Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

Antonio2022
New Contributor II

FortiSIEM Rule to identify Apache log4j exploits (CVE-2021-44228)

Hello there,

The following rules was created and adapted from an Exabeam query. See original post below.
https://community.exabeam.com/s/article/Detecting-CVE-2021-44228-Log4j2-using-Exabeam


Event type != FortiGate-ips-signature-51006          [we do not want to include any event reported by FortiGate, just events reported by servers]
AND
(
Raw Event Log  CONTAIN  jndi:ldap
OR
Raw Event Log  CONTAIN  jndi:dns
orORRaw Event Log  CONTAIN  jndi:ldaps
OR
Raw Event Log  CONTAIN  jndi:rmi
OR
Raw Event Log  CONTAIN  j}ndi
OR
Raw Event Log  CONTAIN  jndi%3Aldap
OR
Raw Event Log  CONTAIN  jndi%3Aldns
OR
Raw Event Log  CONTAIN ${jndi:ldap:
OR
Raw Event Log  CONTAIN  ${${::-j}${::-n}${::-d}${::-i}:
OR
Raw Event Log  CONTAIN    ${${::-j}ndi:\" OR \"${${lower:jndi}
)

The reason why we are using Raw Event Log is because FortiSIEM is not parsing all WMI application Widows events. It is required to modify the parser to capture this information.

An alternative Rule specific for Windows devices could be:
Event type = Win-App-ASP.NET-4.0.30319.0-1309
Raw Event Log   CONTAIN  jndi:ldap

---------------------
False positives:
--------------------
The server Log4j 2 library version is not within this range 2.0-beta9 to 2.14.1.
You need to either verify manually on the server(s) or perform some sort vulnerability scan. 


IOCs:
https://securityblue.team/log4j-hunting-and-indicators/
https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv 


I hope it helps
0 REPLIES 0
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.