You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228
This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders
sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
| 139.60.161.62 | |
| {"x64": {"md5": "76ea371a846882c14e1203da09dc6e11", "sha1": "208e53753c6435dcb02001d8a8c8f62fbb4ce79c", "time": 1618902720340.7, "config": {"DNS Sleep": 0, "Spawn To x64": "%windir%\\sysnative\\rundll32.exe", "Spawn To x86": "%windir%\\syswow64\\rundll32.exe", "C2 Server": "a.officecalendar.biz,\/owa\/", "Port": 443, "Beacon Type": "8 (HTTPS)", "Method 2": "GET", "Jitter": 20, "Header 2": "", "DNS Idle": "8.8.8.8", "HTTP Method Path 2": "\/OWA\/", "Max DNS": 235, "Header 1": "", "Method 1": "GET", "User Agent": "Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko)", "Polling": 30000, "Pipe Name": ""}, "sha256": "2f256a1b4af0453ae3b7468528e9a21bd767d1b4c8fd86f655e29b5f177215bb"}, "x86": {"md5": "8082ddcf750b84602c0ad0eeff6625c3", "sha1": "f9b4bb659d6c348d1fe8f6c5155831d4b91b8bce", "time": 1618902717665.6, "config": {"DNS Sleep": 0, "Spawn To x64": "%windir%\\sysnative\\rundll32.exe", "Spawn To x86": "%windir%\\syswow64\\rundll32.exe", "C2 Server": "a.officecalendar.biz,\/owa\/" |
The MITRE ATT&CK JSON file is a flat JSON structure which is difficult to parse. To parse this JSON file, there are several different approaches but the type key is the, well, key!
The types within this JSON are the following (as well as the common wording used for this type):
| # ################################################################################ | |
| # IMPORTANT NOTE | |
| # The most recent version of this POC rule can now be found in the main repository | |
| # https://github.com/Neo23x0/sigma/blob/master/other/godmode_sigma_rule.yml | |
| # ################################################################################ | |
| # _____ __ __ ___ __ | |
| # / ___/__ ___/ / / |/ /__ ___/ /__ | |
| # / (_ / _ \/ _ / / /|_/ / _ \/ _ / -_) | |
| # \___/\___/\_,_/ /_/ /_/\___/\_,_/\__/_ | |
| # / __(_)__ ___ _ ___ _ / _ \__ __/ /__ |
| /* | |
| WARNING: | |
| the newest version of this rule is now hosted here: | |
| https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar | |
| */ | |
| /* | |
| _____ __ __ ___ __ |
| Replace 'X' with the domain name of your choice | |
| # Back link | |
| link:X -site:X | |
| # Sub domain | |
| site:X -site:www.X | |
| # Url | |
| inurl:X -site:X |
The purpose of this document is to make recommendations on how to browse in a privacy and security conscious manner. This information is compiled from a number of sources, which are referenced throughout the document, as well as my own experiences with the described technologies.
I welcome contributions and comments on the information contained. Please see the How to Contribute section for information on contributing your own knowledge.