Work in progress: Log4j attack and forensics

This commit is contained in:
Frank Xu
2023-09-18 10:21:15 -04:00
parent eef36d8f31
commit 3403e8fe87
4 changed files with 271 additions and 0 deletions




@@ -0,0 +1,173 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><!-- Generated by graphviz version 2.40.1 (20161225.0304)
--><!-- Title: StateDiagram Pages: 1 --><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="676pt" height="497pt" viewBox="0.00 0.00 676.00 496.80">
<g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(4 492.8)">
<title>StateDiagram</title>
<polygon fill="#ffffff" stroke="transparent" points="-4,4 -4,-492.8 672,-492.8 672,4 -4,4"/>
<g id="clust1" class="cluster">
<title>cluster_attacker</title>
<polygon fill="none" stroke="#ff0000" stroke-dasharray="1,5" points="8,-8 8,-444.8 330,-444.8 330,-8 8,-8"/>
<text text-anchor="middle" x="169" y="-428.2" font-family="Times,serif" font-size="14.00" fill="#000000">Attacker States</text>
</g>
<g id="clust2" class="cluster">
<title>cluster_victim</title>
<polygon fill="none" stroke="#0000ff" stroke-dasharray="1,5" points="338,-80 338,-444.8 660,-444.8 660,-80 338,-80"/>
<text text-anchor="middle" x="499" y="-428.2" font-family="Times,serif" font-size="14.00" fill="#000000">Victim States</text>
</g>
<!-- Attacker -->
<g id="node1" class="node">
<title>Attacker</title>
<polygon fill="none" stroke="#000000" points="160,-488.8 16,-488.8 16,-452.8 160,-452.8 160,-488.8"/>
<text text-anchor="middle" x="88" y="-467.2" font-family="Times,serif" font-size="12.00" fill="#000000">Attacker</text>
</g>
<!-- Identifying -->
<g id="node4" class="node">
<title>Identifying</title>
<polygon fill="none" stroke="#000000" points="160,-412 16,-412 16,-376 160,-376 160,-412"/>
<text text-anchor="middle" x="88" y="-390.4" font-family="Times,serif" font-size="12.00" fill="#000000">Identifying</text>
</g>
<!-- Attacker&#45;&gt;Identifying -->
<g id="edge1" class="edge">
<title>Attacker-&gt;Identifying</title>
<path fill="none" stroke="#000000" d="M88,-452.5995C88,-443.5132 88,-432.3176 88,-422.1549"/>
<polygon fill="#000000" stroke="#000000" points="91.5001,-422.0698 88,-412.0699 84.5001,-422.0699 91.5001,-422.0698"/>
</g>
<!-- Victim -->
<g id="node2" class="node">
<title>Victim</title>
<polygon fill="none" stroke="#000000" points="490,-488.8 346,-488.8 346,-452.8 490,-452.8 490,-488.8"/>
<text text-anchor="middle" x="418" y="-467.2" font-family="Times,serif" font-size="12.00" fill="#000000">Victim</text>
</g>
<!-- Vulnerable -->
<g id="node11" class="node">
<title>Vulnerable</title>
<polygon fill="none" stroke="#000000" points="490,-412 346,-412 346,-376 490,-376 490,-412"/>
<text text-anchor="middle" x="418" y="-390.4" font-family="Times,serif" font-size="12.00" fill="#000000">Vulnerable</text>
</g>
<!-- Victim&#45;&gt;Vulnerable -->
<g id="edge7" class="edge">
<title>Victim-&gt;Vulnerable</title>
<path fill="none" stroke="#000000" d="M418,-452.5995C418,-443.5132 418,-432.3176 418,-422.1549"/>
<polygon fill="#000000" stroke="#000000" points="421.5001,-422.0698 418,-412.0699 414.5001,-422.0699 421.5001,-422.0698"/>
</g>
<!-- Idle -->
<g id="node3" class="node">
<title>Idle</title>
