Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable versions of Log4j.
Sigma rule (View on GitHub)
1title: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
2id: 3eb91f0a-0060-424a-a676-59f5fdd75610
3status: test
4description: |
5 Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable versions of Log4j.
6references:
7 - https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability
8 - https://twitter.com/TheDFIRReport/status/1482078434327244805
9 - https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/
10author: '@kostastsale'
11date: 2022-01-14
12tags:
13 - attack.initial-access
14 - attack.t1190
15 - cve.2021-44228
16 - detection.emerging-threats
17logsource:
18 category: process_creation
19 product: windows
20detection:
21 selection:
22 ParentImage|endswith: '\ws_TomcatService.exe'
23 filter_main_shells:
24 Image|endswith:
25 - '\cmd.exe'
26 - '\powershell.exe'
27 condition: selection and not 1 of filter_main_*
28falsepositives:
29 - Unlikely
30level: high
References
-
-
TLDR Go and run this on the connection servers: https://github.com/mr-r3b00t/CVE-2021-44228 It’s crude so also look for the modified timestamps, recent unexpected blast service restarts and if you ...
Read More
Related rules
- Log4j RCE CVE-2021-44228 in Fields
- Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
- Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy
- Potential Information Disclosure CVE-2023-43261 Exploitation - Web
- Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity