YARA rules for CVE-2021-44228

7 rules · scoped to CVE-2021-44228
YARA rules whose family, name, or description matches this CVE or its tooling; use them for binary-pattern hunts.

direct Log4j
EXPL_Log4j_CallBackDomain_IOCs_Dec21_1
Detects IOCs found in Log4Shell incidents that indicate exploitation attempts of CVE-2021-44228
author: Florian Roth (Nextron Systems) · license: see source repo
rule EXPL_Log4j_CallBackDomain_IOCs_Dec21_1 {
   meta:
      description = "Detects IOCs found in Log4Shell incidents that indicate exploitation attempts of CVE-2021-44228"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://gist.github.com/superducktoes/9b742f7b44c71b4a0d19790228ce85d8"
      date = "2021-12-12"
      score = 60
      id = "474afa96-1758-587e-8cab-41c5205e245e"
   strings:
      $xr1  = /\b(ldap|rmi):\/\/([a-z0-9\.]{1,16}\.bingsearchlib\.com|[a-z0-9\.]{1,40}\.interact\.sh|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):[0-9]{2,5}\/([aZ]|ua|Exploit|callback|[0-9]{10}|http443useragent|http80useragent)\b/
   condition:
      1 of them
}
direct Log4j
EXPL_Log4j_CVE_2021_44228_JAVA_Exception_Dec21_1
Detects exceptions found in server logs that indicate an exploitation attempt of CVE-2021-44228
author: Florian Roth (Nextron Systems) · license: see source repo
rule EXPL_Log4j_CVE_2021_44228_JAVA_Exception_Dec21_1 {
   meta:
      description = "Detects exceptions found in server logs that indicate an exploitation attempt of CVE-2021-44228"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b"
      date = "2021-12-12"
      score = 60
      id = "82cf337e-4ea1-559b-a7b8-512a07adf06f"
   strings:
      $xa1 = "header with value of BadAttributeValueException: "
      
      $sa1 = ".log4j.core.net.JndiManager.lookup(JndiManager"
      $sa2 = "Error looking up JNDI resource"
   condition:
      $xa1 or all of ($sa*)
}
direct Log4j
EXPL_Log4j_CVE_2021_44228_Dec21_Soft
Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228
author: Florian Roth (Nextron Systems) · license: see source repo
rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft : FILE {
   meta:
      description = "Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
      date = "2021-12-10"
      modified = "2025-03-24"
      score = 50
      id = "87e536a5-cc11-528a-b100-4fa3b2b7bc0c"
   strings:
      $x01 = "${jndi:ldap:/"
      $x02 = "${jndi:rmi:/"
      $x03 = "${jndi:ldaps:/"
      $x04 = "${jndi:dns:/"
      $x05 = "${jndi:iiop:/"
      $x06 = "${jndi:http:/"
      $x07 = "${jndi:nis:/"
      $x08 = "${jndi:nds:/"
      $x09 = "${jndi:corba:/"

      $fp1 = "<html"
      $fp2 = "/nessus}"
   condition:
      1 of ($x*) and not 1 of ($fp*)
}
direct Log4j
EXPL_Log4j_CVE_2021_44228_Dec21_OBFUSC
Detects obfuscated indicators in server logs that indicate an exploitation attempt of CVE-2021-44228
author: Florian Roth (Nextron Systems) · license: see source repo
rule EXPL_Log4j_CVE_2021_44228_Dec21_OBFUSC {
   meta:
      description = "Detects obfuscated indicators in server logs that indicate an exploitation attempt of CVE-2021-44228"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
      date = "2021-12-12"
      modified = "2021-12-13"
      score = 60
      id = "d7c4092a-6ffc-5a89-b73a-f7f0ac984cbd"
   strings:
      $x1 = "$%7Bjndi:"
      $x2 = "%2524%257Bjndi"
      $x3 = "%2F%252524%25257Bjndi%3A"
      $x4 = "${jndi:${lower:"
      $x5 = "${::-j}${"
      $x6 = "${${env:BARFOO:-j}"
      $x7 = "${::-l}${::-d}${::-a}${::-p}"
      $x8 = "${base64:JHtqbmRp"

