shizonic · December 14, 2021 07:08 · Dec 12, 2021 · Dec 12, 2021 · Dec 12, 2021 · Dec 12, 2021
diff --git a/log4j_rce_detection.md b/log4j_rce_detection.md
@@ -7,13 +7,13 @@ You can use these commands and rules to search for exploitation attempts against
 This command searches for exploitation attempts in uncompressed files in folder `/var/log` and all sub folders
 
 ```bash
-sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns):/[^\n]+' /var/log
+sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
 ```
 
 This command searches for exploitation attempts in compressed files in folder `/var/log` and all sub folders
 
 ```bash
-sudo find /var/log -name \*.gz -print0 | xargs -0 zgrep -E -i '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns):/[^\n]+'
+sudo find /var/log -name \*.gz -print0 | xargs -0 zgrep -E -i '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+'
 ```
 
 ## Grep / Zgrep - Obfuscated Variants
@@ -23,13 +23,13 @@ These commands cover even the obfuscated variants but lack the file name in a ma
 This command searches for exploitation attempts in uncompressed files in folder `/var/log` and all sub folders
 
 ```bash
-sudo find /var/log/ -type f -exec sh -c "cat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -I -i 'jndi:(ldap[s]?|rmi|dns):'" \;
+sudo find /var/log/ -type f -exec sh -c "cat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -I -i 'jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):'" \;
 ```
 
 This command searches for exploitation attempts in compressed files in folder `/var/log` and all sub folders
 
 ```bash
-sudo find /var/log/ -name '*.gz' -type f -exec sh -c "zcat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'" \;
+sudo find /var/log/ -name '*.gz' -type f -exec sh -c "zcat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):'" \;
 ```
 
 ## Log4Shell Detector (Python)

diff --git a/log4j_rce_detection.md b/log4j_rce_detection.md
@@ -29,7 +29,7 @@ sudo find /var/log/ -type f -exec sh -c "cat {} | sed -e 's/\${lower://'g | tr -
 This command searches for exploitation attempts in compressed files in folder `/var/log` and all sub folders
 
 ```bash
-sudo find /var/log/ -name "*.log.gz" -type f -exec sh -c "zcat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'"  \;
+sudo find /var/log/ -name '*.gz' -type f -exec sh -c "zcat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'" \;
 ```
 
 ## Log4Shell Detector (Python)

diff --git a/log4j_rce_detection.md b/log4j_rce_detection.md
@@ -62,3 +62,4 @@ I got help and ideas from
 - [@matthias_kaiser](https://twitter.com/matthias_kaiser) 
 - [@daphiel](https://twitter.com/daphiel)
 - [@Reelix](https://twitter.com/Reelix)
+- @atom-b
diff --git a/log4j_rce_detection.md b/log4j_rce_detection.md
@@ -7,13 +7,13 @@ You can use these commands and rules to search for exploitation attempts against
 This command searches for exploitation attempts in uncompressed files in folder `/var/log` and all sub folders
 
 ```bash
-sudo egrep -I -i -r '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+' /var/log
+sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns):/[^\n]+' /var/log
 ```
 
 This command searches for exploitation attempts in compressed files in folder `/var/log` and all sub folders
 
 ```bash
-sudo find /var/log -name \*.gz -print0 | xargs -0 zgrep -E -i '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+'
+sudo find /var/log -name \*.gz -print0 | xargs -0 zgrep -E -i '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns):/[^\n]+'
 ```
 
 ## Grep / Zgrep - Obfuscated Variants
@@ -49,59 +49,7 @@ by [@CyberRaiju](https://twitter.com/CyberRaiju/status/1469505677580124160)
 
