Log4j RCE Exploitation Detection

You can use these commands and rules to search for exploitation attempts against the Log4j RCE vulnerability CVE-2021-44228 (Log4Shell).

Related News:
Log4j RCE Callback Connection
Live Log4J worldwide threat tracker

  • QRadar AQL
SELECT UTF8(payload) from events where ((("user_agent" ilike '%jndi%') and ("user_agent" ilike '%ldap%' or "user_agent" ilike '%rmi%' or "user_agent" ilike '%ldaps%' or "user_agent" ilike '%dns%' or "user_agent" ilike '%lower%' or "user_agent" ilike '%upper%')) or (("URL" ilike '%jndi%') and ("URL" ilike '%ldap%' or "URL" ilike '%rmi%' or "URL" ilike '%ldaps%' or "URL" ilike '%dns%' or "URL" ilike '%lower%' or "URL" ilike '%upper%'))) or (("post-body" ilike '%jndi%') and ("post-body" ilike '%ldap%' or "post-body" ilike '%rmi%' or "post-body" ilike '%ldaps%' or "post-body" ilike '%dns%' or "post-body" ilike '%lower%' or "post-body" ilike '%upper%'))
  • Splunk
((((c-useragent="jndi") (c-useragent="ldap" OR c-useragent="rmi" OR c-useragent="ldaps" OR c-useragent="dns" OR c-useragent="lower" OR c-useragent="upper")) OR ((c-uri="jndi") (c-uri="ldap" OR c-uri="rmi" OR c-uri="ldaps" OR c-uri="dns" OR c-uri="lower" OR c-uri="upper"))) OR ((post-body="jndi") (post-body="ldap" OR post-body="rmi" OR post-body="ldaps" OR post-body="dns" OR post-body="lower" OR post-body="upper")))
  • Elastic Query
(((user_agent.original:jndi AND user_agent.original:(ldap OR rmi OR ldaps OR dns OR lower OR upper)) OR (url.original:jndi AND url.original:(ldap OR rmi OR ldaps OR dns OR lower OR upper))) OR (post-body:jndi AND post-body:(ldap OR rmi OR ldaps OR dns OR lower OR upper)))
  • RegEx
^(?:.(?:.(?:.(?:.(?:.(?=.(?:..jndi.))(?=.(?:..ldap.|..rmi.|..ldaps.|..dns.|..lower.|..upper.)))|.(?:.(?=.(?:..jndi.))(?=.(?:..ldap.|..rmi.|..ldaps.|..dns.|..lower.|..upper.)))))|.(?:.(?=.(?:..jndi.))(?=.(?:..ldap.|..rmi.|..ldaps.|..dns.|..lower.|..upper.)))))
  • Grep / Zgrep

This command searches for exploitation attempts in uncompressed files under /var/log and all of its subfolders:

sudo egrep -I -i -r '\$({|%7B)jndi:(ldap[s]?|rmi|dns):/[^\n]+' /var/log

This command searches for exploitation attempts in compressed (.gz) files under /var/log and all of its subfolders (the glob is quoted so the shell does not expand it before find sees it):

sudo find /var/log -name '*.gz' -print0 | xargs -0 zgrep -E -i '\$({|%7B)jndi:(ldap[s]?|rmi|dns):/[^\n]+'
  • Grep / Zgrep – Obfuscated Variants

These commands also catch the obfuscated variants that nest ${lower:...} lookups (sed strips the lookup prefix and tr drops the braces before matching), but because the content is piped through sed and tr, a match no longer shows which file it came from.

This command searches for exploitation attempts in uncompressed files under /var/log and all of its subfolders (the file name is passed to the inner shell as $1 rather than substituted into the command string, so unusual file names cannot break it):

sudo find /var/log/ -type f -exec sh -c 'sed -e "s/\${lower://g" "$1" | tr -d "}" | egrep -I -i "jndi:(ldap[s]?|rmi|dns):"' sh {} \;

This command searches for exploitation attempts in compressed (.log.gz) files under /var/log and all of its subfolders:

sudo find /var/log/ -name "*.log.gz" -type f -exec sh -c 'zcat "$1" | sed -e "s/\${lower://g" | tr -d "}" | egrep -i "jndi:(ldap[s]?|rmi|dns):"' sh {} \;
  • Log4Shell Detector (Python)

Python-based scanner that detects the most obfuscated forms of the exploit strings.

GitHub – Neo23x0/log4shell-detector: Detector for Log4Shell exploitation attempts

  • Find Vulnerable Software (Windows)
gci 'C:\' -rec -force -include *.jar -ea 0 | foreach {select-string "JndiLookup.class" $_} | select -exp Path
  • Detects indicators of JNDI usage in log files and other payloads
ldap:\/\/[a-zA-Z0-9\.]{7,80}:[0-9]{2,5}\/(Basic\/Command\/Base64|Basic\/ReverseShell|Basic\/TomcatMemshell|Basic\/JBossMemshell|Basic\/WebsphereMemshell|Basic\/SpringMemshell|Basic\/Command|Deserialization\/CommonsCollectionsK|Deserialization\/CommonsBeanutils|Deserialization\/Jre8u20\/TomcatMemshell|Deserialization\/CVE_2020_2555\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass)\/
  • Detects indicators in server logs that indicate the exploitation of CVE-2021-44228
$\{jndi:(ldap|ldaps|rmi|dns):\/[\/]?[a-z-\.0-9]{3,120}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}

Recommendation:

Upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).


2 thoughts on “Log4j RCE Exploitation Detection”

  1. · 30.12.2021 at 03:09

    Great blog thanks for posting it!

  2. Great post thanks for sharing it!