Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon

Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable version of Log4j.

Sigma rule

title: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
id: 3eb91f0a-0060-424a-a676-59f5fdd75610
status: test
description: |
        Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable version of Log4j.
references:
    - https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability
    - https://twitter.com/TheDFIRReport/status/1482078434327244805
    - https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/
author: '@kostastsale'
date: 2022-01-14
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2021-44228
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\ws_TomcatService.exe'
    filter_main_shells:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
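To show what the rule's condition actually selects, the following is an added example (not part of the SigmaHQ rule or its tooling) that evaluates the selection and filter above against constructed process-creation events; the file paths and command lines in the sample events are made up for illustration.

```python
"""Evaluate the Sigma rule above against constructed Windows process-creation events."""

# Field values copied from the rule's selection and filter_main_shells blocks.
SELECTION_PARENT_SUFFIX = "\\ws_TomcatService.exe"
FILTER_IMAGE_SUFFIXES = ("\\cmd.exe", "\\powershell.exe")


def endswith_ci(value: str, suffix: str) -> bool:
    """Sigma's string modifiers (endswith etc.) compare case-insensitively by default."""
    return value.lower().endswith(suffix.lower())


def rule_matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    selection = endswith_ci(event.get("ParentImage", ""), SELECTION_PARENT_SUFFIX)
    # '1 of filter_main_*' is true if any filter_main_ block matches; there is one here.
    filter_main_shells = any(
        endswith_ci(event.get("Image", ""), s) for s in FILTER_IMAGE_SUFFIXES
    )
    return selection and not filter_main_shells


# Constructed sample events using Sigma process_creation field names (Sysmon Event ID 1 shape).
SAMPLE_EVENTS = [
    {   # Horizon Tomcat service spawning a reconnaissance binary: the rule fires
        "ParentImage": r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
        "Image": r"C:\Windows\System32\whoami.exe",
        "CommandLine": "whoami",
    },
    {   # Same parent spawning PowerShell: excluded by filter_main_shells, so no alert from this rule
        "ParentImage": r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -Command Get-Process",
    },
    {   # Unrelated parent process: selection does not match
        "ParentImage": r"C:\Windows\System32\services.exe",
        "Image": r"C:\Windows\System32\whoami.exe",
        "CommandLine": "whoami",
    },
]


def alerts(events) -> list:
    """Return the CommandLine of every event the rule fires on."""
    return [e["CommandLine"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for cmd in alerts(SAMPLE_EVENTS):
        print("ALERT:", cmd)
```

Only the first event survives the condition; the PowerShell child is deliberately left to the filter, so anyone deploying this rule should make sure shell children of ws_TomcatService.exe are covered by another detection.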
