""ET EXPLOIT Apache log4j RCE Attempt - AWS Access Key Disclosure (CVE-2021-44228)""

SID: 2034699

Revision: 1

Class Type: attempted-admin

Metadata: attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, signature_severity Major, tag Exploit, updated_at 2021_12_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application

Reference:

• cve

• 2021-44228

Protocol: tcp

Source Network: any

Source Port: any

Destination Network: [$HOME_NET,$HTTP_SERVERS]

Destination Port: any

Flow: established,to_server

Contents:

• Value: "|24 7b|"

• Value: "|3a|"

• Value: "|24 7b|env|3a|AWS_ACCESS_KEY_ID"

Within:

PCRE: "/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a-n\x7d)/Ri"

Special Options:

source