Initial Access: Log4j Compromise Attempt

This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.

Finding description

This finding is generated when Java Naming and Directory Interface (JNDI) lookups within headers or URL parameters are detected. These lookups may indicate attempts at Log4Shell exploitation. To respond to this finding, do the following:

Step 1: Review finding details

1. Open an Initial Access: Log4j Compromise Attempt finding, as directed in Reviewing finding details. The details panel for the finding opens to the Summary tab.

2. On the Summary tab, review the information in the following sections:

   • What was detected
   • Affected resource
   • Related links, especially the following fields:
     • Cloud Logging URI: link to Logging entries.
     • MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
     • Related findings: links to any related findings.
   • In the detail view of the finding, click the JSON tab.

   • In the JSON, note the following fields.

   • properties

     • loadBalancerName: the name of the load balancer that received the JNDI lookup
     • requestUrl: the request URL of the HTTP request. If present, this contains a JNDI lookup.
     • requestUserAgent: the user agent that sent the HTTP request. If present, this contains a JNDI lookup.
     • refererUrl: the URL of the page that sent the HTTP request. If present, this contains a JNDI lookup.

Step 2: Check logs

1. In the Google Cloud console, go to Logs Explorer by clicking the link in the Cloud Logging URI field from step 1.

2. On the page that loads, check the httpRequest fields for string tokens like ${jndi:ldap:// that may indicate possible exploitation attempts.

   See CVE-2021-44228: Detecting Log4Shell exploit in the Logging documentation for example strings to search for and for an example query.

Step 3: Research attack and response methods

1. Review the MITRE ATT&CK framework entry for this finding type: Exploit Public-Facing Application.
2. Review related findings by clicking the link on the Related findings on the Related findings row in the Summary tab of the finding details. Related findings are the same finding type and the same instance and network.
3. To develop a response plan, combine your investigation results with MITRE research.

Step 4: Implement your response

The following response plan might be appropriate for this finding, but might also impact operations. Carefully evaluate the information you gather in your investigation to determine the best way to resolve findings.

• Upgrade to the latest version of Log4j2.
• Follow Google Cloud's recommendations for investigating and responding to the "Apache Log4j 2" vulnerability.
• Implement the recommended mitigation techniques in Apache Log4j Security Vulnerabilities.
• If you use Google Cloud Armor, deploy the cve-canary rule into a new or existing Cloud Armor security policy. For more information, see Google Cloud Armor WAF rule to help mitigate Apache Log4j vulnerability.

What's next

• Learn how to work with threat findings in Security Command Center.
• Refer to the Threat findings index.
• Learn how to review a finding through the Google Cloud console.
• Learn about the services that generate threat findings.