<polygon fill="none" stroke="#000000" points="322,-412 178,-412 178,-376 322,-376 322,-412"/>
<text text-anchor="middle" x="250" y="-390.4" font-family="Times,serif" font-size="12.00" fill="#000000">Idle</text>
</g>
<!-- Exploiting -->
<g id="node5" class="node">
<title>Exploiting</title>
<polygon fill="none" stroke="#000000" points="160,-340 16,-340 16,-304 160,-304 160,-340"/>
<text text-anchor="middle" x="88" y="-318.4" font-family="Times,serif" font-size="12.00" fill="#000000">Exploiting</text>
</g>
<!-- Identifying&#45;&gt;Exploiting -->
<g id="edge2" class="edge">
<title>Identifying-&gt;Exploiting</title>
<path fill="none" stroke="#000000" d="M88,-375.8314C88,-368.131 88,-358.9743 88,-350.4166"/>
<polygon fill="#000000" stroke="#000000" points="91.5001,-350.4132 88,-340.4133 84.5001,-350.4133 91.5001,-350.4132"/>
</g>
<!-- Control -->
<g id="node6" class="node">
<title>Control</title>
<polygon fill="none" stroke="#000000" points="160,-268 16,-268 16,-232 160,-232 160,-268"/>
<text text-anchor="middle" x="88" y="-246.4" font-family="Times,serif" font-size="12.00" fill="#000000">Control</text>
</g>
<!-- Exploiting&#45;&gt;Control -->
<g id="edge3" class="edge">
<title>Exploiting-&gt;Control</title>
<path fill="none" stroke="#000000" d="M88,-303.8314C88,-296.131 88,-286.9743 88,-278.4166"/>
<polygon fill="#000000" stroke="#000000" points="91.5001,-278.4132 88,-268.4133 84.5001,-278.4133 91.5001,-278.4132"/>
</g>
<!-- PrivilegeEscalation -->
<g id="node7" class="node">
<title>PrivilegeEscalation</title>
<polygon fill="none" stroke="#000000" points="160,-196 16,-196 16,-160 160,-160 160,-196"/>
<text text-anchor="middle" x="88" y="-174.4" font-family="Times,serif" font-size="12.00" fill="#000000">PrivilegeEscalation</text>
</g>
<!-- Control&#45;&gt;PrivilegeEscalation -->
<g id="edge4" class="edge">
<title>Control-&gt;PrivilegeEscalation</title>
<path fill="none" stroke="#000000" d="M88,-231.8314C88,-224.131 88,-214.9743 88,-206.4166"/>
<polygon fill="#000000" stroke="#000000" points="91.5001,-206.4132 88,-196.4133 84.5001,-206.4133 91.5001,-206.4132"/>
</g>
<!-- Exfiltrating -->
<g id="node8" class="node">
<title>Exfiltrating</title>
<polygon fill="none" stroke="#000000" points="160,-124 16,-124 16,-88 160,-88 160,-124"/>
<text text-anchor="middle" x="88" y="-102.4" font-family="Times,serif" font-size="12.00" fill="#000000">Exfiltrating</text>
</g>
<!-- PrivilegeEscalation&#45;&gt;Exfiltrating -->
<g id="edge5" class="edge">
<title>PrivilegeEscalation-&gt;Exfiltrating</title>
<path fill="none" stroke="#000000" d="M88,-159.8314C88,-152.131 88,-142.9743 88,-134.4166"/>
<polygon fill="#000000" stroke="#000000" points="91.5001,-134.4132 88,-124.4133 84.5001,-134.4133 91.5001,-134.4132"/>
</g>
<!-- CoveringTracks -->
<g id="node9" class="node">
<title>CoveringTracks</title>
<polygon fill="none" stroke="#000000" points="160,-52 16,-52 16,-16 160,-16 160,-52"/>
<text text-anchor="middle" x="88" y="-30.4" font-family="Times,serif" font-size="12.00" fill="#000000">CoveringTracks</text>
</g>
<!-- Exfiltrating&#45;&gt;CoveringTracks -->
<g id="edge6" class="edge">
<title>Exfiltrating-&gt;CoveringTracks</title>
