I've just developed a new regex to detect #log4Shell attack attempts in #log4j. It supports obfuscated payloads using recently discovered bypass words.
If you find new bypasses, please let me know. I'll do my best to keep it up-to-date!
Regex and details in this thread (1/8)
If you find new bypasses, please let me know. I'll do my best to keep it up-to-date!
Regex and details in this thread (1/8)
🔍 Regex:
\${(?i)((\${|}+)?(j|(([^-]*?:)+?'?-?(?1)'?))'?}*)((\${|}+)?(n|(([^-]*?:)+?'?-?(?6)'?))'?}*)((\${|}+)?(d|(([^-]*?:)+?'?-?(?11)'?))'?}*)((\${|}+)?(i|ı|(([^-]*?:)+?'?-?(?16)'?))'?}*)
(2/8)
\${(?i)((\${|}+)?(j|(([^-]*?:)+?'?-?(?1)'?))'?}*)((\${|}+)?(n|(([^-]*?:)+?'?-?(?6)'?))'?}*)((\${|}+)?(d|(([^-]*?:)+?'?-?(?11)'?))'?}*)((\${|}+)?(i|ı|(([^-]*?:)+?'?-?(?16)'?))'?}*)
(2/8)
💡 Supported obfuscation methods:
- generic lookup functions (lower, upper, date, ...)
- :- syntax (${X:Y:Z:-VAL})
- random characters in lookup blocks
- random case in lookup blocks
- abrupt termination of lookup block (${lower:})
- ...
(3/8)
- generic lookup functions (lower, upper, date, ...)
- :- syntax (${X:Y:Z:-VAL})
- random characters in lookup blocks
- random case in lookup blocks
- abrupt termination of lookup block (${lower:})
- ...
(3/8)
💡 Supported obfuscation methods:
- ...
- nesting (${lower:${upper:j}})
- Unicode conversion confusion
- any combination of the techniques above
Tested payloads available here: pastebin.com/tASDyHb1
(4/8)
- ...
- nesting (${lower:${upper:j}})
- Unicode conversion confusion
- any combination of the techniques above
Tested payloads available here: pastebin.com/tASDyHb1
(4/8)
⛔ Limitations:
- URL encoding is not directly supported: better to pipe a decoder before running the regex
- finds the "jndi:" pattern only; this ensures to catch any protocol, keeping performances good, and false positive rate low due to the parser pedantism
(5/8)
- URL encoding is not directly supported: better to pipe a decoder before running the regex
- finds the "jndi:" pattern only; this ensures to catch any protocol, keeping performances good, and false positive rate low due to the parser pedantism
(5/8)
⛔ Limitations:
- deliberately verbose to maximize compatibility, as non-PCRE engines may not support advanced features (e.g., DEFINE groups, and relative subpattern recursion)
- if you use Python, use the "regex" module, instead or "re"
(6/8)
- deliberately verbose to maximize compatibility, as non-PCRE engines may not support advanced features (e.g., DEFINE groups, and relative subpattern recursion)
- if you use Python, use the "regex" module, instead or "re"
(6/8)
🛠 How to use it:
- for detecting past malicious activity, analyze your logs with egrep. Note that analyzing logs from the webserver is useless, as you'd get only the computed values. You should use logs of anything before the webserver, or a copy of your traffic.
- ...
(7/8)
- for detecting past malicious activity, analyze your logs with egrep. Note that analyzing logs from the webserver is useless, as you'd get only the computed values. You should use logs of anything before the webserver, or a copy of your traffic.
- ...
(7/8)
🛠 How to use it:
- ...
- for detecting/blocking live attack attempts, implement a new rule on your IDS/IPS using this regex
(8/8)
- ...
- for detecting/blocking live attack attempts, implement a new rule on your IDS/IPS using this regex
(8/8)
• • •
Missing some Tweet in this thread? You can try to
force a refresh
