Skip to content

Instantly share code, notes, and snippets.

@oukeu

oukeu/Log4Shell.spl

Last active May 5, 2022 21:45
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save oukeu/d9f3e77a30a24099f21c628ddc65a6a7 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save oukeu/d9f3e77a30a24099f21c628ddc65a6a7 to your computer and use it in GitHub Desktop.
Download ZIP
Funky Log4Shell splunk search.
Raw
Log4Shell.spl
TERM(jndi:*) OR TERM(env:ENV_NAME:*) OR TERM(::-/) OR
TERM(::-j) OR TERM(::-jn) OR TERM(::-jnd) OR TERM(::-jndi) OR
TERM(::-n) OR TERM(::-nd) OR TERM(::-ndi) OR
TERM(::-d) OR TERM(::-di) OR
TERM(::-i) OR
TERM(lower:j) OR TERM(lower:jn) OR TERM(lower:jnd) OR TERM(lower:jndi) OR
TERM(lower:n) OR TERM(lower:nd) OR TERM(lower:ndi) OR
TERM(lower:d) OR TERM(lower:di) OR
TERM(lower:i) OR
TERM(upper:j) OR TERM(upper:jn) OR TERM(upper:jnd) OR TERM(upper:jndi) OR
TERM(upper:n) OR TERM(upper:nd) OR TERM(upper:ndi) OR
TERM(upper:d) OR TERM(upper:di) OR
TERM(upper:i) OR
TERM(%24%7B%24%7B*) OR TERM(%24%7B%6a*) OR
TERM(%2524%257B%24%7B*) OR TERM(%2524%257B%256a*)
| eval decoded=urldecode(_raw)
``` Generate Random Event ID for later deduping, from 100 to 100,000 https://community.splunk.com/t5/Splunk-Search/How-do-I-generate-a-random-number-between-a-specific-range/m-p/378229 ```
| eval randID = round(((random() % 100000)/(100000)) * (100000 - 100) + 100)
``` log4shell regex: https://github.com/back2root/log4shell-rex ```
| regex decoded="(?im)(?:^|[\\n]).*?(?:[\\x24]|%(?:25%?)*24|\\\\u?0*(?:44|24))(?:[\\x7b]|%(?:25%?)*7b|\\\\u?0*(?:7b|173))[^\\n]*?((?:j|%(?:25%?)*(?:4a|6a)|\\\\u?0*(?:112|6a|4a|152))[^\\n]*?(?:n|%(?:25%?)*(?:4e|6e)|\\\\u?0*(?:4e|156|116|6e))[^\\n]*?(?:d|%(?:25%?)*(?:44|64)|\\\\u?0*(?:44|144|104|64))[^\\n]*?(?:[i\\x{130}\\x{131}]|%(?:25%?)*(?:49|69|C4%(?:25%?)*B0|C4%(?:25%?)*B1)|\\\\u?0*(?:111|69|49|151|130|460|131|461))[^\\n]*?(?:[\\x3a]|%(?:25%?)*3a|\\\\u?0*(?:72|3a))[^\\n]*?((?:l|%(?:25%?)*(?:4c|6c)|\\\\u?0*(?:154|114|6c|4c))[^\\n]*?(?:d|%(?:25%?)*(?:44|64)|\\\\u?0*(?:44|144|104|64))[^\\n]*?(?:a|%(?:25%?)*(?:41|61)|\\\\u?0*(?:101|61|41|141))[^\\n]*?(?:p|%(?:25%?)*(?:50|70)|\\\\u?0*(?:70|50|160|120))(?:[^\\n]*?(?:[s\\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\\\u?0*(?:17f|123|577|73|53|163)))?|(?:r|%(?:25%?)*(?:52|72)|\\\\u?0*(?:122|72|52|162))[^\\n]*?(?:m|%(?:25%?)*(?:4d|6d)|\\\\u?0*(?:4d|155|115|6d))[^\\n]*?(?:[i\\x{130}\\x{131}]|%(?:25%?)*(?:49|69|C4%(?:25%?)*B0|C4%(?:25%?)*B1)|\\\\u?0*(?:111|69|49|151|130|460|131|461))|(?:d|%(?:25%?)*(?:44|64)|\\\\u?0*(?:44|144|104|64))[^\\n]*?(?:n|%(?:25%?)*(?:4e|6e)|\\\\u?0*(?:4e|156|116|6e))[^\\n]*?