Preview Mode Links will not work in preview mode

Dec 23, 2021



Overview of Log4j vuln (as of 16 December 2021)

Why is it a big deal? (impact/criticality/risk)

Talk about patching vs. mitigation

why wasn’t this given the same visibility in 2009? Because it’s Oracle or Java?

Good callout is building slides to brief org leadership, detections, and other educational tools.

Vuln fatigue (Java vulns in 2009 and pretty much forever cause us fatigue)

Are there other technologies like log4j that prop up the entire world, and we just don’t know?

Egress traffic (discussed at length on twitter, what problems it solve?)

Latest: - apache removed JDNI functionality <- great aggregation


Lots of discussion about “SBOM solving the issue”. @K8em0 weighs in -list of advisories for log4j

Mitigation: (holy hell, 2009?!?)

2009 in fact, #CVE-2009-1094, then a bypass was fixed in CVE-2018-3149: That's when the JDK was fully protected, but other implementations remained vulnerable


You can use a point & click canarytoken from to help test for the #log4j  / #Log4Shell issue.

1) visit;

2) choose the Log4shell token;

3) enter the email address you wish to be notified at;

4) copy/use the returned string...

Discussed in 2016 at Blackhat:

The #Log4Shell attack vector was known since 2016…

Just got off phone with a client. Log4j is in their network. Vendor claims patch will be available next release... which is multiple months from now. Here's what you do if you're in this situation. 1. Keep calm. There's no need to panic. 2. Carefully read this thread.


When dealing with attacks like this you should remember the acronym IMMA. 

I = Isolate 

M = Minimize 

M = Monitor 

A = Active Defense

“SRUM Dump extracts information from the System Resource Utilization Management Database and creates a Excel spreadsheet.

The SRUM is one of the best sources for applications that have run on your system in the last 30 days and is invaluable to your incident investigations!

To use the tool you will need a copy of the SRUM (located in c:\windows\system32\sru\srudb.dat, but locked by the OS).

This tool also requires a SRUM_TEMPLATE that defines table and field names. You can optionally provide the SOFTWARE registry hive and the tool will tell you which wireless networks were in use by applications.

If you are looking for a version of this tool that creates CSV files instead of an Excel spreadsheet, dumps targeted tables or processes any ese then check out ese2csv. ese2csv.exe is designed specifically for csv files with the CLI user in mind.”