• Stars
    star
    729
  • Rank 62,157 (Top 2 %)
  • Language
    Python
  • License
    MIT License
  • Created about 3 years ago
  • Updated almost 3 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Detector for Log4Shell exploitation attempts

Not Maintained

log4shell-detector

Detector for Log4Shell exploitation attempts

What it does and doesn't do

It does: It checks local log files for indicators of exploitation attempts, even heavily obfuscated ones that string or regular expression based patterns wouldn't detect.

  • It doesn't find vulnerable applications
  • It doesn't and can't verify if the exploitation attempts were successful

Idea

The problem with the log4j CVE-2021-44228 exploitation is that the string can be heavily obfuscated in many different ways. It is impossible to cover all possible forms with a reasonable regular expression.

The idea behind this detector is that the respective characters have to appear in a log line in a certain order to match.

${jndi:ldap:

Split up into a list it would look like this:

['$', '{', 'j', 'n', 'd', 'i', ':', 'l', 'd', 'a', 'p', ':']

I call these lists 'detection pads' in my script and process each log line character by character. I check if each character matches the first element of the detection pads. If the character matches a character in one of the detection pads, a pointer moves forward.

When the pointer reaches the end of the list, the detection triggered and the script prints the file name, the complete log line, the detected string and the number of the line in the file.

I've included a decoder for URL based encodings. If we need more, please let me know.

Usage

usage: log4shell-detector.py [-h] [-p path [path ...] | -f path [path ...] | --auto] [-d distance] [--quick] [--debug] [--summary]

Log4Shell Exploitation Detectors

optional arguments:
  -h, --help          show this help message and exit
  -p path [path ...]  Path to scan
  -f path [path ...]  File to scan
  --auto              Automatically evaluate locations to which logs get written and scan these folders recursively (new default if no path is given)
  -d distance         Maximum distance between each character
  -c check_usage      Check log4j usage before launching the scan
  --debug             Debug output
  --defaultpaths      Scan a set of default paths that should contain relevant log files.
  --quick             Skip log lines that don't contain a 2021 or 2022 time stamp
  --debug             Debug output
  --summary           Show summary only
  --silent            Silent Mode. Only output on matches and errors

Get started

  1. Make sure that the target systems on which you'd like to run log4shell-detector has python installed: python -V and see if Python 3 is available python3 -V

  2. Download this Repo by clicking "Code" > "Download ZIP"

  3. Extract the package and bring othe comlete package to the target system (e.g. with scp)

  4. Run it with python3 log4shell-detector.py -p /var/log (if python3 isn't available use python)

  5. If your applications log to a different folder than /var/log find out where the log files reside and scan these folders. Find locations to which apps write logs with lsof | grep '\.log'.

  6. Review the results (see FAQs for details)

Using ansible-playbook

You can also use the playbook.yml which copies the needed files on the server, runs the script and only shows something if a match was found.

Use it like this:

ansible-playbook -i hosts playbook.yml

which could result in something like this:

TASK [Run the script] ******************************************************************************************************************************************************
fatal: [foo]: FAILED! => changed=false 
  <omitted>
  stdout: |-
    [!] FILE: /var/log/messages LINE_NUMBER: 6098 DEOBFUSCATED_STRING: ${jndi:ldap: LINE: ${jndi:ldap:foo
    [!] 1 files with exploitation attempts detected in PATH: /var/log/

FAQs

I don't use log4j on that server but the scanner reports exploitation attempts. Am I affected?

No. But can you be sure that no application uses log4j?

You can try to find evidence of log4j usage running these commands:

ps aux | egrep '[l]og4j'
find / -iname "log4j*"
lsof | grep log4j
find . -name '*[wj]ar' -print -exec sh -c 'jar tvf {} | grep log4j' \;

If none of these commands returned a result, you should be safe.

My applications use log4j and I've found evidence of exploitation attempts? Am I compromised?

It is possible, yes. First check if the application that you use is actually affected by the vulnerability. Check the JAVA and log4j versions, check the vendor's blog for an advisory or test the application yourself using canary tokens.

If your application is affected and vulnerable and you plan to do a forensic investigation,

  1. create a memory image of that system (use e.g. VMWare's snapshots or other tools for that)

  2. create a disk image of that system

  3. check the system's outgoing network connections in your firewall logs

  4. check the system's crontab for suspicious new entries (/etc/crontab). If you want and can, use our free tool THOR Lite for a basic compromise assessment.

  5. After some investigations, decide if you want and can disconnect that system from the Internet until you've verified that it hasn't been compromised.

Special Flags

--auto

Automatically select file paths to which log files get written. (default: overwrite with -p path or -f file)

--check_usage

Check log4j usage before launching the exploits scan. The usage of this optional flag stop the execution of the script if there is no log4j being used in the current system, the thing that helps saving time especially when it's about scanning an entire infrastructure.

--quick

Only checks log lines that contain a 2021 or 2022 to exclude all scanning of older log entries. We assume that the vulnerability wasn't exploited in 2019 and earlier.

