| # C2 FQDNs | |
| first seen fqdn | |
| 2019-12-11 23:37:10 updatemanagir.us | |
| 2019-12-20 17:51:05 cmdupdatewin.com | |
| 2019-12-26 18:03:27 scrservallinst.info | |
| 2020-01-10 00:33:57 winsystemupdate.com | |
| 2020-01-11 23:16:41 jomamba.best | |
| 2020-01-13 05:13:43 updatewinlsass.com | |
| 2020-01-16 11:38:53 winsysteminfo.com | |
| 2020-01-20 05:58:17 livecheckpointsrs.com |
You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228
This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders
sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
JAB |
π£ Jabber | $. |
Variable declaration (UTF-16) |
TVq |
πΊ Television | MZ |
MZ header |
SUVY |
π SUV | IEX |
PowerShell Invoke Expression |
SQBFAF |
π£ Squab favorite | I.E. |
PowerShell Invoke Expression (UTF-16) |
SQBuAH |
π£ Squab uahhh | I.n. |
PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz |
PAA |
πͺ "Pah!" | <. |
Often used by Emotet (UTF-16) |