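# Sigma rule: generic detection of Log4Shell (CVE-2021-44228) exploitation attempts in
# web server logs. The gutter residue that was interleaved with the original listing has
# been stripped so the document parses again.
#
# This is a keyword-only rule (no field binding): the backend searches the whole event
# for the substrings below. Whether that search is case-sensitive depends on the
# target backend -- NOTE(review): confirm for your SIEM, since mixed-case variants such as
# "${jNdI:" would otherwise be missed.
title: Log4j RCE CVE-2021-44228 Generic
id: 5ea8faa8-db8b-45be-89b0-151b84c82702
status: experimental
description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)
author: Florian Roth
date: 2021/12/10
modified: 2022/02/06
references:
    - https://www.lunasec.io/docs/blog/log4j-zero-day/
    - https://news.ycombinator.com/item?id=29504755
    - https://github.com/tangxiaofeng7/apache-log4j-poc
    - https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
    - https://github.com/YfryTchsGD/Log4jAttackSurface
    - https://twitter.com/shutingrz/status/1469255861394866177?s=21
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
detection:
    keywords:
        # Plain JNDI lookups, one per common protocol scheme.
        - '${jndi:ldap:/'
        - '${jndi:rmi:/'
        - '${jndi:ldaps:/'
        - '${jndi:dns:/'
        # URL-encoded forms of "${jndi": single, double and triple encoding.
        - '/$%7bjndi:'
        - '%24%7bjndi:'
        - '$%7Bjndi:'
        - '%2524%257Bjndi'
        - '%2F%252524%25257Bjndi%3A'
        # Nested-lookup obfuscation: ${lower:..}, ${upper:..}, ${env:VAR:-default} and the
        # empty-key default ${::-x} are resolved by Log4j before the JNDI lookup, so the
        # literal string "jndi" never appears in the request.
        - '${jndi:${lower:'
        - '${::-j}${'
        # Less common JNDI schemes; no trailing ":/" so both "nis:" and "nis://" match.
        - '${jndi:nis'
        - '${jndi:nds'
        - '${jndi:corba'
        - '${jndi:iiop'
        # Server-side indicator: appears in the LDAP response of the referenced PoC
        # (tangxiaofeng7/apache-log4j-poc), not in the inbound request.
        - 'Reference Class Name: foo'
        - '${${env:BARFOO:-j}'
        - '${::-l}${::-d}${::-a}${::-p}'
        # "JHtqbmRp" is the base64 encoding of "${jndi".
        - '${base64:JHtqbmRp'
        - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
        - '${${lower:j}ndi:'
        - '${${upper:j}ndi:'
        - '${${::-j}${::-n}${::-d}${::-i}:'
    # Excludes Tenable/Nessus scanner payloads, which embed these strings in the callback URL.
    # NOTE(review): the exclusion keys on attacker-controllable request content -- any payload
    # that contains "/nessus}" is dropped by this rule. If scanner noise must be suppressed,
    # prefer suppressing by the scanner's source address in the SIEM instead of widening this list.
    filter:
        - 'w.nessus.org/nessus'
        - '/nessus}'
    condition: keywords and not filter
falsepositives:
    - Vulnerability scanning
level: high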