{
	"id": "73a4437c-e6f7-4ec8-b36c-fda4ebc9afc6",
	"created_at": "2026-04-06T00:08:02.948964Z",
	"updated_at": "2026-04-10T13:12:43.914515Z",
	"deleted_at": null,
	"sha1_hash": "495f96932966ef043a6b8ef54731ac6eec7bd692",
	"title": "Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3997810,
	"plain_text": "Guidance for preventing, detecting, and hunting for exploitation of\r\nthe Log4j 2 vulnerability | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2021-12-12 · Archived: 2026-04-05 14:30:36 UTC\r\nJanuary 10, 2022 recap – The Log4j vulnerabilities represent a complex and high-risk situation for companies\r\nacross the globe. This open-source component is widely used across many suppliers’ software and services. By\r\nnature of Log4j being a component, the vulnerabilities affect not only applications that use vulnerable libraries,\r\nbut also any services that use these applications, so customers may not readily know how widespread the issue is\r\nin their environment. Customers are encouraged to utilize scripts and scanning tools to assess their risk and\r\nimpact. Microsoft has observed attackers using many of the same inventory techniques to locate targets.\r\nSophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking\r\nadvantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities.\r\nIn January, we started seeing attackers taking advantage of the vulnerabilities in internet-facing systems,\r\neventually deploying ransomware. We have observed many existing attackers adding exploits of these\r\nvulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks.\r\nOrganizations may not realize their environments may already be compromised. Microsoft recommends\r\ncustomers to do additional review of devices where vulnerable installations are discovered.  At this juncture,\r\ncustomers should assume broad availability of exploit code and scanning capabilities to be a real and present\r\ndanger to their environments. 
Due to the many software and services that are impacted and given the pace of\r\nupdates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance.\r\nJanuary 19, 2022 update – We added new information about an unrelated vulnerability we discovered while\r\ninvestigating Log4j attacks.\r\nJanuary 21, 2022 update – Threat and vulnerability management can now discover vulnerable Log4j libraries,\r\nincluding Log4j files and other files containing Log4j, packaged into Uber-JAR files.\r\nThe remote code execution (RCE) vulnerabilities in Apache Log4j 2 referred to as “Log4Shell” (CVE-2021-44228,\r\nCVE-2021-45046, CVE-2021-44832) have presented a new attack vector and gained broad attention due to\r\ntheir severity and potential for widespread exploitation. The majority of attacks we have observed so far have been\r\nmainly mass-scanning, coin mining, establishing remote shells, and red-team activity, but it’s highly likely that\r\nattackers will continue adding exploits for these vulnerabilities to their toolkits.\r\nWith nation-state actors testing and implementing the exploit and known ransomware-associated access brokers\r\nusing it, we highly recommend applying security patches and updating affected products and services as soon as\r\npossible. Refer to the Microsoft Security Response Center blog for technical information about the vulnerabilities\r\nand mitigation recommendations.\r\nhttps://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation\r\nPage 1 of 34\n\nMeanwhile, defenders need to be diligent in detecting, hunting for, and investigating related threats. This blog\r\nreports our observations and analysis of attacks that take advantage of the Log4j 2 vulnerabilities. 
It also provides\r\nour recommendations for using Microsoft security solutions to (1) find and remediate vulnerable services and\r\nsystems and (2) detect, investigate, and respond to attacks.\r\nThis blog covers the following topics:\r\n1. Attack vectors and observed activity\r\n2. Finding and remediating vulnerable apps and systems\r\nThreat and vulnerability management\r\nDiscovering affected components, software, and devices via a unified Log4j dashboard\r\nApplying mitigation directly in the Microsoft 365 Defender portal\r\nMicrosoft 365 Defender advanced hunting\r\nMicrosoft Defender for Cloud\r\nMicrosoft Defender for servers\r\nMicrosoft Defender for Containers\r\nMicrosoft Sentinel queries\r\nRiskIQ EASM and Threat Intelligence\r\n3. Detecting and responding to exploitation attempts and other related attacker activity\r\nMicrosoft 365 Defender\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender for Endpoint\r\nMicrosoft Defender for Cloud Apps\r\nMicrosoft Defender for Office 365\r\nMicrosoft 365 Defender advanced hunting\r\nMicrosoft Defender for Cloud\r\nMicrosoft Defender for IoT\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel queries\r\nAzure Firewall Premium\r\nAzure Web Application Firewall (WAF)\r\n4. Indicators of compromise (IoCs)\r\nAttack vectors and observed activity\r\nMicrosoft’s unified threat intelligence team, comprising the Microsoft Threat Intelligence Center (MSTIC),\r\nMicrosoft 365 Defender Threat Intelligence Team, RiskIQ, and the Microsoft Detection and Response Team\r\n(DART), among others, have been tracking threats taking advantage of the remote code execution (RCE)\r\nvulnerabilities in Apache Log4j 2 referred to as “Log4Shell”.\r\nThe bulk of attacks that Microsoft has observed at this time have been related to mass scanning by attackers\r\nattempting to thumbprint vulnerable systems, as well as scanning by security companies and researchers. 
An\r\nexample pattern of attack would appear in a web request log with strings like the following:\r\nAn attacker performs an HTTP request against a target system, which generates a log using Log4j 2 that leverages\r\nJNDI to perform a request to the attacker-controlled site. The vulnerability then causes the exploited process to\r\nreach out to the site and execute the payload.  In many observed attacks, the attacker-owned parameter is a DNS\r\nlogging system, intended to log a request to the site to fingerprint the vulnerable systems.\r\nThe specially crafted string that enables exploitation of the vulnerabilities can be identified through several\r\ncomponents. The string contains “jndi”, which refers to the Java Naming and Directory Interface. Following this,\r\nthe protocol, such as “ldap”, “ldaps”, “rmi”, “dns”, “iiop”, or “http”, precedes the attacker domain.\r\nAs security teams work to detect the exploitation, attackers have added obfuscation to these requests to evade\r\ndetections based on request patterns. We’ve seen things like running a lower or upper command within the\r\nexploitation string and even more complicated obfuscation attempts, such as the following, that are all trying to\r\nbypass string-matching detections:\r\nThe vast majority of observed activity has been scanning, but exploitation and post-exploitation activities have\r\nalso been observed. Based on the nature of the vulnerabilities, once the attacker has full access and control of an\r\napplication, they can perform a myriad of objectives. 
Microsoft has observed activities including installing coin\r\nminers, using Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from\r\ncompromised systems.\r\nExploitation continues on non-Microsoft hosted Minecraft servers\r\nMinecraft customers running their own servers are encouraged to deploy the latest Minecraft server update as soon\r\nas possible to protect their users. More information can be found here: https://aka.ms/mclog.\r\nMicrosoft can confirm public reports of the Khonsari ransomware family being delivered as payload post-exploitation, as discussed by Bitdefender. In Microsoft Defender Antivirus data we have observed a small number\r\nof cases of this being launched from compromised Minecraft clients connected to modified Minecraft servers\r\nrunning a vulnerable version of Log4j 2 via the use of a third-party Minecraft mods loader.\r\nIn these cases, an adversary sends a malicious in-game message to a vulnerable Minecraft server, which exploits\r\nCVE-2021-44228 to retrieve and execute an attacker-hosted payload on both the server and on connected\r\nvulnerable clients. We observed exploitation leading to a malicious Java class file that is the Khonsari\r\nransomware, which is then executed in the context of javaw.exe to ransom the device.\r\nWhile it’s uncommon for Minecraft to be installed in enterprise networks, we have also observed PowerShell-based reverse shells being dropped to Minecraft client systems via the same malicious message technique, giving\r\nan actor full access to a compromised system, which they then use to run Mimikatz to steal credentials. These\r\ntechniques are typically associated with enterprise compromises with the intent of lateral movement. 
