Suspicious Activity in Shell Commands<\/a>
\n(UUID: 2aa1440c-9ae9-4d92-84a7-a9e5f5e31695)<\/li>\n<\/ul>\n[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.14.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.14.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.14.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
ASGARD Users<\/h1>\n
It takes us few days to release new rules. The rules that we wrote over the weekend may not be available on Monday 13th of December. ASGARD users that want to use the signatures that are still in our QS, can activate the option for these signatures in “Settings > Advanced > Show Signature SigDev Option”.\u00a0<\/p>\n
[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2021\/12\/Screenshot-2021-12-12-at-17.08.08.png” title_text=”Screenshot 2021-12-12 at 17.08.08″ _builder_version=”4.14.2″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.14.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
After changing the setting, new scans show an additional option in the dropdown menu.\u00a0<\/p>\n
[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2021\/12\/Screenshot-2021-12-12-at-17.08.53.png” title_text=”Screenshot 2021-12-12 at 17.08.53″ _builder_version=”4.14.2″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.14.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
Please contact our support in case of any questions.\u00a0<\/p>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.14.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.14.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.14.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
THOR Users<\/h1>\n
Users of our scanner THOR also need to use the signature version that’s in development to get the newest signatures that detect log4j exploitation.\u00a0<\/p>\n
Retrieve that signature pack with:<\/p>\n
thor-util.exe update –sigdev<\/strong><\/p>\n[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"
The Log4Shell vulnerability (CVE-2021-44228) in log4j is actively exploited in-the-wild and highly critical. This blog posts lists some important web resources and the signatures that detect exploitation attempts.LunaSec reported first on the vulnerability.Use this method to detect vulnerable applications and services in your organisation.Different detection patterns and idea to detect exploitation attempts in log files using grep and zgrep.A python script that can be used to detect even the most obfuscated versions of the malicious payload.\u00a0Big collection of advisories and statements by different vendors that use JAVA and log4j.\u00a0Incomplete list of software products that have proven to be vulnerable.Scans the file system of application servers for vulnerable versions of the log4j module.A bash based IOC scanner that can be used on any Linux\/Unix system to detect traces of the attack and vulnerable log4j versions.Signatures Detecting Log4Shell Attacks Check for matches with the following rules: Exploitation YARA EXPL_Log4j_CVE_2021_44228_Dec21_Soft EXPL_Log4j_CVE_2021_44228_Dec21_Hard EXPL_Log4j_CVE_2021_44228_Dec21_OBFUSC EXPL_Log4j_CVE_2021_44228_JAVA_Exception_Dec21_1 SUSP_Base64_Encoded_Exploit_Indicators_Dec21 SUSP_JDNIExploit_Indicators_Dec21 SUSP_EXPL_OBFUSC_Dec21_1 EXPL_JNDI_Exploit_Patterns_Dec21_1 EXPL_Log4j_CallBackDomain_IOCs_Dec21_1 SUSP_EXPL_JAVA_Class_Dec21_1 Sigma Log4j RCE CVE-2021-44228 in Fields UUID: 9be472ed-893c-4ec0-94da-312d2765f654) Log4j RCE CVE-2021-44228 Generic (UUID: 5ea8faa8-db8b-45be-89b0-151b84c82702) JNDIExploit Kit Pattern (UUID: 412d55bc-7737-4d25-9542-5b396867ce55) Post-Exploitation Look for matches with the following rules that trigger on activity observer in-the-wild. YARA SUSP_LNX_SH_Cron_Wget_Apr21_1 SUSP_LNX_Crontab_Wget_Oct21_1 SUSP_ShellCommands_Oct19 Pentest_FullShell_Commands Sigma Suspicious Activity in Shell Commands […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[46,32],"tags":[656,655,654,5],"class_list":["post-11451","post","type-post","status-publish","format-standard","hentry","category-newsletter","category-thor","tag-cve-2021-44228","tag-log4j","tag-log4shell","tag-thor"],"yoast_head":"\n
