www.microsoft.com
Open in
urlscan Pro
2a02:26f0:fb:59d::356e
Public Scan
URL:
https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-...
Submission: On January 04 via api from QA — Scanned from DE
Submission: On January 04 via api from QA — Scanned from DE
Form analysis 1 forms found in the DOM
Name: searchForm — GET https://www.microsoft.com/en-us/search/explore
<form class="c-search" autocomplete="off" id="searchForm" name="searchForm" role="search" action="https://www.microsoft.com/en-us/search/explore" method="GET"
data-seautosuggest="{"queryParams":{"market":"en-us","clientId":"7F27B536-CF6B-4C65-8638-A0F8CBDFCA65","sources":"Iris-Products,DCatAll-Products,Microsoft-Terms","filter":"+ClientType:StoreWeb","counts":"1,5,5"},"familyNames":{"Apps":"App","Books":"Book","Bundles":"Bundle","Devices":"Device","Fees":"Fee","Games":"Game","MusicAlbums":"Album","MusicTracks":"Song","MusicVideos":"Video","MusicArtists":"Artist","OperatingSystem":"Operating System","Software":"Software","Movies":"Movie","TV":"TV","CSV":"Gift Card","VideoActor":"Actor"}}"
data-seautosuggestapi="https://www.microsoft.com/services/api/v3/suggest"
data-m="{"cN":"GlobalNav_Search_cont","cT":"Container","id":"c3c1c9c3c1m1r1a1","sN":3,"aN":"c1c9c3c1m1r1a1"}" aria-expanded="false"
style="overflow-x: visible;">
<input id="cli_shellHeaderSearchInput" aria-label="Search Expanded" aria-controls="universal-header-search-auto-suggest-transparent" aria-owns="universal-header-search-auto-suggest-ul" type="search" name="q" role="text"
placeholder="Search Microsoft.com" data-m="{"cN":"SearchBox_nav","id":"n1c3c1c9c3c1m1r1a1","sN":1,"aN":"c3c1c9c3c1m1r1a1"}" data-toggle="tooltip" data-placement="right"
title="Search Microsoft.com" style="overflow-x: visible;">
<div class="x-screen-reader" aria-live="assertive"></div>
<button id="search" aria-label="Search Microsoft.com" class="c-glyph" data-m="{"cN":"Search_nav","id":"n2c3c1c9c3c1m1r1a1","sN":2,"aN":"c3c1c9c3c1m1r1a1"}" data-bi-dnt="true"
data-bi-mto="true" aria-expanded="false" style="overflow-x: visible;">
<span role="presentation" style="overflow-x: visible;">Search</span>
<span role="tooltip" class="c-uhf-tooltip c-uhf-search-tooltip" style="overflow-x: visible;">Search Microsoft.com</span>
</button>
<div class="m-auto-suggest" id="universal-header-search-auto-suggest-transparent" role="group" style="overflow-x: visible;">
<ul class="c-menu" id="universal-header-search-auto-suggest-ul" aria-label="Search Suggestions" aria-hidden="true" data-bi-dnt="true" data-bi-mto="true" data-js-auto-suggest-position="default" role="listbox" data-tel="jsll"
data-m="{"cN":"search suggestions_cont","cT":"Container","id":"c3c3c1c9c3c1m1r1a1","sN":3,"aN":"c3c1c9c3c1m1r1a1"}" style="overflow-x: visible;"></ul>
</div>
</form>Text Content
We use cookies to improve your experience on our websites and for advertising.
Privacy Statement
Accept all Manage cookies
Skip to main content
Try the browser recommended by Microsoft Get speed, security and privacy with
Microsoft Edge
No thanks Switch now
Skip to main content
Microsoft
Microsoft Security
Microsoft Security
Microsoft Security
* Home
* Solutions
* Cloud security
* Compliance management
* Identity & access management Identity & access management
* Decentralized identity
* Identity & access management overview
* Identity compromise protection
* Identity governance
* Seamless user experiences
* Secure app access
* Unified identity management
* Information protection & governance
* Risk management
* Secure remote work
* Threat protection
* Zero Trust
* Products
* App & email security App & email security
* Azure Dedicated HSM
* Azure Key Vault
* Microsoft Defender for Cloud Apps
* Microsoft Defender for Office 365
* Compliance Compliance
* Compliance management
* Information protection & governance
* Risk management
* Endpoint security Endpoint security
* Azure IoT Central
* Azure Sphere
* Microsoft Defender for Business
* Microsoft Defender for Endpoint
* Microsoft Defender for Identity
* Microsoft Defender for IoT
* Microsoft Endpoint Manager
* Identity & access management Identity & access management
* Azure Active Directory
* Conditional Access
* External identities
* Identity protection
* Multifactor authentication (MFA)
* Passwordless Authentication
* Privileged Identity Management (PIM)
* SSO solution: Secure app access with single sign-on
* Network security Network security
* Azure Application Gateway
* Azure DDoS Protection
* Azure Firewall
* Azure Firewall manager
* Azure Front-door
* Azure VPN Gateway
* Azure Web Application Firewall
* Privacy management
* Security posture Security posture
* Microsoft Defender for Cloud
* Microsoft Secure Score
* SIEM & XDR SIEM & XDR
* Microsoft 365 Defender
* Microsoft Defender for Cloud
* Microsoft Defender for Endpoint
* Microsoft Defender for IoT
* Microsoft Sentinel
* Partners
* Find a partner
* Government partners
* Industry alliances
* Microsoft Intelligent Security Association
* Partners overview
* Resources
* Intelligence reports
* Security blog
* Security operations
* Security technical content
* Service Trust Portal
* Services Services
* Compliance Program for Microsoft Cloud
* Trust Center
* Webinars, whitepapers & more
* More
* All Microsoft
* * Microsoft 365
* Azure
* Office 365
* Dynamics 365
* Power Platform
* Windows 10
* Products & Services Products & Services
* Windows Server
* Enterprise Mobility + Security
* Power BI
* Teams
* Visual Studio
* Microsoft Advertising
* Emerging Technologies Emerging Technologies
* AI
* Internet of Things
* Azure Cognitive Services
* Quantum
* Microsoft HoloLens
* Mixed Reality
* Developer & IT Developer & IT
* Docs
* Developer Center
* Windows Dev Center
* Windows IT Pro Center
* FastTrack
* Power Platform
* Partner Partner
* Partner Network
* Solution Providers
* Partner Center
* Cloud Hosting
* Industries Industries
* Education
* Financial services
* Government
* Health
* Manufacturing & resources
* Retail
* Other Other
* Security
* Licensing
* AppSource
* Azure Marketplace
* Events
* Research
* View Sitemap
Search Search Microsoft.com
Cancel
December 11, 2021
GUIDANCE FOR PREVENTING, DETECTING, AND HUNTING FOR EXPLOITATION OF THE LOG4J 2
VULNERABILITY
* Microsoft 365 Defender Threat Intelligence Team
* Microsoft Threat Intelligence Center (MSTIC)
Share
* Twitter
* LinkedIn
* Facebook
* Email
* Print
January 3, 2022 recap – The Log4j vulnerabilities represent a complex and
high-risk situation for companies across the globe. This open-source component
is widely used across many suppliers’ software and services. By nature of Log4j
being a component, the vulnerabilities affect not only applications that use
vulnerable libraries, but also any services that use these applications, so
customers may not readily know how widespread the issue is in their environment.
Customers are encouraged to utilize scripts and scanning tools to assess their
risk and impact. Microsoft has observed attackers using many of the same
inventory techniques to locate targets. Sophisticated adversaries (like
nation-state actors) and commodity attackers alike have been observed taking
advantage of these vulnerabilities. There is high potential for the expanded use
of the vulnerabilities.
Exploitation attempts and testing have remained high during the last weeks of
December. We have observed many existing attackers adding exploits of these
vulnerabilities in their existing malware kits and tactics, from coin miners to
hands-on-keyboard attacks. Organizations may not realize their environments may
already be compromised. Microsoft recommends customers to do additional review
of devices where vulnerable installations are discovered. At this juncture,
customers should assume broad availability of exploit code and scanning
capabilities to be a real and present danger to their environments. Due to the
many software and services that are impacted and given the pace of updates, this
is expected to have a long tail for remediation, requiring ongoing, sustainable
vigilance.
The remote code execution (RCE) vulnerabilities in Apache Log4j 2 referred to as
“Log4Shell” (CVE-2021-44228, CVE-2021-45046, CVE-2021-44832) has presented a new
attack vector and gained broad attention due to its severity and potential for
widespread exploitation. The majority of attacks we have observed so far have
been mainly mass-scanning, coin mining, establishing remote shells, and red-team
activity, but it’s highly likely that attackers will continue adding exploits
for these vulnerabilities to their toolkits.
With nation-state actors testing and implementing the exploit and known
ransomware-associated access brokers using it, we highly recommend applying
security patches and updating affected products and services as soon as
possible. Refer to the Microsoft Security Response Center blog for technical
information about the vulnerabilities and mitigation recommendations.
Meanwhile, defenders need to be diligent in detecting, hunting for, and
investigating related threats. This blog reports our observations and analysis
of attacks that take advantage of the Log4j 2 vulnerabilities. It also provides
our recommendations for using Microsoft security solutions to (1) find and
remediate vulnerable services and systems and (2) detect, investigate, and
respond to attacks.
This blog covers the following topics:
1. Attack vectors and observed activity
2. Finding and remediating vulnerable apps and systems
* Threat and vulnerability management
* Microsoft 365 Defender advanced hunting
* Microsoft Defender for Cloud
* Microsoft Defender for servers
* Microsoft Defender for Containers
* Microsoft Sentinel queries
* RiskIQ EASM and Threat Intelligence
3. Detecting and responding to exploitation attempts and other related attacker
activity
* Microsoft 365 Defender
* Microsoft Defender Antivirus
* Microsoft Defender for Endpoint
* Microsoft Defender for Cloud Apps
* Microsoft Defender for Office 365
* Microsoft 365 Defender advanced hunting
* Microsoft Defender for Cloud
* Microsoft Defender for IoT
* Microsoft Sentinel
* Microsoft Sentinel queries
* Azure Firewall Premium
* Azure Web Application Firewall (WAF)
4. Indicators of compromise (IoCs)
ATTACK VECTORS AND OBSERVED ACTIVITY
Microsoft’s unified threat intelligence team, comprising the Microsoft Threat
Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team,
RiskIQ, and the Microsoft Detection and Response Team (DART), among others, have
been tracking threats taking advantage of the remote code execution (RCE)
vulnerabilities in Apache Log4j 2 referred to as “Log4Shell”.
The bulk of attacks that Microsoft has observed at this time have been related
to mass scanning by attackers attempting to thumbprint vulnerable systems, as
well as scanning by security companies and researchers. An example pattern of
attack would appear in a web request log with strings like the following:
An attacker performs an HTTP request against a target system, which generates a
log using Log4j 2 that leverages JNDI to perform a request to the
attacker-controlled site. The vulnerability then causes the exploited process to
reach out to the site and execute the payload. In many observed attacks, the
attacker-owned parameter is a DNS logging system, intended to log a request to
the site to fingerprint the vulnerable systems.
The specially crafted string that enables exploitation of the vulnerabilities
can be identified through several components. The string contains “jndi”, which
refers to the Java Naming and Directory Interface. Following this, the protocol,
such as “ldap”, “ldaps”, “rmi”, “dns”, “iiop”, or “http”, precedes the attacker
domain.
As security teams work to detect the exploitation, attackers have added
obfuscation to these requests to evade detections based on request patterns.
We’ve seen things like running a lower or upper command within the exploitation
string and even more complicated obfuscation attempts, such as the following,
that are all trying to bypass string-matching detections:
The vast majority of observed activity has been scanning, but exploitation and
post-exploitation activities have also been observed. Based on the nature of the
vulnerabilities, once the attacker has full access and control of an
application, they can perform a myriad of objectives. Microsoft has observed
activities including installing coin miners, using Cobalt Strike to enable
credential theft and lateral movement, and exfiltrating data from compromised
systems.
EXPLOITATION CONTINUES ON NON-MICROSOFT HOSTED MINECRAFT SERVERS
Minecraft customers running their own servers are encouraged to deploy the
latest Minecraft server update as soon as possible to protect their users. More
information can be found here: https://aka.ms/mclog.
Microsoft can confirm public reports of the Khonsari ransomware family being
delivered as payload post-exploitation, as discussed by Bitdefender. In
Microsoft Defender Antivirus data we have observed a small number of cases of
this being launched from compromised Minecraft clients connected to modified
Minecraft servers running a vulnerable version of Log4j 2 via the use of a
third-party Minecraft mods loader.
In these cases, an adversary sends a malicious in-game message to a vulnerable
Minecraft server, which exploits CVE-2021-44228 to retrieve and execute an
attacker-hosted payload on both the server and on connected vulnerable clients.
We observed exploitation leading to a malicious Java class file that is the
Khonsari ransomware, which is then executed in the context of javaw.exe to
ransom the device.