<path fill="none" stroke="#000000" d="M88,-87.8314C88,-80.131 88,-70.9743 88,-62.4166"/>
<polygon fill="#000000" stroke="#000000" points="91.5001,-62.4132 88,-52.4133 84.5001,-62.4133 91.5001,-62.4132"/>
</g>
<!-- NormalOperation -->
<g id="node10" class="node">
<title>NormalOperation</title>
<polygon fill="none" stroke="#000000" points="652,-412 508,-412 508,-376 652,-376 652,-412"/>
<text text-anchor="middle" x="580" y="-390.4" font-family="Times,serif" font-size="12.00" fill="#000000">NormalOperation</text>
</g>
<!-- Compromised -->
<g id="node12" class="node">
<title>Compromised</title>
<polygon fill="none" stroke="#000000" points="490,-340 346,-340 346,-304 490,-304 490,-340"/>
<text text-anchor="middle" x="418" y="-318.4" font-family="Times,serif" font-size="12.00" fill="#000000">Compromised</text>
</g>
<!-- Vulnerable&#45;&gt;Compromised -->
<g id="edge8" class="edge">
<title>Vulnerable-&gt;Compromised</title>
<path fill="none" stroke="#000000" d="M418,-375.8314C418,-368.131 418,-358.9743 418,-350.4166"/>
<polygon fill="#000000" stroke="#000000" points="421.5001,-350.4132 418,-340.4133 414.5001,-350.4133 421.5001,-350.4132"/>
</g>
<!-- ControlLoss -->
<g id="node13" class="node">
<title>ControlLoss</title>
<polygon fill="none" stroke="#000000" points="490,-268 346,-268 346,-232 490,-232 490,-268"/>
<text text-anchor="middle" x="418" y="-246.4" font-family="Times,serif" font-size="12.00" fill="#000000">ControlLoss</text>
</g>
<!-- Compromised&#45;&gt;ControlLoss -->
<g id="edge9" class="edge">
<title>Compromised-&gt;ControlLoss</title>
<path fill="none" stroke="#000000" d="M418,-303.8314C418,-296.131 418,-286.9743 418,-278.4166"/>
<polygon fill="#000000" stroke="#000000" points="421.5001,-278.4132 418,-268.4133 414.5001,-278.4133 421.5001,-278.4132"/>
</g>
<!-- Alert -->
<g id="node14" class="node">
<title>Alert</title>
<polygon fill="none" stroke="#000000" points="490,-196 346,-196 346,-160 490,-160 490,-196"/>
<text text-anchor="middle" x="418" y="-174.4" font-family="Times,serif" font-size="12.00" fill="#000000">Alert</text>
</g>
<!-- ControlLoss&#45;&gt;Alert -->
<g id="edge10" class="edge">
<title>ControlLoss-&gt;Alert</title>
<path fill="none" stroke="#000000" d="M418,-231.8314C418,-224.131 418,-214.9743 418,-206.4166"/>
<polygon fill="#000000" stroke="#000000" points="421.5001,-206.4132 418,-196.4133 414.5001,-206.4133 421.5001,-206.4132"/>
</g>
<!-- Recovery -->
<g id="node15" class="node">
<title>Recovery</title>
<polygon fill="none" stroke="#000000" points="490,-124 346,-124 346,-88 490,-88 490,-124"/>
<text text-anchor="middle" x="418" y="-102.4" font-family="Times,serif" font-size="12.00" fill="#000000">Recovery</text>
</g>
<!-- Alert&#45;&gt;Recovery -->
<g id="edge11" class="edge">
<title>Alert-&gt;Recovery</title>
<path fill="none" stroke="#000000" d="M418,-159.8314C418,-152.131 418,-142.9743 418,-134.4166"/>
<polygon fill="#000000" stroke="#000000" points="421.5001,-134.4132 418,-124.4133 414.5001,-134.4133 421.5001,-134.4132"/>
</g>
</g>
</svg>



@@ -0,0 +1,98 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><!-- Generated by graphviz version 2.40.1 (20161225.0304)
