Funky Log4Shell Splunk search.
| ``` Log4Shell hunt: find JNDI lookup strings, including URL-encoded and lookup-nesting obfuscated variants, in raw events. A hit shows a payload was logged, not that a lookup succeeded; triage the source host and the destination in the payload separately. ``` | |
| ``` NOTE(review): no index, sourcetype or host constraint is set, so this runs against the default search scope. Add the relevant index/sourcetype in front of the TERM clauses before running it broadly; the recursive rex below is expensive on large result sets. ``` | |
| ``` Base search. TERM() matches indexed tokens as-is, so every fragment has to be listed explicitly. First group: the plain jndi token, the env lookup form, and the ::- default-value fragments (j, jn, jnd, jndi, n, nd, ndi, d, di, i) that presumably reassemble the word jndi across nested lookups. ``` | |
| TERM(jndi:*) OR TERM(env:ENV_NAME:*) OR TERM(::-/) OR | |
| TERM(::-j) OR TERM(::-jn) OR TERM(::-jnd) OR TERM(::-jndi) OR | |
| TERM(::-n) OR TERM(::-nd) OR TERM(::-ndi) OR | |
| TERM(::-d) OR TERM(::-di) OR | |
| TERM(::-i) OR | |
| ``` Same fragments wrapped in the lower: and upper: case-conversion lookups; both cases are listed because TERM() does not fold case. ``` | |
| TERM(lower:j) OR TERM(lower:jn) OR TERM(lower:jnd) OR TERM(lower:jndi) OR | |
| TERM(lower:n) OR TERM(lower:nd) OR TERM(lower:ndi) OR | |
| TERM(lower:d) OR TERM(lower:di) OR | |
| TERM(lower:i) OR | |
| TERM(upper:j) OR TERM(upper:jn) OR TERM(upper:jnd) OR TERM(upper:jndi) OR | |
| TERM(upper:n) OR TERM(upper:nd) OR TERM(upper:ndi) OR | |
| TERM(upper:d) OR TERM(upper:di) OR | |
| TERM(upper:i) OR | |
| ``` URL-encoded openers: %24%7B is the literal ${ and %6a is the letter j. The second line is the same pair encoded once more (%25 is a percent sign), which catches double-encoded payloads. ``` | |
| TERM(%24%7B%24%7B*) OR TERM(%24%7B%6a*) OR | |
| TERM(%2524%257B%24%7B*) OR TERM(%2524%257B%256a*) | |
| ``` One urldecode pass over the raw event. Only a single layer is removed here; the detection regex below tolerates any remaining %25-style layers itself. ``` | |
| | eval decoded=urldecode(_raw) | |
| ``` Generate Random Event ID for later deduping, from 100 to 100,000 https://community.splunk.com/t5/Splunk-Search/How-do-I-generate-a-random-number-between-a-specific-range/m-p/378229 ``` | |
| ``` randID lands in the range 100 to 100000 inclusive and is computed once per event, before mvexpand, so every candidate payload split out of the same event shares it. dedup at the end relies on that. ``` | |
| | eval randID = round(((random() % 100000)/(100000)) * (100000 - 100) + 100) | |
| ``` log4shell regex: https://github.com/back2root/log4shell-rex ``` | |
| ``` Filter to events containing a full lookup: ${ then j n d i then a colon then a scheme (ldap, ldaps, rmi, dns, nis, iiop, corba, nds, http, https) followed by a colon, or what appears to be a base64-encoded form. Each letter may be literal, percent-encoded (with repeated %25 layers) or \u-escaped, and any non-newline text may sit between letters, hence the many lazy [^\n]*? runs. The pattern must stay on one line; the break shown below looks like a display wrap. ``` | |
| | regex decoded="(?im)(?:^|[\\n]).*?(?:[\\x24]|%(?:25%?)*24|\\\\u?0*(?:44|24))(?:[\\x7b]|%(?:25%?)*7b|\\\\u?0*(?:7b|173))[^\\n]*?((?:j|%(?:25%?)*(?:4a|6a)|\\\\u?0*(?:112|6a|4a|152))[^\\n]*?(?:n|%(?:25%?)*(?:4e|6e)|\\\\u?0*(?:4e|156|116|6e))[^\\n]*?(?:d|%(?:25%?)*(?:44|64)|\\\\u?0*(?:44|144|104|64))[^\\n]*?(?:[i\\x{130}\\x{131}]|%(?:25%?)*(?:49|69|C4%(?:25%?)*B0|C4%(?:25%?)*B1)|\\\\u?0*(?:111|69|49|151|130|460|131|461))[^\\n]*?(?:[\\x3a]|%(?:25%?)*3a|\\\\u?0*(?:72|3a))[^\\n]*?((?:l|%(?:25%?)*(?:4c|6c)|\\\\u?0*(?:154|114|6c|4c))[^\\n]*?(?:d|%(?:25%?)*(?:44|64)|\\\\u?0*(?:44|144|104|64))[^\\n]*?(?:a|%(?:25%?)*(?:41|61)|\\\\u?0*(?:101|61|41|141))[^\\n]*?(?:p|%(?:25%?)*(?:50|70)|\\\\u?0*(?:70|50|160|120))(?:[^\\n]*?(?:[s\\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\\\u?0*(?:17f|123|577|73|53|163)))?|(?:r|%(?:25%?)