Microsoft\r\nhas not observed any follow-on activity from this campaign at this time, indicating that the attacker may be\r\ngathering access for later use.\r\nDue to the shifts in the threat landscape, Microsoft reiterates the guidance for Minecraft customers running their\r\nown servers to deploy the latest Minecraft server update and for players to exercise caution by only connecting to\r\ntrusted Minecraft servers.\r\nNation-state activity\r\nApril 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy\r\naligned around the theme of weather. To learn more about this evolution, how the new taxonomy\r\nrepresents the origin, unique traits, and impact of threat actors, and a complete mapping of threat actor\r\nnames, read this blog: Microsoft shifts to a new threat actor naming taxonomy.\r\nMSTIC has also observed the CVE-2021-44228 vulnerability being used by multiple tracked nation-state activity\r\ngroups originating from China, Iran, North Korea, and Turkey. This activity ranges from experimentation during\r\ndevelopment, integration of the vulnerabilities to in-the-wild payload deployment, and exploitation against targets\r\nto achieve the actor’s objectives.\r\nFor example, MSTIC has observed PHOSPHORUS, an Iranian actor known to deploy ransomware, acquiring and\r\nmaking modifications of the Log4j exploit. We assess that PHOSPHORUS has operationalized these\r\nmodifications.\r\nIn addition, HAFNIUM, a threat actor group operating out of China, has been observed utilizing the vulnerability\r\nto attack virtualization infrastructure to extend their typical targeting. 
In these attacks, HAFNIUM-associated\r\nsystems were observed using a DNS service typically associated with testing activity to fingerprint systems.\r\nAccess brokers associated with ransomware\r\nMSTIC and the Microsoft 365 Defender team have confirmed that multiple tracked activity groups acting as\r\naccess brokers have begun using the vulnerability to gain initial access to target networks. These access brokers\r\nthen sell access to these networks to ransomware-as-a-service affiliates. We have observed these groups\r\nattempting exploitation on both Linux and Windows systems, which may lead to an increase in human-operated\r\nransomware impact on both of these operating system platforms.\r\nMass scanning activity continues\r\nThe vast majority of traffic observed by Microsoft remains mass scanners by both attackers and security\r\nresearchers. Microsoft has observed rapid uptake of the vulnerability into existing botnets like Mirai, existing\r\ncampaigns previously targeting vulnerable Elasticsearch systems to deploy cryptocurrency miners, and activity\r\ndeploying the Tsunami backdoor to Linux systems. Many of these campaigns are running concurrent scanning and\r\nexploitation activities for both Windows and Linux systems, using Base64 commands included in the JNDI:ldap://\r\nrequest to launch bash commands on Linux and PowerShell on Windows.\r\nMicrosoft has also continued to observe malicious activity performing data leakage via the vulnerability without\r\ndropping a payload. 
This attack scenario could be especially impactful against network devices that have SSL\r\ntermination, where the actor could leak secrets and data.\r\nAdditional RAT payloads\r\nWe’ve observed the dropping of additional remote access toolkits and reverse shells via exploitation of CVE-2021-44228, which actors then use for hands-on-keyboard attacks. In addition to the Cobalt Strike and PowerShell\r\nreverse shells seen in earlier reports, we’ve also seen Meterpreter, Bladabindi, and HabitsRAT. Follow-on\r\nactivities from these shells have not been observed at this time, but these tools have the ability to steal passwords\r\nand move laterally.\r\nThis activity is split between a percentage of small-scale campaigns that may be more targeted or related to\r\ntesting, and the addition of CVE-2021-44428 to existing campaigns that were exploiting vulnerabilities to drop\r\nremote access tools. In the HabitsRAT case, the campaign was seen overlapping with infrastructure used in prior\r\ncampaigns.\r\nWebtoos\r\nThe Webtoos malware has DDoS capabilities and persistence mechanisms that could allow an attacker to perform\r\nadditional activities. 
As reported by RiskIQ, Microsoft has seen Webtoos being deployed via the vulnerability.\r\nAttackers’ use of this malware or intent is not known at this time, but the campaign and infrastructure have been in\r\nuse and have been targeting both Linux and Windows systems prior to this vulnerability.\r\nA note on testing services and assumed benign activity\r\nWhile services such as interact.sh, canarytokens.org, burpsuite, and dnslog.cn may be used by IT organizations to\r\nprofile their own threat footprints, Microsoft encourages including these services in your hunting queries and\r\nvalidating observations of these in environments to ensure they are intentional and legitimate activity.\r\nExploitation in internet-facing systems leads to ransomware\r\nAs early as January 4, attackers started exploiting the CVE-2021-44228 vulnerability in internet-facing systems\r\nrunning VMware Horizon. Our investigation shows that successful intrusions in these campaigns led to the\r\ndeployment of the NightSky ransomware.\r\nThese attacks are performed by a China-based ransomware operator that we’re tracking as DEV-0401. 
DEV-0401\r\nhas previously deployed multiple ransomware families including LockFile, AtomSilo, and Rook, and has similarly\r\nexploited Internet-facing systems running Confluence (CVE-2021-26084) and on-premises Exchange servers\r\n(CVE-2021-34473).\r\nBased on our analysis, the attackers are using command and control (CnC) servers that spoof legitimate domains.\r\nThese include service[.]trendmrcio[.]com, api[.]rogerscorp[.]org, api[.]sophosantivirus[.]ga,\r\napicon[.]nvidialab[.]us, w2zmii7kjb81pfj0ped16kg8szyvmk.burpcollaborator[.]net, and 139[.]180[.]217[.]203.\r\nAttackers propagating Log4j attacks via previously undisclosed vulnerability\r\nDuring our sustained monitoring of threats taking advantage of the Log4j 2 vulnerabilities, we observed activity\r\nrelated to attacks being propagated via a previously undisclosed vulnerability in the SolarWinds Serv-U software.\r\nWe discovered that the vulnerability, now tracked as CVE-2021-35247, is an input validation vulnerability that\r\ncould allow attackers to build a query given some input and send that query over the network without sanitation.\r\nWe reported our discovery to SolarWinds, and we’d like to thank their teams for immediately investigating and\r\nworking to remediate the vulnerability. We strongly recommend that affected customers apply the security updates\r\nreleased by SolarWinds; refer to the SolarWinds advisory here: https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35247.\r\nMicrosoft customers can use threat and vulnerability management in Microsoft Defender for Endpoint to identify\r\nand remediate devices that have this vulnerability. 
