Log4j vulnerability

This topic describes how EPM addresses exploitation of the Log4j vulnerability by attackers.

Overview

Attackers can exploit the Log4j vulnerability to access your enterprise environment. It’s important to emphasize that EPM does not automatically block an attack that utilizes the Log4j vulnerability, but helps identify and block suspicious activities that might be caused due to exploitation of this vulnerability.

One of the methods we use to detect exploitation of Log4j vulnerabilities is to detect instances of java.exe that are used as a parent process for cmd.exe or powershell.exe, as it is very unlikely that java.exe initiates these processes.

You can configure an advanced EPM policy to detect or block cmd.exe or powershell.exe from being initiated when it is executed by java.exe. For monitoring purposes, we recommend that you set the policy to Detect mode for a short period of time (days), and then change it to Restrict mode.

Protect your environment

The following diagram shows how to leverage EPM to protect your environment against the Log4j vulnerability.

Watch the video

Activate policy audits in your Set

Make sure Policy Audit is activated in your Set:

  1. In the left panel of the EPM Service console, click Advanced > Agent Configuration.

  2. In the Data Collection parameters, set Collect Policy Usage Data to On.

Create a new applications group

  1. In the EPM Service console, go to Polices > Application Groups.

  2. Click Groups, and select Add App Group.

  3. Specify a name for the new group. For example, java application group.

  4. In Policy Action, leave No Default Policy selected, then work through the wizard to finish creating the Application Group.

  5. In the list of Custom Application Groups, click the name of the application group you have just created.

  6. At the top of the pane, click Applications and select Add Application to open the Application wizard.

  7. In the Application Type tab, leave Add Application selected and click Next.

  8. In the Check By tab, leave Executable matching a set of parameters selected and click Next.

  9. In the Parameters tab, set the following values:

    Parameter

    Value

    File Name

    java.exe

    Signed by

    Specific Publishers

    Publishers

    Oracle America, Inc.

  10. Click Next to view a summary of the application group details, then click Finish.

Create an advanced policy

  1. In the EPM Service console, go to Polices > Advanced Polices.

  2. Click Actions, and select Create Application Policy.

  3. Specify a name for the new policy. For example, java.exe execute powershell.exe or cmd.exe.

  4. Select the action that determines how the policy will handle cases where java.exe executes cmd.exe or powershell.exe processes:

    Action

    Policy action

    Detect

    Run Normally

    Block

    Block Application

  5. Click Next and in the following tabs select the computers, AD computer groups, and OS users that this policy will apply to.

  6. In the Applications tab, add powershell.exe to the policy:

    Click New to open the Application wizard, and and set the following values:

    Tab

    Settings

    Application Type

    Select Run Executable.

    Check By

    Select Executable matching a set of parameters.

    Parameters

    In File Name, type powershell.exe.

    Leave the rest of the fields empty.

    Child Processes

    Select Child Processes will behave according to other Policies.

    Parent Process

    Check Apply to Application only if its parent process belongs to group:, then select the application group you created in the previous procedure.

    Select Check direct parent process only.

    Source

    No settings required

    Final

    Review the policy settings and make sure they're all correct.

    Click Finish to complete this step.

  7. While still in the Applications tab, add cmd.exe to the policy:

    Click New to open the Application wizard, and and set the following values:

    Tab

    Settings

    Application Type

    Select Run Executable.

    Check By

    Select Executable matching a set of parameters.

    Parameters

    In File Name, type cmd.exe.

    Leave the rest of the fields empty.

    Child Processes

    Select Child Processes will behave according to other Policies.

    Parent Process

    Check Apply to Application only if its parent process belongs to group:, then select the application group you created in the previous procedure.

    Select Check direct parent process only.

    Source

    No settings required

    Final

    Review the policy settings and make sure they're all correct.

    Click Finish to complete this step.

    You can see both applications listed for the policy to manage.

  8. In the Audit tab, select Collect Policy Audit.

  9. Click Next to proceed to the Final tab and review the policy settings, then click Finish to create the policy.

Check the audits

Check the Policy Audits to see if cmd.exe or powershell.exe were executed by java.exe.

  1. In the EPM Service console, click Policy Audit.

  2. In the Policy column, check for the policy you created above to see the occurrences that EPM detected.