Escaping special characters to search for latest log4j exploit payload

Hi all,

Would anyone have ideas on how to search for the latest log4j DoS exploit, example payload: "${${::-${::-$${::-j}}}}"? We are having trouble escaping the characters in a KQL search; however, we are open to an EQL search across all indices as well if that would work better.

Here is a blog post on detecting the log4j exploit with Elastic Security: Detecting Exploitation of CVE-2021-44228 (log4j2) with Elastic Security | Elastic Blog
