226 lines
8 KiB
Text
226 lines
8 KiB
Text
|
|
rule EXPL_Log4j_CallBackDomain_IOCs_Dec21_1 {
|
|
meta:
|
|
description = "Detects IOCs found in Log4Shell incidents that indicate exploitation attempts of CVE-2021-44228"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://gist.github.com/superducktoes/9b742f7b44c71b4a0d19790228ce85d8"
|
|
date = "2021-12-12"
|
|
score = 60
|
|
id = "474afa96-1758-587e-8cab-41c5205e245e"
|
|
strings:
|
|
$xr1 = /\b(ldap|rmi):\/\/([a-z0-9\.]{1,16}\.bingsearchlib\.com|[a-z0-9\.]{1,40}\.interact\.sh|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):[0-9]{2,5}\/([aZ]|ua|Exploit|callback|[0-9]{10}|http443useragent|http80useragent)\b/
|
|
condition:
|
|
1 of them
|
|
}
|
|
|
|
rule EXPL_JNDI_Exploit_Patterns_Dec21_1 {
|
|
meta:
|
|
description = "Detects JNDI Exploit Kit patterns in files"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://github.com/pimps/JNDI-Exploit-Kit"
|
|
date = "2021-12-12"
|
|
score = 60
|
|
id = "a9127dd2-b818-5ca8-877a-3c47b1e92606"
|
|
strings:
|
|
$x01 = "/Basic/Command/Base64/"
|
|
$x02 = "/Basic/ReverseShell/"
|
|
$x03 = "/Basic/TomcatMemshell"
|
|
$x04 = "/Basic/JettyMemshell"
|
|
$x05 = "/Basic/WeblogicMemshell"
|
|
$x06 = "/Basic/JBossMemshell"
|
|
$x07 = "/Basic/WebsphereMemshell"
|
|
$x08 = "/Basic/SpringMemshell"
|
|
$x09 = "/Deserialization/URLDNS/"
|
|
$x10 = "/Deserialization/CommonsCollections1/Dnslog/"
|
|
$x11 = "/Deserialization/CommonsCollections2/Command/Base64/"
|
|
$x12 = "/Deserialization/CommonsBeanutils1/ReverseShell/"
|
|
$x13 = "/Deserialization/Jre8u20/TomcatMemshell"
|
|
$x14 = "/TomcatBypass/Dnslog/"
|
|
$x15 = "/TomcatBypass/Command/"
|
|
$x16 = "/TomcatBypass/ReverseShell/"
|
|
$x17 = "/TomcatBypass/TomcatMemshell"
|
|
$x18 = "/TomcatBypass/SpringMemshell"
|
|
$x19 = "/GroovyBypass/Command/"
|
|
$x20 = "/WebsphereBypass/Upload/"
|
|
|
|
$fp1 = "<html"
|
|
condition:
|
|
1 of ($x*) and not 1 of ($fp*)
|
|
}
|
|
|
|
rule EXPL_Log4j_CVE_2021_44228_JAVA_Exception_Dec21_1 {
|
|
meta:
|
|
description = "Detects exceptions found in server logs that indicate an exploitation attempt of CVE-2021-44228"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b"
|
|
date = "2021-12-12"
|
|
score = 60
|
|
id = "82cf337e-4ea1-559b-a7b8-512a07adf06f"
|
|
strings:
|
|
$xa1 = "header with value of BadAttributeValueException: "
|
|
|
|
$sa1 = ".log4j.core.net.JndiManager.lookup(JndiManager"
|
|
$sa2 = "Error looking up JNDI resource"
|
|
condition:
|
|
$xa1 or all of ($sa*)
|
|
}
|
|
|
|
rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft : FILE {
|
|
meta:
|
|
description = "Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
|
|
date = "2021-12-10"
|
|
modified = "2021-12-20"
|
|
score = 60
|
|
id = "87e536a5-cc11-528a-b100-4fa3b2b7bc0c"
|
|
strings:
|
|
$x01 = "${jndi:ldap:/"
|
|
$x02 = "${jndi:rmi:/"
|
|
$x03 = "${jndi:ldaps:/"
|
|
$x04 = "${jndi:dns:/"
|
|
$x05 = "${jndi:iiop:/"
|
|
$x06 = "${jndi:http:/"
|
|
$x07 = "${jndi:nis:/"
|
|
$x08 = "${jndi:nds:/"
|
|
$x09 = "${jndi:corba:/"
|
|
|
|
$fp1 = "<html"
|
|
$fp2 = "/nessus}"
|
|
condition:
|
|
1 of ($x*) and not 1 of ($fp*)
|
|
}
|
|
|
|
rule EXPL_Log4j_CVE_2021_44228_Dec21_OBFUSC {
|
|
meta:
|
|
description = "Detects obfuscated indicators in server logs that indicate an exploitation attempt of CVE-2021-44228"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
|
|
date = "2021-12-12"
|
|
modified = "2021-12-13"
|
|
score = 60
|
|
id = "d7c4092a-6ffc-5a89-b73a-f7f0ac984cbd"
|
|
strings:
|
|
$x1 = "$%7Bjndi:"
|
|
$x2 = "%2524%257Bjndi"
|
|
$x3 = "%2F%252524%25257Bjndi%3A"
|
|
$x4 = "${jndi:${lower:"
|
|
$x5 = "${::-j}${"
|
|
$x6 = "${${env:BARFOO:-j}"
|
|
$x7 = "${::-l}${::-d}${::-a}${::-p}"
|
|
$x8 = "${base64:JHtqbmRp"
|
|
|
|
$fp1 = "<html"
|
|
condition:
|
|
1 of ($x*) and not 1 of ($fp*)
|
|
}
|
|
|
|
rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard : FILE {
|
|
meta:
|
|
description = "Detects indicators in server logs that indicate the exploitation of CVE-2021-44228"
|
|
author = "Florian Roth"
|
|
reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
|
|
date = "2021-12-10"
|
|
modified = "2023-10-23"
|
|
score = 75
|
|
id = "5297c42d-7138-507d-a3eb-153afe522816"
|
|
strings:
|
|
$x1 = /\$\{jndi:(ldap|ldaps|rmi|dns|iiop|http|nis|nds|corba):\/[\/]?[a-z-\.0-9]{3,120}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}/
|
|
$x2 = "Reference Class Name: foo"
|
|
$fp1r = /(ldap|rmi|ldaps|dns):\/[\/]?(127\.0\.0\.1|192\.168\.|172\.[1-3][0-9]\.|10\.)/
|
|
|
|
$fpg2 = "<html"
|
|
$fpg3 = "<HTML"
|
|
|
|
$fp1 = "/QUALYSTEST" ascii
|
|
$fp2 = "w.nessus.org/nessus"
|
|
$fp3 = "/nessus}"
|
|
condition:
|
|
1 of ($x*) and not 1 of ($fp*)
|
|
}
|
|
|
|
rule SUSP_Base64_Encoded_Exploit_Indicators_Dec21 {
|
|
meta:
|
|
description = "Detects base64 encoded strings found in payloads of exploits against log4j CVE-2021-44228"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://twitter.com/Reelix/status/1469327487243071493"
|
|
date = "2021-12-10"
|
|
modified = "2021-12-13"
|
|
score = 70
|
|
id = "09abc4f0-ace7-5f53-b1d3-5f5c6bf3bdba"
|
|
strings:
|
|
/* curl -s */
|
|
$sa1 = "Y3VybCAtcy"
|
|
$sa2 = "N1cmwgLXMg"
|
|
$sa3 = "jdXJsIC1zI"
|
|
/* |wget -q -O- */
|
|
$sb1 = "fHdnZXQgLXEgLU8tI"
|
|
$sb2 = "x3Z2V0IC1xIC1PLS"
|
|
$sb3 = "8d2dldCAtcSAtTy0g"
|
|
|
|
$fp1 = "<html"
|
|
condition:
|
|
1 of ($sa*) and 1 of ($sb*)
|
|
and not 1 of ($fp*)
|
|
}
|
|
|
|
rule SUSP_JDNIExploit_Indicators_Dec21 {
|
|
meta:
|
|
description = "Detects indicators of JDNI usage in log files and other payloads"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://github.com/flypig5211/JNDIExploit"
|
|
date = "2021-12-10"
|
|
modified = "2021-12-12"
|
|
score = 70
|
|
id = "2df8b8f3-8d8d-5982-8c85-692b7d91ebb2"
|
|
strings:
|
|
$xr1 = /(ldap|ldaps|rmi|dns|iiop|http|nis|nds|corba):\/\/[a-zA-Z0-9\.]{7,80}:[0-9]{2,5}\/(Basic\/Command\/Base64|Basic\/ReverseShell|Basic\/TomcatMemshell|Basic\/JBossMemshell|Basic\/WebsphereMemshell|Basic\/SpringMemshell|Basic\/Command|Deserialization\/CommonsCollectionsK|Deserialization\/CommonsBeanutils|Deserialization\/Jre8u20\/TomcatMemshell|Deserialization\/CVE_2020_2555\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass)\//
|
|
condition:
|
|
filesize < 100MB and $xr1
|
|
}
|
|
|
|
rule SUSP_EXPL_OBFUSC_Dec21_1{
|
|
meta:
|
|
description = "Detects obfuscation methods used to evade detection in log4j exploitation attempt of CVE-2021-44228"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://twitter.com/testanull/status/1469549425521348609"
|
|
date = "2021-12-11"
|
|
modified = "2022-11-08"
|
|
score = 60
|
|
id = "b8f56711-7922-54b9-9ce2-6ba05d64c80d"
|
|
strings:
|
|
/* ${lower:X} - single character match */
|
|
$f1 = { 24 7B 6C 6F 77 65 72 3A ?? 7D }
|
|
/* ${upper:X} - single character match */
|
|
$f2 = { 24 7B 75 70 70 65 72 3A ?? 7D }
|
|
/* URL encoded lower - obfuscation in URL */
|
|
$x3 = "$%7blower:"
|
|
$x4 = "$%7bupper:"
|
|
$x5 = "%24%7bjndi:"
|
|
$x6 = "$%7Blower:"
|
|
$x7 = "$%7Bupper:"
|
|
$x8 = "%24%7Bjndi:"
|
|
|
|
$fp1 = "<html"
|
|
condition:
|
|
(
|
|
1 of ($x*) or
|
|
filesize < 200KB and 1 of ($f*)
|
|
)
|
|
and not 1 of ($fp*)
|
|
}
|
|
|
|
rule SUSP_JDNIExploit_Error_Indicators_Dec21_1 {
|
|
meta:
|
|
description = "Detects error messages related to JDNI usage in log files that can indicate a Log4Shell / Log4j exploitation"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://twitter.com/marcioalm/status/1470361495405875200?s=20"
|
|
date = "2021-12-10"
|
|
modified = "2023-06-23"
|
|
score = 70
|
|
id = "68bcf043-58b4-54a9-b024-64871b5d535f"
|
|
strings:
|
|
$x1 = "FATAL log4j - Message: BadAttributeValueException: "
|
|
condition:
|
|
1 of them
|
|
}
|