Emerging Threathightest

Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon

Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable versions of Log4j.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

kostastsaleCreated Fri Jan 143eb91f0a-0060-424a-a676-59f5fdd756102021

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        ParentImage|endswith: '\ws_TomcatService.exe'
    filter_main_shells:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
    condition: selection and not 1 of filter_main_*

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

MITRE ATT&CK

Tactics

TA0001 · Initial Access

Techniques

T1190 · Exploit Public-Facing Application

Other

cve.2021-44228detection.emerging-threats

Rule Metadata

Rule ID

3eb91f0a-0060-424a-a676-59f5fdd75610

Status

test

Level

high

Type

Emerging Threat

Created

Fri Jan 14

Author

kostastsale

Path

rules-emerging-threats/2021/Exploits/CVE-2021-44228/proc_creation_win_exploit_cve_2021_44228_vmware_horizon_log4j.yml

Raw Tags

attack.initial-accessattack.t1190cve.2021-44228detection.emerging-threats

View on GitHub