In addition, Microsoft Defender Antivirus and Microsoft\r\nDefender for Endpoint detect malicious behavior related to the observed activity.\r\nFinding and remediating vulnerable apps and systems\r\nThreat and vulnerability management\r\nThreat and vulnerability management capabilities in Microsoft Defender for Endpoint monitor an organization’s\r\noverall security posture and equip customers with real-time insights into organizational risk through continuous\r\nvulnerability discovery, intelligent prioritization, and the ability to seamlessly remediate vulnerabilities.\r\nDiscovering affected components, software, and devices via a unified Log4j dashboard\r\nThreat and vulnerability management automatically and seamlessly identifies devices affected by the Log4j\r\nvulnerabilities and the associated risk in the environment and significantly reduces time-to-mitigate. Microsoft\r\ncontinues to iterate on these features based on the latest information from the threat landscape. This section will be\r\nupdated as those new features become available for customers.\r\nThe wide use of Log4j across many suppliers’ products challenges defender teams to mitigate and address the risks\r\nposed by the vulnerabilities (CVE-2021-44228 or CVE-2021-45046).  The threat and vulnerability management\r\ncapabilities within Microsoft 365 Defender can help identify vulnerable installations. On December 15, we began\r\nrolling out updates to provide a consolidated view of the organizational exposure to the Log4j 2 vulnerabilities—\r\non the device, software, and vulnerable component level—through a range of automated, complementing\r\ncapabilities. These capabilities are supported on Windows 10, Windows 11, and Windows Server 2008, 2012, and\r\n2016. They are also supported on Linux, but they require updating the Microsoft Defender for Endpoint Linux\r\nclient to version 101.52.57 (30.121092.15257.0) or later. 
The updates include the following:\r\nDiscovery of vulnerable Log4j library components (paths) on devices\r\nDiscovery of vulnerable installed applications that contain the Log4j library on devices\r\nA dedicated Log4j dashboard that provides a consolidated view of various findings across vulnerable\r\ndevices, vulnerable software, and vulnerable files\r\nIntroduction of a new schema in advanced hunting, DeviceTvmSoftwareEvidenceBeta, which surfaces\r\nfile-level findings from the disk and provides the ability to correlate them with additional context in\r\nadvanced hunting:\r\nDeviceTvmSoftwareEvidenceBeta\r\n| mv-expand DiskPaths\r\n| where DiskPaths contains \"log4j\"\r\n| project DeviceId, SoftwareName, SoftwareVendor, SoftwareVersion, DiskPaths\r\nTo complement this new table, the existing DeviceTvmSoftwareVulnerabilities table in advanced hunting can be\r\nused to identify vulnerabilities in installed software on devices:\r\nDeviceTvmSoftwareVulnerabilities\r\n| where CveId in (\"CVE-2021-44228\", \"CVE-2021-45046\")\r\nThese capabilities integrate with the existing threat and vulnerability management experience and are gradually\r\nrolling out. As of December 27, 2021, discovery is based on installed application CPEs that are known to be\r\nvulnerable to Log4j RCE, as well as the presence of vulnerable Log4j Java Archive (JAR) files.\r\nAs of January 20, 2022, threat and vulnerability management can discover vulnerable Log4j libraries, including\r\nLog4j files and other files containing Log4j, packaged into Uber-JAR files. This capability is supported on\r\nWindows 10, Windows 11, Windows Server 2019, and Windows Server 2022. 
It is also supported on Windows\r\nServer 2012 R2 and Windows Server 2016 using the Microsoft Defender for Endpoint solution for earlier\r\nWindows server versions.\r\nThreat and vulnerability management provides layers of detection to help customers discover and mitigate\r\nvulnerable Log4j components. Specifically, it:\r\n1. determines if a JAR file contains a vulnerable Log4j file by examining JAR files and searching for the\r\nfollowing file: META-INF\\maven\\org.apache.logging.log4j\\log4j-core\\pom.properties; if the said file exists,\r\nthe Log4j version is read and extracted \r\n2. searches for the JndiLookup.class file inside the JAR file by looking for paths that contain the string\r\n“/log4j/core/lookup/JndiLookup.class”; if the JndiLookup.class file exists, threat and vulnerability\r\nmanagement determines if this JAR contains a Log4j file with the version defined in pom.properties \r\n3. searches for any vulnerable Log4j-core JAR files embedded within nested-JAR by searching for paths that\r\ncontain any of these strings:\r\nlib/log4j-core- \r\nWEB-INF/lib/log4j-core- \r\nApp-INF/lib/log4j-core- \r\nFigure 1. Threat and Vulnerability recommendation “Attention required: Devices found with vulnerable Apache\r\nLog4j versions”\r\nIn the Microsoft 365 Defender portal, go to Vulnerability management \u003e Dashboard \u003e Threat awareness, then\r\nclick View vulnerability details to see the consolidated view of organizational exposure to the Log4j 2\r\nvulnerability (for example, CVE-2021-44228 dashboard, as shown in the following screenshots) on the device,\r\nsoftware, and vulnerable component level.\r\nFigure 2. 
Threat and vulnerability management dedicated CVE-2021-44228 dashboard\r\nFigure 3. Threat and vulnerability management finds exposed paths\r\nFigure 4. Threat and vulnerability management finds exposed devices based on vulnerable software and\r\nvulnerable files detected on disk\r\nNote: Scan results may take some time to reach full coverage, and the number of discovered devices may be low\r\nat first but will grow as the scan reaches more devices. A regularly updated list of vulnerable products can be\r\nviewed in the Microsoft 365 Defender portal with matching recommendations. We will continue to review and\r\nupdate this list as new information becomes available.\r\nThrough device discovery, unmanaged devices with products and services affected by the vulnerabilities are also\r\nsurfaced so they can be onboarded and secured.\r\nFigure 5. Finding vulnerable applications and devices via software inventory\r\nApplying mitigation directly in the Microsoft 365 Defender portal\r\nWe have released two new threat and vulnerability management capabilities that can significantly simplify the\r\nprocess of turning off JNDI lookup, a workaround that can prevent the exploitation of the Log4j vulnerabilities on\r\nmost devices, using an environment variable called LOG4J_FORMAT_MSG_NO_LOOKUPS. These new\r\ncapabilities provide security teams with the following:\r\n1. View the mitigation status for each affected device. This can help prioritize mitigation and/or patching of\r\ndevices based on their mitigation status.\r\nTo use this feature, open the Exposed devices tab in the dedicated CVE-2021-44228 dashboard and review the\r\nMitigation status column. 
Note that it may take a few hours for the updated mitigation status of a device to be\r\nreflected.\r\nFigure 6. Viewing each device’s mitigation status\r\n2. Apply the mitigation (that is, turn off JNDI lookup) on devices directly from the portal. This feature is\r\ncurrently available for Windows devices only.\r\nThe mitigation will be applied directly via the Microsoft Defender for Endpoint client. To view the mitigation\r\noptions, click on the Mitigation options button in the Log4j dashboard:\r\nYou can choose to apply the mitigation to all exposed devices or select specific devices for which you would like\r\nto apply it. To complete the process and apply the mitigation on devices, click Create mitigation action.\r\nFigure 7. Creating mitigation actions for exposed devices.\r\nIn cases where the mitigation needs to be reverted, follow these steps:\r\n1. Open an elevated PowerShell window\r\n2. Run the following command:\r\n[Environment]::SetEnvironmentVariable(\"LOG4J_FORMAT_MSG_NO_LOOKUPS\", $null, [EnvironmentVariableTarge\r\nThe change will take effect after the device restarts.\r\nMicrosoft 365 Defender advanced hunting\r\nAdvanced hunting can also surface affected software. This query looks for possibly vulnerable applications using\r\nthe affected Log4j component. Triage the results to determine applications and programs that may need to be\r\npatched and updated.\r\nDeviceTvmSoftwareInventory\r\n| where SoftwareName contains \"log4j\"\r\n| project DeviceName, SoftwareName, SoftwareVersion\r\nFigure 8. 
