github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-28 15:47:25 +00:00
Code Issues Projects Releases Wiki Activity

rule(Java Process Class Download): detect potential successful log4shell exploitation

Browse Source 
Signed-off-by: joon <pirxthepilot@users.noreply.github.com>
This commit is contained in:
joon 2022-06-05 18:00:33 -07:00 committed by poiana
parent 85f91a3ec4
commit 583ac4192c
1 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
rules/falco_rules.yaml
View File

@ -3178,6 +3178,18 @@
priority: CRITICAL priority: CRITICAL
tags: [container, mitre_privilege_escalation, mitre_lateral_movement] tags: [container, mitre_privilege_escalation, mitre_lateral_movement]
# Rule for detecting potential Log4Shell (CVE-2021-44228) exploitation
- macro: java_network_read
condition: (evt.type=recvfrom and fd.type in (ipv4, ipv6) and proc.name=java)
- rule: Java Process Class File Download
desc: Detected Java process downloading a class file which could indicate a successful exploit of the log4shell Log4j vulnerability (CVE-2021-44228)
condition: >
java_network_read and evt.buffer bcontains cafebabe
output: Java process class file download (user=%user.name user_loginname=%user.loginname user_loginuid=%user.loginuid event=%evt.type connection=%fd.name server_ip=%fd.sip server_port=%fd.sport proto=%fd.l4proto process=%proc.name command=%proc.cmdline parent=%proc.pname buffer=%evt.buffer container_id=%container.id image=%container.image.repository)
priority: CRITICAL
tags: [mitre_initial_access]
# Application rules have moved to application_rules.yaml. Please look # Application rules have moved to application_rules.yaml. Please look
# there if you want to enable them by adding to # there if you want to enable them by adding to
# falco_rules.local.yaml. # falco_rules.local.yaml.