 ## YARA
 
-Preliminary YARA rules (work in progress)
-```yara
-rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft {
-   meta:
-      description = "Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228"
-      author = "Florian Roth"
-      reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
-      date = "2021-12-10"
-      score = 60
-   strings:
-      $x1 = "${jndi:ldap:/"
-      $x2 = "${jndi:rmi:/"
-      $x3 = "${jndi:ldaps:/"
-      $x4 = "${jndi:dns:/"
-   condition:
-      1 of them
-}
-
-rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
-   meta:
-      description = "Detects indicators in server logs that indicate the exploitation of CVE-2021-44228"
-      author = "Florian Roth"
-      reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
-      date = "2021-12-10"
-      score = 80
-   strings:
-      $x1 = /\$\{jndi:(ldap|ldaps|rmi|dns):\/[\/]?[a-z-\.0-9]{3,120}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}/
-      $fp1r = /(ldap|rmi|ldaps|dns):\/[\/]?(127\.0\.0\.1|192\.168\.|172\.[1-3][0-9]\.|10\.)/
-   condition:
-      $x1 and not 1 of ($fp*)
-}
-
-rule SUSP_Base64_Encoded_Exploit_Indicators_Dec21 {
-   meta:
-      description = "Detects base64 encoded strings found in payloads of exploits against log4j CVE-2021-44228"
-      author = "Florian Roth"
-      reference = "https://twitter.com/Reelix/status/1469327487243071493"
-      date = "2021-12-10"
-      score = 70
-   strings:
-      /* curl -s  */
-      $sa1 = "Y3VybCAtcy"
-      $sa2 = "N1cmwgLXMg"
-      $sa3 = "jdXJsIC1zI"
-      /* |wget -q -O-  */
-      $sb1 = "fHdnZXQgLXEgLU8tI"
-      $sb2 = "x3Z2V0IC1xIC1PLS"
-      $sb3 = "8d2dldCAtcSAtTy0g"
-   condition:
-      1 of ($sa*) and 1 of ($sb*)
-}
-
-```
+https://github.com/Neo23x0/signature-base/blob/master/yara/expl_log4j_cve_2021_44228.yar
 
 ## Help 
 

diff --git a/log4j_rce_detection.md b/log4j_rce_detection.md
@@ -7,7 +7,7 @@ You can use these commands and rules to search for exploitation attempts against
 This command searches for exploitation attempts in uncompressed files in folder `/var/log` and all sub folders
 
 ```bash
-sudo egrep -l -i -r '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+' /var/log
+sudo egrep -I -i -r '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+' /var/log
 ```
 
 This command searches for exploitation attempts in compressed files in folder `/var/log` and all sub folders
@@ -23,13 +23,13 @@ These commands cover even the obfuscated variants but lack the file name in a ma
 This command searches for exploitation attempts in uncompressed files in folder `/var/log` and all sub folders
 
 ```bash
-sudo find /var/log/ -type f -exec sh -c "cat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'" \;
+sudo find /var/log/ -type f -exec sh -c "cat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -I -i 'jndi:(ldap[s]?|rmi|dns):'" \;
 ```
 
 This command searches for exploitation attempts in compressed files in folder `/var/log` and all sub folders
 
 ```bash
-sudo find /var/log/ -name "*.gz" -type f -exec sh -c "zcat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'"  \;
+sudo find /var/log/ -name "*.log.gz" -type f -exec sh -c "zcat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'"  \;
 ```
 
 ## Log4Shell Detector (Python)

diff --git a/log4j_rce_detection.md b/log4j_rce_detection.md
@@ -7,7 +7,7 @@ You can use these commands and rules to search for exploitation attempts against
 This command searches for exploitation attempts in uncompressed files in folder `/var/log` and all sub folders
 
 ```bash
-sudo egrep -i -r '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+' /var/log
+sudo egrep -l -i -r '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+' /var/log
 ```
 
 This command searches for exploitation attempts in compressed files in folder `/var/log` and all sub folders

diff --git a/log4j_rce_detection.md b/log4j_rce_detection.md
@@ -32,6 +32,12 @@ This command searches for exploitation attempts in compressed files in folder `/
 sudo find /var/log/ -name "*.gz" -type f -exec sh -c "zcat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'"  \;
 ```
 
+## Log4Shell Detector (Python)
+
+Python based scanner to detect the most obfuscated forms of the exploit codes. 
+
+https://github.com/Neo23x0/log4shell-detector
+
 ## Find Vulnerable Software (Windows)
 