(?:[s\\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\\\u?0*(?:17f|123|577|73|53|163))|(?:n|%(?:25%?)*(?:4e|6e)|\\\\u?0*(?:4e|156|116|6e))[^\\n]*?(?:[i\\x{130}\\x{131}]|%(?:25%?)*(?:49|69|C4%(?:25%?)*B0|C4%(?:25%?)*B1)|\\\\u?0*(?:111|69|49|151|130|460|131|461))[^\\n]*?(?:[s\\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\\\u?0*(?:17f|123|577|73|53|163))|(?:[^\\n]*?(?:[i\\x{130}\\x{131}]|%(?:25%?)*(?:49|69|C4%(?:25%?)*B0|C4%(?:25%?)*B1)|\\\\u?0*(?:111|69|49|151|130|460|131|461))){2}[^\\n]*?(?:o|%(?:25%?)*(?:4f|6f)|\\\\u?0*(?:6f|4f|157|117))[^\\n]*?(?:p|%(?:25%?)*(?:50|70)|\\\\u?0*(?:70|50|160|120))|(?:c|%(?:25%?)*(?:43|63)|\\\\u?0*(?:143|103|63|43))[^\\n]*?(?:o|%(?:25%?)*(?:4f|6f)|\\\\u?0*(?:6f|4f|157|117))[^\\n]*?(?:r|%(?:25%?)*(?:52|72)|\\\\u?0*(?:122|72|52|162))[^\\n]*?(?:b|%(?:25%?)*(?:42|62)|\\\\u?0*(?:102|62|42|142))[^\\n]*?(?:a|%(?:25%?)*(?:41|61)|\\\\u?0*(?:101|61|41|141))|(?:n|%(?:25%?)*(?:4e|6e)|\\\\u?0*(?:4e|156|116|6e))[^\\n]*?(?:d|%(?:25%?)*(?:44|64)|\\\\u?0*(?:44|144|104|64))[^\\n]*?(?:[s\\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\\\u?0*(?:17f|123|577|73|53|163))|(?:h|%(?:25%?)*(?:48|68)|\\\\u?0*(?:110|68|48|150))(?:[^\\n]*?(?:t|%(?:25%?)*(?:54|74)|\\\\u?0*(?:124|74|54|164))){2}[^\\n]*?(?:p|%(?:25%?)*(?:50|70)|\\\\u?0*(?:70|50|160|120))(?:[^\\n]*?(?:[s\\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\\\u?0*(?:17f|123|577|73|53|163)))?)[^\\n]*?(?:[\\x3a]|%(?:25%?)*3a|\\\\u?0*(?:72|3a))|(?:b|%(?:25%?)*(?:42|62)|\\\\u?0*(?:102|62|42|142))[^\\n]*?(?:a|%(?:25%?)*(?:41|61)|\\\\u?0*(?:101|61|41|141))[^\\n]*?(?:[s\\x{17f}]|%(?:25%?)*(?:53|73|C5%(?:25%?)*BF)|\\\\u?0*(?:17f|123|577|73|53|163))[^\\n]*?(?:e|%(?:25%?)*(?:45|65)|\\\\u?0*(?:45|145|105|65))[^\\n]*?(?:[\\x3a]|%(?:25%?)*3a|\\\\u?0*(?:72|3a))(JH[s-v]|[\\x2b\\x2f-9A-Za-z][CSiy]R7|[\\x2b\\x2f-9A-Za-z]{2}[048AEIMQUYcgkosw]ke[\\x2b\\x2f-9w-z]))"
``` Extract all instances of ${.*} maintaining {} symmetry. This returns multiple results for each log only one of which contains the entire payload ```
| rex field=decoded "(?im)(?(DEFINE)(?'nested'\$\{((?>[^${}]+)|(?R))*+\})(?'payload'\$\{((?>[^${}]+|(?&nested)*)|(?R))*+\}))(?:([^$](*SKIP)(*FAIL)))|(?<potential_payload>(?&payload))" max_match=0
| fillnull value="unable to extract" potential_payload
| mvexpand potential_payload
``` Narrow to only the full jndi string. Remove edge case of "${*:jndi}" obfuscation. (written with smooth operator to allow for easy additions) ```
| regex potential_payload="((?im)\$\{.*j.*n.*d.*i.*\})"
| search NOT potential_payload IN ("${*:jndi}")
``` Remove duplicates ```
| dedup randID _time host potential_payload
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment