← Back to Explore
splunk_escuCorrelation
Log4Shell CVE-2021-44228 Exploitation
The following analytic identifies potential exploitation of Log4Shell CVE-2021-44228 by correlating multiple MITRE ATT&CK tactics detected in risk events. It leverages Splunk's risk data model to calculate the distinct count of MITRE ATT&CK tactics from Log4Shell-related detections. This activity is significant because it indicates a high probability of exploitation if two or more distinct tactics are observed. If confirmed malicious, this activity could lead to initial payload delivery, callback to a malicious server, and post-exploitation activities, potentially resulting in unauthorized access, lateral movement, and further compromise of the affected systems.
Detection Query
| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count FROM datamodel=Risk.All_Risk
WHERE All_Risk.analyticstories="Log4Shell CVE-2021-44228" All_Risk.risk_object_type="system"
BY All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic
| `drop_dm_object_name(All_Risk)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where source_count >= 2
| `log4shell_cve_2021_44228_exploitation_filter`Author
Jose Hernandez, Splunk
References
Raw Content
name: Log4Shell CVE-2021-44228 Exploitation
id: 9be30d80-3a39-4df9-9102-64a467b24eac
version: 11
creation_date: '2022-01-27'
modification_date: '2026-05-13'
author: Jose Hernandez, Splunk
status: production
type: Correlation
description: The following analytic identifies potential exploitation of Log4Shell CVE-2021-44228 by correlating multiple MITRE ATT&CK tactics detected in risk events. It leverages Splunk's risk data model to calculate the distinct count of MITRE ATT&CK tactics from Log4Shell-related detections. This activity is significant because it indicates a high probability of exploitation if two or more distinct tactics are observed. If confirmed malicious, this activity could lead to initial payload delivery, callback to a malicious server, and post-exploitation activities, potentially resulting in unauthorized access, lateral movement, and further compromise of the affected systems.
data_source: []
search: |-
| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count FROM datamodel=Risk.All_Risk
WHERE All_Risk.analyticstories="Log4Shell CVE-2021-44228" All_Risk.risk_object_type="system"
BY All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic
| `drop_dm_object_name(All_Risk)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where source_count >= 2
| `log4shell_cve_2021_44228_exploitation_filter`
how_to_implement: To implement this correlation search a user needs to enable all detections in the Log4Shell Analytic Story and confirm it is generation risk events. A simple search `index=risk analyticstories="Log4Shell CVE-2021-44228"` should contain events.
known_false_positives: There are no known false positive for this search, but it could contain false positives as multiple detections can trigger and not have successful exploitation.
references:
- https://research.splunk.com/stories/log4shell_cve-2021-44228/
- https://www.splunk.com/en_us/blog/security/simulating-detecting-and-responding-to-log4shell-with-splunk.html
drilldown_searches:
- name: View the detection results for - "$risk_object$"
search: '%original_detection_search% | search risk_object = "$risk_object$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$risk_object$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
finding:
title: Log4Shell CVE-2021-44228 Exploitation detected - $risk_object$
entity:
field: risk_object
type: system
score: 0
analytic_story:
- Log4Shell CVE-2021-44228
- CISA AA22-320A
asset_type: Endpoint
mitre_attack_id:
- T1105
- T1190
- T1059
- T1133
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/log4shell_exploitation/log4shell_correlation.log
source: log4shell
sourcetype: stash
test_type: unit