Finding vulnerable software via advanced hunting\r\nMicrosoft Defender for Cloud\r\nMicrosoft Defender for servers\r\nOrganizations using Microsoft Defender for Cloud can use Inventory tools to begin investigations before there’s a\r\nCVE number. With Inventory tools, there are two ways to determine exposure across hybrid and multi-cloud\r\nresources:\r\nVulnerability assessment findings – Organizations that have enabled any of the vulnerability assessment\r\ntools (whether it’s Microsoft Defender for Endpoint’s threat and vulnerability management module,\r\nthe built-in Qualys scanner, or a bring-your-own-license solution) can search by CVE identifier:\r\nFigure 9. Searching vulnerability assessment findings by CVE identifier\r\nSoftware inventory – With the combined integration with Microsoft Defender for Endpoint and Microsoft\r\nDefender for servers, organizations can search for resources by installed applications and discover\r\nresources running the vulnerable software:\r\nFigure 10. Searching software inventory by installed applications\r\nNote that this doesn’t replace a search of your codebase. It’s possible that software with integrated Log4j libraries\r\nwon’t appear in this list, but this is helpful in the initial triage of investigations related to this incident. For more\r\ninformation about how Microsoft Defender for Cloud finds machines affected by CVE-2021-44228, read this tech\r\ncommunity post.\r\nMicrosoft Defender for Containers\r\nMicrosoft Defender for Containers is capable of discovering images affected by the vulnerabilities recently\r\ndiscovered in Log4j 2: CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105. 
Images are automatically\r\nscanned for vulnerabilities in three different use cases: when pushed to an Azure container registry, when pulled\r\nfrom an Azure container registry, and when container images are running on a Kubernetes cluster. Additional\r\ninformation on supported scan triggers and Kubernetes clusters can be found here. \r\nLog4j binaries are discovered whether they are deployed via a package manager, copied to the image as stand-alone binaries, or included within a JAR Archive (up to one level of nesting). \r\nWe will continue to follow up on any additional developments and will update our detection capabilities if any\r\nadditional vulnerabilities are reported.\r\nFinding affected images\r\nTo find vulnerable images across registries using the Azure portal, navigate to the Microsoft Defender for Cloud\r\nservice under Azure Portal. Open the Container Registry images should have vulnerability findings resolved\r\nrecommendation and search findings for the relevant CVEs. \r\nFigure 11. Finding images with the CVE-2021-45046 vulnerability \r\nFind vulnerable running images on Azure portal [preview] \r\nTo view only vulnerable images that are currently running on a Kubernetes cluster using the Azure portal, navigate\r\nto the Microsoft Defender for Cloud service under Azure Portal. Open the Vulnerabilities in running container\r\nimages should be remediated (powered by Qualys) recommendation and search findings for the relevant\r\nCVEs: \r\nFigure 12. 
Finding running images with the CVE-2021-45046 vulnerability\r\nNote: This recommendation requires clusters to run Microsoft Defender security profile to provide visibility on\r\nrunning images.\r\nSearch Azure Resource Graph data \r\nAzure Resource Graph (ARG) provides instant access to resource information across cloud environments with\r\nrobust filtering, grouping, and sorting capabilities. It’s a quick and efficient way to query information across Azure\r\nsubscriptions programmatically or from within the Azure portal. ARG provides another way to query resource\r\ndata for resources found to be affected by the Log4j vulnerability.\r\nThe following query finds resources affected by the Log4j vulnerability across subscriptions. Use the additional\r\ndata field across all returned results to obtain details on vulnerable resources: \r\nsecurityresources\r\n| where type =~ \"microsoft.security/assessments/subassessments\"\r\n| extend assessmentKey=extract(@\"(?i)providers/Microsoft.Security/assessments/([^/]*)\", 1, id),\r\nsubAssessmentId=tostring(properties.id), parentResourceId=extract(\"(.+)/providers/Microsoft.Security\", 1, id)\r\n| extend Props = parse_json(properties)\r\n| extend additionalData = Props.additionalData\r\n| extend cves = additionalData.cve\r\n| where isnotempty(cves) and array_length(cves) \u003e 0\r\n| mv-expand cves\r\n| where tostring(cves) has \"CVE-2021-44228\" or tostring(cves) has \"CVE-2021-45046\" or tostring(cves)\r\nhas \"CVE-2021-45105\"\r\nMicrosoft Sentinel queries\r\nMicrosoft Sentinel customers can use the following detection query to look for devices that have applications with\r\nthe vulnerability:\r\nVulnerable machines related to Log4j CVE-2021-44228\r\nThis query uses the Microsoft Defender for Cloud nested recommendations data to find machines vulnerable 
to\r\nLog4j CVE-2021-44228.\r\nMicrosoft Sentinel also provides a CVE-2021-44228 Log4Shell Research Lab Environment for testing the\r\nvulnerability: https://github.com/OTRF/Microsoft-Sentinel2Go/tree/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell\r\nRiskIQ EASM and Threat Intelligence\r\nRiskIQ has published a few threat intelligence articles on this CVE, with mitigation guidance and IOCs. The latest\r\none with links to previous articles can be found here. Both Community users and enterprise customers can search\r\nwithin the threat intelligence portal for data about potentially vulnerable components exposed to the Internet. For\r\nexample, it’s possible to surface all observed instances of Apache or Java, including specific versions. Leverage\r\nthis method of exploration to aid in understanding the larger Internet exposure, while also filtering down to what\r\nmay impact you. \r\nFor a more automated method, registered users can view their attack surface to understand tailored findings\r\nassociated with their organization. Note, you must be registered with a corporate email and the automated attack\r\nsurface will be limited. Digital Footprint customers can immediately understand what may be vulnerable and act\r\nswiftly and resolutely using the Attack Surface Intelligence Dashboard Log4J Insights tab. \r\nDetecting and responding to exploitation attempts and other related attacker\r\nactivity\r\nMicrosoft 365 Defender\r\nMicrosoft 365 Defender coordinates multiple security solutions that detect components of observed attacks taking\r\nadvantage of this vulnerability, from exploitation attempts to remote code execution and post-exploitation activity.\r\nFigure 13. Microsoft 365 Defender solutions protect against related threats\r\nCustomers can click Need help? 
