You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228
This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders
sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
JAB |
🗣 Jabber | $. |
Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env: |
TVq |
📺 Television | MZ |
MZ header |
SUVY |
🚙 SUV | IEX |
PowerShell Invoke Expression |
SQBFAF |
🐣 Squab favorite | I.E. |
PowerShell Invoke Expression (UTF-16) |
SQBuAH |
🐣 Squab uahhh | I.n. |
PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz |
PAA |
💪 "Pah!" | <. |
Often used by Emotet (UTF-16) |
| # IMPORTANT! | |
| # This gist has been transformed into a github repo | |
| # You can find the most recent version there: | |
| # https://github.com/Neo23x0/auditd | |
| # ___ ___ __ __ | |
| # / | __ ______/ (_) /_____/ / | |
| # / /| |/ / / / __ / / __/ __ / | |
| # / ___ / /_/ / /_/ / / /_/ /_/ / | |
| # /_/ |_\__,_/\__,_/_/\__/\__,_/ |
| This is a list of the domains used in the contact email addresses found in the Fortinet dump file as published by Belsen Group and analysed by Kevin Beaumont on Mastodon : https://cyberplace.social/@GossiTheDog/113834848200229959 | |
| Some of these domains may just be the domains of free email services or services providers working for the actual victims. | |
| AE | |
| ---------------------------------------------------------------------- | |
| acsllc.ae | |
| aisdubai.ae | |
| alhamra.ae | |
| alrayan.ae | |
| alshirawi.ae |
| rule MAL_BACKORDER_LOADER_WIN_Go_Jan23 { | |
| meta: | |
| description = "Detects the BACKORDER loader compiled in GO which download and executes a second stage payload from a remote server." | |
| author = "Arda Buyukkaya (modified by Florian Roth)" | |
| date = "2025-01-23" | |
| reference = "EclecticIQ" | |
| score = 80 | |
| tags = "loader, golang, BACKORDER, malware, windows" | |
| hash = "70c91ffdc866920a634b31bf4a070fb3c3f947fc9de22b783d6f47a097fec2d8" | |
| strings: |
| # Basic Shell Escapes | |
| rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null | |
| rsync -e 'bash -c "bash 0<&2 1>&2"' 127.0.0.1:/dev/null | |
| rsync -e '/bin/bash -i' 127.0.0.1:/dev/null | |
| rsync -e 'dash -c "dash 0<&2 1>&2"' 127.0.0.1:/dev/null | |
| rsync -e '/bin/dash -i' 127.0.0.1:/dev/null | |
| rsync -e 'zsh -c "zsh 0<&2 1>&2"' 127.0.0.1:/dev/null | |
| rsync -e '/bin/zsh -i' 127.0.0.1:/dev/null | |
| rsync -e 'ksh -c "ksh 0<&2 1>&2"' 127.0.0.1:/dev/null | |
| rsync -e '/bin/ksh -i' 127.0.0.1:/dev/null |
This Gist has been transfered into a Github Repo. You'll find the most recent version here.
When creating your rules for YARA keep in mind the following guidelines in order to get the best performance from them. This guide is based on ideas and recommendations by Victor M. Alvarez and WXS.
| https://thedfirreport.com/ | |
| https://www.zerodayinitiative.com/blog/ | |
| https://codewhitesec.blogspot.com/ | |
| https://www.digitalshadows.com/blog-and-research/ | |
| https://blog.talosintelligence.com/ | |
| https://www.riskiq.com/blog/ | |
| https://www.sekoia.io/en/blog-sekoia-io/ | |
| https://www.nextron-systems.com/blog/ | |
| https://www.microsoft.com/security/blog/ | |
| https://blog.truesec.com/ |
| <?xml version="1.0" encoding="UTF-8"?> | |
| <Annotations start="0" num="171" total="171"> | |
| <Annotation about="www.bussink.net/*" timestamp="0x0005d7bc4022b026" href="ChF3d3cuYnVzc2luay5uZXQvKhCm4IqBxPf1Ag"> | |
| <Label name="_cse_turlh5vi4xc"/> | |
| <AdditionalData attribute="original_url" value="https://www.bussink.net/"/> | |
| </Annotation> | |
| <Annotation about="*.thedfirreport.com/*" timestamp="0x0005d76dd5f8679d" href="ChUqLnRoZWRmaXJyZXBvcnQuY29tLyoQnc_hr93t9QI"> | |
| <Label name="_cse_turlh5vi4xc"/> | |
| <AdditionalData attribute="original_url" value="https://thedfirreport.com/"/> | |
| </Annotation> |