--><!-- Title: Log4ShellAttack Pages: 1 --><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="989pt" height="123pt" viewBox="0.00 0.00 989.33 123.00">
<g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(4 119)">
<title>Log4ShellAttack</title>
<polygon fill="#ffffff" stroke="transparent" points="-4,4 -4,-119 985.3312,-119 985.3312,4 -4,4"/>
<g id="clust1" class="cluster">
<title>cluster_steps</title>
<polygon fill="none" stroke="#000000" stroke-dasharray="1,5" points="8,-8 8,-107 973.3312,-107 973.3312,-8 8,-8"/>
<text text-anchor="middle" x="490.6656" y="-90.4" font-family="Times,serif" font-size="14.00" fill="#000000">Log4Shell Attack Steps</text>
</g>
<!-- VulnerableSystem -->
<g id="node1" class="node">
<title>VulnerableSystem</title>
<polygon fill="none" stroke="#000000" points="138.8728,-65.6019 16.0424,-65.6019 16.0424,-24.3981 138.8728,-24.3981 138.8728,-65.6019"/>
<text text-anchor="middle" x="77.4576" y="-49.2" font-family="Times,serif" font-size="14.00" fill="#000000">1. Identify</text>
<text text-anchor="middle" x="77.4576" y="-32.4" font-family="Times,serif" font-size="14.00" fill="#000000">Vulnerable System</text>
</g>
<!-- ExploitVulnerability -->
<g id="node2" class="node">
<title>ExploitVulnerability</title>
<polygon fill="none" stroke="#000000" points="265.39,-65.6019 175.0898,-65.6019 175.0898,-24.3981 265.39,-24.3981 265.39,-65.6019"/>
<text text-anchor="middle" x="220.2399" y="-49.2" font-family="Times,serif" font-size="14.00" fill="#000000">2. Exploit</text>
<text text-anchor="middle" x="220.2399" y="-32.4" font-family="Times,serif" font-size="14.00" fill="#000000">Vulnerability</text>
</g>
<!-- VulnerableSystem&#45;&gt;ExploitVulnerability -->
<g id="edge1" class="edge">
<title>VulnerableSystem-&gt;ExploitVulnerability</title>
<path fill="none" stroke="#000000" d="M139.2536,-45C147.6265,-45 156.1788,-45 164.4384,-45"/>
<polygon fill="#000000" stroke="#000000" points="164.7085,-48.5001 174.7085,-45 164.7085,-41.5001 164.7085,-48.5001"/>
</g>
<!-- ProcessPayload -->
<g id="node3" class="node">
<title>ProcessPayload</title>
<polygon fill="none" stroke="#000000" points="421.9542,-65.6019 301.7676,-65.6019 301.7676,-24.3981 421.9542,-24.3981 421.9542,-65.6019"/>
<text text-anchor="middle" x="361.8609" y="-49.2" font-family="Times,serif" font-size="14.00" fill="#000000">3. Process</text>
<text text-anchor="middle" x="361.8609" y="-32.4" font-family="Times,serif" font-size="14.00" fill="#000000">Malicious Payload</text>
</g>
<!-- ExploitVulnerability&#45;&gt;ProcessPayload -->
<g id="edge2" class="edge">
<title>ExploitVulnerability-&gt;ProcessPayload</title>
<path fill="none" stroke="#000000" d="M265.439,-45C273.7908,-45 282.6919,-45 291.5819,-45"/>
<polygon fill="#000000" stroke="#000000" points="291.5843,-48.5001 301.5843,-45 291.5842,-41.5001 291.5843,-48.5001"/>
</g>
<!-- RemoteCodeExecution -->
<g id="node4" class="node">
<title>RemoteCodeExecution</title>
<polygon fill="none" stroke="#000000" points="564.5553,-65.6019 458.3573,-65.6019 458.3573,-24.3981 564.5553,-24.3981 564.5553,-65.6019"/>
<text text-anchor="middle" x="511.4563" y="-49.2" font-family="Times,serif" font-size="14.00" fill="#000000">4. Remote Code</text>
