Detecting and responding to Apache “Log4j 2” using Google Chronicle

Raw Log Search

We recommend customers use Chronicle to search for historical exploit attempts. The platform can search for the relevant attack substring “jndi” across your enterprise using both UDM Structured Query and Raw Log Scan with Regular Expressions (RegEx). You can also try different regex variations of “jndi”.

Historical Raw Log Search Across The Enterprise

Detection Rules

Chronicle uses its UDM to normalize log data, making it possible to search for indicators and TTPs in fewer steps. The following two rules are powerful examples of this. Many sources have flagged attackers using user agents, URLs, and referral URLs to encode malicious JNDI URLs. One of the most critical indicators to search for is process execution whose command line contains JNDI strings. This process launch data is consumed from a majority of EDRs today, and Chronicle can look for process execution with the relevant strings (even across operating systems, as long as the string can be captured in a regular expression).

rule cve_2021_44228_execution {
  meta:
    tactic = "TA0002"
    description = "Identifies process execution using JNDI strings."
  events:
    $event.metadata.event_type = "PROCESS_LAUNCH"
    $event.target.process.command_line = /.*\$\{jndi\:(ldap|rmi|ldaps|dns)\:.*\}.*/ nocase
    $event.principal.hostname = $hostname
  condition:
    $event
}

rule cve_2021_44228_http {
  meta:
    tactic = "TA0002"
    technique = "T1059"
    description = "Identifies JNDI strings in network user agents or URIs."
    reference = "https://www.lunasec.io/docs/blog/log4j-zero-day/"
  events:
    $event.metadata.event_type = "NETWORK_HTTP"
    (
      $event.network.http.user_agent = /(\{jndi:.*\}|\{env:.*\}|:j\}.*\{)/ or
      $event.network.http.referral_url = /(\{jndi:.*\}|\{env:.*\}|:j\}.*\{)/ or
      $event.target.url = /(\{jndi:.*\}|\{env:.*\}|:j\}.*\{)/
    )
  condition:
    $event
}

Identify Low Prevalence Events

An attacker could exploit this vulnerability by sending a specially crafted request to a server running a vulnerable version of log4j 2. This can lead to further compromise by having assets in your environment beacon out to malicious servers.

Low prevalence destination Investigation in Chronicle