While it’s uncommon for Minecraft to be installed in enterprise networks, we
have also observed PowerShell-based reverse shells being dropped to Minecraft
client systems via the same malicious message technique, giving an actor full
access to a compromised system, which they then use to run Mimikatz to steal
credentials. These techniques are typically associated with enterprise
compromises with the intent of lateral movement. Microsoft has not observed any
follow-on activity from this campaign at this time, indicating that the attacker
may be gathering access for later use.
Due to the shifts in the threat landscape, Microsoft reiterates the guidance for
Minecraft customers running their own servers to deploy the latest Minecraft
server update and for players to exercise caution by only connecting to trusted
Minecraft servers.
NATION-STATE ACTIVITY
MSTIC has also observed the CVE-2021-44228 vulnerability being used by multiple
tracked nation-state activity groups originating from China, Iran, North Korea,
and Turkey. This activity ranges from experimentation during development,
integration of the vulnerabilities to in-the-wild payload deployment, and
exploitation against targets to achieve the actor’s objectives.
For example, MSTIC has observed PHOSPHORUS, an Iranian actor known to deploy
ransomware, acquiring and making modifications of the Log4j exploit. We assess
that PHOSPHORUS has operationalized these modifications.
In addition, HAFNIUM, a threat actor group operating out of China, has been
observed utilizing the vulnerability to attack virtualization infrastructure to
extend their typical targeting. In these attacks, HAFNIUM-associated systems
were observed using a DNS service typically associated with testing activity to
fingerprint systems.
ACCESS BROKERS ASSOCIATED WITH RANSOMWARE
MSTIC and the Microsoft 365 Defender team have confirmed that multiple tracked
activity groups acting as access brokers have begun using the vulnerability to
gain initial access to target networks. These access brokers then sell access to
these networks to ransomware-as-a-service affiliates. We have observed these
groups attempting exploitation on both Linux and Windows systems, which may lead
to an increase in human-operated ransomware impact on both of these operating
system platforms.
MASS SCANNING ACTIVITY CONTINUES
The vast majority of traffic observed by Microsoft remains mass scanners by both
attackers and security researchers. Microsoft has observed rapid uptake of the
vulnerability into existing botnets like Mirai, existing campaigns previously
targeting vulnerable Elasticsearch systems to deploy cryptocurrency miners, and
activity deploying the Tsunami backdoor to Linux systems. Many of these
campaigns are running concurrent scanning and exploitation activities for both
Windows and Linux systems, using Base64 commands included in the JDNI:ldap://
request to launch bash commands on Linux and PowerShell on Windows.
Microsoft has also continued to observe malicious activity performing data
leakage via the vulnerability without dropping a payload. This attack scenario
could be especially impactful against network devices that have SSL termination,
where the actor could leak secrets and data.
RANSOMWARE UPDATE
Microsoft has not observed significant spikes in ransomware attacks, whether
human-operated or commodity. We have previously reported ransomware delivered
via modified Minecraft clients and have seen continued exploitation and payload
delivery via this mechanism, but these remain to be a small number of cases. As
previously discussed, we continue to observe access brokers who are associated
with ransomware-as-a-service affiliates including the vulnerability in their
initial access toolkit.
What Microsoft has seen are older ransomware payloads in limited use being
deployed by security researchers and a small number of attackers. In some
instances, they appear to be experimenting with deployments via scanning and
modified Minecraft servers. As part of these experiments, some ransomware
payloads seem to have been deployed to systems that were previously compromised
and were originally dropping coin miner payloads.
ADDITIONAL RAT PAYLOADS
We’ve observed the dropping of additional remote access toolkits and reverse
shells via exploitation of CVE-2021-44228, which actors then use for
hands-on-keyboard attacks. In addition to the Cobalt Strike and PowerShell
reverse shells seen in earlier reports, we’ve also seen Meterpreter, Bladabindi,
and HabitsRAT. Follow-on activities from these shells have not been observed at
this time, but these tools have the ability to steal passwords and move
laterally.
This activity is split between a percentage of small-scale campaigns that may be
more targeted or related to testing, and the addition of CVE-2021-44428 to
existing campaigns that were exploiting vulnerabilities to drop remote access
tools. In the HabitsRAT case, the campaign was seen overlapping with
infrastructure used in prior campaigns.
WEBTOOS
The Webtoos malware has DDoS capabilities and persistence mechanisms that could
allow an attacker to perform additional activities. As reported by RiskIQ,
Microsoft has seen Webtoos being deployed via the vulnerability. Attackers’ use
of this malware or intent is not known at this time, but the campaign and
infrastructure have been in use and have been targeting both Linux and Windows
systems prior to this vulnerability.
A NOTE ON TESTING SERVICES AND ASSUMED BENIGN ACTIVITY
While services such as interact.sh, canarytokens.org, burpsuite, and dnslog.cn
may be used by IT organizations to profile their own threat footprints,
Microsoft encourages including these services in your hunting queries and
validating observations of these in environments to ensure they are intentional
and legitimate activity.
FINDING AND REMEDIATING VULNERABLE APPS AND SYSTEMS
THREAT AND VULNERABILITY MANAGEMENT
Threat and vulnerability management capabilities in Microsoft Defender for
Endpoint monitor an organization’s overall security posture and equip customers
with real-time insights into organizational risk through continuous
vulnerability discovery, intelligent prioritization, and the ability to
seamlessly remediate vulnerabilities.
In the case of the Log4j vulnerabilities, threat and vulnerability management
automatically and seamlessly identifies impacted devices and the associated risk
in the environment and significantly reduces time-to-mitigate.
The wide use of Log4j across many supplier’s products challenge defender teams
to mitigate and address the risks posed by the vulnerabilities (CVE-2021-44228
or CVE-2021-45046). The threat and vulnerability management capabilities within
Microsoft 365 Defender can help identify vulnerable installations. On December
15, we began rolling out updates to provide a consolidated view of the
organizational exposure to the Log4j 2 vulnerabilities—on the device, software,
and vulnerable component level—through a range of automated, complementing
capabilities. These capabilities are supported on Windows 10, Windows 11, and
Windows Server 2008, 2012, and 2016. They are also supported on Linux, but they
require updating the Microsoft Defender for Endpoint Linux client to version
101.52.57 (30.121092.15257.0) or later. The updates include the following:
* Discovery of vulnerable Log4j library components (paths) on devices
* Discovery of vulnerable installed applications that contain the Log4j library
on devices
* A dedicated Log4j dashboard that provides a consolidated view of various
findings across vulnerable devices, vulnerable software, and vulnerable files
* Introduction of a new schema in advanced hunting,
DeviceTvmSoftwareEvidenceBeta, which surfaces file-level findings from the
disk and provides the ability to correlate them with additional context in
advanced hunting:
DeviceTvmSoftwareEvidenceBeta
| mv-expand DiskPaths
| where DiskPaths contains "log4j"
| project DeviceId, SoftwareName, SoftwareVendor, SoftwareVersion, DiskPaths
To complement this new table, the existing DeviceTvmSoftwareVulnerabilities
table in advanced hunting can be used to identify vulnerabilities in installed
software on devices:
DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2021-44228", "CVE-2021-45046")
These new capabilities integrate with the existing threat and vulnerability
management experience and are gradually rolling out. As of December 27, 2021,
discovery is based on installed application CPEs that are known to be vulnerable
to Log4j RCE, as well as the presence of vulnerable Log4j Java Archive (JAR)
files. Cases where Log4j is packaged into an Uber-JAR or shaded are currently
not discoverable, but support for discovery of these instances and other
packaging methods is in development. Support for macOS is also in progress and
will roll out soon.