in the Microsoft 365 Defender portal to open up a search widget. Customers can\r\nkey in “Log4j” to search for in-portal resources, check if their network is affected, and work on corresponding\r\nactionable items to mitigate them.\r\nMicrosoft Defender Antivirus\r\nTurn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker tools and\r\ntechniques. Cloud-based machine learning protections block the majority of new and unknown variants. Microsoft\r\nDefender Antivirus detects components and behaviors related to this threat as the following detection names:\r\nOn Windows:\r\nTrojan:Win32/Capfetox.AA – detects attempted exploitation on the attacker machine\r\nHackTool:Win32/Capfetox.A!dha – detects attempted exploitation on the attacker machine\r\nVirTool:Win64/CobaltSrike.A, TrojanDropper:PowerShell/Cobacis.A – detects Cobalt Strike Beacon\r\nloaders\r\nTrojanDownloader:Win32/CoinMiner – detects post-exploitation coin miner\r\nTrojan:Win32/WebToos.A – detects post-exploitation PowerShell\r\nRansom:MSIL/Khonsari.A – detects a strain of the Khonsari ransomware family observed being\r\ndistributed post-exploitation\r\nTrojan:Win64/DisguisedXMRigMiner – detects post-exploitation cryptocurrency miner\r\nTrojanDownloader:Java/Agent.S – detects suspicious class files used in post-exploitation\r\nTrojanDownloader:PowerShell/NitSky.A – detects attempts to download CobaltStrike Beacon payload\r\nOn Linux:\r\nTrojan:Linux/SuspectJavaExploit.A, Trojan:Linux/SuspectJavaExploit.B,\r\nTrojan:Linux/SuspectJavaExploit.C – blocks Java processes downloading and executing payload through\r\noutput redirection\r\nTrojan:Linux/BashMiner.A – detects post-exploitation cryptocurrency miner\r\nTrojanDownloader:Linux/CoinMiner – detects post-exploitation cryptocurrency 
miner\r\nTrojanDownloader:Linux/Tusnami – detects post-exploitation Backdoor Tsunami downloader\r\nBackdoor:Linux/Tusnami.C – detects post-exploitation Tsunami backdoor\r\nBackdoor:Linux/Setag.C – detects post-exploitation Gates backdoor\r\nExploit:Linux/CVE-2021-44228.A, Exploit:Linux/CVE-2021-44228.B – detects exploitation\r\nTrojanDownloader:Linux/Capfetox.A, TrojanDownloader:Linux/Capfetox.B\r\nTrojanDownloader:Linux/ShAgnt!MSR, TrojanDownloader:Linux/ShAgnt.A!MTB\r\nTrojan:Linux/Kinsing.L – detects post-exploitation cryptocurrency Kinsing miner\r\nTrojan:Linux/Mirai.TS!MTB – detects post-exploitation Mirai malware capable of performing DDoS\r\nBackdoor:Linux/Dakkatoni.az!MTB – detects post-exploitation Dakkatoni backdoor trojan capable of\r\ndownloading more payloads\r\nTrojan:Linux/JavaExploitRevShell.A – detects reverse shell attack post-exploitation\r\nTrojan:Linux/BashMiner.A, Trojan:Linux/BashMiner.B – detects post-exploitation cryptocurrency miner\r\nMicrosoft Defender for Endpoint\r\nUsers of Microsoft Defender for Endpoint can turn on the following attack surface reduction rule to block or audit\r\nsome observed activity associated with this threat.\r\nBlock executable files from running unless they meet a prevalence, age, or trusted list criterion\r\nDue to the broad range of network vectors through which this vulnerability can be exploited and the\r\nfact that applying mitigations holistically across large environments will take time, we encourage defenders to\r\nlook for signs of post-exploitation rather than fully relying on prevention. 
Observed post-exploitation activity such\r\nas coin mining, lateral movement, and Cobalt Strike is detected with behavior-based detections.\r\nAlerts with the following titles in the Security Center indicate threat activity related to exploitation of the Log4j\r\nvulnerability on your network and should be immediately investigated and remediated. These alerts are supported\r\non both Windows and Linux platforms: \r\nLog4j exploitation detected – detects known behaviors that attackers perform following successful\r\nexploitation of the CVE-2021-44228 vulnerability\r\nLog4j exploitation artifacts detected (previously titled Possible exploitation of CVE-2021-44228) –\r\ndetects coin miners, shells, backdoors, and payloads such as Cobalt Strike used by attackers post-exploitation\r\nLog4j exploitation network artifacts detected (previously titled Network connection seen in CVE-2021-44228 exploitation) – detects network traffic connecting to an address associated with\r\nCVE-2021-44228 scanning or exploitation activity \r\nThe following alerts may indicate exploitation attempts or testing/scanning activity. 
Microsoft advises customers\r\nto investigate with caution, as these alerts don’t necessarily indicate successful exploitation:\r\nPossible target of Log4j exploitation – detects a possible attempt to exploit the remote code execution\r\nvulnerability in the Log4j component of an Apache server in communication received by this device\r\nPossible target of Log4j vulnerability scanning – detects a possible attempt to scan for the remote code\r\nexecution vulnerability in a Log4j component of an Apache server in communication received by this\r\ndevice\r\nPossible source of Log4j exploitation – detects a possible attempt to exploit the remote code execution\r\nvulnerability in the Log4j component of an Apache server in communication initiated from this device  \r\nPossible Log4j exploitation – detects multiple behaviors, including suspicious command launch post-exploitation\r\nPossible Log4j exploitation (CVE-2021-44228) – inactive, initially covered several of the above, now\r\nreplaced with more specific titles\r\nThe following alerts detect activities that have been observed in attacks that utilize at least one of the Log4j\r\nvulnerabilities. However, these alerts can also indicate activity that is not related to the vulnerability. We are\r\nlisting them here, as it is highly recommended that they are triaged and remediated immediately given their\r\nseverity and the potential that they could be related to Log4j exploitation:\r\nSuspicious remote PowerShell execution \r\nDownload of file associated with digital currency mining \r\nProcess associated with digital currency mining \r\nCobalt Strike command and control detected \r\nSuspicious network traffic connection to C2 Server \r\nOngoing hands-on-keyboard attacker activity detected (Cobalt Strike) \r\nSome of the alerts mentioned above utilize the enhanced network inspection capabilities in Microsoft Defender for\r\nEndpoint. 
These alerts correlate several network and endpoint signals into high-confidence detection of successful\r\nexploitation, as well as providing detailed evidence artifacts valuable for triage and investigation of detected\r\nactivities.\r\nFigure 14. Example detection leveraging network inspection provides details about the Java class returned\r\nfollowing successful exploitation\r\nMicrosoft Defender for Cloud Apps (previously Microsoft Cloud App Security)\r\nMicrosoft 365 Defender detects exploitation patterns in different data sources, including cloud application traffic\r\nreported by Microsoft Defender for Cloud Apps. The following alert surfaces exploitation attempts via cloud\r\napplications that use vulnerable Log4j components:\r\nLog4j exploitation attempt via cloud application (previously titled Exploitation attempt against Log4j\r\n(CVE-2021-44228))\r\nFigure 15. Microsoft 365 Defender alert “Exploitation attempt against Log4j (CVE-2021-44228)”\r\nMicrosoft Defender for Office 365\r\nTo add a layer of protection against exploits that may be delivered via email, Microsoft Defender for Office 365\r\nflags suspicious emails (e.g., emails with the “jndi” string in email headers or the sender email address field),\r\nwhich are moved to the Junk folder.\r\nWe also added the following new alert, which detects attempts to exploit CVE-2021-44228 through email headers:\r\nLog4j exploitation attempt via email (previously titled Log4j Exploitation Attempt – Email Headers (CVE-2021-44228))\r\nFigure 16. 
