Log4Shell CVE-2021-44228

Try in Splunk Security Cloud

Description

Log4Shell or CVE-2021-44228 is a Remote Code Execution (RCE) vulnerability in the Apache Log4j library, a widely used and ubiquitous logging framework for Java. The vulnerability allows an attacker who can control log messages to execute arbitrary code loaded from attacker-controlled servers and we anticipate that most apps using the Log4j library will meet this condition.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint, Endpoint_Processes, Network_Traffic, Risk, Web
• Last Updated: 2021-12-11
• Author: Jose Hernandez
• ID: b4453928-5a98-11ec-afcd-8de10b48fc52

Narrative

In late November 2021, Chen Zhaojun of Alibaba identified a remote code execution vulnerability. Previous work was seen in a 2016 Blackhat talk by Alvaro Munoz and Oleksandr Mirosh called “A Journey from JNDI/LDAP Manipulation to Remote Code Execution Dream Land”. Reported under the CVE ID : CVE-2021-44228, released to the public on December 10, 2021. The vulnerability is exploited through improper deserialization of user input passed into the framework. It permits remote code execution and it can allow an attacker to leak sensitive data, such as environment variables, or execute malicious software on the target system.

Detections

Name	Technique	Type
Any Powershell DownloadFile	Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer	TTP
CMD Carry Out String Command Parameter	Windows Command Shell, Command and Scripting Interpreter	Hunting
Curl Download and Bash Execution	Ingress Tool Transfer	TTP
Detect Outbound LDAP Traffic	Exploit Public-Facing Application, Command and Scripting Interpreter	Hunting
Hunting for Log4Shell	Exploit Public-Facing Application	Hunting
Java Class File download by Java User Agent	Exploit Public-Facing Application	TTP
Linux Java Spawning Shell	Exploit Public-Facing Application	TTP
Log4Shell CVE-2021-44228 Exploitation	Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter	Correlation
Log4Shell JNDI Payload Injection Attempt	Exploit Public-Facing Application	Anomaly
Log4Shell JNDI Payload Injection with Outbound Connection	Exploit Public-Facing Application	Anomaly
Outbound Network Connection from Java Using Default Ports	Exploit Public-Facing Application	TTP
PowerShell - Connect To Internet With Hidden Window	PowerShell, Command and Scripting Interpreter	Hunting
Wget Download and Bash Execution	Ingress Tool Transfer	TTP
Windows Java Spawning Shells	Exploit Public-Facing Application	TTP
Windows Powershell Connect to Internet With Hidden Window	Automated Exfiltration	Anomaly
Windows Powershell DownloadFile	Automated Exfiltration	Anomaly

Reference

• https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/
• https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j
• https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/
• https://www.lunasec.io/docs/blog/log4j-zero-day/
• https://www.splunk.com/en_us/blog/security/log-jammin-log4j-2-rce.html

source | version: 1