 ```powershell 

diff --git a/log4j_rce_detection.md b/log4j_rce_detection.md
@@ -32,6 +32,15 @@ This command searches for exploitation attempts in compressed files in folder `/
 sudo find /var/log/ -name "*.gz" -type f -exec sh -c "zcat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'"  \;
 ```
 
+## Find Vulnerable Software (Windows)
+
+```powershell 
+gci 'C:\' -rec -force -include *.jar -ea 0 | foreach {select-string "JndiLookup.class" $_} | select -exp Path
+```
+
+by [@CyberRaiju](https://twitter.com/CyberRaiju/status/1469505677580124160)
+
+
 ## YARA
 
 Preliminary YARA rules (work in progress)

diff --git a/log4j_rce_detection.md b/log4j_rce_detection.md
@@ -23,13 +23,13 @@ These commands cover even the obfuscated variants but lack the file name in a ma
 This command searches for exploitation attempts in uncompressed files in folder `/var/log` and all sub folders
 
 ```bash
-sudo find /var/log/ -type f -exec sh -c "cat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'"\;
+sudo find /var/log/ -type f -exec sh -c "cat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'" \;
 ```
 
 This command searches for exploitation attempts in compressed files in folder `/var/log` and all sub folders
 
 ```bash
-sudo find /var/log/ -name "*.gz" -type f -exec sh -c "zcat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'" \;
+sudo find /var/log/ -name "*.gz" -type f -exec sh -c "zcat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'"  \;
 ```
 
 ## YARA

diff --git a/log4j_rce_detection.md b/log4j_rce_detection.md
@@ -23,13 +23,13 @@ These commands cover even the obfuscated variants but lack the file name in a ma
 This command searches for exploitation attempts in uncompressed files in folder `/var/log` and all sub folders
 
 ```bash
-sudo find /var/log/test/ -type f -exec sh -c "cat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'"\;
+sudo find /var/log/ -type f -exec sh -c "cat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'"\;
 ```
 
 This command searches for exploitation attempts in compressed files in folder `/var/log` and all sub folders
 
 ```bash
-sudo find /var/log/test/ -name "*.gz" -type f -exec sh -c "zcat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'" \;
+sudo find /var/log/ -name "*.gz" -type f -exec sh -c "zcat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'" \;
 ```
 
 ## YARA

diff --git a/log4j_rce_detection.md b/log4j_rce_detection.md
@@ -6,6 +6,22 @@ You can use these commands and rules to search for exploitation attempts against
 
 This command searches for exploitation attempts in uncompressed files in folder `/var/log` and all sub folders
 
+```bash
+sudo egrep -i -r '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+' /var/log
+```
+
+This command searches for exploitation attempts in compressed files in folder `/var/log` and all sub folders
+
+```bash
+sudo find /var/log -name \*.gz -print0 | xargs -0 zgrep -E -i '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+'
+```
+
+## Grep / Zgrep - Obfuscated Variants
+
+These commands cover even the obfuscated variants but lack the file name in a match. 
+
+This command searches for exploitation attempts in uncompressed files in folder `/var/log` and all sub folders
+
 ```bash
 sudo find /var/log/test/ -type f -exec sh -c "cat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'"\;
 ```

diff --git a/log4j_rce_detection.md b/log4j_rce_detection.md
@@ -13,8 +13,7 @@ sudo find /var/log/test/ -type f -exec sh -c "cat {} | sed -e 's/\${lower://'g |
 This command searches for exploitation attempts in compressed files in folder `/var/log` and all sub folders
 
 ```bash
-sudo find /var/log/test/ -name "*.gz" -type f -exec sh -c "zcat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ld
-ap[s]?|rmi|dns):'" \;
+sudo find /var/log/test/ -name "*.gz" -type f -exec sh -c "zcat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'" \;
 ```
 
 ## YARA

diff --git a/log4j_rce_detection.md b/log4j_rce_detection.md
@@ -13,7 +13,8 @@ sudo find /var/log/test/ -type f -exec sh -c "cat {} | sed -e 's/\${lower://'g |
 This command searches for exploitation attempts in compressed files in folder `/var/log` and all sub folders
 
