Adding for review

2022-03-31 13:41:22 -07:00 · 2022-03-31 13:41:22 -07:00 · 3917c01be5
--- a/Queries/Syslog/Apache_log4j_Vulnerability.yaml
+++ b/Queries/Syslog/Apache_log4j_Vulnerability.yaml
@ -1,43 +1,50 @@
-id: 38cc38c3-bd6c-470e-ae1a-3136a9ded97f
-name: Possible exploitation of Apache log4j component detected
-description: |
-  'This hunting query looks for possible attempts to exploit a remote code execution vulnerability in the Log4j component of Apache. 
-  Attackers may attempt to launch arbitrary code by passing specific commands to a server, which are then logged and executed by the Log4j component.
-  For more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description
-  Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431'
-requiredDataConnectors:
-  - connectorId: Syslog
-    dataTypes: 
-      - Syslog
-tactics:
-  - Persistence
-  - Execution
-relevantTechniques:
-  - T1059
-  - T1053
-tags:
-  - CVE-2021-44228
-query: |
-  Syslog
-  | where Facility == 'user'
-  | where SyslogMessage has "AUOMS_EXECVE"
-  | where SyslogMessage has 'jndi' and SyslogMessage has_any ('ldap', 'dns', 'rmi', 'corba', 'iiop', 'nis', 'nds')
-  | parse SyslogMessage with "type=" EventType " audit(" * "): " EventData
-  | where EventType =~ "AUOMS_EXECVE"
-  | project TimeGenerated, EventType, Computer, EventData
-  | parse EventData with * "syscall=" syscall " syscall_r=" * " success=" success " exit=" exit " a0" * " ppid=" ppid " pid=" pid " audit_user=" audit_user " auid=" auid " user=" user " uid=" uid " group=" group " gid=" gid "effective_user=" effective_user " euid=" euid " set_user=" set_user " suid=" suid " filesystem_user=" filesystem_user " fsuid=" fsuid " effective_group=" effective_group " egid=" egid " set_group=" set_group " sgid=" sgid " filesystem_group=" filesystem_group " fsgid=" fsgid " tty=" tty " ses=" ses " comm=\"" comm "\" exe=\"" exe "\"" * "cwd=\"" cwd "\"" * "name=\"" name "\"" * "cmdline=\"" cmdline "\" containerid=" containerid
-  | where comm has_any ("wget","curl")
-  | where cmdline has_any ("${jndi:ldap","${jndi:dns","${jndi:rmi","${jndi:corba","${jndi:iiop","${jndi:nis", "${jndi:nds")
-  | project TimeGenerated, Computer, audit_user, user, cmdline
-  | extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated
-  | sort by TimeGenerated desc
-entityMappings: 
- entityType: Host
-  fieldMappings:
-    - identifier: FullName
-      columnName: HostCustomEntity
- entityType: Account
-  fieldMappings:
-    - identifier: FullName
-      columnName: AccountCustomEntity
-version: 1.0.0
+  id: 38cc38c3-bd6c-470e-ae1a-3136a9ded97f
+  name: Possible exploitation of Apache log4j component detected
+  description: |
+    'This hunting query looks for possible attempts to exploit a remote code execution vulnerability in the Log4j component of Apache. 
+    Attackers may attempt to launch arbitrary code by passing specific commands to a server, which are then logged and executed by the Log4j component.
+    For more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description
+    Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431'
+  requiredDataConnectors:
+    - connectorId: Syslog
+      dataTypes: 
+        - Syslog
+  tactics:
+    - Persistence
+    - Execution
+  relevantTechniques:
+    - T1059
+    - T1053
+  tags:
+    - CVE-2021-44228
+  query: |
+  let log4j_execve=()
+  {
+    Syslog
+    | where SyslogMessage has "AUOMS_EXECVE"
+    | where SyslogMessage has 'jndi' and SyslogMessage has_any ('ldap', 'dns', 'rmi', 'corba', 'iiop', 'nis', 'nds')
+    | parse SyslogMessage with "type=" EventType " audit(" * "): " EventData
+    | where EventType =~ "AUOMS_EXECVE"
+    | project TimeGenerated, EventType, Computer, EventData
+    | extend EventData = trim_end('containerid=',EventData)
+    | parse kind=regex EventData with * "success=" success " exit=" * "ppid=" ppid "pid=" pid
+    "audit_user=" audit_user "auid=" * "user=" user " uid=" uid " group=" * "comm=\"" comm "\" exe=\"" exe
+    "\"" * "cwd=\"" cwd "\" name=\"" name "\" (inode|nametype)=" * "(proctitle|cmdline)=" cmdline
+    | extend cmdline = trim_end('redactors=.*',cmdline)
+  };
+  log4j_execve
+    | where comm has_any ("wget","curl")
+    | where cmdline has_any ("${jndi:ldap","${jndi:dns","${jndi:rmi","${jndi:corba","${jndi:iiop","${jndi:nis", "${jndi:nds")
+    | project TimeGenerated, Computer, audit_user, user, cmdline
+    | extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated
+    | sort by TimeGenerated desc
+  entityMappings: 
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: HostCustomEntity
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: AccountCustomEntity
+  version: 1.0.1