Figure 1. Threat and Vulnerability recommendation “Attention required: Devices
found with vulnerable Apache Log4j versions”
On the Microsoft 365 Defender portal, go to Vulnerability management > Dashboard
> Threat awareness, then click View vulnerability details to see the
consolidated view of organizational exposure to the Log4j 2 vulnerability (for
example, CVE-2021-44228 dashboard, as shown in the following screenshots) on the
device, software, and vulnerable component level.
Figure 2. Threat and vulnerability management dedicated CVE-2021-44228 dashboard
Figure 3. Threat and vulnerability management finds exposed paths
Figure 4. Threat and vulnerability management finds exposed devices based on
vulnerable software and vulnerable files detected on disk
Note: Scan results may take some time to reach full coverage, and the number of
discovered devices may be low at first but will grow as the scan reaches more
devices. A regularly updated list of vulnerable products can be viewed in the
Microsoft 365 Defender portal with matching recommendations. We will continue to
review and update this list as new information becomes available.
Through device discovery, unmanaged devices with products and services affected
by the vulnerabilities are also surfaced so they can be onboarded and secured.
Figure 5. Finding vulnerable applications and devices via software inventory
MICROSOFT 365 DEFENDER ADVANCED HUNTING
Advance hunting can also surface affected software. This query looks for
possibly vulnerable applications using the affected Log4j component. Triage the
results to determine applications and programs that may need to be patched and
updated.
DeviceTvmSoftwareInventory
| where SoftwareName contains "log4j"
| project DeviceName, SoftwareName, SoftwareVersion
Figure 6. Finding vulnerable software via advanced hunting
MICROSOFT DEFENDER FOR CLOUD
MICROSOFT DEFENDER FOR SERVERS
Organizations using Microsoft Defender for Cloud can use Inventory tools to
begin investigations before there’s a CVE number. With Inventory tools, there
are two ways to determine exposure across hybrid and multi-cloud resources:
* Vulnerability assessment findings – Organizations who have enabled any of the
vulnerability assessment tools (whether it’s Microsoft Defender for
Endpoint’s threat and vulnerability management module, the built-in Qualys
scanner, or a bring your own license solution), they can search by CVE
identifier:
Figure 7. Searching vulnerability assessment findings by CVE identifier
* Software inventory – With the combined integration with Microsoft Defender
for Endpoint and Microsoft Defender for servers, organizations can search for
resources by installed applications and discover resources running the
vulnerable software:
Figure 8. Searching software inventory by installed applications
Note that this doesn’t replace a search of your codebase. It’s possible that
software with integrated Log4j libraries won’t appear in this list, but this is
helpful in the initial triage of investigations related to this incident. For
more information about how Microsoft Defender for Cloud finds machines affected
by CVE-2021-44228, read this tech community post.
MICROSOFT DEFENDER FOR CONTAINERS
Microsoft Defender for Containers is capable of discovering images affected by
the vulnerabilities recently discovered in Log4j 2: CVE-2021-44228,
CVE-2021-45046, and CVE-2021-45105. Images are automatically scanned for
vulnerabilities in three different use cases: when pushed to an Azure container
registry, when pulled from an Azure container registry, and when container
images are running on a Kubernetes cluster. Additional information on supported
scan triggers and Kubernetes clusters can be found here.
Log4j binaries are discovered whether they are deployed via a package manager,
copied to the image as stand-alone binaries, or included within a JAR Archive
(up to one level of nesting).
We will continue to follow up on any additional developments and will update our
detection capabilities if any additional vulnerabilities are reported.
Finding affected images
To find vulnerable images across registries using the Azure portal, navigate to
the Microsoft Defender for Cloud service under Azure Portal. Open the Container
Registry images should have vulnerability findings resolved recommendation and
search findings for the relevant CVEs.
Figure 9. Finding images with the CVE-2021-45046 vulnerability
Find vulnerable running images on Azure portal [preview]
To view only vulnerable images that are currently running on a Kubernetes
cluster using the Azure portal, navigate to the Microsoft Defender for Cloud
service under Azure Portal. Open the Vulnerabilities in running container images
should be remediated (powered by Qualys) recommendation and search findings for
the relevant CVEs:
Figure 10. Finding running images with the CVE-2021-45046 vulnerability
Note: This recommendation requires clusters to run Microsoft Defender security
profile to provide visibility on running images.
Search Azure Resource Graph data
Azure Resource Graph (ARG) provides instant access to resource information
across cloud environments with robust filtering, grouping, and sorting
capabilities. It’s a quick and efficient way to query information across Azure
subscriptions programmatically or from within the Azure portal. ARG provides
another way to query resource data for resources found to be affected by the
Log4j vulnerability.
The following query finds resources affected by the Log4j vulnerability across
subscriptions. Use the additional data field across all returned results to
obtain details on vulnerable resources:
securityresources
| where type =~ "microsoft.security/assessments/subassessments"
| extend assessmentKey=extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id), subAssessmentId=tostring(properties.id), parentResourceId= extract("(.+)/providers/Microsoft.Security", 1, id)
| extend Props = parse_json(properties)
| extend additionalData = Props.additionalData
| extend cves = additionalData.cve
| where isnotempty(cves) and array_length(cves) > 0
| mv-expand cves
| where tostring(cves) has "CVE-2021-44228" or tostring(cves) has "CVE-2021-45046" or tostring(cves) has "CVE-2021-45105"
MICROSOFT SENTINEL QUERIES
Microsoft Sentinel customers can use the following detection query to look for
devices that have applications with the vulnerability:
* Vulnerable machines related to Log4j CVE-2021-44228
This query uses the Microsoft Defender for Cloud nested recommendations data to
find machines vulnerable to Log4j CVE-2021-44228.