<text text-anchor="middle" x="511.4563" y="-32.4" font-family="Times,serif" font-size="14.00" fill="#000000">Execution</text>
</g>
<!-- ProcessPayload&#45;&gt;RemoteCodeExecution -->
<g id="edge3" class="edge">
<title>ProcessPayload-&gt;RemoteCodeExecution</title>
<path fill="none" stroke="#000000" d="M422.2759,-45C430.6928,-45 439.3622,-45 447.8359,-45"/>
<polygon fill="#000000" stroke="#000000" points="448.0446,-48.5001 458.0446,-45 448.0445,-41.5001 448.0446,-48.5001"/>
</g>
<!-- PrivilegeEscalation -->
<g id="node5" class="node">
<title>PrivilegeEscalation</title>
<polygon fill="none" stroke="#000000" points="681.073,-65.6019 600.982,-65.6019 600.982,-24.3981 681.073,-24.3981 681.073,-65.6019"/>
<text text-anchor="middle" x="641.0275" y="-49.2" font-family="Times,serif" font-size="14.00" fill="#000000">5. Privilege</text>
<text text-anchor="middle" x="641.0275" y="-32.4" font-family="Times,serif" font-size="14.00" fill="#000000">Escalation</text>
</g>
<!-- RemoteCodeExecution&#45;&gt;PrivilegeEscalation -->
<g id="edge4" class="edge">
<title>RemoteCodeExecution-&gt;PrivilegeEscalation</title>
<path fill="none" stroke="#000000" d="M564.9059,-45C573.4302,-45 582.2248,-45 590.6743,-45"/>
<polygon fill="#000000" stroke="#000000" points="590.7683,-48.5001 600.7683,-45 590.7683,-41.5001 590.7683,-48.5001"/>
</g>
<!-- ExfiltrationOrExploitation -->
<g id="node6" class="node">
<title>ExfiltrationOrExploitation</title>
<polygon fill="none" stroke="#000000" points="847.1934,-74.4014 717.335,-74.4014 717.335,-15.5986 847.1934,-15.5986 847.1934,-74.4014"/>
<text text-anchor="middle" x="782.2642" y="-57.6" font-family="Times,serif" font-size="14.00" fill="#000000">6. Data</text>
<text text-anchor="middle" x="782.2642" y="-40.8" font-family="Times,serif" font-size="14.00" fill="#000000">Exfiltration or</text>
<text text-anchor="middle" x="782.2642" y="-24" font-family="Times,serif" font-size="14.00" fill="#000000">Further Exploitation</text>
</g>
<!-- PrivilegeEscalation&#45;&gt;ExfiltrationOrExploitation -->
<g id="edge5" class="edge">
<title>PrivilegeEscalation-&gt;ExfiltrationOrExploitation</title>
<path fill="none" stroke="#000000" d="M681.1225,-45C689.2996,-45 698.1528,-45 707.1037,-45"/>
<polygon fill="#000000" stroke="#000000" points="707.2203,-48.5001 717.2202,-45 707.2202,-41.5001 707.2203,-48.5001"/>
</g>
<!-- CoveringTracks -->
<g id="node7" class="node">
<title>CoveringTracks</title>
<polygon fill="none" stroke="#000000" points="965.3825,-65.6019 883.1775,-65.6019 883.1775,-24.3981 965.3825,-24.3981 965.3825,-65.6019"/>
<text text-anchor="middle" x="924.28" y="-49.2" font-family="Times,serif" font-size="14.00" fill="#000000">7. Covering</text>
<text text-anchor="middle" x="924.28" y="-32.4" font-family="Times,serif" font-size="14.00" fill="#000000">Tracks</text>
</g>
<!-- ExfiltrationOrExploitation&#45;&gt;CoveringTracks -->
<g id="edge6" class="edge">
<title>ExfiltrationOrExploitation-&gt;CoveringTracks</title>
<path fill="none" stroke="#000000" d="M847.453,-45C855.9638,-45 864.5869,-45 872.8287,-45"/>
<polygon fill="#000000" stroke="#000000" points="873.0273,-48.5001 883.0273,-45 873.0273,-41.5001 873.0273,-48.5001"/>
</g>
</g>
</svg>
