Log4Shell Vulnerability Detection with Anvilogic

‍

As the critically of high impacting remote code execution vulnerability for CVE-2021-44228, also known as “Log4Shell”, percolated through the security industry on Friday, December 10th, 2021, Anvilogic has been active in researching and producing detection content for our customers. The team tested and developed an initial detection focusing on the “jndi” request and made it available for deployment to all our customers that same morning.

Our team continues to identify patterns and update detection logic as new details emerge to ensure coverage of the evolving threat.

‍Need ready-to-deploy code, we got you with no strings attached, reach out and we'll provide you Splunk (SPL) detection logic, contact: detection.support@anvilogic.com

Anvilogic Customer Update

Since the initial logic release on Friday, December 10th, 2021, the Anvilogic team has actively tuned rule logic, researched exploit behaviors, and modified scenario detection logic to identify possible post-exploitation patterns. As the team continues to push new detection updates/opportunities, please continue to monitor communications via email and our customer Slack channel for additional updates.

Threat Detection Content

• Threat Scenarios:
• Common Log4Shell Payload
• Kinsing Behaviors
• Unix File Download, Modified, Executed

Applicable Use Case & Rules:

• Potential CVE-2021-44228 - Log4Shell
• Potential CVE-2021-44228 - Log4Shell (WAF)
• Potential CVE-2021-44228 - Log4Shell (Nix
• File Download (Unix)
• Modify File Attributes

Attack Flow

The complete attack chain of the log4j exploitation and specific areas of prevention is depicted by a graphic published by “GovCERT.ch.” Details of the exploit steps are as follows:

1. The attack begins with the attacker sending data to the server using any protocol.
2. Log4j logs the data transmitted from the attacker potentially containing the malicious payload.
3. Log4j interpolates the request through the Java Naming and Directory Interface (JNDI) lookup and queries the attacker’s payload delivery server.
4. The query returns a malicious remote java class file in the response.
5. The attacker can execute arbitrary code as this injected payload triggers a second stage.

‍

‍Threat Example

Attack flow to be abused by an attacker in a vulnerable code snippet provided by ShiftLeft contains all necessary conditions utilizing any endpoint protocol to send the exploit string and logging the request string in a log statement.

Detection Logic

As details of detection opportunities have surfaced for the vulnerability, the Anvilogic team has been continually updating our detection logic with applicable logging platforms being WAF and Unix. Specifically, for the WAF detection, we focused on the “jndi” string, constantly tuning the logic to detect the various combinations used in exploits and the different styles of obfuscation. In combination with our internal lab testing, the cybersecurity community’s intelligence and research helped us understand how threat actors are experimenting with the vulnerability. We incorporate valid techniques into our logic, such as what we observed from honeypots. Below is an example from Nozomi Networks of the delivery methods and obfuscation techniques.

Anvilogic Use Case Demonstration

In the below video, you can see a quick demo of the Anvilogic platform, and the features associated with our detection use case.

Threat Scenario

In addition to the detection use case, the Anvilogic platform focuses on threat sequences, a combination of malicious behaviors through creating a threat scenario that links several use cases together in a time-bound sequence. An observed script exploiting Log4Shell to deploy Kinsing malware was shared by Medium (below) that describes behaviors associated with the malware, initially downloading files, modifying attributes, stopping services, and so on. Of the individual behaviors listed, you could imagine a large volume of alerts triggered individually with those warning signals, as they are somewhat common system administrator’s activities. But the confidence of the activity being malicious increases when all three occur in sequence. The below execution sequence in the image from Medium is an example. Still, the concept applies to all aspects of detection as there are core behaviors patterns that highlight a security incident vs. a pure signature.

Anvilogic Threat Scenario Demonstration

We’ll demonstrate the Anvilogic platform of the threat scenario builder to show its flexibility and ease of use.

Closing

As organizations push to patch and mitigate, Anvilogic will be diligent in our efforts to actively research detection opportunities and threat examples to ensure unimpeded operations of our trusted clients. The threat of Log4Shell impacts technology on a large scale; however, the challenge isn’t something we at Anvilogic shy away from; we will continue to provide detection coverage for all applicable threats to our customers.

Get In Touch

While we touched on a sample of what Anvilogic can achieve for an organization, feel free to contact us for more information. We are sure we can provide additional value to your organization, including threat prioritizations, detection code development, enrichment, automation, and more. We can help you ensure your SOC operations are running at their most optimal level.

To gain better insight into our company value, check out our blog post “The Missing Link for Workflow Automation in the SOC”; let us show you how you can get there as well.

For more information on our product and service offerings, please contact us at: info@anvilogic.com.

‍References:

• Anvilogic: https://www.anvilogic.com/learn/the-missing-link-for-workflow-automation-in-the-soc
• GovCERT: https://govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/
• Medium: https://medium.com/proferosec-osm/log4shell-massive-kinsing-deployment-9aea3cf1612d
• Nozomi Networks: https://www.nozominetworks.com/blog/critical-log4shell-apache-log4j-zero-day-attack-analysis/
• ShiftLeft: https://blog.shiftleft.io/log4shell-jndi-injection-via-attackable-log4j-6bfea2b4896e