USE CASE: POST-EXPLOITATION IMPACT OF LOG4JSHELL VULNERABILITY
11 Jan 2022
Log4j vulnerability (CVE-2021-44228) allows unauthenticated remote code execution and is triggered when a specially crafted string provided by the attacker through a variety of different input vectors, is parsed and processed by the Log4j vulnerable component. Microsoft stated that a vast majority of post-exploitation activities had been observed and based on the nature of the vulnerability, once an attacker has full access and control of an application, they can perform a myriad of objectives including installing coin miners, Cobalt Strike to enable credential theft and lateral movement as well as exfiltrating data from compromised systems. Relevant to Log4j vulnerability below are the most common MITRE ATT@CK Techniques that an attacker may leverage to compromise systems.
TECHNIQUE#1 - Exploitation for Client Execution
Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution.
CTM360: Mitigation Guidelines:
Note: Before disabling a service/configuration, please check if any endpoint requires it for a specific use case and only allow it where necessary.
Option 1:
Enable ASR (Attack Surface Reduction) from Group Policy: By leveraging MS ASR rules and relevant IDs to block specific actions from executing on Desktop or Server
Open Group Policy Editor [Local/Domain] click Computer Configuration > Policies > Administrative templates > Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack surface reduction.
On Right Side double click on “Configure Attack surface reduction rules” and select Enabled.
Now under options: click on the Show… button and the Show Contents windows will Open.
In Value Name type the below IDs and set the Value to 1 for each rule and click OK to save settings.
Block execution of potentially obfuscated scripts
ID = 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Value = 1
Block JavaScript or VBScript from launching downloaded executable content
ID = D3E037E1-3EB8-44C8-A917-57927947596D Value = 1
Block Office application from creating child processes
ID = d4f940ab-401b-4efc-aadc-ad5f3c50688a Value = 1
Block Office applications from injecting code into other processes
ID = 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 Value = 1
Block Win32 API calls from Office macros
ID = 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b Value = 1
Option 2:
Block Office Macros From Group Policy
(Below steps for Microsoft office 2016/2019) Install the Office 2016 Administrative Template files (ADMX/ADML) and Office Customization Tool on the Active Directory Domain Controller Upon completing the installation, follow the steps below: (For office2016, download the templates from Microsoft. Download link)
Open Group Policy Editor[Local/Domain] > User Configuration > Policies > Administrative templates > Microsoft Word 2016 > Word options > Security > Trust Center
On the right side double click on “Block macros from running in Office files from the Internet” and select Enabled > Click OK to save settings. Double click on “VBA Macro Notification Settings” and select Enabled
Under options select "Disable all without notification" from the drop-down list. Note: Follow the above steps to disable Macros for other Microsoft Office Applications like Excel, PowerPoint etc.)
Option 3:
Enable Controlled Folder Access Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Open Group Policy Editor[Local/Domain] > Computer Configuration > Policies > Administrative Templates > Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled folder access
On the right side window double click on “Configure Controlled folder access” and select Enabled
Under options > Configure the guard my folders feature Select Block from the drop-down list and Click OK to Save Settings. This is a strict mode where untrusted apps cannot make any changes to files inside protected folders.
Note: Enable this with caution as it may affect the organization’s productivity
- TECHNIQUE#2 - Ingress Tool Transfer
- TECHNIQUE#3 - Command and Scripting Interpreter: PowerShell
- TECHNIQUE#4 - Command and Scripting Interpreter: Windows Command Shell
- TECHNIQUE#5 - OS Credential Dumping: LSASS Memory
- TECHNIQUE#6 - Windows Management Instrumentation
- TECHNIQUE#7 - Remote Services: Remote Desktop Protocol
- TECHNIQUE#8 - Remote Services: SMB/Windows Admin Shares
Recommendations
This hardening guide is part of CTM360’s ongoing strategy to provide actionable insights and tangible recommendations for major ransomware families. Our research team will be sharing such advisories frequently to ensure organizations globally become a harder target and can prevent the impact of ransomware proactively. We invite your feedback and welcome your input for future editions of our security hardening series. Kindly reach out to monitor@ctm360.com for any communication.