*(?:52|72)|\\\\u?0*(?:122|72|52|162))[^\\n]*?(?:m|%(?:25%?)*(?:4d|6d)|\\\\u?0*(?:4d|155|115|6d))[^\\n]*?(?:[i\\x{130}\\x{131}]|%(?:25%?)*(?:49|69|C4%(?:25%?)*B0|C4%(?:25%?)*B1)|\\\\u?0*(?:111|69|49|151|130|460|131|461))|(?:d|%(?:25%?)*(?:44|64)|\\\\u?0*(?:44|144|104|64))[^\\n]*?(?:n|%(?:25%?)*(?:4e|6e)|\\\\u?0*(?:4e|156|116|6e))[^\\n]*?(?:[s\\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\\\u?0*(?:17f|123|577|73|53|163))|(?:n|%(?:25%?)*(?:4e|6e)|\\\\u?0*(?:4e|156|116|6e))[^\\n]*?(?:[i\\x{130}\\x{131}]|%(?:25%?)*(?:49|69|C4%(?:25%?)*B0|C4%(?:25%?)*B1)|\\\\u?0*(?:111|69|49|151|130|460|131|461))[^\\n]*?(?:[s\\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\\\u?0*(?:17f|123|577|73|53|163))|(?:[^\\n]*?(?:[i\\x{130}\\x{131}]|%(?:25%?)*(?:49|69|C4%(?:25%?)*B0|C4%(?:25%?)*B1)|\\\\u?0*(?:111|69|49|151|130|460|131|461))){2}[^\\n]*?(?:o|%(?:25%?)*(?:4f|6f)|\\\\u?0*(?:6f|4f|157|117))[^\\n]*?(?:p|%(?:25%?)*(?:50|70)|\\\\u?0*(?:70|50|160|120))|(?:c|%(?:25%?)*(?:43|63)|\\\\u?0*(?:143|103|63|43))[^\\n]*?(?:o|%(?:25%?)*(?:4f|6f)|\\\\u?0*(?:6f|4f|157|117))[^\\n]*?(?:r|%(?:25%?)*(?:52|72)|\\\\u?0*(?:122|72|52|162))[^\\n]*?(?:b|%(?:25%?)*(?:42|62)|\\\\u?0*(?:102|62|42|142))[^\\n]*?(?
:a|%(?:25%?)*(?:41|61)|\\\\u?0*(?:101|61|41|141))|(?:n|%(?:25%?)*(?:4e|6e)|\\\\u?0*(?:4e|156|116|6e))[^\\n]*?(?:d|%(?:25%?)*(?:44|64)|\\\\u?0*(?:44|144|104|64))[^\\n]*?(?:[s\\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\\\u?0*(?:17f|123|577|73|53|163))|(?:h|%(?:25%?)*(?:48|68)|\\\\u?0*(?:110|68|48|150))(?:[^\\n]*?(?:t|%(?:25%?)*(?:54|74)|\\\\u?0*(?:124|74|54|164))){2}[^\\n]*?(?:p|%(?:25%?)*(?:50|70)|\\\\u?0*(?:70|50|160|120))(?:[^\\n]*?(?:[s\\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\\\u?0*(?:17f|123|577|73|53|163)))?)[^\\n]*?(?:[\\x3a]|%(?:25%?)*3a|\\\\u?0*(?:72|3a))|(?:b|%(?:25%?)*(?:42|62)|\\\\u?0*(?:102|62|42|142))[^\\n]*?(?:a|%(?:25%?)*(?:41|61)|\\\\u?0*(?:101|61|41|141))[^\\n]*?(?:[s\\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\\\u?0*(?:17f|123|577|73|53|163))[^\\n]*?(?:e|%(?:25%?)*(?:45|65)|\\\\u?0*(?:45|145|105|65))[^\\n]*?(?:[\\x3a]|%(?:25%?)*3a|\\\\u?0*(?:72|3a))(JH[s-v]|[\\x2b\\x2f-9A-Za-z][CSiy]R7|[\\x2b\\x2f-9A-Za-z]{2}[048AEIMQUYcgkosw]ke[\\x2b\\x2f-9w-z]))" | |
| ``` Extract all instances of ${.*} maintaining {} symmetry. This returns multiple results for each log only one of which contains the entire payload ``` | |
| ``` PCRE-only features here: a DEFINE block with recursion (?R) and (?&nested) to match balanced braces, and (*SKIP)(*FAIL) to discard non-dollar text. max_match=0 collects every match into the multivalue field potential_payload. Recursive matching is costly on long events, another reason to scope the search. ``` | |
| | rex field=decoded "(?im)(?(DEFINE)(?'nested'\$\{((?>[^${}]+)|(?R))*+\})(?'payload'\$\{((?>[^${}]+|(?&nested)*)|(?R))*+\}))(?:([^$](*SKIP)(*FAIL)))|(?<potential_payload>(?&payload))" max_match=0 | |
| ``` Keep events the base search matched but where no balanced ${...} could be extracted, so they are not silently dropped by mvexpand; they are tagged with the marker value instead. ``` | |
| | fillnull value="unable to extract" potential_payload | |
| ``` One row per candidate payload; randID, _time and host are carried onto every row. ``` | |
| | mvexpand potential_payload | |
| ``` Narrow to only the full jndi string. Remove edge case of "${*:jndi}" obfuscation. (written with smooth operator to allow for easy additions) ``` | |
| ``` Deliberately loose: any ${...} whose contents have j, n, d, i in that order passes, so a long benign lookup string can still slip through. Review hits before alerting on them. ``` | |
| | regex potential_payload="((?im)\$\{.*j.*n.*d.*i.*\})" | |
| | search NOT potential_payload IN ("${*:jndi}") | |
| ``` Remove duplicates ``` | |
| ``` Collapses the extra rows mvexpand produced for the same event and payload. Two distinct events would only merge if they shared host, _time, payload and the random id, which is unlikely but not impossible. ``` | |
| | dedup randID _time host potential_payload |