fix: avoid Microsoft Defender detections
We keep the strings as specific as necessary while avoiding Microsoft Defender detections on the rule files
Neo23x0 committed Feb 6, 2022
1 parent 6ce92b2 commit e2aa366
Showing 2 changed files with 21 additions and 17 deletions.
8 changes: 4 additions & 4 deletions rules/web/web_cve_2021_44228_log4j.yml
Expand Up @@ -4,7 +4,7 @@ status: experimental
description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)
author: Florian Roth
date: 2021/12/10
modified: 2021/12/13
modified: 2022/02/06
references:
- https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://news.ycombinator.com/item?id=29504755
Expand Down Expand Up @@ -38,9 +38,9 @@ detection:
- '${${env:BARFOO:-j}'
- '${::-l}${::-d}${::-a}${::-p}'
- '${base64:JHtqbmRp'
- '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//'
- '${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://'
- '${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://'
- '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
- '${${lower:j}ndi:'
- '${${upper:j}ndi:'
- '${${::-j}${::-n}${::-d}${::-i}:'
condition: keywords
falsepositives:
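Review bot: The three shortened keywords are strict prefixes of the strings they replace, so this hunk widens rather than narrows what the rule matches: `'${${lower:j}ndi:'` and `'${${upper:j}ndi:'` no longer require the `ldap` scheme that followed, and `'${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'` stops before the scheme as well. That is a recall gain (rmi, dns and other JNDI schemes wrapped in the same obfuscation are now caught) at the cost of fewer distinguishing characters per keyword; the rule's `description` should say the keywords were deliberately truncated so that a later editor does not "restore" the longer forms. The hunk also adds a new keyword, `'${${::-j}${::-n}${::-d}${::-i}:'`, which the commit message does not mention; worth a line there, since it is a new obfuscation pattern and not a shortening.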
30 changes: 17 additions & 13 deletions rules/web/web_cve_2021_44228_log4j_fields.yml
Expand Up @@ -4,7 +4,7 @@ status: experimental
description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)
author: Florian Roth
date: 2021/12/10
modified: 2021/12/16
modified: 2022/02/06
references:
- https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://news.ycombinator.com/item?id=29504755
Expand Down Expand Up @@ -35,12 +35,13 @@ detection:
- '${jndi:nds'
- '${jndi:corba'
- '${jndi:iiop'
- 'Reference Class Name: foo'
- '${${env:BARFOO:-j}'
- '${::-l}${::-d}${::-a}${::-p}'
- '${base64:JHtqbmRp'
- '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//'
- '${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://'
- '${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://'
- '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
- '${${lower:j}ndi:'
- '${${upper:j}ndi:'
- '${${::-j}${::-n}${::-d}${::-i}:'
selection2:
user-agent|contains:
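Review bot: Besides the shortened keywords, this hunk silently removes `'Reference Class Name: foo'` from `selection1`, which is neither a truncation nor mentioned in the commit message ("keep the strings as specific as necessary"); if the removal is also part of the Defender workaround, or because the string is not expected in this header field, state that in the commit message or the rule's `description` so the lost coverage is recorded. The `${::-j}...` keyword is added and the three obfuscated `jndi` keywords are cut back to the same prefixes as in `web_cve_2021_44228_log4j.yml`, which keeps the two rules consistent.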
Expand All @@ -59,12 +60,13 @@ detection:
- '${jndi:nds'
- '${jndi:corba'
- '${jndi:iiop'
- 'Reference Class Name: foo'
- '${${env:BARFOO:-j}'
- '${::-l}${::-d}${::-a}${::-p}'
- '${base64:JHtqbmRp'
- '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//'
- '${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://'
- '${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://'
- '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
- '${${lower:j}ndi:'
- '${${upper:j}ndi:'
- '${${::-j}${::-n}${::-d}${::-i}:'
selection3:
cs-uri|contains:
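Review bot: This is the same keyword edit applied to the `selection2` list, and the diff shows it repeated once more for `selection3` and `selection4` below, so the rule now carries four identical copies of the list under `condition: 1 of selection*`. Every future tuning of the keywords has to be applied to all four lists by hand; a short comment at the top of `detection:` saying the lists are intentionally kept identical would make that maintenance expectation explicit.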
Expand All @@ -83,12 +85,13 @@ detection:
- '${jndi:nds'
- '${jndi:corba'
- '${jndi:iiop'
- 'Reference Class Name: foo'
- '${${env:BARFOO:-j}'
- '${::-l}${::-d}${::-a}${::-p}'
- '${base64:JHtqbmRp'
- '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//'
- '${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://'
- '${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://'
- '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
- '${${lower:j}ndi:'
- '${${upper:j}ndi:'
- '${${::-j}${::-n}${::-d}${::-i}:'
selection4:
cs-referer|contains:
Expand All @@ -107,12 +110,13 @@ detection:
- '${jndi:nds'
- '${jndi:corba'
- '${jndi:iiop'
- 'Reference Class Name: foo'
- '${${env:BARFOO:-j}'
- '${::-l}${::-d}${::-a}${::-p}'
- '${base64:JHtqbmRp'
- '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//'
- '${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://'
- '${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://'
- '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
- '${${lower:j}ndi:'
- '${${upper:j}ndi:'
- '${${::-j}${::-n}${::-d}${::-i}:'
condition: 1 of selection*
falsepositives: