Exploitation of Vulnerable VMware Horizon to LOG4J
Detecting initial exploitation attempt against VMware Horizon deployments running vulnerable versions of Log4j.
Sigma rule
```yaml
title: Exploitation of Vulnerable VMware Horizon to LOG4J
description: Detecting initial exploitation attempt against VMware Horizon deployments running vulnerable versions of Log4j.
status: experimental
date: 2022/01/14
author: @kostastsale
references:
    - https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability
    - https://twitter.com/TheDFIRReport/status/1482078434327244805
    - https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/
logsource:
    category: process_creation
    product: windows
detection:
    # Parent process is the Horizon Tomcat service, which should not normally spawn shells.
    selection1:
        ParentImage|endswith:
            - '\ws_TomcatService.exe'
    # Despite its name this map is a second inclusion selection (child shell), not an exclusion;
    # the condition requires both maps to match.
    filter:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
    condition: selection1 and filter
falsepositives:
    - Unlikely
level: high
tags:
    - attack.initial_access
    - attack.t1190
```
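The following is an added example, not part of the Sigma rule or the SigmaHQ project: it evaluates the rule's two `endswith` selections over constructed Windows process-creation events (Sysmon-style `Image`/`ParentImage` fields, illustrative paths) the way a SIEM backend would, including a case-variant event and a near-miss that shows why the leading backslash in the suffix matters.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Sigma string matching is case-insensitive by default, so suffixes are stored lower-cased.
PARENT_SUFFIXES = ("\\ws_tomcatservice.exe",)       # selection1: ParentImage|endswith
CHILD_SUFFIXES = ("\\cmd.exe", "\\powershell.exe")   # filter: Image|endswith


@dataclass
class ProcessEvent:
    """Minimal Sigma process_creation event (Sysmon event ID 1 style fields)."""
    image: str
    parent_image: str


def endswith_any(value: str, suffixes: Iterable[str]) -> bool:
    """Case-insensitive |endswith over a list, i.e. Sigma's list-OR semantics."""
    lowered = value.lower()
    return any(lowered.endswith(s) for s in suffixes)


def matches_rule(event: ProcessEvent) -> bool:
    """condition: selection1 and filter (both maps must match the same event)."""
    return endswith_any(event.parent_image, PARENT_SUFFIXES) and endswith_any(
        event.image, CHILD_SUFFIXES
    )


def find_alerts(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return the events that would raise this rule's high-severity alert."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events; paths are illustrative and not taken from a real incident.
HORIZON_TOMCAT = r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe", HORIZON_TOMCAT),                   # alert
    ProcessEvent(r"C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE",
                 HORIZON_TOMCAT.upper()),                                           # alert (case)
    ProcessEvent(r"C:\Program Files\VMware\VMware View\Server\jre\bin\java.exe",
                 HORIZON_TOMCAT),                                                   # child not a shell
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"),       # benign parent
    ProcessEvent(r"C:\Tools\notcmd.exe", HORIZON_TOMCAT),                           # no '\' before cmd.exe
]

if __name__ == "__main__":
    for e in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {e.parent_image} -> {e.image}")
```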