Log4j vulnerability

This topic describes how EPM addresses exploitation of the Log4j vulnerability by attackers.

Overview

Attackers can exploit the Log4j vulnerability to access your enterprise environment. It’s important to emphasize that EPM does not automatically block an attack that utilizes the Log4j vulnerability, but it helps identify and block suspicious activities that might result from exploitation of this vulnerability.

One of the methods we use to detect exploitation of Log4j vulnerabilities is to look for instances of java.exe acting as the parent process of cmd.exe or powershell.exe, since it is very unlikely that java.exe legitimately launches these processes.

You can configure an advanced EPM policy to detect or block cmd.exe or powershell.exe from being initiated when it is executed by java.exe. For monitoring purposes, we recommend that you set the policy to Detect mode for a short period of time (days), and then change it to Restrict mode.

Protect your environment

The following diagram shows how to leverage EPM to protect your environment against the Log4j vulnerability.

Activate policy audits in your Set

Make sure Policy Audit is activated in your Set:

  1. In the left panel of the EPM management console, click Advanced > Agent Configuration.

  2. In the General configuration line, click the More actions (...) button, and select Edit parameters. You can now see a full list of the agent configuration settings and their values, the platforms where they can be applied, and whether or not the current values have been customized.

  3. In the Data Collection parameters, set Collect policy audit data to On.

  4. Click Save to save the configuration change.

Create a new application group

Create an application group to manage Log4j vulnerabilities.

  1. In the EPM management console, go to Policies > Application Groups > Create custom group, and specify the following:

     Name: A unique name for the application group. Type java application group.

     Platform: The policy platform. Select Windows.

  2. Click Continue to display the Application Groups form.

  3. Under Scope, click Add definition, and set Definition type to Executable.

  4. Add the following properties:

     Property               Setting      Value
     Filename               is exactly   java.exe
     Publisher's signature  is exactly   Oracle America, Inc.

  5. Click Done to save the application definitions, then click Create to create the application group.

Create an advanced policy

Create an advanced policy to detect Log4j activities.

  1. In the EPM management console, click Policies.

  2. In the Policies drop-down list, make sure that Application policies is selected (default), then click Create advanced policy, and specify the following:

     Name: A unique name for the policy. For example, Monitor java.exe execution or Prevent java.exe execution.

     Platform: The policy platform. Select Windows.

     Action: The action that determines how the policy handles cases where java.exe executes cmd.exe or powershell.exe processes. Select one of the following:

     • Allow to monitor all java.exe processes.

     • Block to prevent java.exe processes from running.

  3. Click Continue to display the Policy form.

  4. Under Scope, click Add definition and make sure the Definition type is set to Executable (default).

  5. In the Properties section, create the following properties:

     Property        Setting                  Value
     Parameters      is exactly               Type powershell.exe.
     Parent process  is in application group  Click Select and select the application group you created in Create a new application group, then select direct parent only.

  6. Under Options, select Include child processes, then click Done.

    This is only relevant in the policy with the Allow action.

  7. Click Add definition again and make sure the Definition type is set to Executable (default).

  8. In the Properties section, create the following properties:

     Property        Setting                  Value
     Parameters      is exactly               Type cmd.exe.
     Parent process  is in application group  Click Select and select the application group you created in Create a new application group, then select direct parent only.

  9. Under Options, select Include child processes.

    This is only relevant in the policy with the Allow action.

  10. Click Done. You can see that both application definitions are listed under the policy scope.

  11. Under Targets, select the computers, AD computer groups, and OS users that this policy will apply to. For details, see Create a policy.

  12. Under Audit, set Audit policy enforcement to On.

  13. Click Create.
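The rule that the Overview describes and that the policy built in the steps above encodes (cmd.exe or powershell.exe whose direct parent is java.exe signed by Oracle America, Inc., optionally extended to child processes) can be checked offline against process-creation records. The following Python is an added example, not EPM code and not the product's audit format: the ProcessEvent record shape, the publisher labels and the sample events are constructed for illustration, and the audit_filter helper only imitates the file-name filter used in the Check the audits section.

```python
from dataclasses import dataclass

# Assumed constants mirroring the policy above: the application group matches
# java.exe signed by Oracle America, Inc.; the policy matches cmd.exe and
# powershell.exe whose direct parent is a member of that group.
JAVA_GROUP_FILENAME = "java.exe"
JAVA_GROUP_PUBLISHER = "Oracle America, Inc."
WATCHED_CHILDREN = {"cmd.exe", "powershell.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (constructed shape, not an EPM audit schema)."""
    pid: int
    ppid: int
    filename: str      # executable file name, as the Filename property sees it
    publisher: str     # signer name, as the Publisher's signature property sees it
    command_line: str


def in_java_group(ev: ProcessEvent) -> bool:
    """Application-group membership: file name and publisher must both match."""
    return (ev.filename.lower() == JAVA_GROUP_FILENAME
            and ev.publisher == JAVA_GROUP_PUBLISHER)


def flagged_pids(events, include_children=False):
    """PIDs the policy scope matches.

    Direct-parent rule: cmd.exe / powershell.exe whose immediate parent is in the
    java application group. With include_children=True the match propagates to
    every descendant of a matched process (the "Include child processes" option),
    which is what lets Detect mode record what the shell went on to run.
    """
    by_pid = {e.pid: e for e in events}
    flagged = set()
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue  # parent not in our records: the rule cannot be evaluated
        if e.filename.lower() in WATCHED_CHILDREN and in_java_group(parent):
            flagged.add(e.pid)
    if include_children:
        # Iterate to a fixed point so grandchildren are picked up regardless of
        # the order in which the records arrived.
        changed = True
        while changed:
            changed = False
            for e in events:
                if e.pid not in flagged and e.ppid in flagged:
                    flagged.add(e.pid)
                    changed = True
    return flagged


def detections(events, include_children=False):
    """Readable view of the matches: (pid, filename, parent filename), by pid."""
    by_pid = {e.pid: e for e in events}
    hits = flagged_pids(events, include_children)
    return [(e.pid, e.filename, by_pid[e.ppid].filename)
            for e in sorted(events, key=lambda x: x.pid) if e.pid in hits]


def audit_filter(events, text, include_children=False):
    """Imitate the Policy Audit filter: matched events whose file name contains text."""
    hits = flagged_pids(events, include_children)
    return [e for e in events if e.pid in hits and text.lower() in e.filename.lower()]


# Constructed sample records. Publisher strings are illustrative labels, not
# real signature values.
SAMPLE_EVENTS = [
    ProcessEvent(50, 1, "explorer.exe", "Microsoft Windows", "explorer.exe"),
    ProcessEvent(100, 1, "java.exe", "Oracle America, Inc.", "java -jar app.jar"),
    ProcessEvent(200, 100, "cmd.exe", "Microsoft Windows", "cmd.exe /c ipconfig"),   # java -> cmd
    ProcessEvent(201, 200, "ipconfig.exe", "Microsoft Windows", "ipconfig"),          # grandchild of java
    ProcessEvent(300, 100, "powershell.exe", "Microsoft Windows", "powershell.exe"),  # java -> powershell
    ProcessEvent(400, 50, "cmd.exe", "Microsoft Windows", "cmd.exe"),                 # explorer -> cmd, benign
    ProcessEvent(500, 1, "java.exe", "Unverified publisher", "java -jar other.jar"),  # wrong signer: not in group
    ProcessEvent(501, 500, "cmd.exe", "Microsoft Windows", "cmd.exe"),               # parent not in group
]

if __name__ == "__main__":
    for row in detections(SAMPLE_EVENTS, include_children=True):
        print(row)
```

Run as a script it lists pids 200, 300 and, because child processes are included, 201. Note that pid 501 is not reported even though its parent is named java.exe: the publisher check in the application group is what keeps a renamed or unsigned binary from matching, which is why the group definition above carries both properties.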

Check the audits

Check the policy audits to see if EPM detected powershell.exe or cmd.exe events that were executed by java.exe.

  1. In the EPM management console, click Policy Audit.

  2. In the Audit event filter, type powershell.exe then click Apply to see the events that EPM detected.

  3. In the Audit event filter, type cmd.exe then click Apply to see the events that EPM detected.