OpenIOC rules to facilitate hunting for indicators of compromise# Overview
This repository contains OpenIOC rules to facilitate hunting for indicators of compromise related to the Apache Log4j 2 remote code execution vulnerability (CVE-2021-44228).
These rules are considered hunting rules and as such detection efficacy will vary by organization. With environment-specific tuning these rules may be suitable for deployment as alerting rules. The rules are organized into two categories:
* execution - IOCs that provide evidence that something *previously executed* on the system that may be related to this CVE such as suspicous network connections, URL requests, process exeuctions, and file writes
* presence - IOCs related to this CVE that provide evidence that an actively running process or file is present on the system
FireEye customers can refer to the FireEye Community (community.fireeye.com) for additional information on how FireEye products detect these threats.
These rules are provided freely to the community without warranty.
[4.0K] /data/pocs/fab630c2d204768dd136f9a98459ba93666f2477
├── [ 984] README.md
└── [4.0K] rules
├── [4.0K] execution
│ ├── [2.2K] 3e9cbdaf-1da4-4a55-b453-912d0a75e337.ioc
│ ├── [ 16K] 45c3e506-71bb-49eb-9157-efb81904d880.ioc
│ ├── [ 15K] 5e3cd7b3-4844-4fe5-8d08-2f71cad53c5c.ioc
│ ├── [9.1K] 61ca256a-1f03-40a4-a6c5-692d28a89699.ioc
│ ├── [4.8K] a7fb0010-d330-4628-a454-d196d62c5490.ioc
│ └── [ 16K] cd73767d-361f-4ccb-8898-6b9f3fb7402f.ioc
└── [4.0K] presence
├── [ 32K] 312597aa-77ba-4ab9-820c-72926115d3b8.ioc
├── [2.2K] 6a4bb38d-5232-4b2b-975a-955aab4c4b63.ioc
└── [2.2K] ae3b8c89-383e-451b-b1e0-f359dc359ea9.ioc
3 directories, 10 files