Microsoft Sentinel also provides a CVE-2021-44228 Log4Shell Research Lab
Environment for testing the vulnerability:
https://github.com/OTRF/Microsoft-Sentinel2Go/tree/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell
RISKIQ EASM AND THREAT INTELLIGENCE
RiskIQ has published a few threat intelligence articles on this CVE, with
mitigation guidance and IOCs. The latest one with links to previous articles can
be found here. Both Community users and enterprise customers can search within
the threat intelligence portal for data about potentially vulnerable components
exposed to the Internet. For example, it’s possible to surface all observed
instances of Apache or Java, including specific versions. Leverage this method
of exploration to aid in understanding the larger Internet exposure, while also
filtering down to what may impact you.
For a more automated method, registered users can view their attack surface to
understand tailored findings associated with their organization. Note, you must
be registered with a corporate email and the automated attack surface will be
limited. Digital Footprint customers can immediately understand what may be
vulnerable and act swiftly and resolutely using the Attack Surface Intelligence
Dashboard Log4J Insights tab.
DETECTING AND RESPONDING TO EXPLOITATION ATTEMPTS AND OTHER RELATED ATTACKER
ACTIVITY
MICROSOFT 365 DEFENDER
Microsoft 365 Defender coordinates multiple security solutions that detect
components of observed attacks taking advantage of this vulnerability, from
exploitation attempts to remote code execution and post-exploitation activity.
Figure 11. Microsoft 365 Defender solutions protect against related threats
Customers can click Need help? in the Microsoft 365 Defender portal to open up a
search widget. Customers can key in “Log4j” to search for in-portal resource,
check if their network is affected, and work on corresponding actionable items
to mitigate them.
MICROSOFT DEFENDER ANTIVIRUS
Turn on cloud-delivered protection in Microsoft Defender Antivirus to cover
rapidly evolving attacker tools and techniques. Cloud-based machine learning
protections block the majority of new and unknown variants. Microsoft Defender
Antivirus detects components and behaviors related to this threat as the
following detection names:
On Windows:
* Trojan:Win32/Capfetox.AA– detects attempted exploitation on the attacker
machine
* HackTool:Win32/Capfetox.A!dha – detects attempted exploitation on the
attacker machine
* VirTool:Win64/CobaltSrike.A, TrojanDropper:PowerShell/Cobacis.A – detects
Cobalt Strike Beacon loaders
* TrojanDownloader:Win32/CoinMiner – detects post-exploitation coin miner
* Trojan:Win32/WebToos.A – detects post-exploitation PowerShell
* Ransom:MSIL/Khonsari.A – detects a strain of the Khonsari ransomware family
observed being distributed post-exploitation
* Trojan:Win64/DisguisedXMRigMiner – detects post-exploitation cryptocurrency
miner
* TrojanDownloader:Java/Agent.S – detects suspicious class files used in
post-exploitation
On Linux:
* Trojan:Linux/SuspectJavaExploit.A, Trojan:Linux/SuspectJavaExploit.B,
Trojan:Linux/SuspectJavaExploit.C – blocks Java processes downloading and
executing payload through output redirection
* Trojan:Linux/BashMiner.A – detects post-exploitation cryptocurrency miner
* TrojanDownloader:Linux/CoinMiner – detects post-exploitation cryptocurrency
miner
* TrojanDownloader:Linux/Tusnami – detects post-exploitation Backdoor Tsunami
downloader
* Backdoor:Linux/Tusnami.C – detects post-exploitation Tsunami backdoor
* Backdoor:Linux/Setag.C – detects post-exploitation Gates backdoor
* Exploit:Linux/CVE-2021-44228.A, Exploit:Linux/CVE-2021-44228.B – detects
exploitation
* TrojanDownloader:Linux/Capfetox.A, TrojanDownloader:Linux/Capfetox.B
* TrojanDownloader:Linux/ShAgnt!MSR, TrojanDownloader:Linux/ShAgnt.A!MTB
* Trojan:Linux/Kinsing.L – detects post-exploitation cryptocurrency Kinsing
miner
* Trojan:Linux/Mirai.TS!MTB – detects post-exploitation Mirai malware capable
of performing DDoS
* Backdoor:Linux/Dakkatoni.az!MTB – detects post-exploitation Dakkatoni
backdoor trojan capable of downloading more payloads
* Trojan:Linux/JavaExploitRevShell.A – detects reverse shell attack
post-exploitation
* Trojan:Linux/BashMiner.A, Trojan:Linux/BashMiner.B – detects
post-exploitation cryptocurrency miner
MICROSOFT DEFENDER FOR ENDPOINT
Users of Microsoft Defender for Endpoint can turn on the following attack
surface reduction rule to block or audit some observed activity associated with
this threat.
* Block executable files from running unless they meet a prevalence, age, or
trusted list criterion
Due to the broad network exploitation nature of vectors through which this
vulnerability can be exploited and the fact that applying mitigations
holistically across large environments will take time, we encourage defenders to
look for signs of post-exploitation rather than fully relying on prevention.
Observed post exploitation activity such as coin mining, lateral movement, and
Cobalt Strike are detected with behavior-based detections.
Alerts with the following titles in the Security Center indicate threat activity
related to exploitation of the Log4j vulnerability on your network and should be
immediately investigated and remediated. These alerts are supported on both
Windows and Linux platforms:
* Log4j exploitation detected – detects known behaviors that attackers perform
following successful exploitation of the CVE-2021-44228 vulnerability
* Log4j exploitation artifacts detected (previously titled Possible
exploitation of CVE-2021-44228) – detects coin miners, shells, backdoor, and
payloads such as Cobalt Strike used by attackers post-exploitation
* Log4j exploitation network artifacts detected (previously titled Network
connection seen in CVE-2021-44228 exploitation) – detects network traffic
connecting traffic connecting to an address associated with CVE-2021-44228
scanning or exploitation activity
The following alerts may indicate exploitation attempts or testing/scanning
activity. Microsoft advises customers to investigate with caution, as these
alerts don’t necessarily indicate successful exploitation:
* Possible target of Log4j exploitation – detects a possible attempt to exploit
the remote code execution vulnerability in the Log4j component of an Apache
server in communication received by this device
* Possible target of Log4j vulnerability scanning – detects a possible attempt
to scan for the remote code execution vulnerability in a Log4j component of
an Apache server in communication received by this device
* Possible source of Log4j exploitation – detects a possible attempt to exploit
the remote code execution vulnerability in the Log4j component of an Apache
server in communication initiated from this device
* Possible Log4j exploitation – detects multiple behaviors, including
suspicious command launch post-exploitation
* Possible Log4j exploitation (CVE-2021-44228) – inactive, initially covered
several of the above, now replaced with more specific titles
The following alerts detect activities that have been observed in attacks that
utilize at least one of the Log4j vulnerabilities. However, these alerts can
also indicate activity that is not related to the vulnerability. We are listing
them here, as it is highly recommended that they are triaged and remediated
immediately given their severity and the potential that they could be related to
Log4j exploitation:
* Suspicious remote PowerShell execution
* Download of file associated with digital currency mining
* Process associated with digital currency mining
* Cobalt Strike command and control detected
* Suspicious network traffic connection to C2 Server
* Ongoing hands-on-keyboard attacker activity detected (Cobalt Strike)
Some of the alerts mentioned above utilize the enhanced network inspection
capabilities in Microsoft Defender for Endpoint. These alerts correlate several
network and endpoint signals into high-confidence detection of successful
exploitation, as well as providing detailed evidence artifacts valuable for
triage and investigation of detected activities.
