Exploitation of Vulnerable VMware Horizon to LOG4J

 1title: Exploitation of Vulnerable VMware Horizon to LOG4J 
 2description: Detecting initial exploitation attempt against VMware Horizon deployments running vulnerable versions of Log4j.
 3status: experimental
 4date: 2022/01/14
 5author: \@kostastsale
 6references:
 7    - https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability
 8    - https://twitter.com/TheDFIRReport/status/1482078434327244805
 9    - https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/
10logsource:
11    category: process_creation
12    product: windows
13detection:
14    selection1:
15        ParentImage|endswith:
16            - '\ws_TomcatService.exe'
17    filter:
18        Image|endswith:
19            - '\cmd.exe'
20            - '\powershell.exe'
21    condition: selection1 and filter
22falsepositives:
23    - Unlikely
24level: high
25tags:
26   - attack.initial_access
27   - attack.t1190```

References

• VMware Horizon under attack as China-based ransomware group targets Log4j vulnerability

  

  Microsoft says cybercrime group is attempting to deploy NightSky ransomware

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• Log4Shell exploitation and hunting on VMware Horizon (CVE-2021-44228)

  

  TLDR Go and run this on the connection servers: https://github.com/mr-r3b00t/CVE-2021-44228 It’s crude so also look for the modified timestamps, recent unexpected blast service restarts and if you ...

  
  Read More