Log4Shell Detection with Nextron Rules - Nextron Systems<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.nextron-systems.com\/2021\/12\/12\/log4shell-detection-with-thor\/\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.nextron-systems.com\/2021\/12\/12\/log4shell-detection-with-thor\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2021\/12\/12\/log4shell-detection-with-thor\/\"},\"author\":{\"name\":\"Florian Roth\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\"},\"headline\":\"Log4Shell Detection with Nextron Rules\",\"datePublished\":\"2021-12-12T11:15:03+00:00\",\"dateModified\":\"2022-03-25T13:15:38+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2021\/12\/12\/log4shell-detection-with-thor\/\"},\"wordCount\":1264,\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"keywords\":[\"CVE-2021-44228\",\"Log4j\",\"Log4Shell\",\"thor\"],\"articleSection\":[\"Newsletter\",\"THOR\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.nextron-systems.com\/2021\/12\/12\/log4shell-detection-with-thor\/\",\"url\":\"https:\/\/www.nextron-systems.com\/2021\/12\/12\/log4shell-detection-with-thor\/\",\"name\":\"Log4Shell Detection with Nextron Rules - Nextron Systems\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#website\"},\"datePublished\":\"2021-12-12T11:15:03+00:00\",\"dateModified\":\"2022-03-25T13:15:38+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.nextron-systems.com\/2021\/12\/12\/log4shell-detection-with-thor\/\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.nextron-systems.com\/#website\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"name\":\"Nextron Systems\",\"description\":\"We Detect Hackers\",\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.nextron-systems.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\",\"name\":\"Nextron Systems GmbH\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"width\":260,\"height\":260,\"caption\":\"Nextron Systems GmbH\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\",\"name\":\"Florian Roth\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"caption\":\"Florian Roth\"},\"description\":\"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.\",\"url\":\"https:\/\/www.nextron-systems.com\/author\/florian\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Log4Shell Detection with Nextron Rules - Nextron Systems","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.nextron-systems.com\/2021\/12\/12\/log4shell-detection-with-thor\/","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.nextron-systems.com\/2021\/12\/12\/log4shell-detection-with-thor\/#article","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/2021\/12\/12\/log4shell-detection-with-thor\/"},"author":{"name":"Florian Roth","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919"},"headline":"Log4Shell Detection with Nextron Rules","datePublished":"2021-12-12T11:15:03+00:00","dateModified":"2022-03-25T13:15:38+00:00","mainEntityOfPage":{"@id":"https:\/\/www.nextron-systems.com\/2021\/12\/12\/log4shell-detection-with-thor\/"},"wordCount":1264,"publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"keywords":["CVE-2021-44228","Log4j","Log4Shell","thor"],"articleSection":["Newsletter","THOR"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.nextron-systems.com\/2021\/12\/12\/log4shell-detection-with-thor\/","url":"https:\/\/www.nextron-systems.com\/2021\/12\/12\/log4shell-detection-with-thor\/","name":"Log4Shell Detection with Nextron Rules - Nextron Systems","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/#website"},"datePublished":"2021-12-12T11:15:03+00:00","dateModified":"2022-03-25T13:15:38+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.nextron-systems.com\/2021\/12\/12\/log4shell-detection-with-thor\/"]}]},{"@type":"WebSite","@id":"https:\/\/www.nextron-systems.com\/#website","url":"https:\/\/www.nextron-systems.com\/","name":"Nextron Systems","description":"We Detect Hackers","publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.nextron-systems.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.nextron-systems.com\/#organization","name":"Nextron Systems GmbH","url":"https:\/\/www.nextron-systems.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","contentUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","width":260,"height":260,"caption":"Nextron Systems GmbH"},"image":{"@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919","name":"Florian Roth","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","caption":"Florian Roth"},"description":"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.","url":"https:\/\/www.nextron-systems.com\/author\/florian\/"}]}},"_links":{"self":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/11451","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/comments?post=11451"}],"version-history":[{"count":21,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/11451\/revisions"}],"predecessor-version":[{"id":11535,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/11451\/revisions\/11535"}],"wp:attachment":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/media?parent=11451"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/categories?post=11451"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/tags?post=11451"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}