = "https://twitter.com/Reelix/status/1469327487243071493"
  40.       date = "2021-12-10"
  41.       score = 70
  42.    strings:
  43.       /* curl -s  */
  44.       $sa1 = "Y3VybCAtcy"
  45.       $sa2 = "N1cmwgLXMg"
  46.       $sa3 = "jdXJsIC1zI"
  47.       /* |wget -q -O-  */
  48.       $sb1 = "fHdnZXQgLXEgLU8tI"
  49.       $sb2 = "x3Z2V0IC1xIC1PLS"
  50.       $sb3 = "8d2dldCAtcSAtTy0g"
  51.    condition:
  52.       1 of ($sa*) and 1 of ($sb*)
  53. }
  55. rule SUSP_JDNIExploit_Indicators_Dec21 {
  56.    meta:
  57.       description = "Detects indicators of JDNI usage in log files and other payloads"
  58.       author = "Florian Roth"
  59.       reference = "https://github.com/flypig5211/JNDIExploit"
  60.       date = "2021-12-10"
  61.       score = 70
  62.    strings:
  63.       $xr1 = /ldap:\/\/[a-zA-Z0-9\.]{7,80}:[0-9]{2,5}\/(Basic\/Command\/Base64|Basic\/ReverseShell|Basic\/TomcatMemshell|Basic\/JBossMemshell|Basic\/WebsphereMemshell|Basic\/SpringMemshell|Basic\/Command|Deserialization\/CommonsCollectionsK|Deserialization\/CommonsBeanutils|Deserialization\/Jre8u20\/TomcatMemshell|Deserialization\/CVE_2020_2555\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass)\//
  64.    condition:
  65.       filesize < 100MB and $xr1
  66. }
  68. rule SUSP_EXPL_OBFUSC_Dec21_1{
  69.    meta:
  70.       description = "Detects obfuscation methods used to evade detection in log4j exploitation attempt of CVE-2021-44228"
  71.       author = "Florian Roth"
  72.       reference = "https://twitter.com/testanull/status/1469549425521348609"
  73.       date = "2021-12-11"
  74.       score = 60
  75.    strings:
  76.       /* ${lower:X} - single character match */
  77.       $ = { 24 7B 6C 6F 77 65 72 3A ?? 7D }
  78.       /* ${upper:X} - single character match */
  79.       $ = { 24 7B 75 70 70 65 72 3A ?? 7D }
  80.       /* URL encoded lower - obfuscation in URL */
  81.       $ = "$%7blower:"
  82.       $ = "$%7bupper:"
  83.       $ = "%24%7bjndi:"
  84.       $ = "/$%7bjndi:"
  85.    condition:
  86.       1 of them
  87. }
  89. rule EXPL_Log4j_CVE_2021_44228_JAVA_Exception_Dec21_1 {
  90.    meta:
  91.       description = "Detects exceptions found in server logs that indicate an exploitation attempt of CVE-2021-44228"
  92.       author = "Florian Roth"
  93.       reference = "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b"
  94.       date = "2021-12-12"
  95.       score = 60
  96.    strings:
  97.       $xa1 = "header with value of BadAttributeValueException: "
  98.      
  99.       $sa1 = ".log4j.core.net.JndiManager.lookup(JndiManager"
  100.       $sa2 = "Error looking up JNDI resource"
  101.    condition:
  102.       $xa1 or all of ($sa*)
  103. }