signature-base
log4shell-tool
Our great sponsors
| signature-base | log4shell-tool | |
|---|---|---|
| 12 | 4 | |
| 2,329 | 15 | |
| - | - | |
| 9.2 | 0.0 | |
| 8 days ago | 10 months ago | |
| YARA | ||
| GNU General Public License v3.0 or later | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
signature-base
-
Xzbot: Notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094)
> It doesn't matter.
To understand the exact behavior and extend of the backdoor, this does matter. An end to end proof of how it works is exactly what was needed.
> A way to check if servers are vulnerable is probably by querying the package manager
Yes, this has been know since the initial report + later discovering what exact strings are present for the payload.
https://github.com/Neo23x0/signature-base/blob/master/yara/b...
> Not very sophisticated, but it'll work.
Unfortunately, we live in a world with closed-servers and appliances - being able as a customer or pen tester rule out certain class of security issues without having the source/insights available is usually desirable.
- Exploit Outlook CVE-2023-23397 Yara - to detect .msg files exploiting CVE-2023-23397 in Microsoft Outlook
- OneNote Yara rule
-
New Exchange Zero Day rumours [29th September]
* Run the following YARA rules over your logs and aspx files in INSTALL_DIRECTORY/Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\ https://github.com/Neo23x0/signature-base/blob/master/yara/expl_proxyshell.yar
-
Nvidia Breach
If you have a Yara detection platform, Florian Roth’s rules should detect executables signed with this. https://github.com/Neo23x0/signature-base/blob/master/yara/gen_nvidia_leaked_cert.yar.
-
Evidence of a log4j attack found - Now what?
Uses these YARA rules to read JAR, LOG, and TXT files on the system, throwing warnings if any log4shell-looking payloads are found based on those various rules.
- Yara rule to detect ProxyToken exploitation
-
APT29 / NOBELIUM VirusTotal retro hunt results using 12 newly release Yara rules
Rules https://github.com/Neo23x0/signature-base/blob/master/yara/apt_apt29_nobelium_may21.yar
- What are the best FOSS YARA rules you would recommend to deploy?
log4shell-tool
- Lacerte Tax - Log4j
-
Evidence of a log4j attack found - Now what?
Start with confirming that an incident took place. My five-minute understanding of Datto's ComStore log4shell tool is that it does two things:
- Log4j PDQ scan profile
-
Automating with PowerShell: Detecting Log4j
For an in-depth explanation of what variables are required, please check the 'Usage' section of the readme viewable at https://github.com/datto/log4shell-tool. This explains the three variables that need to be set and what values to set them to.
What are some alternatives?
malware-ioc - Indicators of Compromises (IOC) of our various investigations
Get-log4j-Windows.ps1 - Identifying all log4j components across all windows servers, entire domain, can be multi domain. CVE-2021-44228
Loki - Loki - Simple IOC and YARA Scanner
CIPP - CIPP is a M365 multitenant management solution
awesome-yara - A curated list of awesome YARA rules, tools, and people.
incidentresponse
ThreatHunting - Tools for hunting for threats.
PowerShellSnippets
reversinglabs-yara-rules - ReversingLabs YARA Rules
CVE-2021-44228-Log4Shell-Hashes - Hashes for vulnerable LOG4J versions
audit-node-modules-with-yara - Audit Node Module folder with YARA rules to identify possible malicious packages hiding in node_moudles
Log4Shell-Automated - This is an automated script to scan for Log4J vulnerabilities. This is based off of the Datto script.