Log4j vulnerability (Legacy UI)
This topic describes how EPM addresses exploitation of the Log4j vulnerability by attackers.
Overview
Attackers can exploit the Log4j vulnerability to access your enterprise environment. It is important to emphasize that EPM does not automatically block an attack that uses the Log4j vulnerability; rather, it helps identify and block suspicious activities that might result from exploitation of this vulnerability.
One of the methods we use to detect exploitation of Log4j vulnerabilities is to detect instances of java.exe acting as the parent process of cmd.exe or powershell.exe, because it is very unlikely that java.exe legitimately initiates these processes.
You can configure an advanced EPM policy to detect or block cmd.exe or powershell.exe from being initiated when it is executed by java.exe. For monitoring purposes, we recommend that you set the policy to Detect mode for a short period of time (days), and then change it to Restrict mode.
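As an added illustration, not EPM code or part of the original documentation, the following Python applies the same rule the policy expresses to a few constructed process-creation events: cmd.exe or powershell.exe is flagged only when its direct parent is a java.exe signed by Oracle America, Inc., so a grandchild started through an intermediate cmd.exe, or a child of an unsigned java.exe that is outside the application group, is not matched. The event fields and pids are assumptions for the example.

```python
import ntpath

# Process-creation events constructed for this example; they are not EPM
# audit records. parent_pid links each process to its direct parent.
SAMPLE_EVENTS = [
    {"pid": 880, "image": r"C:\Windows\explorer.exe",
     "publisher": "Microsoft Windows", "parent_pid": 1},
    {"pid": 4120, "image": r"C:\Program Files\Java\bin\java.exe",
     "publisher": "Oracle America, Inc.", "parent_pid": 880},
    {"pid": 4188, "image": r"C:\Windows\System32\cmd.exe",
     "publisher": "Microsoft Windows", "parent_pid": 4120},
    {"pid": 4201, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "publisher": "Microsoft Windows", "parent_pid": 4188},   # grandchild of java.exe
    {"pid": 4250, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "publisher": "Microsoft Windows", "parent_pid": 4120},
    {"pid": 4302, "image": r"C:\Windows\System32\cmd.exe",
     "publisher": "Microsoft Windows", "parent_pid": 880},    # started by explorer
    {"pid": 5010, "image": r"C:\Temp\java.exe",
     "publisher": None, "parent_pid": 880},                   # unsigned, not in group
    {"pid": 5022, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "publisher": "Microsoft Windows", "parent_pid": 5010},
]

# Mirrors the application group: File Name java.exe, signed by the specific
# publisher Oracle America, Inc.
PARENT_GROUP = {"file_name": "java.exe", "publisher": "Oracle America, Inc."}
CHILD_FILE_NAMES = {"cmd.exe", "powershell.exe"}
POLICY_ACTION = {"Detect": "Run Normally", "Block": "Block Application"}


def in_parent_group(event):
    """True when the process matches the java.exe application group."""
    return (ntpath.basename(event["image"]).lower() == PARENT_GROUP["file_name"]
            and event["publisher"] == PARENT_GROUP["publisher"])


def evaluate(events, mode="Detect"):
    """Return (pid, file name, policy action) for each cmd.exe/powershell.exe
    whose *direct* parent is in the java.exe group (Check direct parent only)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name = ntpath.basename(e["image"]).lower()
        parent = by_pid.get(e["parent_pid"])
        if name in CHILD_FILE_NAMES and parent is not None and in_parent_group(parent):
            hits.append((e["pid"], name, POLICY_ACTION[mode]))
    return hits


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS, "Detect"):
        print(hit)
```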
Protect your environment
The following diagram shows how to leverage EPM to protect your environment against the Log4j vulnerability.
Activate policy audits in your Set
Make sure Policy Audit is activated in your Set:
- In the left panel of the EPM Service console, click Advanced > Agent Configuration.
- In the Data Collection parameters, set Collect Policy Usage Data to On.
- Click Save in the top-right panel, then click Ok in the confirmation dialog box.
Create a new application group
- In the EPM Service console, go to Policies > Application Groups.
- Click Groups, and select Add App Group.
- Specify a name for the new group. For example, java application group.
- In Policy Action, leave No Default Policy selected, then work through the wizard to finish creating the Application Group.
- In the list of Custom Application Groups, click the name of the application group you have just created.
- At the top of the pane, click Applications and select Add Application to open the Application wizard.
- In the Application Type tab, leave Add Application selected and click Next.
- In the Check By tab, leave Executable matching a set of parameters selected and click Next.
- In the Parameters tab, set the following values:

  Parameter    Value
  File Name    java.exe
  Signed by    Specific Publishers
  Publishers   Oracle America, Inc.

- Click Next to view a summary of the application group details, then click Finish.
Create an advanced policy
- In the EPM Service console, go to Policies > Advanced Policies.
- Click Actions, and select Create Application Policy.
- Specify a name for the new policy. For example, java.exe execute powershell.exe or cmd.exe.
- Select the action that determines how the policy handles cases where java.exe executes cmd.exe or powershell.exe processes:

  Action    Policy action
  Detect    Run Normally
  Block     Block Application

- Click Next and, in the following tabs, select the computers, AD computer groups, and OS users that this policy will apply to.
- In the Applications tab, add powershell.exe to the policy:
  Click New to open the Application wizard, and set the following values:

  Tab                Settings
  Application Type   Select Run Executable.
  Check By           Select Executable matching a set of parameters.
  Parameters         In File Name, type powershell.exe. Leave the rest of the fields empty.
  Child Processes    Select Child Processes will behave according to other Policies.
  Parent Process     Check Apply to Application only if its parent process belongs to group:, then select the application group you created in the previous procedure. Select Check direct parent process only.
  Source             No settings required.
  Final              Review the policy settings and make sure they're all correct.

  Click Finish to complete this step.
- While still in the Applications tab, add cmd.exe to the policy:
  Click New to open the Application wizard, and set the following values:

  Tab                Settings
  Application Type   Select Run Executable.
  Check By           Select Executable matching a set of parameters.
  Parameters         In File Name, type cmd.exe. Leave the rest of the fields empty.
  Child Processes    Select Child Processes will behave according to other Policies.
  Parent Process     Check Apply to Application only if its parent process belongs to group:, then select the application group you created in the previous procedure. Select Check direct parent process only.
  Source             No settings required.
  Final              Review the policy settings and make sure they're all correct.

  Click Finish to complete this step.
  Both applications are now listed for the policy to manage.
- In the Audit tab, select Collect Policy Audit.
- Click Next to proceed to the Final tab and review the policy settings, then click Finish to create the policy.
Check the audits
Check the Policy Audits to see if cmd.exe or powershell.exe were executed by java.exe.
- In the EPM Service console, click Policy Audit.
- In the Policy column, look for the policy you created above to see the occurrences that EPM detected.