Log4j RCE CVE-2021-44228 Generic

 1title: Log4j RCE CVE-2021-44228 Generic
 2id: 5ea8faa8-db8b-45be-89b0-151b84c82702
 3status: test
 4description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)
 5references:
 6    - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
 7    - https://news.ycombinator.com/item?id=29504755
 8    - https://github.com/tangxiaofeng7/apache-log4j-poc
 9    - https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
10    - https://github.com/YfryTchsGD/Log4jAttackSurface
11    - https://twitter.com/shutingrz/status/1469255861394866177?s=21
12author: Florian Roth (Nextron Systems)
13date: 2021-12-10
14modified: 2022-02-06
15tags:
16    - attack.initial-access
17    - attack.t1190
18    - detection.emerging-threats
19logsource:
20    category: webserver
21detection:
22    keywords:
23        - '${jndi:ldap:/'
24        - '${jndi:rmi:/'
25        - '${jndi:ldaps:/'
26        - '${jndi:dns:/'
27        - '/$%7bjndi:'
28        - '%24%7bjndi:'
29        - '$%7Bjndi:'
30        - '%2524%257Bjndi'
31        - '%2F%252524%25257Bjndi%3A'
32        - '${jndi:${lower:'
33        - '${::-j}${'
34        - '${jndi:nis'
35        - '${jndi:nds'
36        - '${jndi:corba'
37        - '${jndi:iiop'
38        - 'Reference Class Name: foo'
39        - '${${env:BARFOO:-j}'
40        - '${::-l}${::-d}${::-a}${::-p}'
41        - '${base64:JHtqbmRp'
42        - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
43        - '${${lower:j}ndi:'
44        - '${${upper:j}ndi:'
45        - '${${::-j}${::-n}${::-d}${::-i}:'
46    filter:
47        - 'w.nessus.org/nessus'
48        - '/nessus}'
49    condition: keywords and not filter
50falsepositives:
51    - Vulnerability scanning
52level: high

References

• Log4Shell: RCE 0-day exploit found in log4j, a popular Java logging package | LunaTrace

  

  Given how ubiquitous log4j is, the impact of this vulnerability is quite severe. Learn how to fix Log4Shell, why it's bad, and what a working exploit requires in this post.

  
  Read More

• Log4j RCE Found | Hacker News

  

  To folks wondering what the issue is about, I'll give a short summary that I myself needed. Typically a logging library has one job to do: swallow the string as if it's some black box and spit it e...

  
  Read More

• GitHub - tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce: Apache Log4j 远程代码执行

  

  Apache Log4j 远程代码执行. Contribute to tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce development by creating an account on GitHub.

  
  Read More

• Log4j RCE CVE-2021-44228 Exploitation Detection

  

  Log4j RCE CVE-2021-44228 Exploitation Detection. GitHub Gist: instantly share code, notes, and snippets.

  
  Read More

• GitHub - YfryTchsGD/Log4jAttackSurface

  

  Contribute to YfryTchsGD/Log4jAttackSurface development by creating an account on GitHub.

  
  Read More

• x.com

  
  Read More

Related rules

• ADSelfService Exploitation
• Apache Spark Shell Command Injection - Weblogs
• Arcadyan Router Exploitations
• Atlassian Bitbucket Command Injection Via Archive API
• CVE-2010-5278 Exploitation Attempt