Sample alert on malicious sender display name found in email correspondence\r\nThis detection looks for exploitation attempts in email headers, such as the sender display name, sender, and\r\nrecipient addresses. The alert covers known obfuscation attempts that have been observed in the wild. If this alert\r\nis surfaced, customers are recommended to evaluate the source address, email subject, and file attachments to get\r\nmore context regarding the authenticity of the email.\r\nFigure 17. Sample email with malicious sender display name\r\nIn addition, this email event can also be surfaced via advanced hunting:\r\nFigure 18. Sample email event surfaced via advanced hunting\r\nMicrosoft 365 Defender advanced hunting queries\r\nTo locate possible exploitation activity, run the following queries:\r\nPossible malicious indicators in cloud application events\r\nThis query is designed to flag exploitation attempts for cases where the attacker is sending the crafted exploitation\r\nstring using vectors such as User-Agent, Application or Account name. 
The hits returned from this query are most\r\nlikely unsuccessful attempts; however, the results can be useful to identify attacker details such as IP address,\r\npayload string, download URL, etc.\r\nCloudAppEvents\r\n| where Timestamp \u003e datetime(\"2021-12-09\")\r\n| where UserAgent contains \"jndi:\"\r\nor AccountDisplayName contains \"jndi:\"\r\nor Application contains \"jndi:\"\r\nor AdditionalFields contains \"jndi:\"\r\n| project ActionType, ActivityType, Application, AccountDisplayName, IPAddress, UserAgent,\r\nAdditionalFields\r\nAlerts related to Log4j vulnerability\r\nThis query looks for alert activity pertaining to the Log4j vulnerability.\r\nAlertInfo\r\n| where Title in~('Suspicious script launched',\r\n'Exploitation attempt against Log4j (CVE-2021-44228)',\r\n'Suspicious process executed by a network service',\r\n'Possible target of Log4j exploitation (CVE-2021-44228)',\r\n'Possible target of Log4j exploitation',\r\n'Possible Log4j exploitation',\r\n'Network connection seen in CVE-2021-44228 exploitation',\r\n'Log4j exploitation detected',\r\n'Possible exploitation of CVE-2021-44228',\r\n'Possible target of Log4j vulnerability (CVE-2021-44228) scanning',\r\n'Possible source of Log4j exploitation',\r\n'Log4j exploitation attempt via cloud application', // Previously titled Exploitation attempt against Log4j\r\n'Log4j exploitation attempt via email' // Previously titled Log4j Exploitation Attempt\r\n)\r\nDevices with Log4j vulnerability alerts and additional other alert-related context\r\nThis query surfaces devices with Log4j-related alerts and adds additional context from other alerts on the device.  
\r\n// Get any devices with Log4J related Alert Activity\r\nlet DevicesLog4JAlerts = AlertInfo\r\n| where Title in~('Suspicious script launched',\r\n'Exploitation attempt against Log4j (CVE-2021-44228)',\r\n'Suspicious process executed by a network service',\r\n'Possible target of Log4j exploitation (CVE-2021-44228)',\r\n'Possible target of Log4j exploitation',\r\n'Possible Log4j exploitation',\r\n'Network connection seen in CVE-2021-44228 exploitation',\r\n'Log4j exploitation detected',\r\n'Possible exploitation of CVE-2021-44228',\r\n'Possible target of Log4j vulnerability (CVE-2021-44228) scanning',\r\n'Possible source of Log4j exploitation',\r\n'Log4j exploitation attempt via cloud application', // Previously titled Exploitation attempt against Log4j\r\n'Log4j exploitation attempt via email' // Previously titled Log4j Exploitation Attempt\r\n)\r\n// Join in evidence information\r\n| join AlertEvidence on AlertId\r\n| where DeviceId != \"\"\r\n| summarize by DeviceId, Title;\r\n// Get additional alert activity for each device\r\nAlertEvidence\r\n| where DeviceId in(DevicesLog4JAlerts)\r\n// Add additional info\r\n| join kind=leftouter AlertInfo on AlertId\r\n| summarize DeviceAlerts = make_set(Title), AlertIDs = make_set(AlertId) by DeviceId, bin(Timestamp, 1d)\r\nSuspected exploitation of Log4j vulnerability\r\nThis query looks for exploitation of the vulnerability using known parameters in the malicious string. 
It surfaces\r\nexploitation but may surface legitimate behavior in some environments.\r\nDeviceProcessEvents\r\n| where ProcessCommandLine has_all('${jndi') and ProcessCommandLine has_any('ldap', 'ldaps', 'http',\r\n'rmi', 'dns', 'iiop')\r\n//Removing FPs\r\n| where not(ProcessCommandLine has_any('stackstorm', 'homebrew'))\r\nRegex to identify malicious exploit string\r\nThis query looks for the malicious string needed to exploit this vulnerability. The regex metacharacters in the literal ${jndi: prefix and in the dots of the host name are escaped so they match literally.\r\nDeviceProcessEvents\r\n| where ProcessCommandLine matches regex @'(?i)\\$\\{jndi:(ldap|http|https|ldaps|dns|rmi|iiop)://(\\$\\{([a-z]){1,20}:([a-z]){1,20}\\})?(([a-zA-Z0-9]|-){2,100})?(\\.([a-zA-Z0-9]|-){2,100})?\\.([a-zA-Z0-9]|-){2,100}\\.([a-z0-9]){2,20}(/).*\\}'\r\nor InitiatingProcessCommandLine matches regex @'(?i)\\$\\{jndi:(ldap|http|https|ldaps|dns|rmi|iiop)://(\\$\\{([a-z]){1,20}:([a-z]){1,20}\\})?(([a-zA-Z0-9]|-){2,100})?(\\.([a-zA-Z0-9]|-){2,100})?\\.([a-zA-Z0-9]|-){2,100}\\.([a-z0-9]){2,20}(/).*\\}'\r\nSuspicious process event creation from VMWare Horizon TomcatService\r\nThis query identifies anomalous child processes from the ws_TomcatService.exe process associated with the\r\nexploitation of the Log4j vulnerability in VMWare Horizon installations. These events warrant further\r\ninvestigation to determine if they are in fact related to a vulnerable Log4j application.\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName has \"ws_TomcatService.exe\"\r\n| where FileName != \"repadmin.exe\"\r\nSuspicious JScript staging comment\r\nThis query identifies a unique string present in malicious PowerShell commands attributed to threat actors\r\nexploiting vulnerable Log4j applications. 
These events warrant further investigation to determine if they are in\r\nfact related to a vulnerable Log4j application.\r\nDeviceProcessEvents\r\n| where FileName has \"powershell.exe\"\r\n| where ProcessCommandLine has \"VMBlastSG\"\r\nSuspicious PowerShell curl flags\r\nThis query identifies unique, uncommon PowerShell flags used by curl to post the results of an attacker-executed\r\ncommand back to the command-and-control infrastructure. If the event is a true positive, the contents of the\r\n“Body” argument are Base64-encoded results from an attacker-issued command. These events warrant further\r\ninvestigation to determine if they are in fact related to a vulnerable Log4j application.\r\nDeviceProcessEvents\r\n| where FileName has \"powershell.exe\"\r\n| where ProcessCommandLine has_all(\"-met\", \"POST\", \"-Body\")\r\nMicrosoft Defender for Cloud\r\nMicrosoft Defender for Cloud’s threat detection capabilities have been expanded to surface exploitation of CVE-2021-44228 in several relevant security alerts:\r\nOn Windows:\r\nDetected obfuscated command line\r\nSuspicious use of PowerShell detected\r\nOn Linux:\r\nSuspicious file download\r\nPossible Cryptocoinminer download detected\r\nProcess associated with digital currency mining detected\r\nPotential crypto coin miner started\r\nA history file has been cleared\r\nSuspicious Shell Script Detected\r\nSuspicious domain name reference\r\nDigital currency mining related behavior detected\r\nBehavior similar to common Linux bots detected\r\nMicrosoft Defender for IoT\r\nMicrosoft Defender for IoT has released a dedicated threat intelligence update package for detecting Log4j 2\r\nexploit attempts on the network (example below).  \r\nFigure 19. 