 ```bash
-sudo find /var/log -name \*.gz -print0 | xargs -0 zgrep -E -i '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+'
+sudo find /var/log/test/ -name "*.gz" -type f -exec sh -c "zcat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ld
+ap[s]?|rmi|dns):'" \;
 ```
 
 ## YARA

diff --git a/log4j_rce_detection.md b/log4j_rce_detection.md
@@ -7,8 +7,7 @@ You can use these commands and rules to search for exploitation attempts against
 This command searches for exploitation attempts in uncompressed files in folder `/var/log` and all sub folders
 
 ```bash
-sudo find /var/log/test/ -type f -exec sh -c "cat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'"
-\;
+sudo find /var/log/test/ -type f -exec sh -c "cat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'"\;
 ```
 
 This command searches for exploitation attempts in compressed files in folder `/var/log` and all sub folders

diff --git a/log4j_rce_detection.md b/log4j_rce_detection.md
@@ -7,7 +7,8 @@ You can use these commands and rules to search for exploitation attempts against
 This command searches for exploitation attempts in uncompressed files in folder `/var/log` and all sub folders
 
 ```bash
-sudo egrep -i -r '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+' /var/log
+sudo find /var/log/test/ -type f -exec sh -c "cat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'"
+\;
 ```
 
 This command searches for exploitation attempts in compressed files in folder `/var/log` and all sub folders

diff --git a/log4j_rce_detection.md b/log4j_rce_detection.md
@@ -82,3 +82,4 @@ I got help and ideas from
 
 - [@matthias_kaiser](https://twitter.com/matthias_kaiser) 
 - [@daphiel](https://twitter.com/daphiel)
+- [@Reelix](https://twitter.com/Reelix)
diff --git a/log4j_rce_detection.md b/log4j_rce_detection.md
@@ -49,6 +49,27 @@ rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
    condition:
       $x1 and not 1 of ($fp*)
 }
+
+rule SUSP_Base64_Encoded_Exploit_Indicators_Dec21 {
+   meta:
+      description = "Detects base64 encoded strings found in payloads of exploits against log4j CVE-2021-44228"
+      author = "Florian Roth"
+      reference = "https://twitter.com/Reelix/status/1469327487243071493"
+      date = "2021-12-10"
+      score = 70
+   strings:
+      /* curl -s  */
+      $sa1 = "Y3VybCAtcy"
+      $sa2 = "N1cmwgLXMg"
+      $sa3 = "jdXJsIC1zI"
+      /* |wget -q -O-  */
+      $sb1 = "fHdnZXQgLXEgLU8tI"
+      $sb2 = "x3Z2V0IC1xIC1PLS"
+      $sb3 = "8d2dldCAtcSAtTy0g"
+   condition:
+      1 of ($sa*) and 1 of ($sb*)
+}
+
 ```
 
 ## Help 

diff --git a/log4j_rce_detection.md b/log4j_rce_detection.md
@@ -20,7 +20,6 @@ sudo find /var/log -name \*.gz -print0 | xargs -0 zgrep -E -i '\$\{jndi:(ldap[s]
 
 Preliminary YARA rules (work in progress)
 ```yara
-
 rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft {
    meta:
       description = "Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228"
@@ -45,12 +44,11 @@ rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
       date = "2021-12-10"
       score = 80
    strings:
-      $x1 = /\$\{jndi:(ldap|ldaps|rmi|dns):\/[\/]?[a-z-\.0-9]{3,42}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}/
+      $x1 = /\$\{jndi:(ldap|ldaps|rmi|dns):\/[\/]?[a-z-\.0-9]{3,120}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}/
       $fp1r = /(ldap|rmi|ldaps|dns):\/[\/]?(127\.0\.0\.1|192\.168\.|172\.[1-3][0-9]\.|10\.)/
    condition:
       $x1 and not 1 of ($fp*)
 }
-
 ```
 