--summary

Prints a summary of matches, with only the filename and line number.

--silent

Silent Mode. Only output on matches (stdout) and errors (stderr)

Requirements

  • Python 2 or Python 3

No further or special Python modules are required. It should run on any system that runs Python.

Screenshots

Screen1

Screen2

Help

There are different ways how you can help.

  1. Test it against the payloads that you find in the wild and let me know if we miss something.
  2. Help me find and fix bugs.
  3. Test if the scripts runs with Python 2; if not, we can add a slightly modified version to the repo.

Test Your Changes

Test your changes to the script with:

pytest

Requires:

pip install pytest

Contact

Twitter: @cyberops

More Repositories

1

Loki

Loki - Simple IOC and YARA Scanner
Python
3,321
star
2

signature-base

YARA signature and IOC database for my scanners and tools
YARA
2,426
star
3

yarGen

yarGen is a generator for YARA rules
Python
1,518
star
4

auditd

Best Practice Auditd Configuration
1,448
star
5

Raccine

A Simple Ransomware Vaccine
C++
945
star
6

munin

Online hash checker for Virustotal and other services
Python
809
star
7

Fenrir

Simple Bash IOC Scanner
Shell
680
star
8

yarAnalyzer

Yara Rule Analyzer and Statistics
Python
356
star
9

vti-dorks

Awesome VirusTotal Intelligence Search Queries
325
star
10

Fnord

Pattern Extractor for Obfuscated Code
Shell
295
star
11

BlueLedger

A list of my personal projects
166
star
12

DLLRunner

Smart DLL execution for malware analysis in sandbox systems
Python
141
star
13

god-mode-rules

God Mode Detection Rules
YARA
129
star
14

YARA-Performance-Guidelines

A guide on how to write fast and memory friendly YARA rules
122
star
15

evt2sigma

Log Entry to Sigma Rule Converter
Python
104
star
16

yaraQA

YARA rule analyzer to improve rule quality and performance
Python
93
star
17

Cyber-Search-Shortcuts

Browser Shortcuts for Cyber Security Related Online Services
78
star
18

exotron

Sandbox feature upgrade with the help of wrapped samples
Python
75
star
19

Loki2

LOKI2 - Simple IOC and YARA Scanner
Rust
73
star
20

ImpHash-Generator

PE Import Hash Generator
Python
72
star
21

Rewind

Immediate Virus Infection Counter Measures
C#
62
star
22

radiocarbon

Leak File Analyzer
Python
62
star
23

tiny-shells

All kinds of tiny shells
59
star
24

panopticon

A YARA Rule Performance Measurement Tool
YARA
58
star
25

LOLSecIssues

Cybersecurity's lighter side: a collection of the most amusing misunderstandings and missteps from newcomers to offensive security tools. A repository where naiveté in infosec is met with humor.
57
star
26

ti-falsepositives

A collection of typical false positive indicators
Python
54
star
27

webshell-intel

Scan web server for known webshell names and responses
50
star
28

xorex

XOR Key Extractor
Python
48
star
29

Talks

Slides of my public talks
46
star
30

cyber-chef-recipes

Recipes for GCHQ's CyberChef Web App
35
star
31

sysmon-version-history

An Inofficial Sysmon Version History (Change Log)
32
star
32

littlesnitch-log-exporter

LittleSnitch Log Statistics Exporter
Python
32
star
33

YARA-Style-Guide

A specification and style guide for YARA rules
32
star
34

SkeletonKeyScanner

Scanner for the SkeletonKey Malware
Python
30
star
35

ThreatResearch-Reporting-Guide

Offensive Research Guide to Help Defense Improve Detection
29
star
36

prisma

Command Line STDOUT Colorer
Python
29
star
37

ReginScanner

Scanner for Regin Virtual Filesystems
Python
26
star
38

space-id

Invisible Watermarks with Space Characters in ASCII Files
Python
22
star
39

neolog

Windows Syslog Command Line Client
15
star
40

narsil

Spy Agency Teasing
Python
14
star
41

yara-uuid-generator

A tool that adds reproducible UUIDs to YARA rules
Python
13
star
42

WPWatcher

Wordpress Watcher is a wrapper for WPScan that manages scans on multiple sites and reports by email
Python
11
star
43

defensive-project-ideas

Ideas for projects for defensive research or blue teaming
10
star
44

agile-hacking

Collection of hacks that make use of the least available on victim systems
Visual Basic
8
star
45

CredsSpreader

A tool to spread canary credentials in your organisation
8
star
46

language-thor

Syntax Theme for THOR APT Scanner log files
5
star
47

yara-type-selectors

YARA rules to certain types of files without using YARA modules to avoid the performance impact
YARA
5
star
48

PassTweaker

Tweaks password files to match modern password requirements
Python
5
star
49

speedy

(Demo) - Only used to demonstrate a memory leak caused by Golang regexp
Go
4
star
50

loki-cloud

A flexible and lightweight way to execute LOKI on end systems
3
star
51

imphash-go

Imphash Generator
1
star