Log4Shell YARA IOC

Posted Under: IOCs, Log4j, PowerShell, Shell, Snort, Tutorials, YARA on Dec 11, 2021

Log4Shell is an Remote Code Execution (RCE) vulnerability (CVE-2021-44228) in one of the most used enterprise Logging product Apache Log4j. Its affecting Apache Log4j versions 2.0 through 2.14.1. Apache has released and emergency patch to address the issue. The best mitigation against this vulnerability is to patch log4j to 2.15.0 and above, in Log4j version (>=2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to true or by removing the JndiLookup class from the classpath. Additionally, if the server has Java runtimes >= 8u121, then by default, the settings com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase are set to false, mitigating this risk. However, enabling these system property requires access to the vulnerable servers as well as a restart.

Download Log4j Log4Shell Vulnerability Scanner to detect Vulnerable hosts.

In the mean time YARA rules can be deployed at IDS/IPS level to mitigate it.

Log4Shell YARA Rules

rule EXPL_Log4j_CVE_2021_44228_JAVA_Exception_Dec21_1 {
   meta:
      description = "Detects exceptions found in server logs that indicate an exploitation attempt of CVE-2021-44228"
      author = "Florian Roth"
      reference = "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b"
      date = "2021-12-12"
      score = 60
   strings:
      $xa1 = "header with value of BadAttributeValueException: "
      
      $sa1 = ".log4j.core.net.JndiManager.lookup(JndiManager"
      $sa2 = "Error looking up JNDI resource"
   condition:
      $xa1 or all of ($sa*)
}

rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft {
   meta:
      description = "Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228"
      author = "Florian Roth"
      reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
      date = "2021-12-10"
      modified = "2021-12-12"
      score = 60
   strings:
      $x1 = "${jndi:ldap:/"
      $x2 = "${jndi:rmi:/"
      $x3 = "${jndi:ldaps:/"
      $x4 = "${jndi:dns:/"
      $x5 = "${jndi:iiop:/"
      $x6 = "${jndi:http:/"
      $x7 = "${jndi:nis:/"
   condition:
      1 of them
}

rule EXPL_Log4j_CVE_2021_44228_Dec21_OBFUSC {
   meta:
      description = "Detects obfuscated indicators in server logs that indicate an exploitation attempt of CVE-2021-44228"
      author = "Florian Roth"
      reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
      date = "2021-12-12"
      score = 60
   strings:
      $x1 = "$%7Bjndi:"
      $x2 = "%2524%257Bjndi"
      $x3 = "%2F%252524%25257Bjndi%3A"
      $x4 = "${jndi:${lower:"
      $x5 = "${::-j}${"
   condition:
      1 of them
}

rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
   meta:
      description = "Detects indicators in server logs that indicate the exploitation of CVE-2021-44228"
      author = "Florian Roth"
      reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
      date = "2021-12-10"
      modified = "2021-12-12"
      score = 80
   strings:
      $x1 = /∖$∖{jndi:(ldap|ldaps|rmi|dns|iiop|http|nis):∖/[∖/]?[a-z-∖.0-9]{3,120}:[0-9]{2,5}∖/[a-zA-Z∖.]{1,32}∖}/
      $fp1r = /(ldap|rmi|ldaps|dns):∖/[∖/]?(127∖.0∖.0∖.1|192∖.168∖.|172∖.[1-3][0-9]∖.|10∖.)/
   condition:
      $x1 and not 1 of ($fp*)
}

rule SUSP_Base64_Encoded_Exploit_Indicators_Dec21 {
   meta:
      description = "Detects base64 encoded strings found in payloads of exploits against log4j CVE-2021-44228"
      author = "Florian Roth"
      reference = "https://twitter.com/Reelix/status/1469327487243071493"
      date = "2021-12-10"
      score = 70
   strings:
      /* curl -s  */
      $sa1 = "Y3VybCAtcy"
      $sa2 = "N1cmwgLXMg"
      $sa3 = "jdXJsIC1zI"
      /* |wget -q -O-  */
      $sb1 = "fHdnZXQgLXEgLU8tI"
      $sb2 = "x3Z2V0IC1xIC1PLS"
      $sb3 = "8d2dldCAtcSAtTy0g"
   condition:
      1 of ($sa*) and 1 of ($sb*)
}