Microsoft Defender for IoT alert \r\nThe package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download\r\nfile; MD5: 4fbc673742b9ca51a9721c682f404c41).  \r\nFigure 20. Microsoft Defender for IoT sensor threat intelligence update\r\nMicrosoft Defender for IoT now pushes new threat intelligence packages to cloud-connected sensors upon\r\nrelease; click here for more information. Starting with sensor version 10.3, users can automatically receive up-to-date threat intelligence packages through Microsoft Defender for IoT.\r\nWorking with automatic updates reduces operational effort and ensures greater security. Enable automatic\r\nupdating on the Defender for IoT portal by onboarding your cloud-connected sensor with the toggle for Automatic\r\nThreat Intelligence Updates turned on. For more information about threat intelligence packages in Defender for\r\nIoT, please refer to the documentation.\r\nMicrosoft Sentinel\r\nA new Microsoft Sentinel solution has been added to the Content Hub that provides a central place to install\r\nMicrosoft Sentinel specific content to monitor, detect, and investigate signals related to exploitation of the CVE-2021-44228 vulnerability.\r\nFigure 21. Log4j Vulnerability Detection solution in Microsoft Sentinel\r\nTo deploy this solution, in the Microsoft Sentinel portal, select Content hub (Preview) under Content\r\nManagement, then search for Log4j in the search bar. Select the Log4j vulnerability detection solution, and\r\nclick Install. 
Learn how to centrally discover and deploy Microsoft Sentinel out-of-the-box content and solutions.\r\nFigure 22. Microsoft Sentinel Analytics showing detected Log4j vulnerability\r\nNote: We recommend that you check the solution for updates periodically, as new collateral may be added to this\r\nsolution given the rapidly evolving situation. This can be verified on the main Content hub page.\r\nMicrosoft Sentinel queries\r\nMicrosoft Sentinel customers can use the following detection queries to look for this activity:\r\nPossible exploitation of Apache Log4j component detected\r\nThis hunting query looks for possible attempts to exploit a remote code execution vulnerability in the Log4j\r\ncomponent of Apache. Attackers may attempt to launch arbitrary code by passing specific commands to a server,\r\nwhich are then logged and executed by the Log4j component.\r\nCryptocurrency miners EXECVE\r\nThis query hunts through EXECVE syslog data generated by AUOMS to find instances of cryptocurrency miners\r\nbeing downloaded. It returns a table of suspicious command lines.\r\nAzure WAF Log4j CVE-2021-44228 hunting\r\nThis hunting query looks in Azure Web Application Firewall data to find possible exploitation attempts for CVE-2021-44228 involving the Log4j vulnerability.\r\nLog4j vulnerability exploit aka Log4Shell IP IOC\r\nThis hunting query identifies a match across various data feeds for IP IOCs related to the Log4j exploit described\r\nin CVE-2021-44228.\r\nSuspicious shell script detected\r\nThis hunting query helps detect post-compromise suspicious shell scripts that attackers use for downloading and\r\nexecuting malicious files. 
This technique is often used by attackers and was recently used in attacks exploiting the\r\nvulnerability in the Log4j component of Apache to evade detection and stay persistent or for further exploitation in the\r\nnetwork.\r\nAzure WAF matching for CVE-2021-44228 Log4j vulnerability\r\nThis query alerts on a positive pattern match by Azure WAF for a CVE-2021-44228 Log4j exploitation attempt. If\r\npossible, it then decodes the malicious command for further analysis.\r\nSuspicious Base64 download activity detected\r\nThis hunting query helps detect suspicious Base64-encoded obfuscated scripts that attackers use to encode\r\npayloads for downloading and executing malicious files. This technique is often used by attackers and was\r\nrecently used in attacks exploiting the Log4j vulnerability in order to evade detection and stay persistent in the network.\r\nLinux security-related process termination activity detected\r\nThis query alerts on attempts to terminate processes related to security monitoring. Attackers often try to terminate\r\nsuch processes post-compromise, as seen recently in attacks exploiting the CVE-2021-44228 vulnerability.\r\nSuspicious manipulation of firewall detected via Syslog data\r\nThis query uses syslog data to alert on any suspicious manipulation of the firewall to evade defenses. 
Attackers often\r\nperform such operations, as seen recently in attacks exploiting the CVE-2021-44228 vulnerability, for C2 communications or\r\nexfiltration.\r\nUser agent search for Log4j exploitation attempt\r\nThis query uses various log sources having user agent data to look for CVE-2021-44228 exploitation attempts\r\nbased on user agent pattern.\r\nNetwork connections to LDAP port for CVE-2021-44228 vulnerability\r\nThis hunting query looks for connections to the LDAP port to find possible exploitation attempts for CVE-2021-44228.\r\nLinux toolkit detected\r\nThis query uses syslog data to alert on any attack toolkits associated with massive scanning or exploitation\r\nattempts against a known vulnerability.\r\nContainer miner activity\r\nThis query uses syslog data to alert on possible artifacts associated with containers running images related to\r\ndigital cryptocurrency mining.\r\nNetwork connection to new external LDAP server\r\nThis query looks for outbound network connections using the LDAP protocol to external IP addresses, where that\r\nIP address has not had an LDAP network connection to it in the 14 days preceding the query timeframe. This\r\ncould indicate someone exploiting a vulnerability such as CVE-2021-44228 to trigger the connection to a\r\nmalicious LDAP server.\r\nAzure Firewall Premium \r\nCustomers using Azure Firewall Premium have enhanced protection from the Log4j RCE CVE-2021-44228\r\nvulnerability and exploit. Azure Firewall Premium IDPS (Intrusion Detection and Prevention System) provides\r\nIDPS inspection for all east-west traffic and outbound traffic to the internet. The vulnerability rulesets are\r\ncontinuously updated and include CVE-2021-44228 vulnerability for different scenarios including UDP, TCP,\r\nHTTP/S protocols since December 10th, 2021. 
The screenshot below shows all the scenarios which are actively\r\nmitigated by Azure Firewall Premium.\r\nRecommendation: Customers are recommended to configure Azure Firewall Premium with both IDPS Alert \u0026\r\nDeny mode and TLS inspection enabled for proactive protection against CVE-2021-44228 exploit.  \r\nFigure 23. Azure Firewall Premium portal\r\nCustomers using Azure Firewall Standard can migrate to Premium by following these directions. Customers new\r\nto Azure Firewall Premium can learn more about Firewall Premium.\r\nAzure Web Application Firewall (WAF)\r\nIn response to this threat, Azure Web Application Firewall (WAF) has updated Default Rule Set (DRS) versions\r\n1.0/1.1 available for Azure Front Door global deployments, and OWASP ModSecurity Core Rule Set (CRS)\r\nversion 3.0/3.1 available for Azure Application Gateway V2 regional deployments.\r\nTo help detect and mitigate the Log4Shell vulnerability by inspecting requests’ headers, URI, and body, we have\r\nreleased the following:\r\nFor Azure Front Door deployments, we have updated the rule 944240 “Remote Command Execution”\r\nunder Managed Rules\r\nFor Azure Application Gateway V2 regional deployments, we have introduced a new rule Known-CVEs/800100 in the rule group Known-CVEs under Managed Rules\r\nThese rules are already enabled by default in block mode for all existing WAF Default Rule Set (DRS) 1.0/1.1 and\r\nOWASP ModSecurity Core Rule Set (CRS) 3.0/3.1 configurations. 
