This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
796570686578
Collaborator
‎2021-12-14 01:27 AM

CVE-2021-44228 - Two .csv files of known malicious hosts ready for mgmt_cli import

I have created lists of hosts known to exploit CVE-2021-44228. These .csv files are ready for import to CheckPoint Management via mgmt_cli.

Link to csv files: https://github.com/rapbit0/log4shell

These lists are based on the following sources:

gnremy_hosts.csv : https://gist.github.com/gnremy/c546c7911d5f876f263309d7161a7217#file-cve-2021-44228_ips-csv
blotus_hosts.csv : https://gist.github.com/blotus/f87ed46718bfdc634c9081110d243166#file-log4j_exploitation_attempts_cro...

The files are setup like the following:

name,ipv4-address,groups,color,tags
h_167.99.88.151_CVE-2021-44228,167.99.88.151,groupname,red,CVE-2021-44228_Log4J
h_167.99.44.32_CVE-2021-44228,167.99.44.32,groupname,red,CVE-2021-44228_Log4J
h_167.99.36.245_CVE-2021-44228,167.99.36.245,groupname,red,CVE-2021-44228_Log4J
h_167.71.4.81_CVE-2021-44228,167.71.4.81,groupname,red,CVE-2021-44228_Log4J

name: h_167.99.88.151_CVE-2021-44228 // consists of h_IPADDRESS_CVE-2021-44228
ipv4-address: IPv4Address
groups: groupname //The group you want to add the hosts to
color: red
tags: CVE-2021-44228_Log4J

How To:

  1. First create the Network Group you want to add the hosts to on your Management and publish the changes. You can also create the Group "groupname", and change the Group Name after the hosts have been added to the group. If you dont use "groupname" as a group, make sure to edit the .csv file!

  2. Run mgmt_cli your prefered way with the command "add host --batch filename.csv". See 3. if you are not sure how to use mgmt_cli

  3. Connect to your Management Server via ssh

  4. Copy blotus_hosts.csv & gnremy_hosts.csv to the management server (via sftp,scp, etc.)

  5. In expert mode run the command: dos2unix blotus_hosts.csv (dos2unix will convert the files from DOS line endings (carriage return + line feed) to Unix line endings (line feed). This is was necessary for me after editing the files in excel)

  6. In expert mode run the command: dos2unix gnremy_hosts.csv

  7. (For Single Domain)
    // login save 'session-id' into text file called id.txt
    mgmt_cli login user admin password vpn123 > id.txt

    // use the id.txt as a file from which the session-id (your token) is taken and perform add host command.
    mgmt_cli add host --batch blotus_hosts.csv -s id.txt
    mgmt_cli add host --batch gnremy_hosts.csv -s id.txt

    // publish and logout (again using the same session-id)
    mgmt_cli publish –s id.txt
    mgmt_cli logout –s id.txt

  8. (For Multi Domain)
    // login to domain named MyDomain and save 'session-id' into text file called id.txt. (you can use -d "MyDomain" as well)
    mgmt_cli login user admin password vpn123 domain "MyDomain" > id.txt

    // use the id.txt as a file from which the session-id (your token) is taken and perform add host command.
    mgmt_cli add host --batch blotus_hosts.csv -s id.txt
    mgmt_cli add host --batch gnremy_hosts.csv -s id.txt

    // publish and logout (again using the same session-id)
    mgmt_cli publish –s id.txt
    mgmt_cli logout –s id.txt

  9. (For the Lazy, single domain)
    mgmt_cli -r true add host --batch blotus_hosts.csv
    mgmt_cli -r true add host --batch gnremy_hosts.csv

  10. Alternative to publishing your session via CLI(mgmt_cli publish –s id.txt): Connect to Smart Console, goto Manage & Settings -> Sessions -> View Sessions -> Right Click on your Web API Session containing the changes -> Take Over the Session or publish.

  11. If you have used the default group "groupname", change the group to something else

 

If you have any issues, questions etc. feel free to ask! If there are any other lists of known IPs you would like to see, please let me know

0 Kudos
1 Reply
Cyber_Serge
Collaborator
‎2021-12-16 07:03 PM

Hi, thanks for sharing the list.

Did you look into Custom Intelligence Feeds (sk132193)? If you have the IP address in csv format already, it should be easier to import it as IOC following the sk. It'll save time so no need to create group and hosts.

I also found that instead of using cli to setup on each gateway, you can also import IOC using Smart Console. Then it will get pushed to the gateway it manages.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events