 ## Help 

diff --git a/log4j_rce_detection.md b/log4j_rce_detection.md
@@ -7,19 +7,20 @@ You can use these commands and rules to search for exploitation attempts against
 This command searches for exploitation attempts in uncompressed files in folder `/var/log` and all sub folders
 
 ```bash
-sudo egrep -i -r '\$\{jndi:(ldap[s]?|rmi)://[^\n]+' /var/log
+sudo egrep -i -r '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+' /var/log
 ```
 
 This command searches for exploitation attempts in compressed files in folder `/var/log` and all sub folders
 
 ```bash
-sudo find /var/log -name \*.gz -print0 | xargs -0 zgrep -E -i '\$\{jndi:(ldap[s]?|rmi)://[^\n]+'
+sudo find /var/log -name \*.gz -print0 | xargs -0 zgrep -E -i '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+'
 ```
 
 ## YARA
 
 Preliminary YARA rules (work in progress)
 ```yara
+
 rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft {
    meta:
       description = "Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228"
@@ -28,9 +29,10 @@ rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft {
       date = "2021-12-10"
       score = 60
    strings:
-      $x1 = "${jndi:ldap://"
-      $x2 = "${jndi:rmi://"
-      $x3 = "${jndi:ldaps://"
+      $x1 = "${jndi:ldap:/"
+      $x2 = "${jndi:rmi:/"
+      $x3 = "${jndi:ldaps:/"
+      $x4 = "${jndi:dns:/"
    condition:
       1 of them
 }
@@ -43,11 +45,12 @@ rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
       date = "2021-12-10"
       score = 80
    strings:
-      $x1 = /\$\{jndi:(ldap|ldaps|rmi):\/\/[a-z-\.0-9]{3,42}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}/
-      $fp1r = /(ldap|rmi|ldaps):\/\/(127\.0\.0\.1|192\.168\.|172\.[1-3][0-9]\.|10\.)/
+      $x1 = /\$\{jndi:(ldap|ldaps|rmi|dns):\/[\/]?[a-z-\.0-9]{3,42}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}/
+      $fp1r = /(ldap|rmi|ldaps|dns):\/[\/]?(127\.0\.0\.1|192\.168\.|172\.[1-3][0-9]\.|10\.)/
    condition:
       $x1 and not 1 of ($fp*)
 }
+
 ```
 
 ## Help 

diff --git a/log4j_rce_detection.md b/log4j_rce_detection.md
@@ -44,7 +44,7 @@ rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
       score = 80
    strings:
       $x1 = /\$\{jndi:(ldap|ldaps|rmi):\/\/[a-z-\.0-9]{3,42}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}/
-      $fp1r = /(ldap|rmi|ldaps):\/\/(127\.0\.0\.1|192\.168\.|172\.[1-3][0-9]\.)/
+      $fp1r = /(ldap|rmi|ldaps):\/\/(127\.0\.0\.1|192\.168\.|172\.[1-3][0-9]\.|10\.)/
    condition:
       $x1 and not 1 of ($fp*)
 }

diff --git a/log4j_rce_detection.md b/log4j_rce_detection.md
@@ -50,6 +50,10 @@ rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
 }
 ```
 
+## Help 
+
+Please report findings that are not covered by these detection attempts.
+
 ## Credits 
 
 I got help and ideas from 

diff --git a/log4j_rce_detection.md b/log4j_rce_detection.md
@@ -44,9 +44,7 @@ rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
       score = 80
    strings:
       $x1 = /\$\{jndi:(ldap|ldaps|rmi):\/\/[a-z-\.0-9]{3,42}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}/
-      $fp1 = "ldap://127.0.0.1"
-      $fp2 = "ldaps://127.0.0.1"
-      $fp3 = "rmi://127.0.0.1"
+      $fp1r = /(ldap|rmi|ldaps):\/\/(127\.0\.0\.1|192\.168\.|172\.[1-3][0-9]\.)/
    condition:
       $x1 and not 1 of ($fp*)
 }

diff --git a/log4j_rce_detection.md b/log4j_rce_detection.md
@@ -56,5 +56,5 @@ rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
 
 I got help and ideas from 
 
-- @matthias_kaiser 
+- [@matthias_kaiser](https://twitter.com/matthias_kaiser) 
 - [@daphiel](https://twitter.com/daphiel)
diff --git a/log4j_rce_detection.md b/log4j_rce_detection.md
@@ -57,4 +57,4 @@ rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
 I got help and ideas from 
 
 - @matthias_kaiser 
-- @daphiel
+- [@daphiel](https://twitter.com/daphiel)
diff --git a/log4j_rce_detection.md b/log4j_rce_detection.md
@@ -52,3 +52,9 @@ rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
 }
 ```
 
