Log4Shell Scanning Detected

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1190-exploit-public-facing-application

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a Log4j scanning attempt occurs in your environment.

Strategy

Regex search on logs to find specific payloads indicative of Log4j scanning.

Triage and response

  1. Investigate if the host is running a vulnerable version of the Log4j Java library
  2. Use the Log4j Investigation Dashboard to conduct impact analysis
  3. Explore what other services the attacker hit in the last day - Linked to investigation query
  4. Explore Java logs associated with the attacker - linked to investigation query