Splunk Enterprise

log4j Detection Search

genesiusj
Builder

Hello,

As we know, trying to create an all-encompassing search for the log4j is a very difficult task because of the infinite number of possibilities for entering the letters jndi and any of the possible protocols; ex. ldap; dns; https; etc.

We came up with this SPL, which has been very successful. However, there is a good possibility of some false positives. We haven't found too many though.

 

 

index=* AND "\$"
    ```All sites discussing log4j examples containing at least one dollar sign. Therefore, we are only reporting those types of events.```
    ```No evidence (thus far) has been shown that these logs would contain log4j-type strings. Therefore, these logs are excluded.```
AND NOT source IN (/var/adm/messages, /var/adm/sulog, /var/adm/syslog*, /var/log/authlog, /var/log/messages, /var/log/secure, /var/log/syslog, /var/log/sudo.log, bandwidth, cpu, interfaces, iostat, netstat, openPorts, protocol, ps, top, vmstat, nfsiostat)
AND NOT sourcetype=syslog
    ```These 12 strings have been found in events with different variations of the log4j string.```
AND ((Basic AND Base64) OR "/securityscan" OR "/callback" OR exploit OR "/nessus" OR (interact OR interactsh) OR kryptoslogic OR "service.exfil.site" OR secresponstaskfrce OR billdemirkapi OR mburpcollab OR leakix)
    ```Flags/Indicators to match the different strings above.```
| eval base64=if(match(_raw,"Base64"),"X","")
| eval dnsscan=if(match(_raw,"/securityscan"),"X","")
| eval exploit=if(match(_raw,"Exploit"),"X","")
| eval nessus=if(match(_raw,"/nessus"),"X","")
| eval interact=if(match(_raw,"interact") or match(_raw,"interactsh"),"X","")
| eval kryptos=if(match(_raw,"kryptoslogic"),"X","")
| eval exfilsite=if(match(_raw,"service.exfil.site"),"X","")
| eval secrettask=if(match(_raw,"secresponstaskfrce"),"X","")
| eval billdemirk=if(match(_raw,"billdemirkapi"),"X","")
| eval burpcollab=if(match(_raw,"mburpcollab"),"X","")
| eval leakix=if(match(_raw,"leakix"),"X","")
    ```These are the known protocols where log4j attacks have been seen. These matches look for the first letter used for each protocol (j), followed by anything, then the next letter (n), etc. This "hopefully" will catch any/all possible variations used by attackers. Note: A future search is being designed to find where URL Encoding repalces any/all of the letters within each JNDI protocol string.```
| where match(_raw,"j.*n.*d.*i.*\:.*l.*d.*a.*p")
     or match(_raw,"j.*n.*d.*i.*\:.*d.*n.*s")
     or match(_raw,"j.*n.*d.*i.*\:.*r.*m.*i")
     or match(_raw,"j.*n.*d.*i.*\:.*l.*d.*a.*p.*s")
     or match(_raw,"j.*n.*d.*i.*\:.*n.*i.*s")
     or match(_raw,"j.*n.*d.*i.*\:.*i.*i.*o.*p")
     or match(_raw,"j.*n.*d.*i.*\:.*c.*o.*r.*b.*a")
     or match(_raw,"j.*n.*d.*i.*\:.*n.*d.*s")
     or match(_raw,"j.*n.*d.*i.*\:.*h.*t.*t.*p")
     or match(_raw,"j.*n.*d.*i.*\:.*h.*t.*t.*p.*s")
     or match(_raw,"(\:)*-")
     or match(_raw,"lower\:")
     or match(_raw,"upper\:")
     or match(_raw,"date\:")
     or match(_raw,"env\:")
     or match(_raw,"jndi")
| sort 0 -_time
| table _time, index, host, source, status, base64, dnsscan, exploit, nessus, interact, kryptos, exfilsite, secrettask, billdemirk, burpcollab, leakix, _raw, http_user_agent,

 

We have found events also substituting URL Encoded characters for jndi........

Please let me, and the rest of our Splunk community, know if there are any issues with this search. Also, any new text signatures discovered other than those in Step 2. And any other discoveries.

Together, let's find, stop this vulnerability. 

Thanks and God bless,
Genesius

 

Labels (1)
Tags (2)
0 Karma

genesiusj
Builder

Hello,

I have had difficulty posting this for the past two days.  Finally, the Answers site told me why. There are screenshots below of some of the regex with explanations. Appears that Splunk was assuming my code was an attack. Hmmm!
This reply describes the steps taken in the SPL in the original post.

Step 1
Due to log4j’s use of regular expressions, it is near impossible to write a set of search strings, let alone a single search string, to detect all of these variations. However, we have designed a search that looks for the presence of a $ in ingested logs, as, in our analysis, at least one unencrypted dollar sign must appear in each log event where the JNDI is being called/used. After the first $ an attacker may attempt to obfuscate one or more of the several protocols used by JNDI to grant lookups.

Screenshot - 12_30_2021 , 11_32_29 AM.png

Step 2
We filtered out events from these logs because it has determined these logs do not capture events pertaining to log4j activity. As a separate search on just these logs, no log4j patterns were discovered. 

/var/adm/messages
/var/log/sudo.log
protocol
/var/adm/sulog
bandwidth
ps/var/adm/syslog*
cpu
top
/var/log/authlog
interfaces
vmstat
/var/log/messages
iostat
nfsiostat
/var/log/secure
netstat
/var/log/syslog
openPorts

Step 3
Using the same logic and analysis from Step 2 we removed events for sourcetype=syslog.

Step 4
Next, we kept events containing only these 12 identified “text signatures” from the Team’s analysis.

Basic AND Base64
nessus
secresponstaskfrce
securityscan
interact OR interactsh
billdemirkapi
callback
kryptoslogic
mburpcollab
exploit
service.exfil.site
leakix

Step 5
This would be any proprietary or other business or industry-specific based search commands.

Step 6
The current final filtering step searches raw events that use one or more of the protocol signatures shared on the Internet. Splunk performs a match against each JNDI protocol one letter at-a-time with any number of other characters in between each protocol letter.

Screenshot - 12_30_2021 , 11_34_54 AM.png

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...