+## Credits 
+
+I got help and ideas from 
+
+- @matthias_kaiser 
+- @daphiel
diff --git a/log4j_rce_detection.md b/log4j_rce_detection.md
@@ -1,4 +1,4 @@
-# log4j RCE Detection
+# log4j RCE Exploitation Detection
 
 You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228
 

diff --git a/log4j_rce_detection.md b/log4j_rce_detection.md
@@ -1,4 +1,8 @@
-You can use these commands to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228
+# log4j RCE Detection
+
+You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228
+
+## Grep / Zgrep
 
 This command searches for exploitation attempts in uncompressed files in folder `/var/log` and all sub folders
 
@@ -12,6 +16,8 @@ This command searches for exploitation attempts in compressed files in folder `/
 sudo find /var/log -name \*.gz -print0 | xargs -0 zgrep -E -i '\$\{jndi:(ldap[s]?|rmi)://[^\n]+'
 ```
 
+## YARA
+
 Preliminary YARA rules (work in progress)
 ```yara
 rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft {
@@ -44,4 +50,5 @@ rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
    condition:
       $x1 and not 1 of ($fp*)
 }
-```
+```
+
diff --git a/log4j_rce_detection.md b/log4j_rce_detection.md
@@ -37,7 +37,7 @@ rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
       date = "2021-12-10"
       score = 80
    strings:
-      $x1 = /\$\{jndi:(ldap|ldaps|rmi):\/\/[a-z\.0-9]{3,42}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}/
+      $x1 = /\$\{jndi:(ldap|ldaps|rmi):\/\/[a-z-\.0-9]{3,42}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}/
       $fp1 = "ldap://127.0.0.1"
       $fp2 = "ldaps://127.0.0.1"
       $fp3 = "rmi://127.0.0.1"

diff --git a/log4j_rce_detection.md b/log4j_rce_detection.md
@@ -10,4 +10,38 @@ This command searches for exploitation attempts in compressed files in folder `/
 
 ```bash
 sudo find /var/log -name \*.gz -print0 | xargs -0 zgrep -E -i '\$\{jndi:(ldap[s]?|rmi)://[^\n]+'
+```
+
+Preliminary YARA rules (work in progress)
+```yara
+rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft {
+   meta:
+      description = "Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228"
+      author = "Florian Roth"
+      reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
+      date = "2021-12-10"
+      score = 60
+   strings:
+      $x1 = "${jndi:ldap://"
+      $x2 = "${jndi:rmi://"
+      $x3 = "${jndi:ldaps://"
+   condition:
+      1 of them
+}
+
+rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
+   meta:
+      description = "Detects indicators in server logs that indicate the exploitation of CVE-2021-44228"
+      author = "Florian Roth"
+      reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
+      date = "2021-12-10"
+      score = 80
+   strings:
+      $x1 = /\$\{jndi:(ldap|ldaps|rmi):\/\/[a-z\.0-9]{3,42}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}/
+      $fp1 = "ldap://127.0.0.1"
+      $fp2 = "ldaps://127.0.0.1"
+      $fp3 = "rmi://127.0.0.1"
+   condition:
+      $x1 and not 1 of ($fp*)
+}
 ```