Date: 09/24/2024
Severity: Medium
Summary
Identifies potential initial exploitation attempts targeting VMware Horizon deployments that are operating on vulnerable versions of Log4j.
Indicators of Compromise (IOC) List
| Field | Values |
| --- | --- |
| Image | '\cmd.exe', '\powershell.exe' |
| ParentImage | '\ws_TomcatService.exe' |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
| Query | Expression |
| --- | --- |
| Detection Query 1 | (((resourcename in ("Sysmon") AND eventtype = "1") AND image IN ("\cmd.exe","\powershell.exe")) AND parentimage = "\ws_TomcatService.exe") |
| Detection Query 2 | (((technologygroup = "EDR") AND image IN ("\cmd.exe","\powershell.exe")) AND parentimage = "\ws_TomcatService.exe") |
| Detection Query 3 | ((resourcename in ("Windows Security") AND eventtype = "4688") AND processname IN ("\cmd.exe","\powershell.exe")) AND parentprocessname = "\ws_TomcatService.exe" |
| Detection Query 4 | ((technologygroup = "EDR") AND processname IN ("\cmd.exe","\powershell.exe")) AND parentprocessname = "\ws_TomcatService.exe" |
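The following is an added example, not code from Gurucul or from the referenced Sigma rule, that applies the parent/child process logic of Detection Queries 1 and 3 to a handful of constructed Sysmon Event ID 1 and Windows Security 4688 records. It assumes events arrive as dictionaries keyed by the field names used in the queries above (resourcename, eventtype, image/parentimage, processname/parentprocessname), and that the '\cmd.exe'-style values are matched as case-insensitive path suffixes, as the leading backslash suggests. The installation path under C:\Program Files\VMware is illustrative.

```python
"""Added example, not from the Gurucul page or the referenced Sigma rule.
Applies the parent/child process logic of Detection Queries 1 and 3
(Sysmon Event ID 1 and Windows Security 4688) to constructed sample events.
Assumptions: events arrive as dicts using the page's field names
(resourcename, eventtype, image/parentimage, processname/parentprocessname),
and the '\\cmd.exe' style values are matched as case-insensitive path suffixes."""

SUSPICIOUS_CHILDREN = ("\\cmd.exe", "\\powershell.exe")
SUSPICIOUS_PARENT = "\\ws_TomcatService.exe"


def _path_ends_with(path: str, suffix: str) -> bool:
    """Windows paths are case-insensitive, so compare lower-cased suffixes."""
    return path.lower().endswith(suffix.lower())


def is_horizon_tomcat_shell_spawn(event: dict) -> bool:
    """True when cmd.exe or powershell.exe is spawned by ws_TomcatService.exe.

    Picks the image/parent fields according to the log source, mirroring
    Detection Query 1 (Sysmon, eventtype 1) and Detection Query 3
    (Windows Security, eventtype 4688). Any other source or event type is
    ignored rather than matched, so a Sysmon network event with the same
    process pair does not fire.
    """
    source = event.get("resourcename")
    event_type = str(event.get("eventtype", ""))
    if source == "Sysmon" and event_type == "1":
        image = event.get("image", "")
        parent = event.get("parentimage", "")
    elif source == "Windows Security" and event_type == "4688":
        image = event.get("processname", "")
        parent = event.get("parentprocessname", "")
    else:
        return False
    return _path_ends_with(parent, SUSPICIOUS_PARENT) and any(
        _path_ends_with(image, child) for child in SUSPICIOUS_CHILDREN
    )


# Constructed sample events (not real telemetry); install paths are illustrative.
SAMPLE_EVENTS = [
    {   # should alert: Sysmon process creation, cmd.exe under the Horizon Tomcat service
        "id": "evt-1", "resourcename": "Sysmon", "eventtype": 1,
        "image": "C:\\Windows\\System32\\cmd.exe",
        "parentimage": "C:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe",
    },
    {   # benign: cmd.exe started from an interactive desktop session
        "id": "evt-2", "resourcename": "Sysmon", "eventtype": 1,
        "image": "C:\\Windows\\System32\\cmd.exe",
        "parentimage": "C:\\Windows\\explorer.exe",
    },
    {   # should alert: Security 4688, PowerShell under ws_TomcatService.exe (mixed case)
        "id": "evt-3", "resourcename": "Windows Security", "eventtype": "4688",
        "processname": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShell.EXE",
        "parentprocessname": "C:\\Program Files\\VMware\\VMware View\\Server\\bin\\WS_TomcatService.exe",
    },
    {   # ignored: right process pair but a Sysmon network event, not process creation
        "id": "evt-4", "resourcename": "Sysmon", "eventtype": 3,
        "image": "C:\\Windows\\System32\\cmd.exe",
        "parentimage": "C:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe",
    },
    {   # benign: the Tomcat service spawning its own Java runtime
        "id": "evt-5", "resourcename": "Windows Security", "eventtype": "4688",
        "processname": "C:\\Program Files\\VMware\\VMware View\\Server\\jre\\bin\\java.exe",
        "parentprocessname": "C:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe",
    },
]


def find_hits(events) -> list:
    """Return the ids of events that match the rule, in input order."""
    return [e["id"] for e in events if is_horizon_tomcat_shell_spawn(e)]


if __name__ == "__main__":
    for event_id in find_hits(SAMPLE_EVENTS):
        print("ALERT: cmd/powershell spawned by ws_TomcatService.exe:", event_id)
```

Keeping the leading backslash in the match values is what stops a file such as notws_TomcatService.exe from matching; the suffix test only succeeds when the basename itself is ws_TomcatService.exe. Once an alert fires, the follow-up is the usual triage of the Horizon server: confirm the Log4j version in use, review the Tomcat access logs around the event time, and inspect the spawned process's command line.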
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2021/Exploits/CVE-2021-44228/proc_creation_win_exploit_cve_2021_44228_vmware_horizon_log4j.yml