Log4j RCE CVE-2021-44228 Generic

calendar Jun 20, 2023 · attack.initial_access attack.t1190 detection.emerging_threats  ·
Share on: linkedin copy

Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)

Sigma rule (View on GitHub)

 1title: Log4j RCE CVE-2021-44228 Generic
 2id: 5ea8faa8-db8b-45be-89b0-151b84c82702
 3status: test
 4description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)
 5references:
 6    - https://www.lunasec.io/docs/blog/log4j-zero-day/
 7    - https://news.ycombinator.com/item?id=29504755
 8    - https://github.com/tangxiaofeng7/apache-log4j-poc
 9    - https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
10    - https://github.com/YfryTchsGD/Log4jAttackSurface
11    - https://twitter.com/shutingrz/status/1469255861394866177?s=21
12author: Florian Roth (Nextron Systems)
13date: 2021/12/10
14modified: 2022/02/06
15tags:
16    - attack.initial_access
17    - attack.t1190
18    - detection.emerging_threats
19logsource:
20    category: webserver
21detection:
22    keywords:
23        - '${jndi:ldap:/'
24        - '${jndi:rmi:/'
25        - '${jndi:ldaps:/'
26        - '${jndi:dns:/'
27        - '/$%7bjndi:'
28        - '%24%7bjndi:'
29        - '$%7Bjndi:'
30        - '%2524%257Bjndi'
31        - '%2F%252524%25257Bjndi%3A'
32        - '${jndi:${lower:'
33        - '${::-j}${'
34        - '${jndi:nis'
35        - '${jndi:nds'
36        - '${jndi:corba'
37        - '${jndi:iiop'
38        - 'Reference Class Name: foo'
39        - '${${env:BARFOO:-j}'
40        - '${::-l}${::-d}${::-a}${::-p}'
41        - '${base64:JHtqbmRp'
42        - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
43        - '${${lower:j}ndi:'
44        - '${${upper:j}ndi:'
45        - '${${::-j}${::-n}${::-d}${::-i}:'
46    filter:
47        - 'w.nessus.org/nessus'
48        - '/nessus}'
49    condition: keywords and not filter
50falsepositives:
51    - Vulnerability scanning
52level: high

References

Related rules

to-top