Update YARA definitions

Author: s-nix

yara.yar

@@ -20,28 +20,30 @@ rule EXPL_JNDI_Exploit_Patterns_Dec21_1 {
       date = "2021-12-12"
       score = 60
    strings:
-      $ = "/Basic/Command/Base64/"
-      $ = "/Basic/ReverseShell/"
-      $ = "/Basic/TomcatMemshell"
-      $ = "/Basic/JettyMemshell"
-      $ = "/Basic/WeblogicMemshell"
-      $ = "/Basic/JBossMemshell"
-      $ = "/Basic/WebsphereMemshell"
-      $ = "/Basic/SpringMemshell"
-      $ = "/Deserialization/URLDNS/"
-      $ = "/Deserialization/CommonsCollections1/Dnslog/"
-      $ = "/Deserialization/CommonsCollections2/Command/Base64/"
-      $ = "/Deserialization/CommonsBeanutils1/ReverseShell/"
-      $ = "/Deserialization/Jre8u20/TomcatMemshell"
-      $ = "/TomcatBypass/Dnslog/"
-      $ = "/TomcatBypass/Command/"
-      $ = "/TomcatBypass/ReverseShell/"
-      $ = "/TomcatBypass/TomcatMemshell"
-      $ = "/TomcatBypass/SpringMemshell"
-      $ = "/GroovyBypass/Command/"
-      $ = "/WebsphereBypass/Upload/"
+      $x01 = "/Basic/Command/Base64/"
+      $x02 = "/Basic/ReverseShell/"
+      $x03 = "/Basic/TomcatMemshell"
+      $x04 = "/Basic/JettyMemshell"
+      $x05 = "/Basic/WeblogicMemshell"
+      $x06 = "/Basic/JBossMemshell"
+      $x07 = "/Basic/WebsphereMemshell"
+      $x08 = "/Basic/SpringMemshell"
+      $x09 = "/Deserialization/URLDNS/"
+      $x10 = "/Deserialization/CommonsCollections1/Dnslog/"
+      $x11 = "/Deserialization/CommonsCollections2/Command/Base64/"
+      $x12 = "/Deserialization/CommonsBeanutils1/ReverseShell/"
+      $x13 = "/Deserialization/Jre8u20/TomcatMemshell"
+      $x14 = "/TomcatBypass/Dnslog/"
+      $x15 = "/TomcatBypass/Command/"
+      $x16 = "/TomcatBypass/ReverseShell/"
+      $x17 = "/TomcatBypass/TomcatMemshell"
+      $x18 = "/TomcatBypass/SpringMemshell"
+      $x19 = "/GroovyBypass/Command/"
+      $x20 = "/WebsphereBypass/Upload/"
+
+      $fp1 = "<html"
    condition:
-      1 of them
+      1 of ($x*) and not 1 of ($fp*)
 }
 
 rule EXPL_Log4j_CVE_2021_44228_JAVA_Exception_Dec21_1 {
@@ -66,20 +68,24 @@ rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft {
       author = "Florian Roth"
       reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
       date = "2021-12-10"
-      modified = "2021-12-12"
+      modified = "2021-12-20"
       score = 60
+      type = "file"
    strings:
-      $ = "${jndi:ldap:/"
-      $ = "${jndi:rmi:/"
-      $ = "${jndi:ldaps:/"
-      $ = "${jndi:dns:/"
-      $ = "${jndi:iiop:/"
-      $ = "${jndi:http:/"
-      $ = "${jndi:nis:/"
-      $ = "${jndi:nds:/"
-      $ = "${jndi:corba:/"
+      $x01 = "${jndi:ldap:/"
+      $x02 = "${jndi:rmi:/"
+      $x03 = "${jndi:ldaps:/"
+      $x04 = "${jndi:dns:/"
+      $x05 = "${jndi:iiop:/"
+      $x06 = "${jndi:http:/"
+      $x07 = "${jndi:nis:/"
+      $x08 = "${jndi:nds:/"
+      $x09 = "${jndi:corba:/"
+
+      $fp1 = "<html"
+      $fp2 = "/nessus}"
    condition:
-      1 of them
+      1 of ($x*) and not 1 of ($fp*)
 }
 
