NeodymiumPhish NeodymiumPhish

## osquery_yara_rule.sql
SELECT *
FROM yara
WHERE
(path IN (SELECT path FROM process_open_files WHERE pid IN (SELECT pid FROM processes WHERE name = 'java') AND path LIKE '%.log' AND path NOT LIKE '%kafka%')
  OR path LIKE '/var/log/%%' )
AND (
rule = 'rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft {
   meta:
      description = "Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228"
      author = "Florian Roth"

## Get-InjectedThread.ps1
function Get-InjectedThread
{
    <#

    .SYNOPSIS

    Looks for threads that were created as a result of code injection.

    .DESCRIPTION
	SELECT *
	FROM yara
	WHERE
	(path IN (SELECT path FROM process_open_files WHERE pid IN (SELECT pid FROM processes WHERE name = 'java') AND path LIKE '%.log' AND path NOT LIKE '%kafka%')
	OR path LIKE '/var/log/%%' )
	AND (
	rule = 'rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft {
	meta:
	description = "Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228"
	author = "Florian Roth"
	function Get-InjectedThread
	{
	<#

	.SYNOPSIS

	Looks for threads that were created as a result of code injection.

	.DESCRIPTION