52
1

Log4j RCE Callback Connection

52

After performing the exploit, the java.exe process is triggered and opens a connection to the outside. As far as I have observed, it is available in legal traffic, but you can search for the sourceip address you have obtained from the proxy as destinationip for this rule. You can legally see a lot of traffic from Java. You need to search for the sourceip addresses that are trying to attack you, as destinationip.

You can detect this attack from the ‘Log4j RCE [CVE-2021-44228] Exploitation Detection Patterns (via SIEM)’ rule in Log4j RCE Exploitation Detection.

  • QRadar AQL
SELECT UTF8(payload), "Image", "sourceip", "destinationip" from events where LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and ("Image" ilike '%java.exe') and not ("destinationip" ilike '10%' or "destinationip" ilike '127.0.0.1%' or "destinationip" ilike '192.168.%')
  • Azure Sentinel
SecurityEvent | where ((NewProcessName endswith 'java.exe') and ((DestinationIp !startswith '10' or DestinationIp !startswith '127.0.0.1' or DestinationIp !startswith '192.168.')))
  • Splunk
(source="WinEventLog:" (Image="java.exe") NOT ((DestinationIp="10" OR DestinationIp="127.0.0.1" OR DestinationIp="192.168.*"))) | table Image,SourceIp,DestinationIp
  • Elastic Query
(process.executable:java.exe AND (NOT (destination.ip:(10 OR 127.0.0.1* OR 192.168.*))))
  • RegEx
^(?:.(?=.(?:..java.exe))(?=.(?!.(?:.(?=.(?:.10.|.127.0.0.1.|.192.168..))))))

You can lock addresses on the Firewall: Callback Domains log4j · GitHub

Leave a Reply

Your email address will not be published.

One thought on “Log4j RCE Callback Connection

  1. Добрый вечер спасибо за информацию.