Customers using WAF Managed Rules would\r\nhave already received enhanced protection for Log4j 2 vulnerabilities (CVE-2021-44228 and CVE-2021-45046);\r\nno additional action is needed.\r\nRecommendation: Customers are recommended to enable WAF policy with Default Rule Set 1.0/1.1 on their\r\nFront Door deployments, or with OWASP ModSecurity Core Rule Set (CRS) versions 3.0/3.1 on Application\r\nGateway V2 to immediately enable protection from this threat, if not already enabled. For customers who have\r\nalready enabled DRS 1.0/1.1 or CRS 3.0/3.1, no action is needed. We will continue to monitor threat patterns and\r\nmodify the above rule in response to emerging attack patterns as required.\r\nFigure 24. Remote Code Execution rule for Default Rule Set (DRS) versions 1.0/1.1 \r\nFigure 25. Remote Code Execution rule for OWASP ModSecurity Core Rule Set (CRS) version 3.1\r\nNote: The above protection is also available on Default Rule Set (DRS) 2.0 preview version and OWASP\r\nModSecurity Core Rule Set (CRS) 3.2 preview version, which are available on Azure Front Door Premium and\r\nAzure Application Gateway V2 respectively. Customers using Azure CDN Standard from Microsoft can also turn\r\non the above protection by enabling DRS 1.0.\r\nMore information about Managed Rules and Default Rule Set (DRS) on Azure Web Application Firewall can be\r\nfound here. 
More information about Managed Rules and OWASP ModSecurity Core Rule Set (CRS) on Azure\r\nWeb Application Firewall can be found here.\r\nIndicators of compromise (IOCs)\r\nMicrosoft Threat Intelligence Center (MSTIC) has provided a list of IOCs related to this attack and will update\r\nthem with new indicators as they are discovered: https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample Data/Feeds/Log4j_IOC_List.csv\r\nMicrosoft will continue to monitor this dynamic situation and will update this blog as new threat intelligence and\r\ndetections/mitigations become available.\r\nRevision history\r\n[01/21/2022] – Threat and vulnerability management can now discover vulnerable Log4j libraries, including\r\nLog4j files and other files containing Log4j, packaged into Uber-JAR files.\r\n[01/19/2022] New information about an unrelated vulnerability we discovered while investigating Log4j attacks\r\n[01/11/2022] New threat and vulnerability management capabilities to apply mitigation directly from the portal,\r\nas well as new advanced hunting queries\r\n[01/10/2022] Added new information about a China-based ransomware operator targeting internet-facing systems\r\nand deploying the NightSky ransomware\r\n[01/07/2022] Added a new rule group in Azure Web Application Firewall (WAF)\r\n[12/27/2021] New capabilities in threat and vulnerability management including a new advanced hunting schema\r\nand support for Linux, which requires updating the Microsoft Defender for Linux client; new Microsoft Defender\r\nfor Containers solution.\r\n[12/22/2021] Added new protections across Microsoft 365 Defender, including Microsoft Defender for Office 365.\r\n[12/21/2021] Added a note on testing services and assumed benign activity and additional guidance to use the\r\nNeed help? 
button in the Microsoft 365 Defender portal.\r\n[12/17/2021] New updates to observed activity, including more information about limited ransomware attacks and\r\nadditional payloads; additional updates to protections from Microsoft 365 Defender and Azure Web Application\r\nFirewall (WAF), and new Microsoft Sentinel queries.\r\n[12/16/2021] New Microsoft Sentinel solution and additional Microsoft Defender for Endpoint detections.\r\n[12/15/2021] Details about ransomware attacks on non-Microsoft hosted Minecraft servers, as well as updates to\r\nproduct guidance, including threat and vulnerability management.\r\n[12/14/2021] New insights about multiple threat actors taking advantage of this vulnerability, including nation-state actors and access brokers linked to ransomware.\r\nSource: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation"
	],
	"report_names": [
		"guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation"
	],
	"threat_actors": [
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f63c346d-18c8-4821-a56d-fefb1ad7ed5d",
			"created_at": "2022-10-25T16:07:23.42507Z",
			"updated_at": "2026-04-10T02:00:04.593122Z",
			"deleted_at": null,
			"main_name": "Bronze Starlight",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"HighGround",
				"Operation ChattyGoblin",
				"SLIME34"
			],
			"source_name": "ETDA:Bronze Starlight",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"AtomSilo",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"HUI Loader",
				"Kaba",
				"Korplug",
				"LockFile",
				"Night Sky",
				"NightSky",
				"Pandora",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c69bcda3-0893-4ea1-9ec1-ae016332d283",
			"created_at": "2023-01-06T13:46:39.410593Z",
			"updated_at": "2026-04-10T02:00:03.317754Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"DEV-0401",
				"Cinnamon Tempest",
				"Emperor Dragonfly",
				"SLIME34"
			],
			"source_name": "MISPGALAXY:BRONZE STARLIGHT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3",
			"created_at": "2023-01-06T13:46:39.390649Z",
			"updated_at": "2026-04-10T02:00:03.311299Z",
			"deleted_at": null,
			"main_name": "Kinsing",
			"aliases": [
				"Money Libra"
			],
			"source_name": "MISPGALAXY:Kinsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d511e74b-96b8-4ab9-88d6-bc183351dbd8",
			"created_at": "2025-08-07T02:03:24.674685Z",
			"updated_at": "2026-04-10T02:00:03.800936Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"Cinnamon Tempest ",
				"DEV-0401 ",
				"Emperor Dragonfly "
			],
			"source_name": "Secureworks:BRONZE STARLIGHT",
			"tools": [
				"AtomSilo",
				"Cobalt Strike",
				"HUI Loader",
				"Impacket",
				"LockFile",
				"NightSky",
				"Pandora",
				"PlugX",
				"Rook"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "81e29474-63ad-4ce8-97db-b1712d5481d5",
			"created_at": "2024-04-24T02:00:49.570158Z",
			"updated_at": "2026-04-10T02:00:05.285111Z",
			"deleted_at": null,
			"main_name": "Cinnamon Tempest",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"Emperor Dragonfly",
				"BRONZE STARLIGHT"
			],
			"source_name": "MITRE:Cinnamon Tempest",
			"tools": [
				"Pandora",
				"PlugX",
				"Cheerscrypt",
				"Impacket",
				"Cobalt Strike",
				"HUI Loader",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434082,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/495f96932966ef043a6b8ef54731ac6eec7bd692.pdf",
		"text": "https://archive.orkl.eu/495f96932966ef043a6b8ef54731ac6eec7bd692.txt",
		"img": "https://archive.orkl.eu/495f96932966ef043a6b8ef54731ac6eec7bd692.jpg"
	}
}