Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft {
- meta:
- description = "Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228"
- author = "Florian Roth"
- reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
- date = "2021-12-10"
- modified = "2021-12-12"
- score = 60
- strings:
- $x1 = "${jndi:ldap:/"
- $x2 = "${jndi:rmi:/"
- $x3 = "${jndi:ldaps:/"
- $x4 = "${jndi:dns:/"
- $x5 = "$%7Bjndi:"
- $x6 = "%2524%257Bjndi"
- $x7 = "%2F%252524%25257Bjndi%3A"
- condition:
- 1 of them
- }
- rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
- meta:
- description = "Detects indicators in server logs that indicate the exploitation of CVE-2021-44228"
- author = "Florian Roth"
- reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
- date = "2021-12-10"
- score = 80
- strings:
- $x1 = /\$\{jndi:(ldap|ldaps|rmi|dns):\/[\/]?[a-z-\.0-9]{3,120}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}/
- $fp1r = /(ldap|rmi|ldaps|dns):\/[\/]?(127\.0\.0\.1|192\.168\.|172\.[1-3][0-9]\.|10\.)/
- condition:
- $x1 and not 1 of ($fp*)
- }
- rule SUSP_Base64_Encoded_Exploit_Indicators_Dec21 {
- meta:
- description = "Detects base64 encoded strings found in payloads of exploits against log4j CVE-2021-44228"
- author = "Florian Roth"
- reference = "https://twitter.com/Reelix/status/1469327487243071493"
- date = "2021-12-10"
- score = 70
- strings:
- /* curl -s */
- $sa1 = "Y3VybCAtcy"
- $sa2 = "N1cmwgLXMg"
- $sa3 = "jdXJsIC1zI"
- /* |wget -q -O- */
- $sb1 = "fHdnZXQgLXEgLU8tI"
- $sb2 = "x3Z2V0IC1xIC1PLS"
- $sb3 = "8d2dldCAtcSAtTy0g"
- condition:
- 1 of ($sa*) and 1 of ($sb*)
- }
- rule SUSP_JDNIExploit_Indicators_Dec21 {
- meta:
- description = "Detects indicators of JDNI usage in log files and other payloads"
- author = "Florian Roth"
- reference = "https://github.com/flypig5211/JNDIExploit"
- date = "2021-12-10"
- score = 70
- strings:
- $xr1 = /ldap:\/\/[a-zA-Z0-9\.]{7,80}:[0-9]{2,5}\/(Basic\/Command\/Base64|Basic\/ReverseShell|Basic\/TomcatMemshell|Basic\/JBossMemshell|Basic\/WebsphereMemshell|Basic\/SpringMemshell|Basic\/Command|Deserialization\/CommonsCollectionsK|Deserialization\/CommonsBeanutils|Deserialization\/Jre8u20\/TomcatMemshell|Deserialization\/CVE_2020_2555\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass)\//
- condition:
- filesize < 100MB and $xr1
- }
- rule SUSP_EXPL_OBFUSC_Dec21_1{
- meta:
- description = "Detects obfuscation methods used to evade detection in log4j exploitation attempt of CVE-2021-44228"
- author = "Florian Roth"
- reference = "https://twitter.com/testanull/status/1469549425521348609"
- date = "2021-12-11"
- score = 60
- strings:
- /* ${lower:X} - single character match */
- $ = { 24 7B 6C 6F 77 65 72 3A ?? 7D }
- /* ${upper:X} - single character match */
- $ = { 24 7B 75 70 70 65 72 3A ?? 7D }
- /* URL encoded lower - obfuscation in URL */
- $ = "$%7blower:"
- $ = "$%7bupper:"
- $ = "%24%7bjndi:"
- $ = "/$%7bjndi:"
- condition:
- 1 of them
- }
- rule EXPL_Log4j_CVE_2021_44228_JAVA_Exception_Dec21_1 {
- meta:
- description = "Detects exceptions found in server logs that indicate an exploitation attempt of CVE-2021-44228"
- author = "Florian Roth"
- reference = "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b"
- date = "2021-12-12"
- score = 60
- strings:
- $xa1 = "header with value of BadAttributeValueException: "
- $sa1 = ".log4j.core.net.JndiManager.lookup(JndiManager"
- $sa2 = "Error looking up JNDI resource"
- condition:
- $xa1 or all of ($sa*)
- }
Add Comment
Please, Sign In to add comment