LoFP LoFP / legitimate java applications may use perform outbound connections to these ports. filter as needed

Techniques

Sample rules

Outbound Network Connection from Java Using Default Ports

Description

The following analytic detects outbound network connections from Java processes to default ports used by LDAP and RMI protocols, which may indicate exploitation of the CVE-2021-44228-Log4j vulnerability. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and network traffic logs. Monitoring this activity is crucial as it can signify an attacker’s attempt to perform JNDI lookups and retrieve malicious payloads. If confirmed malicious, this activity could lead to remote code execution and further compromise of the affected server.

Detection logic


| tstats prestats=t `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where (Processes.process_name="java.exe" OR Processes.process_name=javaw.exe OR Processes.process_name=javaw.exe) by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product 
| `drop_dm_object_name(Processes)` 
| tstats prestats=t append=t `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic where (All_Traffic.dest_port= 389 OR All_Traffic.dest_port= 636 OR All_Traffic.dest_port = 1389 OR All_Traffic.dest_port = 1099 ) by All_Traffic.action All_Traffic.app All_Traffic.dest All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.direction All_Traffic.dvc All_Traffic.protocol All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport All_Traffic.user All_Traffic.vendor_product All_Traffic.process_id 
| `drop_dm_object_name(All_Traffic)` 
| table action dest original_file_name parent_process parent_process_exec parent_process_guid parent_process_id parent_process_name parent_process_path process process_exec process_guid process_hash process_id process_integrity_level process_name process_path user user_id vendor_product app dest_ip dest_port direction dvc protocol protocol_version src src_ip src_port transport 
| stats values(action) as action values(dest) as dest values(original_file_name) as original_file_name values(parent_process) as parent_process values(parent_process_exec) as parent_process_exec values(parent_process_guid) as parent_process_guid values(parent_process_id) as parent_process_id values(parent_process_name) as parent_process_name values(parent_process_path) as parent_process_path values(process) as process values(process_exec) as process_exec values(process_hash) as process_hash values(process_guid) as process_guid values(process_integrity_level) as process_integrity_level values(process_name) as process_name values(process_path) as process_path values(user) as user values(user_id) as user_id values(vendor_product) as vendor_product values(app) as app values(dest_ip) as dest_ip values(dest_port) as dest_port values(direction) as direction values(dvc) as dvc values(protocol) as protocol values(protocol_version) as protocol_version values(src) as src values(src_ip) as src_ip values(src_port) as src_port values(transport) as transport by process_id 
| where isnotnull(process_name) AND isnotnull(dest_port) 
| `outbound_network_connection_from_java_using_default_ports_filter`