Splunk search for Detecting Log4J jndi Vulnerabilities (CVE-2021-44228) (Log4Shell)

[ | tstats count where index=* AND punct IN ("*${*","*$%*") earliest=-7d latest=now by index, sourcetype | fields - count | format ] AND (((punct=*$* AND punct=*:*) OR (punct=*%*)) AND ("*${*" OR "*%24{*" OR "*$%7B*" OR "*%24%7B*") AND ("//" OR "%2F%2F" OR "/%2F" OR "%2F/") ) | eval decoded_raw = urldecode(_raw) | regex decoded_raw="\$\S*?{\S*?j[A-Za-z:\-\$[]]*?n[A-Za-z:\-\$[]]*?d[A-Za-z:\-\$[]]*?i[^\s\/]*//.*"
This search flags attempted exploitation of CVE-2021-44228 (Log4Shell), the JNDI lookup injection in Log4j 2. The subsearch runs tstats over the indexed punct field to find every index and sourcetype that has seen "${" or "$%" punctuation in the last seven days and feeds them into the main search as index/sourcetype filters. The main search then requires some form of "${" (plain or URL-encoded) together with a "//", URL-decodes _raw with urldecode(), and applies a regex that looks for "${ ... j ... n ... d ... i ... //". A match means the payload reached a log line, which is an attempt, not proof that the lookup executed; confirm with outbound LDAP, RMI or DNS traffic from the logging host. Two caveats. First, the search only works on sourcetypes that populate the punct field; if you have sourcetypes with no punct field you will need to add those indexes and sourcetypes to the search by hand. Second, the character class in the regex closes at the first "]": PCRE reads "[A-Za-z:\-\$[]" as the class and the "]*?" that follows as a literal "]", so the pattern effectively only matches a contiguous "jndi" (optionally interleaved with "]") and misses the well-known "${${::-j}ndi:...}" style of nested-lookup obfuscation. Keep that in mind before treating a zero-hit result as a clean bill of health.

Category: Security

Tags: security log4j jndi cve-2021-44228

Search Commands: tstats, fields, format, eval, regex


Comments

fbrizzi | March 2023

correct: [| tstats count where index=* AND punct IN ("*${*","*$%*") earliest=-1mon latest=now by index, sourcetype | fields - count | format ] AND (((punct=*$* AND punct=*:*) OR (punct=*%*)) AND ("*${*" OR "*%24{*" OR "*$%7B*" OR "*%24%7B*") AND ("//" OR "%2F%2F" OR "/%2F" OR "%2F/") ) | eval decoded_raw = urldecode(_raw) | regex decoded_raw="\$\S*?{\S*?j[A-Za-z:\-\$[]]*?n[A-Za-z:\-\$[]]*?d[A-Za-z:\-\$[]]*?i[^\s\/]*//.*"