Log4j vulnerability
This topic describes how EPM addresses exploitation of the Log4j vulnerability by attackers.
Overview
Attackers can exploit the Log4j vulnerability to gain access to your enterprise environment. Note that EPM does not automatically block an attack that exploits the Log4j vulnerability; it helps you identify and block suspicious activity that may result from exploitation of this vulnerability.
One of the methods used to detect exploitation of Log4j vulnerabilities is to look for instances of java.exe acting as the parent process of cmd.exe or powershell.exe, because java.exe very rarely has a legitimate reason to launch these processes.
You can configure an advanced EPM policy to detect or block cmd.exe or powershell.exe when it is launched by java.exe. For monitoring purposes, we recommend that you first set the policy to Detect mode for a short period (days), review the audit events so that any legitimate Java applications that launch these shells are identified, and then change the policy to Restrict mode.
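The parent/child heuristic described above, as an added example in Python (it is not EPM code and not CyberArk's): it applies the same test the policy does, file name plus publisher's signature on the parent and "direct parent only" on the child, to constructed process-creation events, and also walks the children of each matched shell, which is what the Include child processes option audits. The event field names, the sample command lines, and every publisher string other than Oracle's are assumptions.

```python
# Added example, not EPM code: the java.exe -> cmd.exe / powershell.exe heuristic
# run over constructed process-creation events. Field names are assumptions;
# real telemetry (EPM audits, Sysmon event 1, Windows 4688) carries the same facts.
from dataclasses import dataclass

SHELLS = {"cmd.exe", "powershell.exe"}
# Same publisher as the application group definition on the page.
JAVA_PUBLISHERS = frozenset({"Oracle America, Inc."})


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str        # full path of the started executable
    cmdline: str
    publisher: str    # Authenticode signer, "" when unsigned


def basename(path: str) -> str:
    """Lowercase file name of a Windows path (case-insensitive match, as EPM does)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def in_java_group(ev: ProcessEvent, publishers=JAVA_PUBLISHERS) -> bool:
    """The application-group test: file name AND publisher's signature must match."""
    return basename(ev.image) == "java.exe" and ev.publisher in publishers


def java_spawned_shells(events, publishers=JAVA_PUBLISHERS):
    """Shells whose *direct* parent is in the java.exe group ('direct parent only')."""
    by_pid = {ev.pid: ev for ev in events}
    hits = []
    for ev in events:
        if basename(ev.image) not in SHELLS:
            continue
        parent = by_pid.get(ev.ppid)
        if parent is not None and in_java_group(parent, publishers):
            hits.append(ev)
    return hits


def descendants(events, root_pid):
    """Everything started below a matched shell: what 'Include child processes' audits."""
    children = {}
    for ev in events:
        children.setdefault(ev.ppid, []).append(ev)
    out, stack = [], [root_pid]
    while stack:
        for child in children.get(stack.pop(), []):
            out.append(child)
            stack.append(child.pid)
    return out


def audit_lines(events, publishers=JAVA_PUBLISHERS):
    """One line per hit, in the shape an analyst wants to read in the policy audit."""
    lines = []
    for shell in java_spawned_shells(events, publishers):
        kids = ", ".join(basename(c.image) for c in descendants(events, shell.pid)) or "-"
        lines.append(f"pid={shell.pid} {basename(shell.image)} parent=java.exe children={kids}")
    return lines


# Constructed sample: one signed java.exe that spawns both shells, one benign
# explorer.exe -> cmd.exe, and one java.exe signed by another JDK vendor.
SAMPLE = [
    ProcessEvent(100, 1, r"C:\Program Files\Java\jre\bin\java.exe", "java.exe -jar app.jar",
                 "Oracle America, Inc."),
    ProcessEvent(200, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami", "Microsoft Windows"),
    ProcessEvent(300, 200, r"C:\Windows\System32\whoami.exe", "whoami", "Microsoft Windows"),
    ProcessEvent(400, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden", "Microsoft Windows"),
    ProcessEvent(500, 1, r"C:\Windows\explorer.exe", "explorer.exe", "Microsoft Windows"),
    ProcessEvent(510, 500, r"C:\Windows\System32\cmd.exe", "cmd.exe", "Microsoft Windows"),
    ProcessEvent(600, 1, r"C:\Program Files\Eclipse Adoptium\jdk\bin\java.exe", "java.exe -jar ci.jar",
                 "Eclipse Adoptium"),   # assumed publisher string
    ProcessEvent(610, 600, r"C:\Windows\System32\cmd.exe", "cmd.exe /c build.bat", "Microsoft Windows"),
]

if __name__ == "__main__":
    for line in audit_lines(SAMPLE):
        print(line)
```

Running it reports the cmd.exe and powershell.exe children of the Oracle-signed java.exe together with what they started (whoami.exe under the cmd.exe). The shell under the java.exe signed by the other vendor is reported only when that publisher is added to the group, which is the blind spot a publisher-scoped application group has in an environment that runs more than one Java distribution.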
Protect your environment
The following diagram shows how to leverage EPM to protect your environment against the Log4j vulnerability.
Activate policy audits in your Set
Make sure Policy Audit is activated in your Set:
- In the left panel of the EPM management console, click Advanced > Agent Configuration.
- In the General configuration line, click the More actions (...) button, and select Edit parameters. You can now see the full list of agent configuration settings and their values, the platforms they apply to, and whether the current values have been customized.
- Under the Data Collection parameters, set Collect policy audit data to On.
- Click Save to save the configuration change.
Create a new application group
Create an application group that identifies java.exe, so that the policy can reference it as the parent process.
- In the EPM management console, go to Policies > Application Groups > Create custom group, and specify the following:
  Name: A unique name for the application group. Type java application group.
  Platform: The policy platform. Select Windows.
- Click Continue to display the Application Groups form.
- Under Scope, click Add definition, and set Definition type to Executable.
- Add the following properties:
  Property | Setting | Value
  Filename | is exactly | java.exe
  Publisher's signature | is exactly | Oracle America, Inc.
  Both properties must match, so an unsigned or renamed binary called java.exe is not in the group. If your environment runs Java runtimes from other vendors, add a definition with that vendor's publisher signature for each one, because the policy matches only parents that are in this group.
- Click Done to save the application definition, then click Create to create the application group.
Create an advanced policy
Create an advanced policy that detects or blocks cmd.exe and powershell.exe when they are launched by java.exe.
- In the EPM management console, click Policies.
- In the Policies drop-down list, make sure that Application policies is selected (default), then click Create advanced policy, and specify the following:
  Name: A unique name for the policy. For example, Monitor java.exe execution or Prevent java.exe execution.
  Platform: The policy platform. Select Windows.
  Action: The action that determines how the policy handles cases where java.exe launches cmd.exe or powershell.exe. Select one of the following:
    - Allow to audit cmd.exe and powershell.exe processes launched by java.exe without blocking them.
    - Block to prevent java.exe from launching cmd.exe or powershell.exe.
- Click Continue to display the Policy form.
-
- Under Scope, click Add definition and make sure the Definition type is set to Executable (default).
- In the Properties section, create the following properties:
  Property | Setting | Value
  Parameters | is exactly | Type powershell.exe.
  Parent process | is in application group | Click Select and select the application group you created in Create a new application group, then select direct parent only.
  With direct parent only, the definition matches only when java.exe is the immediate parent of the shell; a shell started by some other process that java.exe launched is not matched by this definition.
- Under Options, select Include child processes, then click Done. This option is only relevant in the policy with the Allow action.
- Click Add definition again and make sure the Definition type is set to Executable (default).
- In the Properties section, create the following properties:
  Property | Setting | Value
  Parameters | is exactly | Type cmd.exe.
  Parent process | is in application group | Click Select and select the application group you created in Create a new application group, then select direct parent only.
- Under Options, select Include child processes. This option is only relevant in the policy with the Allow action.
- Click Done. Both application definitions are now listed under the policy scope.
- Under Targets, select the computers, AD computer groups, and OS users that this policy applies to. For details, see Create a policy.
- Under Audit, set Audit policy enforcement to On.
- Click Create.
Check the audits
Check the policy audits to see whether EPM detected powershell.exe or cmd.exe processes launched by java.exe.
- In the EPM management console, click Policy Audit.
- In the Audit event filter, type powershell.exe, then click Apply to see the events that EPM detected.
- In the Audit event filter, type cmd.exe, then click Apply to see the events that EPM detected.
Review the events before you change the policy action to Block, so that legitimate Java applications that launch these shells are identified and are not disrupted.