Figure 12. Example detection leveraging network inspection provides details
about the Java class returned following successful exploitation
MICROSOFT DEFENDER FOR CLOUD APPS (PREVIOUSLY MICROSOFT CLOUD APP SECURITY)
Microsoft 365 Defender detects exploitation patterns in different data sources,
including cloud application traffic reported by Microsoft Defender for Cloud
Apps. The following alert surfaces exploitation attempts via cloud applications
that use vulnerable Log4j components:
* Log4j exploitation attempt via cloud application (previously titled
Exploitation attempt against Log4j (CVE-2021-44228))
Figure 13. Microsoft 365 Defender alert “Exploitation attempt against Log4j
(CVE-2021-4428)”
MICROSOFT DEFENDER FOR OFFICE 365
To add a layer of protection against exploits that may be delivered via email,
Microsoft Defender for Office 365 flags suspicious emails (e.g., emails with the
“jndi” string in email headers or the sender email address field), which are
moved to the Junk folder.
We also added the following new alert, which detects attempts to exploit
CVE-2021-44228 through email headers:
* Log4j exploitation attempt via email (previously titled Log4j Exploitation
Attempt – Email Headers (CVE-2021-44228))
Figure 14. Sample alert on malicious sender display name found in email
correspondence
This detection looks for exploitation attempts in email headers, such as the
sender display name, sender, and recipient addresses. The alert covers known
obfuscation attempts that have been observed in the wild. If this alert is
surfaced, customers are recommended to evaluate the source address, email
subject, and file attachments to get more context regarding the authenticity of
the email.
Figure 15. Sample email with malicious sender display name
In addition, this email event as can be surfaced via advanced hunting:
Figure 16. Sample email event surfaced via advanced hunting
MICROSOFT 365 DEFENDER ADVANCED HUNTING QUERIES
To locate possible exploitation activity, run the following queries:
Possible malicious indicators in cloud application events
This query is designed to flag exploitation attempts for cases where the
attacker is sending the crafted exploitation string using vectors such as
User-Agent, Application or Account name. The hits returned from this query are
most likely unsuccessful attempts, however the results can be useful to identity
attackers’ details such as IP address, Payload string, Download URL, etc.
CloudAppEvents
| where Timestamp > datetime("2021-12-09")
| where UserAgent contains "jndi:"
or AccountDisplayName contains "jndi:"
or Application contains "jndi:"
or AdditionalFields contains "jndi:"
| project ActionType, ActivityType, Application, AccountDisplayName, IPAddress, UserAgent, AdditionalFields
Alerts related to Log4j vulnerability
This query looks for alert activity pertaining to the Log4j vulnerability.
AlertInfo
| where Title in~('Suspicious script launched',
'Exploitation attempt against Log4j (CVE-2021-44228)',
'Suspicious process executed by a network service',
'Possible target of Log4j exploitation (CVE-2021-44228)',
'Possible target of Log4j exploitation',
'Possible Log4j exploitation',
'Network connection seen in CVE-2021-44228 exploitation',
'Log4j exploitation detected',
'Possible exploitation of CVE-2021-44228',
'Possible target of Log4j vulnerability (CVE-2021-44228) scanning',
'Possible source of Log4j exploitation',
'Log4j exploitation attempt via cloud application', // Previously titled Exploitation attempt against Log4j
'Log4j exploitation attempt via email' // Previouskly titled Log4j Exploitation Attempt
)
Devices with Log4j vulnerability alerts and additional other alert-related
context
This query surfaces devices with Log4j-related alerts and adds additional
context from other alerts on the device.
// Get any devices with Log4J related Alert Activity
let DevicesLog4JAlerts = AlertInfo
| where Title in~('Suspicious script launched',
'Exploitation attempt against Log4j (CVE-2021-44228)',
'Suspicious process executed by a network service',
'Possible target of Log4j exploitation (CVE-2021-44228)',
'Possible target of Log4j exploitation',
'Possible Log4j exploitation',
'Network connection seen in CVE-2021-44228 exploitation',
'Log4j exploitation detected',
'Possible exploitation of CVE-2021-44228',
'Possible target of Log4j vulnerability (CVE-2021-44228) scanning',
'Possible source of Log4j exploitation'
'Log4j exploitation attempt via cloud application', // Previously titled Exploitation attempt against Log4j
'Log4j exploitation attempt via email' // Previouskly titled Log4j Exploitation Attempt
)
// Join in evidence information
| join AlertEvidence on AlertId
| where DeviceId != ""
| summarize by DeviceId, Title;
// Get additional alert activity for each device
AlertEvidence
| where DeviceId in(DevicesLog4JAlerts)
// Add additional info
| join kind=leftouter AlertInfo on AlertId
| summarize DeviceAlerts = make_set(Title), AlertIDs = make_set(AlertId) by DeviceId, bin(Timestamp, 1d)
Suspected exploitation of Log4j vulnerability
This query looks for exploitation of the vulnerability using known parameters in
the malicious string. It surfaces exploitation but may surface legitimate
behavior in some environments.
DeviceProcessEvents
| where ProcessCommandLine has_all('${jndi') and ProcessCommandLine has_any('ldap', 'ldaps', 'http', 'rmi', 'dns', 'iiop')
//Removing FPs
| where not(ProcessCommandLine has_any('stackstorm', 'homebrew'))
Regex to identify malicious exploit string
This query looks for the malicious string needed to exploit this vulnerability.
