IBM Security QRadar

  • 1.  Detection of Log4Shell (CVE-2021-44228) using QRadar

    Community Leadership
    Posted Mon December 13, 2021 02:45 PM

    Updated blog by CTO Adam Frank: Detection of Log4Shell (CVE-2021-44228) using QRadar 



    ------------------------------
    Wendy Batten
    Community Manager
    IBM Security
    Cambridge MA
    wjbatten@us.ibm.com
    ------------------------------



  • 2.  RE: Detection of Log4Shell (CVE-2021-44228) using QRadar

    Posted Tue December 14, 2021 08:55 AM

    Hi,

    I believe there is a mistake in the examples of the building blocks in the blog post (the pictures).

    You recommended to match the field "Username" to the regex in both examples, while I believe the correct field should be "User Agent" according to the latest exploit POC.

    Please let me know if this is correct.

    Thanks in advance,

    Ariel





    ------------------------------
    Ariel Roitgarts
    ------------------------------



  • 3.  RE: Detection of Log4Shell (CVE-2021-44228) using QRadar

    Posted Tue December 14, 2021 09:40 AM
    Good eye, Ariel. This is because the systems I am using to generate the screenshots do not have all the custom properties available on them. I will get them added and update the screenshots to ensure consistency.

    Thanks,
    Adam.

    ------------------------------
    Adam Frank
    CTO -- IBM Security Intelligence
    IBM
    ------------------------------



  • 4.  RE: Detection of Log4Shell (CVE-2021-44228) using QRadar

    IBM Champion
    Posted Wed December 15, 2021 06:03 AM
    We have seen the exploit in virtually every logged string from servers. I assume it is due to the way it is being exploited. Hostname, URL, referrer, agent and query are all being seen with the exploit.

    I hated to do it, but I made a BB with a payload contains for jndi:, then added some logic for if firewall allowed then reset or dropped the connection.

    Hey Adam!

    ------------------------------
    Frank Eargle
    ------------------------------