
@mariabernis
Last active January 11, 2022 14:08

log4j RCE Exploitation Detection

You can use these commands and rules to search for exploitation attempts against the log4j RCE vulnerability CVE-2021-44228 (Log4Shell) on macOS using zsh.

Based on https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b

Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in the folder /var/log and all its subfolders. It sets LC_ALL=C for sed and tr so they treat the input as plain bytes: with a UTF-8 locale, a log line containing an invalid byte sequence makes them abort with 'Illegal byte sequence'. The file name is handed to the inner shell as an argument ("$1") rather than spliced into the command string, so a file name containing quotes or spaces cannot break (or inject into) the pipeline, and each file that matches is named after its matching lines.

sudo find /var/log -type f -exec sh -c 'LC_ALL=C sed -e "s/[$]{lower://g" "$1" | LC_ALL=C tr -d "}" | grep -E -I -i "jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):" && printf "  ^ found in %s\n" "$1"' sh {} \;

This command does the same for the compressed files in /var/log and its subfolders, using gzcat (the gzip-aware cat that ships with macOS) instead of zcat:

sudo find /var/log -name '*.gz' -type f -exec sh -c 'gzcat "$1" | LC_ALL=C sed -e "s/[$]{lower://g" | LC_ALL=C tr -d "}" | grep -E -I -i "jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):" && printf "  ^ found in %s\n" "$1"' sh {} \;

If any of these return results, a Log4Shell payload was written to a log on this machine. That is evidence of an attempt, not proof that it succeeded: the string only does damage if a Java application running a vulnerable log4j logged it, and a hit in a plain web-server access log on a laptop is often just internet background noise. Treat it seriously anyway: jump directly to mitigation strategies (or contact someone that can help you).

Log4Shell-Rex

A massive regex to cover even the most obfuscated variants: https://github.com/back2root/log4shell-rex. If the previous commands don't return any matches, you may want to try out this regex, just in case.

(?:\$|%(?:25)*24|\\(?:0024|0{0,2}44))(?:{|%(?:25)*7[Bb]|\\(?:007[Bb]|0{0,2}173)).{0,30}?((?:[Jj]|%(?:25)*[46][Aa]|\\(?:00[46][Aa]|0{0,2}1[15]2)).{0,30}?(?:[Nn]|%(?:25)*[46][Ee]|\\(?:00[46][Ee]|0{0,2}1[15]6)).{0,30}?(?:[Dd]|%(?:25)*[46]4|\\(?:00[46]4|0{0,2}1[04]4)).{0,30}?(?:[Ii]|%(?:25)*[46]9|\\(?:00[46]9|0{0,2}1[15]1)|ı).{0,30}?(?::|%(?:25)*3[Aa]|\\(?:003[Aa]|0{0,2}72)).{0,30}?((?:[Ll]|%(?:25)*[46][Cc]|\\(?:00[46][Cc]|0{0,2}1[15]4)).{0,30}?(?:[Dd]|%(?:25)*[46]4|\\(?:00[46]4|0{0,2}1[04]4)).{0,30}?(?:[Aa]|%(?:25)*[46]1|\\(?:00[46]1|0{0,2}1[04]1)).{0,30}?(?:[Pp]|%(?:25)*[57]0|\\(?:00[57]0|0{0,2}1[26]0))(?:.{0,30}?(?:[Ss]|%(?:25)*[57]3|\\(?:00[57]3|0{0,2}1[26]3)))?|(?:[Rr]|%(?:25)*[57]2|\\(?:00[57]2|0{0,2}1[26]2)).{0,30}?(?:[Mm]|%(?:25)*[46][Dd]|\\(?:00[46][Dd]|0{0,2}1[15]5)).{0,30}?(?:[Ii]|%(?:25)*[46]9|\\(?:00[46]9|0{0,2}1[15]1)|ı)|(?:[Dd]|%(?:25)*[46]4|\\(?:00[46]4|0{0,2}1[04]4)).{0,30}?(?:[Nn]|%(?:25)*[46][Ee]|\\(?:00[46][Ee]|0{0,2}1[15]6)).{0,30}?(?:[Ss]|%(?:25)*[57]3|\\(?:00[57]3|0{0,2}1[26]3))|(?:[Nn]|%(?:25)*[46][Ee]|\\(?:00[46][Ee]|0{0,2}1[15]6)).{0,30}?(?:[Ii]|%(?:25)*[46]9|\\(?:00[46]9|0{0,2}1[15]1)|ı).{0,30}?(?:[Ss]|%(?:25)*[57]3|\\(?:00[57]3|0{0,2}1[26]3))|(?:.{0,30}?(?:[Ii]|%(?:25)*[46]9|\\(?:00[46]9|0{0,2}1[15]1)|ı)){2}.{0,30}?(?:[Oo]|%(?:25)*[46][Ff]|\\(?:00[46][Ff]|0{0,2}1[15]7)).{0,30}?(?:[Pp]|%(?:25)*[57]0|\\(?:00[57]0|0{0,2}1[26]0))|(?:[Cc]|%(?:25)*[46]3|\\(?:00[46]3|0{0,2}1[04]3)).{0,30}?(?:[Oo]|%(?:25)*[46][Ff]|\\(?:00[46][Ff]|0{0,2}1[15]7)).{0,30}?(?:[Rr]|%(?:25)*[57]2|\\(?:00[57]2|0{0,2}1[26]2)).{0,30}?(?:[Bb]|%(?:25)*[46]2|\\(?:00[46]2|0{0,2}1[04]2)).{0,30}?(?:[Aa]|%(?:25)*[46]1|\\(?:00[46]1|0{0,2}1[04]1))|(?:[Nn]|%(?:25)*[46][Ee]|\\(?:00[46][Ee]|0{0,2}1[15]6)).{0,30}?(?:[Dd]|%(?:25)*[46]4|\\(?:00[46]4|0{0,2}1[04]4)).{0,30}?(?:[Ss]|%(?:25)*[57]3|\\(?:00[57]3|0{0,2}1[26]3))|(?:[Hh]|%(?:25)*[46]8|\\(?:00[46]8|0{0,2}1[15]0))(?:.{0,30}?(?:[Tt]|%(?:25)*[57]4|\\(?:00[57]4|0{0,2}1[26]4))){2}.{0,30}?(?:[Pp]|%(?:25)*[57]0|\\(?:00[57]0|0{0,2}1[26]0))(?:.{0,30}?(?:[Ss]|%(?:25)*[57]3|\\(?:00[57]3|0{0,2}1[26]3)))?).{0,30}?(?::|%(?:25)*3[Aa]|\\(?:003[Aa]|0{0,2}72)).{0,30}?(?:\/|%(?:25)*2[Ff]|\\(?:002[Ff]|0{0,2}57)|\${)|(?:[Bb]|%(?:25)*[46]2|\\(?:00[46]2|0{0,2}1[04]2)).{0,30}?(?:[Aa]|%(?:25)*[46]1|\\(?:00[46]1|0{0,2}1[04]1)).{0,30}?(?:[Ss]|%(?:25)*[57]3|\\(?:00[57]3|0{0,2}1[26]3)).{0,30}?(?:[Ee]|%(?:25)*[46]5|\\(?:00[46]5|0{0,2}1[04]5)).{2,60}?(?::|%(?:25)*3[Aa]|\\(?:003[Aa]|0{0,2}72))(JH[s-v]|[\x2b\x2f-9A-Za-z][CSiy]R7|[\x2b\x2f-9A-Za-z]{2}[048AEIMQUYcgkosw]ke[\x2b\x2f-9w-z]))

To use this regex on macOS, make sure you have the GNU grep implementation installed: the regex needs PCRE (grep -P), and the BSD grep that ships with macOS does not support that option. If you don't have it, you can install it with brew:

brew install grep

Installing it in that way will not change your grep, but will add a ggrep command (the gnu one) so you can use both and the behavior of your existing scripts will not be affected.

Now you can execute, for example:

sudo find /var/log -type f -print0 | sudo xargs -0 ggrep -P -I -H 'REGEX-FROM-HELL-GOES-HERE'

Keep the regex in single quotes (it contains $ and backslashes), use -print0 / -0 so paths with spaces survive the pipe, and put sudo on both sides of it: a sudo that applies only to find lets it list the files, but ggrep would then run as your user and fail to read root-only logs. -H prints the file name next to each match, and dropping the "*.log" filter includes rotated logs; for the .gz files, pipe gzcat through ggrep -P with the same regex.

Log4Shell Detector (Python)

Python-based scanner to detect the most obfuscated forms of the exploit strings. Again, if the first two commands don't return any results, you can also try this one:

https://github.com/Neo23x0/log4shell-detector

Find Log4j on MacOs

Look for log4j files on your Mac with these:

ps aux | egrep '[l]og4j'
sudo find / -iname "log4j*"
sudo lsof | grep -i log4j
sudo grep -rl --include='*.[wje]ar' "JndiLookup.class" /

The first three find running processes, files and open file handles whose name contains log4j. The last one lists every jar, war or ear whose zip directory contains the JndiLookup.class entry name (the archive entry names are stored uncompressed, which is why a plain grep works). Quote the glob, otherwise the shell expands it against the current directory before grep sees it, and run it with sudo so it can read archives that belong to other users. Two limits to keep in mind: it says nothing about the log4j version, and it misses a log4j-core jar nested inside a war or fat jar, because the nested jar is normally deflate-compressed and its entry names are not visible to grep.

Most probably, for many of the resulting locations, you can just delete the log4j files because they are within a cache folder (/.../.gradle/caches/... for instance), a trash folder or the downloaded dependencies of a project (like /.../.m2/repository/log4j) that you can download again (making sure you upgrade to the latest version with a patch).

If you are not sure, ask for help.
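A walker that opens each archive instead of grepping for the entry name, added here as an example (not part of this gist and not a tool from the log4j project). It reads the log4j-core version from the embedded Maven pom.properties, recurses into jars nested inside war/ear/fat-jar files, reports whether JndiLookup.class is still present (the class stays in patched 2.17.x releases; only the manual zip -d mitigation removes it), and flags the version ranges Apache lists for CVE-2021-44228. The fixture built by demo() is constructed: tiny zip files with the right entry names and dummy bytes, not real log4j artifacts.

```python
import io
import os
import re
import shutil
import sys
import tempfile
import zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def vulnerable_to_44228(version: str) -> bool:
    """Apache's range for CVE-2021-44228: log4j-core 2.x below 2.15.0, except the Java 6/7
    backport fixes 2.3.1+ and 2.12.2+. (2.0 betas before beta9 are not told apart.)"""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return False                     # unparseable: still reported, a human decides
    v = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    if v[0] != 2 or v >= (2, 15, 0):
        return False
    if v[1] == 12 and v[2] >= 2:
        return False
    if v[1] == 3 and v[2] >= 1:
        return False
    return True


def inspect_archive(data: bytes, label: str, findings: list) -> None:
    """Record log4j-core inside one archive and recurse into archives nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return                           # not a zip (or truncated): nothing to see
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_ENTRY in names:
            version = "unknown"
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            jndi = JNDI_ENTRY in names
            findings.append({
                "path": label,
                "version": version,
                "jndi_lookup": jndi,                                  # class still present?
                "cve_2021_44228": jndi and vulnerable_to_44228(version),
            })
        for name in names:               # WEB-INF/lib/*.jar inside a war, fat jars, etc.
            if name.lower().endswith(ARCHIVE_EXT):
                inspect_archive(zf.read(name), f"{label}!/{name}", findings)


def scan_tree(root: str) -> list:
    """Walk root and inspect every archive; unreadable files are skipped, as find does."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                try:
                    with open(path, "rb") as fh:
                        inspect_archive(fh.read(), path, findings)
                except OSError:
                    continue
    return findings


def _fake_log4j_core(version: str, with_jndi: bool) -> bytes:
    """Constructed stand-in for log4j-core-<version>.jar: right entry names, dummy contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_ENTRY, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def demo() -> list:
    """Constructed fixture: a vulnerable jar, a patched jar, and a war nesting a jar with the class removed."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    try:
        lib = os.path.join(root, "m2")
        os.makedirs(lib)
        with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "wb") as fh:
            fh.write(_fake_log4j_core("2.14.1", with_jndi=True))
        with open(os.path.join(lib, "log4j-core-2.17.1.jar"), "wb") as fh:
            fh.write(_fake_log4j_core("2.17.1", with_jndi=True))   # 2.17.x still ships the class
        with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
            war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar",
                         _fake_log4j_core("2.14.1", with_jndi=False))  # after zip -q -d ... JndiLookup.class
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    # python3 find_log4j.py ~            (no argument: runs over the constructed fixture)
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in results:
        flag = "CVE-2021-44228" if f["cve_2021_44228"] else ("JndiLookup present" if f["jndi_lookup"] else "class removed")
        print(f'{f["path"]}: log4j-core {f["version"]} [{flag}]')
```

Run it with sudo over / if you want the same coverage as the find command; the "!/" in a reported path marks an archive inside another archive. The version check only covers the original CVE; later log4j advisories raised the bar further, so compare the reported version with Apache's current guidance before declaring a jar safe.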

'Operation not permitted' or 'No such file or directory' messages

If running some of these commands you get 'Operation not permitted' messages, that is usually fine.

macOS from version 10.11 onward comes with System Integrity Protection (SIP), which locks down some directories so that not even root can modify them, precisely to prevent the OS from being compromised by malicious code.

So if you get 'Operation not permitted' for one of these folders, that's actually good:

/System
/sbin
/bin
/usr (with the exception of the /usr/local subdirectory)
/Applications for apps that are preinstalled with macOS (Terminal, Safari, etc.)

If you get the message for other directories (for instance your Mail, Messages or Safari data, or Time Machine backups), it is the privacy protection layer: Terminal does not have Full Disk Access, and that restriction applies even when you run the command with sudo.

You can grant it under System Preferences > Security & Privacy > Privacy > Full Disk Access, restart Terminal and run the command again. You can revoke it afterwards.

Detailed step-by-step instructions here.

Note: if you are using iTerm2, grant Full Disk Access to iTerm2 itself; it is a separate application and does not inherit Terminal's permission.

You may also get 'No such file or directory' inside /System/Volumes/.

Don't worry about those: they are volume entries that find lists but that are not really mounted.

YARA

If none of the previous steps shows any issue, you are good to go :)

YARA is a pattern-matching engine used for malware hunting: it scans files against rules stored in .yar files, like the ones published for the log4j vulnerability. Apart from YARA itself, other scanners embed the YARA engine, and usually just dropping the rule file in that scanner's rules folder is enough for it to detect the log4j payloads too. If you already use a scanner like that in your projects, you can use that rule file there. Of course, if you want to try it yourself, you can download the latest release of YARA from its GitHub releases page.

Credits

I'm merely compiling findings and tips provided by Jonathan Fernández (Thoughtworks Spain Infosec Lead).

Thank you!
