Using the Splunk query above, it will show you table-formatted data which contains the extracted base64 under the field named "string". The result after we export it from Splunk (opened in Excel) looks like this:

If you decode the base64 from the example raw event above:

KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC9YLlguWC5YOjQ0M3x8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC9YLlguWC4xODo0NDMpfGJhc2g=

There are hundreds or probably thousands of them. We're not going to decode them one by one, are we? How can I quickly decode all these base64 strings?

So… we're going to leverage Excel & a macro (yes. MACRO) to automatically decode those base64 strings for us. The macro code that we'll be using is as below:

Function TextBase64Encode(strText, strCharset)
With CreateObject("MSXML2.DOMDocument").createElement("tmp")
TextBase64Encode = Replace(Replace(.Text, vbCr, ""), vbLf, "")
Function TextBase64Decode(strBase64, strCharset)

To use it, first we need to open the Splunk result that we exported earlier. After that, press Alt-F8 to open the macro editor. Create a new macro – you can give it any name you want. Paste the macro code given above inside the editor. After that, close the editor window.

Then, create 2 new columns in the Excel sheet, named "ASCII" and "Decoded Base64":

We need to fill up column "ASCII" with the string "ASCII" until the end/bottom of your data. Let's say you have 300 rows of data in your Excel, then fill 300 "ASCII" strings beside them. Just press Ctrl + Arrow-Down to quickly go to the end/bottom of the data column. After that, type the string "ASCII" in one of the rows and copy it (Ctrl-C). Then press Ctrl + Shift + Arrow-Up to select from bottom to top. Then paste (Ctrl + V) to fill the whole column with the string "ASCII". Your Excel will look something like this:

Next, we're going to start decoding the base64 strings. Again, press Ctrl + Arrow-Down to go to the end of the column, and type the formula as below:
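The same bulk decode can also be scripted instead of done cell by cell in Excel. The following is an added example, not the post's macro or formula: a Python script over the exported CSV that reuses the post's "string" field and its "Decoded Base64" column name; the sample rows are constructed (the first value is the post's own base64), and cells that are not valid base64 are blanked rather than aborting the run.

```python
import base64
import binascii
import csv
import io
import re

# Constructed Splunk CSV export in the shape the post describes: the "string"
# field holds the base64 the rex pulled out of each raw event. Row 1 is the
# post's own sample; rows 2-3 are constructed (row 3 is deliberately not base64).
SAMPLE_EXPORT = """_time,string
2021-12-13 10:00:01,KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC9YLlguWC5YOjQ0M3x8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC9YLlguWC4xODo0NDMpfGJhc2g=
2021-12-13 10:00:02,d2hvYW1p
2021-12-13 10:00:03,not-base64!!
"""

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def decode_b64(value):
    """Decode one cell: repair missing '=' padding (an extraction regex that
    stops at a delimiter often drops it) and return "" instead of raising, so
    the decoded column stays aligned with the rows of the export."""
    value = value.strip()
    if not B64_RE.match(value):
        return ""
    value += "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return ""
    # Attacker-controlled bytes: keep them as inert text for review only.
    return raw.decode("utf-8", errors="replace")

def add_decoded_column(csv_text, field="string"):
    """Read the export and add a 'Decoded Base64' value to every row."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["Decoded Base64"] = decode_b64(row.get(field) or "")
        rows.append(row)
    return rows

def write_csv(rows):
    """Serialise the rows back to CSV text with the new column appended."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    print(write_csv(add_decoded_column(SAMPLE_EXPORT)))
```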
| rex field="CommandLine" max_match=0 "(?<log4j_version>log4j(?!\.configuration|\.properties).*?\.jar)"
| stats values(log4j_version) AS log4j_version, values(component) AS component, values(version) AS version, max(_time) AS lastTime, values(index) AS org_index, values(sourcetype) AS org_sourcetype by host
| eval lastTime=strftime(lastTime,"%F %T")
| table lastTime host log4j_version component version org_index org_sourcetype

Find connections back to the JNDI domains

IP based JNDI connections

Find connections in your firewall logs that try to make a connection to an IP address that was in the jndi string. The query below will first look in every non-internal index for the term jndi, then extract the destination domain and filter out the valid IP addresses. It only looks for connections that were not blocked; if you want everything, remove the action!="blocked" part.

Ipv6=if(ip_version="ipv6",jndi_domain,null())
| eval dest_port=if(isnull(dest_port) OR len(dest_port)=0,"*",dest_port)
| rename dest_ip AS All_st, dest_port AS All_st_port ] by _time span=1s All_Traffic.action All_st All_st_port All_Traffic.src All_Traffic.src_port

Another method to look for jndi strings is to first "clean" the log with the earlier suggested macro and then look for jndi in the "cleaned" log.

I think this is the best and most reliable way to search that gives the least false positives and is especially useful when you use it as a saved search that runs every 5 minutes.

19:27:20 X.X.X.X GET /owa/auth/logon.aspx url=https%3a%2f%2fX.X.X.X%2fowa%2f&reason=0&CorrelationID= &ClientId=AGS0JSW0AJIUEPWEVZ&cafeReqId=13016af6-7c1b-4e2f-b148-1cc2399d2b08 443 - X.X.X.X $ 200 0 0 0