KSU Scanning and Monitoring Guide for LOG4J

System Administrator Guidance 

Anyone who manages a significant number of servers or workstations will eventually face the question of whether or not there has been a compromise of one of their systems. The following guidelines will help you look for and identify suspicious activity. 

If you encounter a system that has this vulnerability, the KSU Cyber Security Incident Response Team (KSU CSIRT) recommends that you treat the endpoint with caution. It is suggested that you work to patch and remediate the issue. If you cannot do so without causing a major system outage, or are unsure, please contact the KSU Information Security Team at Security@kent.edu (Subject Line: “LOG4J Concerns”).

If you encounter a system that has been compromised, treat it as you would any system in that condition. It is recommended that you NOT shut down the asset. Instead, immediately contact the KSU Information Security Team at Security@kent.edu (Subject Line: “LOG4J Potential Compromise”). This is especially important if the system may store or process KSU sensitive data. KSU Sensitive Data is data classified as Moderate, High, or Critical under the KSU Data Classification Standard.

Utilize the following to detect if you have this vulnerability or potential compromise: 

Microsoft Defender for Endpoint Scanning

Verify that your system is running Microsoft Defender for Endpoint. If it is not installed, contact the KSU CSIRT at Security@kent.edu (Subject Line: “LOG4J Concerns”).

If it is installed, follow Microsoft's guidance: Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation.

Check Running Processes

A quick check of the processes running on your system (desktops, laptops, and servers) can sometimes find malware as well as resource-consuming processes that are simply unneeded and hinder performance. When looking at running processes, you should: 

  • Do an internet search for any suspect process names, meaning those that are unknown to you or not readily identifiable. Many necessary processes have names that do not describe their purpose, so do not assume that a process you don't recognize is not needed for the system to function.
  • Check where a process is running from (the location of its executable file). For example, malware that is downloaded by the user of a computer will often run from space that user can access, such as the temp or downloads folders. Any unexpected processes running from "temp" or similar space should be checked.
  • Remember that if malicious software is running from within a user's profile, you may not see the same process running when logged in as another user account. If a problem only appears when a particular user logs in, be sure to check their profile/user space. 
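The process-location check above, as an added Python example that is not part of the KSU guidance. It applies one rule to both Windows and POSIX executable paths; the sample process list is constructed, and list_linux_processes() reads /proc on a real Linux host.

```python
import os
from pathlib import PurePosixPath, PureWindowsPath

# Directory components that usually mark user-writable staging space.
# Assumption: extend this set with locations specific to your environment.
SUSPECT_DIRS = {"temp", "tmp", "downloads", "$recycle.bin"}


def _parent_dir(path):
    """Lower-cased, forward-slash directory part of a Windows or POSIX path."""
    if "\\" in path or (len(path) > 1 and path[1] == ":"):
        return PureWindowsPath(path).parent.as_posix().lower()
    return PurePosixPath(path).parent.as_posix().lower()


def is_suspect_location(path):
    """True if the executable's directory looks like temp or downloads space."""
    directory = _parent_dir(path)
    if directory.startswith("/dev/shm"):
        return True
    return any(part in SUSPECT_DIRS for part in directory.split("/"))


def suspect_processes(processes):
    """processes: iterable of (pid, executable_path); returns the suspect ones."""
    return [(pid, exe) for pid, exe in processes if exe and is_suspect_location(exe)]


def list_linux_processes():
    """Read /proc/<pid>/exe for every process (Linux only; root sees all users)."""
    found = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            found.append((int(pid), os.readlink(f"/proc/{pid}/exe")))
        except OSError:
            continue  # process exited, or belongs to another user
    return found


# Constructed sample: two benign system processes and three suspect ones.
SAMPLE = [
    (412, r"C:\Windows\System32\svchost.exe"),
    (2210, r"C:\Users\jdoe\AppData\Local\Temp\update.exe"),
    (3001, "/usr/sbin/sshd"),
    (3320, "/tmp/.x/kworker"),
    (3400, "/home/jdoe/Downloads/installer"),
]

if __name__ == "__main__":
    for pid, exe in suspect_processes(SAMPLE):
        print(f"pid {pid}: {exe}")
```

Run it as root (or with sudo) when feeding it list_linux_processes(), since processes owned by other users are otherwise invisible, which is exactly the per-user profile case noted above.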

Check Network, System, and Logging Activity  

  • NETSTAT: The network statistics (netstat) command is a networking tool used for troubleshooting and configuration. It can also serve as a monitoring tool for network connections: listing incoming and outgoing connections, routing tables, listening ports, and usage statistics are common uses for this command. Look for connections that are not consistent with the system's normal usage or the services it provides. Full listing: https://en.wikipedia.org/wiki/Netstat

Examine any application or operating system logs to look for signs of unauthorized access, such as: 

  • Successful logins from unknown or unexpected accounts. 
  • Logging setting changes, such as logging being disabled or logs having been "cleared" unexpectedly. 
  • Remote or off-campus connections (if those are not normal for your system). 
  • Unexpected changes in service status (startup, shutdown). 
  • Unexpected installation or removal of software. 

To check specific system logs: 

  • Viewing Windows Logs: Click "Control Panel" > "System and Security" > "Administrative Tools", and then double-click "Event Viewer". Click to expand "Windows Logs" in the left pane, and then select "Application".
  • Viewing Red Hat Logs: Linux logs are stored under /var/log. Change to that directory with cd /var/log, then type ls to list the log files stored there.
  • Viewing Mac Logs: To view your Mac system logs, launch the Console app. You can launch it with Spotlight search by pressing Command+Space, typing “Console,” and then pressing Enter. You'll also find it at Finder > Applications > Utilities > Console.
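The log checks listed above (logins from unknown accounts, remote logins, logging being stopped, service start/stop, software installed or removed), applied to syslog-style lines from /var/log; this is an added Python example, not part of the KSU guidance. The log lines, the known-account list and the campus address range are constructed placeholders to replace with your own.

```python
import ipaddress
import re

# Assumptions to replace with your own: accounts expected to log in, and the
# address ranges from which logins are normal (everything else is "remote").
KNOWN_ACCOUNTS = {"jdoe", "sysadmin"}
CAMPUS_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
SERVICE_RE = re.compile(r"systemd\[\d+\]: (Started|Stopped) (.+?)\.?$")
PACKAGE_RE = re.compile(r"\b(Installed|Erased): (\S+)")


def _is_remote(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CAMPUS_NETWORKS)


def scan_line(line):
    """Return (category, detail) findings for one syslog-style line."""
    findings = []
    m = LOGIN_RE.search(line)
    if m:
        user, ip = m.groups()
        if user not in KNOWN_ACCOUNTS:
            findings.append(("unknown-account-login", f"{user} from {ip}"))
        if _is_remote(ip):
            findings.append(("remote-login", f"{user} from {ip}"))
    m = SERVICE_RE.search(line)
    if m:
        state, unit = m.groups()
        category = "service-change"
        if state == "Stopped" and "logging" in unit.lower():
            category = "logging-stopped"  # the Linux form of "logging disabled"
        findings.append((category, f"{state} {unit}"))
    m = PACKAGE_RE.search(line)
    if m:
        findings.append(("software-change", f"{m.group(1)} {m.group(2)}"))
    return findings


def scan_log(lines):
    """Scan every line; returns a list of (line_number, category, detail)."""
    return [(n, cat, d) for n, line in enumerate(lines, 1) for cat, d in scan_line(line)]


# Constructed sample lines in the style of /var/log/secure, messages and yum.log.
SAMPLE_LOG = """\
Dec 13 09:02:11 web1 sshd[2201]: Accepted publickey for jdoe from 10.20.4.7 port 50122 ssh2
Dec 13 09:40:57 web1 sshd[2390]: Accepted password for backup2 from 203.0.113.9 port 51422 ssh2
Dec 13 09:41:30 web1 systemd[1]: Stopped System Logging Service.
Dec 13 09:42:02 web1 systemd[1]: Started Cron daemon.
Dec 13 09:43:15 Installed: nmap-2:7.91-10.el8.x86_64
""".splitlines()

if __name__ == "__main__":
    for n, cat, detail in scan_log(SAMPLE_LOG):
        print(f"line {n}: {cat}: {detail}")
```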

Check for Unexpected Changes 

Look for the following types of unexpected changes as possible indicators that a system may have been compromised: 

  • Local user accounts that have been added, especially privileged accounts such as admin accounts or accounts in the admin group for that system. 
  • Services and processes that have been added or removed. 
  • Active network connections to unfamiliar or unexpected networks. 
  • File system changes, such as data missing or added, or new directories being created. 
  • Drastic changes in available space on a drive (sudden loss of free space). 
  • Local firewall rules that have changed, particularly new firewall openings. 
  • Unexpected scheduled tasks (Windows) or cron jobs (Unix). 
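A baseline comparison covering the change types listed above (accounts and admin-group membership, services, listening ports, firewall rules, cron jobs), as an added Python example that is not part of the KSU guidance. The two snapshots shown are constructed; collect_linux() assumes a Linux host with systemd, ss and iptables, run as root, and is the piece you would use to record a real baseline before any incident.

```python
import json
import subprocess

CATEGORIES = ("accounts", "admin_group", "services", "listening", "firewall", "cron")


def compare(baseline, current):
    """Return {category: {"added": [...], "removed": [...]}} for categories that differ."""
    report = {}
    for cat in CATEGORIES:
        before, after = set(baseline.get(cat, [])), set(current.get(cat, []))
        if before != after:
            report[cat] = {"added": sorted(after - before), "removed": sorted(before - after)}
    return report


def _run(cmd):
    """Run a shell command; return its non-empty output lines, or [] on failure."""
    try:
        out = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30).stdout
    except (OSError, subprocess.SubprocessError):
        return []
    return [line.strip() for line in out.splitlines() if line.strip()]


def collect_linux():
    """Snapshot a Linux host (assumes systemd, ss and iptables; run as root)."""
    return {
        "accounts": [line.split(":")[0] for line in _run("getent passwd")],
        "admin_group": [m for line in _run("getent group wheel sudo") for m in line.split(":")[-1].split(",") if m],
        "services": _run("systemctl list-unit-files --type=service --state=enabled --no-legend | awk '{print $1}'"),
        "listening": _run("ss -lntuH | awk '{print $1, $5}'"),
        "firewall": _run("iptables -S"),
        "cron": _run("cat /etc/crontab /etc/cron.d/* 2>/dev/null | grep -v '^#'"),
    }


# Constructed snapshots: "current" shows a new admin account, a new firewall opening and a cron job in /tmp.
BASELINE = {
    "accounts": ["root", "jdoe"], "admin_group": ["jdoe"],
    "listening": ["tcp 0.0.0.0:22", "tcp 0.0.0.0:443"],
    "firewall": ["-A INPUT -p tcp --dport 22 -j ACCEPT"], "cron": [],
}
CURRENT = {
    "accounts": ["root", "jdoe", "support"], "admin_group": ["jdoe", "support"],
    "listening": ["tcp 0.0.0.0:22", "tcp 0.0.0.0:443", "tcp 0.0.0.0:2222"],
    "firewall": ["-A INPUT -p tcp --dport 22 -j ACCEPT", "-A INPUT -p tcp --dport 2222 -j ACCEPT"],
    "cron": ["*/5 * * * * root /tmp/.x/run.sh"],
}

if __name__ == "__main__":
    # To record a real baseline: json.dump(collect_linux(), open("baseline.json", "w"))
    print(json.dumps(compare(BASELINE, CURRENT), indent=2))
```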

Report Suspicious Activity 

Report any suspicious activity that you find to: Security@kent.edu (Subject Line: “LOG4J Potential Compromise”).