A few false positives are better then not detecting anything at all. It is better to get automated detection setup now and refine it later. Add this query to the Splunk automated alerts.Convert hostnames in the log4j payloads to IP addresses.Tighten the Splunk zeek_conn.log query to only include connection flags of successful connections.The log4j detection within Zeek, does not capture SSL encrypted connections. Include additional log sources, such a web servers, load balancers, etc.There are a number of way to improve detection. In this playbook, the risk from exploited hosts can be mitigated by optionally deleting malicious files from the hosts, blocking outbound network connections from the hosts, and/or shutting down the hosts. This is a quick and dirty demonstration of Zeek and Splunk’s ability to reliably find exploited hosts reaching out to servers hosting malicious log4j payloads. Splunk logging for Java enables you to log events to HTTP Event Collector or to a TCP input on a Splunk Enterprise instance within your Java applications. Published in response to CVE-2021-44228, this playbook is meant to be launched after log4jinvestigate. index=zeek sourcetype=zeek_conn Īny results to this query indicate a device on the local network is reaching out to a server hosting malicious log4j payloads: Once the target hosts are identified, another query is made to the zeek_conn.log to find any instances where local devices reached out the payload host. Again, these are the hosts a compromised device will contact to download the malicious payload. The following query will first subsearch the zeek_log4j.log to find all the unique instances of log4j payload hosts. I am running the wget command on a host performing the commands necessary to compromise the target and communicate with a host where the malicious payload is hosted. To generate testing data in this lab environment. Please wait, as this may take a few minutes. In this case, the syntax and semantics are the same as in log4j: import /opt/splunkforwarder/bin/splunk restartĮxample output: sudo /opt/splunkforwarder/bin/splunk restart Public class Log4JTransferService extends TransferService. Let's create the service implementation: import Log4Shell vulnerability in the popular Apache Log4j 2 is a critical zero-day vulnerability. If you are an Splunk Enterprise Security customer interested in similar functionality through Splunk Threat Intelligence Management, see the following page: Using Threat Intelligence Management. We're going to leverage beforeTransfer() and afterTransfer() to log some information about the transfer. Splunk Intel Management (Legacy) has reached end of sale. The beforeTransfer() and afterTransfer() methods can be overridden to run custom code right before and right after the transfer completes. Required data How to use Splunk software for this use case Next steps A serious vulnerability (CVE-2021-44228) in the popular open source Apache Log4j logging library poses a threat to thousands of applications and third-party services that leverage this library, allowing attackers to execute arbitrary code from an external source. connects to the remote service to actually transfer moneyĪbstract protected void beforeTransfer(long amount) Ībstract protected void afterTransfer(long amount, boolean outcome)
0 Comments
Leave a Reply. |