yara/rules/Linux_Exploit_Log4j.yar (25 lines of code) (raw):
// Detects Log4j exploitation artifacts on Linux: fully qualified JNDI lookup
// class/method names must co-occur with indicators of an "Exploit" payload class.
// Intended for both file and in-memory scanning (see scan_context).
rule Linux_Exploit_Log4j_7fc4d480 {
meta:
author = "Elastic Security"
id = "7fc4d480-5354-4b0b-93ee-2937ddd1565c"
// presumably a content hash of this rule — confirm how it is computed before editing the body
fingerprint = "cd06db6f5bebf0412d056017259b5451184d5ba5b2976efd18fa8f96dba6a159"
creation_date = "2021-12-13"
last_modified = "2022-01-26"
threat_name = "Linux.Exploit.Log4j"
reference = "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security"
// highest severity: a hit indicates exploitation activity, not merely a vulnerable library
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "linux"
strings:
// JNDI lookup path: Java class/method names from the LDAP JNDI provider and
// from Log4j's own JndiLookup class. All strings are plain ASCII matches —
// no `wide` or `nocase` modifiers are set.
// NOTE(review): UTF-16 (wide) copies of these names would not match; confirm that
// is acceptable for the memory scan_context.
$jndi1 = "jndi.ldap.LdapCtx.c_lookup"
$jndi2 = "logging.log4j.core.lookup.JndiLookup.lookup"
$jndi3 = "com.sun.jndi.url.ldap.ldapURLContext.lookup"
// Payload indicators: a URL/path fragment, a Java exception message naming an
// "Exploit" class, a webapp classes path and a Java source file name, all
// referring to a class literally called "Exploit".
$exp1 = "Basic/Command/Base64/"
$exp2 = "java.lang.ClassCastException: Exploit"
$exp3 = "WEB-INF/classes/Exploit"
$exp4 = "Exploit.java"
condition:
// Require at least two of the three JNDI strings AND at least one payload
// indicator; neither group alone is sufficient to trigger the rule.
2 of ($jndi*) and 1 of ($exp*)
}