A SQL query that can be run as a realtime query in osquery to detect whether Java processes on a host have log files open that match the YARA rules embedded in the query. The YARA rules detect indicators of exploitation attempts against the log4j vulnerability CVE-2021-44228.
-- osquery realtime query: scan log files for indicators of Log4Shell
-- (CVE-2021-44228) exploitation using the three YARA rules embedded below.
--
-- Scope of files scanned:
--   1. files ending in ".log" that are currently open by a process named
--      "java", excluding any path containing "kafka";
--   2. everything under /var/log/ (the kafka exclusion does NOT apply here).
-- Only rows with at least one YARA match (count > 0) are returned, and
-- osquery's own worker log is excluded -- presumably because this query text
-- itself contains the indicator strings and would otherwise self-match; verify.
--
-- NOTE(review): yara, process_open_files and processes are osquery virtual
-- tables. The path predicates are written as IN / LIKE constraints on purpose:
-- that is how osquery hands the file set to the YARA scanner, so do not
-- refactor them into JOINs or CTEs without re-testing in osquery.
SELECT *
FROM yara
WHERE
-- branch 1: *.log files held open by java processes (kafka logs excluded)
(path IN (SELECT path FROM process_open_files WHERE pid IN (SELECT pid FROM processes WHERE name = 'java') AND path LIKE '%.log' AND path NOT LIKE '%kafka%')
-- branch 2: all of /var/log. osquery expands LIKE patterns to file globs, and
-- a doubled '%%' recurses into subdirectories while a single '%' matches one
-- level only -- keep '%%' here.
OR path LIKE '/var/log/%%' )
AND (
-- Rule 1 ("Soft", score 60): plain-string match on the literal "${jndi:<scheme>:/"
-- prefixes. Cheap and broad; no false-positive filtering.
rule = 'rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft {
meta:
description = "Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228"
author = "Florian Roth"
reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
date = "2021-12-10"
score = 60
strings:
$x1 = "${jndi:ldap:/"
$x2 = "${jndi:rmi:/"
$x3 = "${jndi:ldaps:/"
$x4 = "${jndi:dns:/"
condition:
1 of them
}' OR
-- Rule 2 ("Hard", score 80): regex requiring a full host:port/path callback
-- URL, minus callbacks to private address space ($fp1r).
-- NOTE(review): '172\.[1-3][0-9]\.' in $fp1r matches 172.10 through 172.39,
-- which is wider than the RFC 1918 172.16/12 block; callbacks to
-- 172.10-172.15.x or 172.32-172.39.x are therefore suppressed as
-- false positives by this rule (the Soft rule still flags them).
rule = 'rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
meta:
description = "Detects indicators in server logs that indicate the exploitation of CVE-2021-44228"
author = "Florian Roth"
reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
date = "2021-12-10"
score = 80
strings:
$x1 = /\$\{jndi:(ldap|ldaps|rmi|dns):\/[\/]?[a-z-\.0-9]{3,120}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}/
$fp1r = /(ldap|rmi|ldaps|dns):\/[\/]?(127\.0\.0\.1|192\.168\.|172\.[1-3][0-9]\.|10\.)/
condition:
$x1 and not 1 of ($fp*)
}' OR
-- Rule 3 (score 70): base64 fragments of "curl -s" AND "|wget -q -O-" in the
-- same file, as seen in post-exploitation payloads. The three variants per
-- command cover the three possible base64 alignments of the substring.
rule = 'rule SUSP_Base64_Encoded_Exploit_Indicators_Dec21 {
meta:
description = "Detects base64 encoded strings found in payloads of exploits against log4j CVE-2021-44228"
author = "Florian Roth"
reference = "https://twitter.com/Reelix/status/1469327487243071493"
date = "2021-12-10"
score = 70
strings:
/* curl -s */
$sa1 = "Y3VybCAtcy"
$sa2 = "N1cmwgLXMg"
$sa3 = "jdXJsIC1zI"
/* |wget -q -O- */
$sb1 = "fHdnZXQgLXEgLU8tI"
$sb2 = "x3Z2V0IC1xIC1PLS"
$sb3 = "8d2dldCAtcSAtTy0g"
condition:
1 of ($sa*) and 1 of ($sb*)
}')
-- drop scanned files with no hits
AND count > 0
-- avoid flagging osquery's own log, which would contain this query's rule text
AND path NOT LIKE '%osqueryd.worker.log'