Log4j RCE CVE-2021-44228 in Fields

calendar Nov 2, 2023 · attack.initial_access attack.t1190 cve.2021.44228 detection.emerging_threats  ·
Share on: linkedin copy

Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)

Sigma rule (View on GitHub)

  1title: Log4j RCE CVE-2021-44228 in Fields
  2id: 9be472ed-893c-4ec0-94da-312d2765f654
  3status: test
  4description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)
  5references:
  6    - https://www.lunasec.io/docs/blog/log4j-zero-day/
  7    - https://news.ycombinator.com/item?id=29504755
  8    - https://github.com/tangxiaofeng7/apache-log4j-poc
  9    - https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
 10    - https://github.com/YfryTchsGD/Log4jAttackSurface
 11    - https://twitter.com/shutingrz/status/1469255861394866177?s=21
 12author: Florian Roth (Nextron Systems)
 13date: 2021/12/10
 14modified: 2023/01/02
 15tags:
 16    - attack.initial_access
 17    - attack.t1190
 18    - cve.2021.44228
 19    - detection.emerging_threats
 20logsource:
 21    category: webserver
 22detection:
 23    selection1:
 24        cs-user-agent|contains:
 25            - '${jndi:ldap:/'
 26            - '${jndi:rmi:/'
 27            - '${jndi:ldaps:/'
 28            - '${jndi:dns:/'
 29            - '/$%7bjndi:'
 30            - '%24%7bjndi:'
 31            - '$%7Bjndi:'
 32            - '%2524%257Bjndi'
 33            - '%2F%252524%25257Bjndi%3A'
 34            - '${jndi:${lower:'
 35            - '${::-j}${'
 36            - '${jndi:nis'
 37            - '${jndi:nds'
 38            - '${jndi:corba'
 39            - '${jndi:iiop'
 40            - 'Reference Class Name: foo'
 41            - '${${env:BARFOO:-j}'
 42            - '${::-l}${::-d}${::-a}${::-p}'
 43            - '${base64:JHtqbmRp'
 44            - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
 45            - '${${lower:j}ndi:'
 46            - '${${upper:j}ndi:'
 47            - '${${::-j}${::-n}${::-d}${::-i}:'
 48    # selection2:
 49        # user-agent|contains:
 50            # - '${jndi:ldap:/'
 51            # - '${jndi:rmi:/'
 52            # - '${jndi:ldaps:/'
 53            # - '${jndi:dns:/'
 54            # - '/$%7bjndi:'
 55            # - '%24%7bjndi:'
 56            # - '$%7Bjndi:'
 57            # - '%2524%257Bjndi'
 58            # - '%2F%252524%25257Bjndi%3A'
 59            # - '${jndi:${lower:'
 60            # - '${::-j}${'
 61            # - '${jndi:nis'
 62            # - '${jndi:nds'
 63            # - '${jndi:corba'
 64            # - '${jndi:iiop'
 65            # - 'Reference Class Name: foo'
 66            # - '${${env:BARFOO:-j}'
 67            # - '${::-l}${::-d}${::-a}${::-p}'
 68            # - '${base64:JHtqbmRp'
 69            # - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
 70            # - '${${lower:j}ndi:'
 71            # - '${${upper:j}ndi:'
 72            # - '${${::-j}${::-n}${::-d}${::-i}:'
 73    selection3:
 74        cs-uri-query|contains:
 75            - '${jndi:ldap:/'
 76            - '${jndi:rmi:/'
 77            - '${jndi:ldaps:/'
 78            - '${jndi:dns:/'
 79            - '/$%7bjndi:'
 80            - '%24%7bjndi:'
 81            - '$%7Bjndi:'
 82            - '%2524%257Bjndi'
 83            - '%2F%252524%25257Bjndi%3A'
 84            - '${jndi:${lower:'
 85            - '${::-j}${'
 86            - '${jndi:nis'
 87            - '${jndi:nds'
 88            - '${jndi:corba'
 89            - '${jndi:iiop'
 90            - 'Reference Class Name: foo'
 91            - '${${env:BARFOO:-j}'
 92            - '${::-l}${::-d}${::-a}${::-p}'
 93            - '${base64:JHtqbmRp'
 94            - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
 95            - '${${lower:j}ndi:'
 96            - '${${upper:j}ndi:'
 97            - '${${::-j}${::-n}${::-d}${::-i}:'
 98    selection4:
 99        cs-referer|contains:
100            - '${jndi:ldap:/'
101            - '${jndi:rmi:/'
102            - '${jndi:ldaps:/'
103            - '${jndi:dns:/'
104            - '/$%7bjndi:'
105            - '%24%7bjndi:'
106            - '$%7Bjndi:'
107            - '%2524%257Bjndi'
108            - '%2F%252524%25257Bjndi%3A'
109            - '${jndi:${lower:'
110            - '${::-j}${'
111            - '${jndi:nis'
112            - '${jndi:nds'
113            - '${jndi:corba'
114            - '${jndi:iiop'
115            - 'Reference Class Name: foo'
116            - '${${env:BARFOO:-j}'
117            - '${::-l}${::-d}${::-a}${::-p}'
118            - '${base64:JHtqbmRp'
119            - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
120            - '${${lower:j}ndi:'
121            - '${${upper:j}ndi:'
122            - '${${::-j}${::-n}${::-d}${::-i}:'
123    condition: 1 of selection*
124falsepositives:
125    - Vulnerability scanning
126level: high

References

Related rules

to-top