      $fp1 = "<html"
   condition:
      1 of ($x*) and not 1 of ($fp*)
}
direct Log4j
EXPL_Log4j_CVE_2021_44228_Dec21_Hard
Detects indicators in server logs that indicate the exploitation of CVE-2021-44228
author: Florian Roth · license: see source repo
rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard : FILE {
   meta:
      description = "Detects indicators in server logs that indicate the exploitation of CVE-2021-44228"
      author = "Florian Roth"
      reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
      date = "2021-12-10"
      modified = "2025-03-20"
      score = 65
      id = "5297c42d-7138-507d-a3eb-153afe522816"
   strings:
      $x1 = /\$\{jndi:(ldap|ldaps|rmi|dns|iiop|http|nis|nds|corba):\/[\/]?[a-z-\.0-9]{3,120}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}/
      $x2 = "Reference Class Name: foo"
      $fp1r = /(ldap|rmi|ldaps|dns):\/[\/]?(127\.0\.0\.1|192\.168\.|172\.[1-3][0-9]\.|10\.)/

      $fpg2 = "<html"
      $fpg3 = "<HTML"
      
      $fp1 = "/QUALYSTEST" ascii
      $fp2 = "w.nessus.org/nessus"
      $fp3 = "/nessus}"
   condition:
      1 of ($x*) and not 1 of ($fp*)
}
direct Base64
SUSP_Base64_Encoded_Exploit_Indicators_Dec21
Detects base64 encoded strings found in payloads of exploits against log4j CVE-2021-44228
author: Florian Roth (Nextron Systems) · license: see source repo
rule SUSP_Base64_Encoded_Exploit_Indicators_Dec21 {
   meta:
      description = "Detects base64 encoded strings found in payloads of exploits against log4j CVE-2021-44228"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/Reelix/status/1469327487243071493"
      date = "2021-12-10"
      modified = "2021-12-13"
      score = 70
      id = "09abc4f0-ace7-5f53-b1d3-5f5c6bf3bdba"
   strings:
      /* curl -s  */
      $sa1 = "Y3VybCAtcy"
      $sa2 = "N1cmwgLXMg"
      $sa3 = "jdXJsIC1zI"
      /* |wget -q -O-  */
      $sb1 = "fHdnZXQgLXEgLU8tI"
      $sb2 = "x3Z2V0IC1xIC1PLS"
      $sb3 = "8d2dldCAtcSAtTy0g"

      $fp1 = "<html"
   condition:
      1 of ($sa*) and 1 of ($sb*)
      and not 1 of ($fp*)
}
direct OBFUSC
SUSP_EXPL_OBFUSC_Dec21_1
Detects obfuscation methods used to evade detection in log4j exploitation attempt of CVE-2021-44228
author: Florian Roth (Nextron Systems) · license: see source repo
rule SUSP_EXPL_OBFUSC_Dec21_1 {
   meta:
      description = "Detects obfuscation methods used to evade detection in log4j exploitation attempt of CVE-2021-44228"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/testanull/status/1469549425521348609"
      date = "2021-12-11"
      modified = "2022-11-08"
      score = 60
      id = "b8f56711-7922-54b9-9ce2-6ba05d64c80d"
   strings:
      /* ${lower:X} - single character match */
      $f1 = { 24 7B 6C 6F 77 65 72 3A ?? 7D }
      /* ${upper:X} - single character match */
      $f2 = { 24 7B 75 70 70 65 72 3A ?? 7D }
      /* URL encoded lower - obfuscation in URL */
      $x3 = "$%7blower:"
      $x4 = "$%7bupper:"
      $x5 = "%24%7bjndi:"
      $x6 = "$%7Blower:"
      $x7 = "$%7Bupper:"
      $x8 = "%24%7Bjndi:"

      $fp1 = "<html"
   condition:
      (
         1 of ($x*) or
         filesize < 200KB and 1 of ($f*)
      )
      and not 1 of ($fp*)
}
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin