Threat Hunting and Detection of the Log4j Exploit using the ExeonTrace NDR - Part II
In this blog post, we explain how to work with threatfeeds in ExeonTrace for the detection of devices compromised through the Log4j vulnerability. Our first blog post provides more technical background information.
Working with threatfeeds for the detection of Log4J exploits in ExeonTrace
In its default configuration, ExeonTrace downloads selected high-reputation public threatfeeds regularly and checks for IOCs. You can check if this feature is enabled in your setup by opening the "Threat feed" tab under anomalies. If you see threatfeeds with the source "Exeon", it's safe to assume that the feature is currently active.
As false positives are always an issue with threatfeeds, the Exeon standard feed contains only a few selected sources. For customers who want to add further sources, ExeonTrace offers the possibility to load custom threatfeeds. Many very extensive threatfeeds can be found on GitHub by searching for "log4j ioc". These threatfeeds are much more extensive, but often contain some false positives. A threat feed can be a simple list of IP addresses (one IP per line).
To load a custom threatfeed, open the threat feed tab under anomalies and click “Import threat feed”.
Select the desired file and confirm. Make sure to add a name and a description and change the score to 150 (the default is 80). In the example below, we created a CSV file from Threatmonit's Log4j IOCs from GitHub.
You will now be informed whenever an endpoint tries to open a connection to one of the IPs in the list.
Checking for previous indicators of compromise
Threat feeds are only checked going forward in time. For an event like the Log4j vulnerability it is always important to know whether any devices connected to these known malicious IP addresses before they were published in the threat feeds.
For this you can go to the “Client server pairs” tab under flow analytics. Change the tab to “Outbound” and copy all IPs of your threat feed into the filter bar. The filter bar supports up to 10000 IPv4 or 1000 IPv6 addresses per search. If your threat feed is larger, you need to split it into separate queries. Make sure to select a sensible time range, for example the last week. Depending on your setup, the first query can take some time until all the historical data for the selected time range is loaded into the cache. After the initial loading, all subsequent queries should be much faster.
Make sure to select the checkboxes “include all ports” and “show failed connections”. It’s also a good idea to check the tab “Inbound” for suspicious activities, because in case of incomplete log data, connections are sometimes rotated.
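As an added example (not ExeonTrace code), the following Python script normalises a downloaded feed into the one-IP-per-line form described above, drops comments, duplicates and malformed lines that would otherwise pollute the filter, and splits the result into batches that fit the filter bar limits of 10000 IPv4 or 1000 IPv6 addresses per query. The sample feed is constructed from documentation addresses, not real indicators.

```python
import ipaddress
from typing import Iterable

# Per-query limits of the "Client server pairs" filter bar as stated above.
MAX_IPV4_PER_QUERY = 10000
MAX_IPV6_PER_QUERY = 1000


def parse_feed(lines: Iterable[str]) -> tuple[list[str], list[str]]:
    """Normalise a raw threat feed into deduplicated IPv4 and IPv6 lists.

    Accepts one indicator per line, tolerates '#' comments, blank lines and
    surrounding whitespace; anything that is not a valid IP address is
    skipped (domains or CIDR ranges would need separate handling).
    """
    v4, v6 = [], []
    seen = set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            continue
        if ip in seen:
            continue
        seen.add(ip)
        (v4 if ip.version == 4 else v6).append(str(ip))
    return v4, v6


def batch(items: list[str], size: int) -> list[list[str]]:
    """Split a list into consecutive chunks of at most `size` entries."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def filter_batches(lines: Iterable[str]) -> list[list[str]]:
    """Return the address lists to paste into the filter bar, one per query."""
    v4, v6 = parse_feed(lines)
    return batch(v4, MAX_IPV4_PER_QUERY) + batch(v6, MAX_IPV6_PER_QUERY)


# Constructed sample feed using documentation ranges (RFC 5737 / RFC 3849).
SAMPLE_FEED = """# example feed
203.0.113.10
203.0.113.10   # duplicate entry
198.51.100.7
2001:db8::1
not-an-ip
"""

if __name__ == "__main__":
    for n, addrs in enumerate(filter_batches(SAMPLE_FEED.splitlines()), 1):
        print(f"query {n}: {len(addrs)} addresses -> {', '.join(addrs)}")
```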
Head of Professional Services