DeviceProcessEvents
| where ProcessCommandLine matches regex @'(?i)\$\{jndi:(ldap|http|https|ldaps|dns|rmi|iiop):\/\/(\$\{([a-z]){1,20}:([a-z]){1,20}\})?(([a-zA-Z0-9]|-){2,100})?(\.([a-zA-Z0-9]|-){2,100})?\.([a-zA-Z0-9]|-){2,100}\.([a-z0-9]){2,20}(\/).*}'
or InitiatingProcessCommandLine matches regex @'(?i)\$\{jndi:(ldap|http|https|ldaps|dns|rmi|iiop):\/\/(\$\{([a-z]){1,20}:([a-z]){1,20}\})?(([a-zA-Z0-9]|-){2,100})?(\.([a-zA-Z0-9]|-){2,100})?\.([a-zA-Z0-9]|-){2,100}\.([a-z0-9]){2,20}(\/).*}'
MICROSOFT DEFENDER FOR CLOUD
Microsoft Defender for Cloud’s threat detection capabilities have been expanded
to surface exploitation of CVE-2021-44228 in several relevant security alerts:
On Windows:
* Detected obfuscated command line
* Suspicious use of PowerShell detected
On Linux:
* Suspicious file download
* Possible Cryptocoinminer download detected
* Process associated with digital currency mining detected
* Potential crypto coin miner started
* A history file has been cleared
* Suspicious Shell Script Detected
* Suspicious domain name reference
* Digital currency mining related behavior detected
* Behavior similar to common Linux bots detected
MICROSOFT DEFENDER FOR IOT
Microsoft Defender for IoT has released a dedicated threat Intelligence update
package for detecting Log4j 2 exploit attempts on the network (example below).
Figure 17. Microsoft Defender for IoT alert
The package is available for download from the Microsoft Defender for IoT
portal (Click Updates, then Download file (MD5:
4fbc673742b9ca51a9721c682f404c41).
Figure 18. Microsoft Defender for IoT sensor threat intelligence update
Microsoft Defender for IoT now pushes new threat intelligence packages to
cloud-connected sensors upon release, click here for more information. Starting
with sensor version 10.3, users can automatically receive up-to-date threat
intelligence packages through Microsoft Defender for IoT.
Working with automatic updates reduces operational effort and ensures greater
security. Enable automatic updating on the Defender for IoT portal by onboarding
your cloud-connected sensor with the toggle for Automatic Threat Intelligence
Updates turned on. For more information about threat intelligence packages in
Defender for IoT, please refer to the documentation.
MICROSOFT SENTINEL
A new Microsoft Sentinel solution has been added to the Content Hub that
provides a central place to install Microsoft Sentinel specific content to
monitor, detect, and investigate signals related to exploitation of the
CVE-2021-44228 vulnerability.
Figure 19. Log4j Vulnerability Detection solution in Microsoft Sentinel
To deploy this solution, in the Microsoft Sentinel portal, select Content hub
(Preview) under Content Management, then search for Log4j in the search bar.
Select the Log4j vulnerability detection solution, and click Install. Learn how
to centrally discover and deploy Microsoft Sentinel out-of-the-box content and
solutions.
Figure 20. Microsoft Sentinel Analytics showing detected Log4j vulnerability
Note: We recommend that you check the solution for updates periodically, as new
collateral may be added to this solution given the rapidly evolving situation.
This can be verified on the main Content hub page.
MICROSOFT SENTINEL QUERIES
Microsoft Sentinel customers can use the following detection queries to look for
this activity:
* Possible exploitation of Apache Log4j component detected
This hunting query looks for possible attempts to exploit a remote code
execution vulnerability in the Log4j component of Apache. Attackers may attempt
to launch arbitrary code by passing specific commands to a server, which are
then logged and executed by the Log4j component.
* Cryptocurrency miners EXECVE
This query hunts through EXECVE syslog data generated by AUOMS to find instances
of cryptocurrency miners being downloaded. It returns a table of suspicious
command lines.
* Azure WAF Log4j CVE-2021-44228 hunting
This hunting query looks in Azure Web Application Firewall data to find possible
exploitation attempts for CVE-2021-44228 involving Log4j vulnerability.
* Log4j vulnerability exploit aka Log4Shell IP IOC
This hunting query identifies a match across various data feeds for IP IOCs
related to the Log4j exploit described in CVE-2021-44228.
* Suspicious shell script detected
This hunting query helps detect post-compromise suspicious shell scripts that
attackers use for downloading and executing malicious files. This technique is
often used by attackers and was recently used to exploit the vulnerability in
Log4j component of Apache to evade detection and stay persistent or for more
exploitation in the network.
* Azure WAF matching for CVE-2021-44228 Log4j vulnerability
This query alerts on a positive pattern match by Azure WAF for CVE-2021-44228
Log4j exploitation attempt. If possible, it then decodes the malicious command
for further analysis.
* Suspicious Base64 download activity detected
This hunting query helps detect suspicious encoded Base64 obfuscated scripts
that attackers use to encode payloads for downloading and executing malicious
files. This technique is often used by attackers and was recently used to the
Log4j vulnerability in order to evade detection and stay persistent in the
network.
* Linux security-related process termination activity detected
This query alerts on attempts to terminate processes related to security
monitoring. Attackers often try to terminate such processes post-compromise as
seen recently to exploit the CVE-2021-44228 vulnerability.
* Suspicious manipulation of firewall detected via Syslog data
This query uses syslog data to alert on any suspicious manipulation of firewall
to evade defenses. Attackers often perform such operations as seen recently to
exploit the CVE-2021-44228 vulnerability for C2 communications or exfiltration.
* User agent search for Log4j exploitation attempt
This query uses various log sources having user agent data to look for
CVE-2021-44228 exploitation attempt based on user agent pattern.
* Network connections to LDAP port for CVE-2021-44228 vulnerability
This hunting query looks for connection to LDAP port to find possible
exploitation attempts for CVE-2021-44228.
* Linux toolkit detected
This query uses syslog data to alert on any attack toolkits associated with
massive scanning or exploitation attempts against a known vulnerability
* Container miner activity
This query uses syslog data to alert on possible artifacts associated with
containers running images related to digital cryptocurrency mining.
* Network connection to new external LDAP server
This query looks for outbound network connections using the LDAP protocol to
external IP addresses, where that IP address has not had an LDAP network
connection to it in the 14 days preceding the query timeframe. This could
indicate someone exploiting a vulnerability such as CVE-2021-44228 to trigger
the connection to a malicious LDAP server.
AZURE FIREWALL PREMIUM
Customers using Azure Firewall Premium have enhanced protection from the Log4j
RCE CVE-2021-44228 vulnerability and exploit. Azure Firewall premium IDPS
(Intrusion Detection and Prevention System) provides IDPS inspection for all
east-west traffic and outbound traffic to internet. The vulnerability rulesets
are continuously updated and include CVE-2021-44228 vulnerability for different
scenarios including UDP, TCP, HTTP/S protocols since December 10th, 2021. Below
screenshot shows all the scenarios which are actively mitigated by Azure
Firewall Premium.
