Exploitation of Vulnerable VMware Horizon to LOG4J

 1title: Exploitation of Vulnerable VMware Horizon to LOG4J 
 2id: 3eb91f0a-0060-424a-a676-59f5fdd75610
 3description: Detecting initial exploitation attempt against VMware Horizon deployments running vulnerable versions of Log4j.
 4status: experimental
 5date: 2022/01/14
 6author: \@kostastsale
 7references:
 8    - https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability
 9    - https://twitter.com/TheDFIRReport/status/1482078434327244805
10    - https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/
11logsource:
12    category: process_creation
13    product: windows
14detection:
15    selection1:
16        ParentImage|endswith:
17            - '\ws_TomcatService.exe'
18    filter:
19        Image|endswith:
20            - '\cmd.exe'
21            - '\powershell.exe'
22    condition: selection1 and filter
23falsepositives:
24    - Unlikely
25level: high
26tags:
27   - attack.initial_access
28   - attack.t1190```

References

• VMware Horizon under attack as China-based ransomware group targets Log4j vulnerability

  

  Microsoft says cybercrime group is attempting to deploy NightSky ransomware

  
  Read More

• x.com

  
  Read More

• Log4Shell exploitation and hunting on VMware Horizon (CVE-2021-44228)

  

  TLDR Go and run this on the connection servers: https://github.com/mr-r3b00t/CVE-2021-44228 It’s crude so also look for the modified timestamps, recent unexpected blast service restarts and if you ...

  
  Read More

Related rules

• Exchange Webshell creation
• Multiple Suspicious Resp Codes Caused by Single Client
• OMIGOD SCX RunAsProvider ExecuteScript
• WScript Spawned from a Browser Making External Network Connections
• Malicious QakBot Dropped File Creation (Event 4663)