 rule EXPL_Log4j_CVE_2021_44228_Dec21_OBFUSC {
@@ -88,6 +94,7 @@ rule EXPL_Log4j_CVE_2021_44228_Dec21_OBFUSC {
       author = "Florian Roth"
       reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
       date = "2021-12-12"
+      modified = "2021-12-13"
       score = 60
    strings:
       $x1 = "$%7Bjndi:"
@@ -98,8 +105,10 @@ rule EXPL_Log4j_CVE_2021_44228_Dec21_OBFUSC {
       $x6 = "${${env:BARFOO:-j}"
       $x7 = "${::-l}${::-d}${::-a}${::-p}"
       $x8 = "${base64:JHtqbmRp"
+
+      $fp1 = "<html"
    condition:
-      1 of them
+      1 of ($x*) and not 1 of ($fp*)
 }
 
 rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
@@ -112,9 +121,10 @@ rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
       score = 80
    strings:
       $x1 = /\$\{jndi:(ldap|ldaps|rmi|dns|iiop|http|nis|nds|corba):\/[\/]?[a-z-\.0-9]{3,120}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}/
+      $x2 = "Reference Class Name: foo"
       $fp1r = /(ldap|rmi|ldaps|dns):\/[\/]?(127\.0\.0\.1|192\.168\.|172\.[1-3][0-9]\.|10\.)/
    condition:
-      $x1 and not 1 of ($fp*)
+      1 of ($x*) and not 1 of ($fp*)
 }
 
 rule SUSP_Base64_Encoded_Exploit_Indicators_Dec21 {
@@ -123,6 +133,7 @@ rule SUSP_Base64_Encoded_Exploit_Indicators_Dec21 {
       author = "Florian Roth"
       reference = "https://twitter.com/Reelix/status/1469327487243071493"
       date = "2021-12-10"
+      modified = "2021-12-13"
       score = 70
    strings:
       /* curl -s  */
@@ -133,8 +144,11 @@ rule SUSP_Base64_Encoded_Exploit_Indicators_Dec21 {
       $sb1 = "fHdnZXQgLXEgLU8tI"
       $sb2 = "x3Z2V0IC1xIC1PLS"
       $sb3 = "8d2dldCAtcSAtTy0g"
+
+      $fp1 = "<html"
    condition:
       1 of ($sa*) and 1 of ($sb*)
+      and not 1 of ($fp*)
 }
 
 rule SUSP_JDNIExploit_Indicators_Dec21 {
@@ -160,16 +174,34 @@ rule SUSP_EXPL_OBFUSC_Dec21_1{
       score = 60
    strings:
       /* ${lower:X} - single character match */
-      $ = { 24 7B 6C 6F 77 65 72 3A ?? 7D }
+      $x1 = { 24 7B 6C 6F 77 65 72 3A ?? 7D }
       /* ${upper:X} - single character match */
-      $ = { 24 7B 75 70 70 65 72 3A ?? 7D }
+      $x2 = { 24 7B 75 70 70 65 72 3A ?? 7D }
       /* URL encoded lower - obfuscation in URL */
-      $ = "$%7blower:"
-      $ = "$%7bupper:"
-      $ = "%24%7bjndi:"
-      $ = "$%7Blower:"
-      $ = "$%7Bupper:"
-      $ = "%24%7Bjndi:"
+      $x3 = "$%7blower:"
+      $x4 = "$%7bupper:"
+      $x5 = "%24%7bjndi:"
+      $x6 = "$%7Blower:"
+      $x7 = "$%7Bupper:"
+      $x8 = "%24%7Bjndi:"
+
+      $fp1 = "<html"
+   condition:
+      1 of ($x*) and not 1 of ($fp*)
+}
+
+rule SUSP_JDNIExploit_Error_Indicators_Dec21_1 {
+   meta:
+      description = "Detects error messages related to JDNI usage in log files that can indicate a Log4Shell / Log4j exploitation"
+      author = "Florian Roth"
+      reference = "https://twitter.com/marcioalm/status/1470361495405875200?s=20"
+      date = "2021-12-10"
+      modified = "2021-12-17"
+      score = 70
+   strings:
+      $x1 = "FATAL log4j - Message: BadAttributeValueException: "
+      $x2 = "Error looking up JNDI resource"
    condition:
       1 of them
 }
+