Recommendation: Customers are recommended to configure Azure Firewall Premium
with both IDPS Alert & Deny mode and TLS inspection enabled for proactive
protection against CVE-2021-44228 exploit.
Figure 21. Azure Firewall Premium portal
Customers using Azure Firewall Standard can migrate to Premium by following
these directions. Customers new to Azure Firewall premium can learn more about
Firewall Premium.
AZURE WEB APPLICATION FIREWALL (WAF)
In response to this threat, Azure Web Application Firewall (WAF) has updated
Default Rule Set (DRS) versions 1.0/1.1 available for Azure Front Door global
deployments, and OWASP ModSecurity Core Rule Set (CRS) version 3.1 available for
Azure Application Gateway V2 regional deployments. We have updated rule 944240
“Remote Command Execution” under Managed Rules to help in detecting and
mitigating this vulnerability by inspecting requests’ headers, URI, and body.
This rule is already enabled by default in block mode for all existing WAF
Default Rule Set (DRS) 1.0/1.1 or OWASP ModSecurity Core Rule Set (CRS) 3.1
configurations. Customers using WAF Managed Rules would have already received
enhanced protection for the Log4j 2 vulnerability (CVE-2021-44228); no
additional action is needed.
Recommendation: Customers are recommended to enable WAF policy with Default Rule
Set 1.0/1.1 on their Front Door deployments, or with OWASP ModSecurity Core Rule
Set (CRS) version 3.1 on Application Gateway V2 to immediately enable protection
from this threat, if not already enabled. For customers who have already enabled
DRS 1.0/1.1 or CRS 3.1, no action is needed. We will continue to monitor threat
patterns and modify the above rule in response to emerging attack patterns as
required.
Figure 22. Remote Code Execution rule for Default Rule Set (DRS) versions
1.0/1.1
Figure 23. Remote Code Execution rule for OWASP ModSecurity Core Rule Set (CRS)
version 3.1
Note: The above protection is also available on Default Rule Set (DRS) version
2.0, and and OWASP ModSecurity Core Rule Set (CRS) version 3.2, which is
available under preview on Azure Front Door Premium and Azure Application
Gateway V2 respectively. Customers using Azure CDN Standard from Microsoft can
also turn on the above protection by enabling DRS 1.0.
More information about Managed Rules and Default Rule Set (DRS) on Web
Application Firewall can be found here. More information about Managed Rules and
OWASP ModSecurity Core Rule Set (CRS) on Web Application Firewall can be found
here.
INDICATORS OF COMPROMISE (IOCS)
Microsoft Threat Intelligence Center (MSTIC) has provided a list of IOCs related
to this attack and will update them with new indicators as they are
discovered: https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample
Data/Feeds/Log4j_IOC_List.csv
Microsoft will continue to monitor this dynamic situation and will update this
blog as new threat intelligence and detections/mitigations become available.
REVISION HISTORY
[12/27/2021] New capabilities in threat and vulnerability management including a
new advanced hunting schema and support for Linux, which requires updating the
Microsoft Defender for Linux client; new Microsoft Defender for Containers
solution.
[12/22/2021] Added new protections across Microsoft 365 Defender, including
Microsoft Defender for Office 365.
[12/21/2021] Added a note on testing services and assumed benign activity and
additional guidance to use the Need help? button in the Microsoft 365 Defender
portal.
[12/17/2021] New updates to observed activity, including more information about
limited ransomware attacks and additional payloads; additional updates to
protections from Microsoft 365 Defender and Azure Web Application Firewall
(WAF), and new Microsoft Sentinel queries.
[12/16/2021] New Microsoft Sentinel solution and additional Microsoft Defender
for Endpoint detections.
[12/15/2021] Details about ransomware attacks on non-Microsoft hosted Minecraft
servers, as well as updates to product guidance, including threat and
vulnerability management.
[12/14/2021] New insights about multiple threat actors taking advantage of this
vulnerability, including nation-state actors and access brokers linked to
ransomware.
FILED UNDER:
* Cybersecurity
YOU MAY ALSO LIKE THESE ARTICLES
Featured image for The final report on NOBELIUM’s unprecedented nation-state
attack
December 15, 2021
THE FINAL REPORT ON NOBELIUM’S UNPRECEDENTED NATION-STATE ATTACK
In the final post of a four-part series on the NOBELIUM nation-state attack, we
explore key findings from the after-action report on the attack.
Read more The final report on NOBELIUM’s unprecedented nation-state attack
Featured image for Your guide to mobile digital forensics
December 14, 2021
YOUR GUIDE TO MOBILE DIGITAL FORENSICS
Cellebrite Senior Director of Digital Intelligence Heather Mahalik offers an
inside look at mobile forensics and shares how to think about the function in
your organization.
Read more Your guide to mobile digital forensics
Featured image for Best practices for AI security risk management
December 9, 2021
BEST PRACTICES FOR AI SECURITY RISK MANAGEMENT
Today, we are releasing an AI security risk assessment framework as a step to
empower organizations to reliably audit, track, and improve the security of the
AI systems. In addition, we are providing new updates to Counterfit, our
open-source tool to simplify assessing the security posture of AI systems.
Read more Best practices for AI security risk management
GET STARTED WITH MICROSOFT SECURITY
Microsoft is a leader in cybersecurity, and we embrace our responsibility to
make the world a safer place.
Learn more Get started with Microsoft Security
Get all the news, updates, and more at
@MSFTSecurity twitter
What's new
* Surface Pro 8
* Surface Laptop Studio
* Surface Pro X
* Surface Go 3
* Surface Duo 2
* Surface Pro 7+
* Windows 11 apps
* HoloLens 2
Microsoft Store
* Account profile
* Download Center
* Microsoft Store support
* Returns
* Order tracking
* Virtual workshops and training
* Microsoft Store Promise
* Flexible Payments
Education
* Microsoft in education
* Office for students
* Office 365 for schools
* Deals for students & parents
* Microsoft Azure in education
Enterprise
* Azure
* AppSource
* Automotive
* Government
* Healthcare
* Manufacturing
* Financial services
* Retail
Developer
* Microsoft Visual Studio
* Windows Dev Center
* Developer Center
* Microsoft developer program
* Channel 9
* Microsoft 365 Dev Center
* Microsoft 365 Developer Program
* Microsoft Garage
Company
* Careers
* About Microsoft
* Company news
* Privacy at Microsoft
* Investors
* Diversity and inclusion
* Accessibility
* Security
English (United States)
* Sitemap
* Contact Microsoft
* Privacy
* Manage cookies
* Terms of use
* Trademarks
* Safety & eco
* About our ads
* © Microsoft 2022