rule SUSP_JDNIExploit_Indicators_Dec21 {
   meta:
      description = "Detects indicators of JDNI usage in log files and other payloads"
      author = "Florian Roth"
      reference = "https://github.com/flypig5211/JNDIExploit"
      date = "2021-12-10"
      modified = "2021-12-12"
      score = 70
   strings:
      $xr1 = /(ldap|ldaps|rmi|dns|iiop|http|nis):∖/∖/[a-zA-Z0-9∖.]{7,80}:[0-9]{2,5}∖/(Basic∖/Command∖/Base64|Basic∖/ReverseShell|Basic∖/TomcatMemshell|Basic∖/JBossMemshell|Basic∖/WebsphereMemshell|Basic∖/SpringMemshell|Basic∖/Command|Deserialization∖/CommonsCollectionsK|Deserialization∖/CommonsBeanutils|Deserialization∖/Jre8u20∖/TomcatMemshell|Deserialization∖/CVE_2020_2555∖/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass)∖//
   condition:
      filesize < 100MB and $xr1
}

rule SUSP_EXPL_OBFUSC_Dec21_1{
   meta:
      description = "Detects obfuscation methods used to evade detection in log4j exploitation attempt of CVE-2021-44228"
      author = "Florian Roth"
      reference = "https://twitter.com/testanull/status/1469549425521348609"
      date = "2021-12-11"
      score = 60
   strings:
      /* ${lower:X} - single character match */
      $ = { 24 7B 6C 6F 77 65 72 3A ?? 7D }
      /* ${upper:X} - single character match */
      $ = { 24 7B 75 70 70 65 72 3A ?? 7D }
      /* URL encoded lower - obfuscation in URL */
      $ = "$%7blower:"
      $ = "$%7bupper:"
      $ = "%24%7bjndi:"
      $ = "$%7Blower:"
      $ = "$%7Bupper:"
      $ = "%24%7Bjndi:"
   condition:
      1 of them
}

Download Log4Shell YARA Rules

Download All YARA rules for Log4Shell exploit

Log4Shell Snort Rules

Snort and Suricata prevention rules to mitigate Log4Shell threat.

Log4Shell Detection in Log Files

If you want to investigate exploitation attempts in log try these commands. This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders.

sudo egrep -i -r '∖$∖{jndi:(ldap[s]?|rmi|dns):/[^∖n]+' /var/log

This command searches for exploitation attempts in compressed files in folder /var/log and all sub folders

sudo find /var/log -name ∖*.gz -print0 | xargs -0 zgrep -E -i '∖$∖{jndi:(ldap[s]?|rmi|dns):/[^∖n]+'

To find occurences of breach in a Windows based system, run this command in PowerShell

gci 'C:∖' -rec -force -include *.jar -ea 0 | foreach {select-string "JndiLookup.class" $_} | select -exp Path

        Click to Load Comments
    

		PowerShell Get Hash Of All Files In Directory Code Snippet to traverse a folder and calculate hash of each file. Se...
		MD5 checksum Windows 10 MD5 (Message Digest 5) is the most widely used hashing algorithm. It i...
		Windows WiFi Password Show CMD The netsh command is widely used for network configuration, as it pro...
		HermeticWiper Malware HermeticWiper is data and MBR Wiper that is being targeting Ukraine ...
		cURL Timeout Example cURL Timeout controls for how many seconds or milliseconds a connecti...
		cURL Get File Size Without Download This code snippet will get the size of the remote file without actual...
		cURL Basic Auth Example The HTTP 401 Unauthorized response status code indicates that the cli...
		cURL POST Request There are many HTTP methods available to clients to access data and r...

Log4Shell YARA IOC

Log4Shell YARA Rules

Download Log4Shell YARA Rules

Log4Shell Snort Rules

Log4Shell Detection in Log Files

Subscribe YouTube

Related Posts