This is a public repository from Wortell containing information, links, files and other items related to CVE-2021-44228.
Here are a few options to try to find applications that use Log4j and could potentially be abused:
- BURP Pro add-in: https://gist.github.com/kugg/0d08b6548db249eaffaca1799e0d01d6
- File scanner (obv Powershell, for Windows): https://gist.github.com/Skons/0b9bbfbbf37d2707ccf83f3d549a6588
- File Scanner (obv Go, all platforms) https://github.com/dtact/divd-2021-00038--log4j-scanner (Will also disable JNDI, when found!)
- Vulnerable test app: https://github.com/kugg/log4shellverify
- Web/URL scanner: https://github.com/zerobs-rvn/hrafna
- Web/URL scanner: https://github.com/fullhunt/log4j-scan
- Shodan: https://www.shodan.io/search?query=has_vuln%3ACVE2021-44228
- Tenable plugins: https://www.tenable.com/plugins/search?q=cves%3A%28%22CVE-2021-44228%22%29&sort=&page=1
- Lunasec Scanner: https://github.com/lunasec-io/lunasec/releases/tag/v1.0.0-log4shell
- Log Scanner (It checks local log files for indicators of exploitation attempts) https://github.com/Neo23x0/log4shell-detector
- Detects log4j versions on your file-system, including deeply recursively nested copies (jars inside jars inside jars). Works on Linux, Windows, and Mac, and everywhere else Java runs, too! https://github.com/mergebase/log4j-detector
- Ansible-based scanner https://github.com/robertdebock/ansible-role-cve_2021_44228
- NCC Group Indicators of compromise https://research.nccgroup.com/2021/12/12/log4shell-reconnaissance-and-post-exploitation-network-detection/
- Nested Log4J exploit strings https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words
- Microsoft's Threat Intelligence Center IOC feed https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv
- Crowdsec IOC list https://gist.github.com/blotus/f87ed46718bfdc634c9081110d243166
- (Dutch) NCSC list of vulnerable applications: https://github.com/NCSC-NL/log4shell/blob/main/scanning/README.md
- Lunasec (Guide to detect and mitigate Log4Shell) https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/
- Govcert.ch Zero Day Exploit targeting popular Java Library Log4j https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/
- Dutch NCSC guidance: https://www.ncsc.nl/actueel/nieuws/2021/december/12/kwetsbare-log4j-applicaties-en-te-nemen-stappen
- Dutch NCSC advisory: https://www.ncsc.nl/actueel/advisory?id=NCSC-2021-1052
- Log4Shell: the defender’s worst nightmare? https://www.sekoia.io/en/log4shell-the-defenders-worst-nightmare/
- Microsoft: Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/
- How to detect Log4j with MS Endpoint Manager (Alex Verboon) https://www.verboon.info/2021/12/how-to-detect-the-log4shell-vulnerability-cve-2021-44228-with-microsoft-endpoint-configuration-manager/
- Attackers now shifting from LDAP to RMI https://blogs.juniper.net/en-us/threat-research/log4j-vulnerability-attackers-shift-focus-from-ldap-to-rmi
- Conti Becomes The First Sophisticated Crimeware Group Weaponizing Log4j2 https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement
- VX-underground is maintaining a library of samples from malware families that have been seen abusing the log4j CVE: https://samples.vx-underground.org/samples/Families/Log4J%20Malware/
- Samples of log4j library versions to help validate log4j scanners / detectors: https://github.com/mergebase/log4j-samples/
- Microsoft Sentinel provides a CVE-2021-44228 Log4Shell Research Lab Environment for testing and learning more about the vulnerability: https://github.com/Cyb3rWard0g/log4jshell-lab
- Apache LOG4J version 2.16.0 https://logging.apache.org/log4j/2.x/download.html
! IMPORTANT ! Exploits are continuously developed. Always make sure to work with the latest version of the scanners.
- Identify potentially vulnerable devices by using https://github.com/NCSC-NL/log4shell/blob/main/software/README.md - This is a time-consuming task, but you need to do it anyway, so better start quickly!
- Run a scan to check for vulnerable Java applications/dependencies using https://github.com/mergebase/log4j-detector with the command
java log4j-detector-2021.12.14.jar c:/
and watch for files that have been classified as vulnerable.
- Run a scan to check for exploit attempts using https://github.com/Neo23x0/log4shell-detector with the command
python3 log4shell-detector.py -p c:\
and watch for exploitation attempts.
Here are Wortell specialists blogging about LOG4J:
- Jeffrey Appel: Microsoft Defender https://jeffreyappel.nl/microsoft-defender-for-endpoint-log4j/
- Jeroen Niesen: reverse engineering https://www.wortell.nl/en/blogs/cve-2021-44228-log4shell