From 242636924ef8449bebc5592925f36413f0129ebc Mon Sep 17 00:00:00 2001
From: Samik Roy
Date: Fri, 7 Jan 2022 23:31:06 +0530
Subject: [PATCH] Updating as per #3826

Updating as per #3826
---
 .../Package/mainTemplate.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Solutions/Apache Log4j Vulnerability Detection/Package/mainTemplate.json b/Solutions/Apache Log4j Vulnerability Detection/Package/mainTemplate.json
index 8125dc1ae54..2c21251aae6 100644
--- a/Solutions/Apache Log4j Vulnerability Detection/Package/mainTemplate.json
+++ b/Solutions/Apache Log4j Vulnerability Detection/Package/mainTemplate.json
@@ -279,7 +279,7 @@
 "eTag": "*",
 "displayName": "Azure WAF Log4j CVE-2021-44228 hunting",
 "category": "Hunting Queries",
- "query": "let log4jcmdstring = dynamic([\"${jndi:ldap\",\"${jndi:dns\",\"${jndi:rmi\",\"${jndi:corba\",\"${jndi:iiop\",\"${jndi:nis\",\"${jndi:nds\"]);\nAzureDiagnostics\n| where Category in (\"FrontdoorWebApplicationFirewallLog\", \"FrontdoorAccessLog\", \"ApplicationGatewayFirewallLog\", \"ApplicationGatewayAccessLog\")\n//The regex and the string matching look for the most common attacks. This is not supposed to be comprehensive.\n| where originalRequestUriWithArgs_s has_any (log4jcmdstring) or originalRequestUriWithArgs_s matches regex '\\\\$\\\\{j\\\\$\\\\{::-\\\\}n\\\\$\\\\{::-\\\\}d\\\\$\\\\{::-\\\\}[a-zA-Z]' or userAgent_s has_any (log4jcmdstring) or userAgent_s matches regex '\\\\$\\\\{j\\\\$\\\\{::-\\\\}n\\\\$\\\\{::-\\\\}d\\\\$\\\\{::-\\\\}[a-zA-Z]'\n| extend CmdLine = iff(originalRequestUriWithArgs_s has 'Base64/', split(split(originalRequestUriWithArgs_s, \"Base64/\",1)[0], \"}\", 0)[0], split(split(userAgent_s, \"Base64/\",1)[0], \"}\", 0)[0])\n| extend CmdLine = base64_decode_tostring(tostring(CmdLine))\n| where CmdLine has_any (\"wget\",\"curl\")\n| summarize Total = count() by originalRequestUriWithArgs_s, userAgent_s, clientIP_s,clientPort_d, TimeGenerated, host_s, requestUri_s, httpStatus_d,listenerName_s, CmdLine, httpMethod_s, Category\n| extend IPCustomEntity = clientIP_s, timestamp = TimeGenerated\n",
+ "query": "let log4jcmdstring = dynamic([\"${jndi:ldap\",\"${jndi:dns\",\"${jndi:rmi\",\"${jndi:corba\",\"${jndi:iiop\",\"${jndi:nis\",\"${jndi:nds\"]);\nlet log4jRegex = @'(\\\\$|%24)(\\\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\\\$|%24|}|%7D)';\nAzureDiagnostics\n| where Category in (\"FrontdoorWebApplicationFirewallLog\", \"FrontdoorAccessLog\", \"ApplicationGatewayFirewallLog\", \"ApplicationGatewayAccessLog\")\n//Extending the columns to aviod failures.\n| extend originalRequestUriWithArgs_s = column_ifexists(\"originalRequestUriWithArgs_s\", \"\"),\nuserAgent_s = column_ifexists(\"userAgent_s\", \"\"),\nclientIP_s = column_ifexists(\"clientIP_s\", \"\"),\nclientPort_d = column_ifexists(\"originalRequestUriWithArgs_s\", \"\"),\nhost_s = column_ifexists(\"host_s\", \"\"),\nrequestUri_s = column_ifexists(\"requestUri_s\", \"\"),\nhttpStatus_d = column_ifexists(\"httpStatus_d\",\"\"),\nlistenerName_s = column_ifexists(\"listenerName_s\", \"\"),\nhttpMethod_s = column_ifexists(\"httpMethod_s\", \"\")\n//The regex and the string matching look for the most common attacks. This is not supposed to be comprehensive.\n| where originalRequestUriWithArgs_s has_any (log4jcmdstring) or originalRequestUriWithArgs_s matches regex log4jRegex or userAgent_s has_any (log4jcmdstring) or userAgent_s matches regex log4jRegex\n| extend CmdLine = iff(originalRequestUriWithArgs_s has 'Base64/', split(split(originalRequestUriWithArgs_s, \"Base64/\",1)[0], \"}\", 0)[0], split(split(userAgent_s, \"Base64/\",1)[0], \"}\", 0)[0])\n| extend CmdLine = base64_decode_tostring(tostring(CmdLine))\n| where CmdLine has_any (\"wget\",\"curl\")\n| summarize Total = count() by originalRequestUriWithArgs_s, userAgent_s, clientIP_s,clientPort_d, TimeGenerated, host_s, requestUri_s, httpStatus_d,listenerName_s, CmdLine, httpMethod_s, Category\n| extend IPCustomEntity = clientIP_s, timestamp = TimeGenerated\n",
 "version": 1,
 "tags": [
 {
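Review bot: The new `column_ifexists` block in the added "query" line wires `clientPort_d` to the wrong column — `clientPort_d = column_ifexists(\"originalRequestUriWithArgs_s\", \"\")` — so the port is silently replaced by a copy of the request URI, which then also becomes one of the `summarize ... by` keys and corrupts the hunting result set; it should read `clientPort_d = column_ifexists(\"clientPort_d\", \"\"),`. The same block gives the numeric `_d` columns (`clientPort_d`, `httpStatus_d`) a string `\"\"` fallback; if the intent is a typed fallback, a numeric default (e.g. `real(null)`) would keep the column type stable whether or not the column exists — worth confirming against how downstream analytics consume these fields. The embedded comment `//Extending the columns to aviod failures.` has a typo ("avoid"). The JSON object that holds this hunting query begins and ends outside the hunk.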