
BSidesCharm 2022 - Log4j From The Trenches - Max Thauer

BSides Charm · 42:47 · 58 views · Published 2022-07
About this talk
As your company winds down for the holiday season, like clockwork, another fresh CVE with publicly available exploit code drops. The Apache Log4j exploit (CVE-2021-44832), also dubbed Log4Shell, had widespread fallout as a result of the exploit being made publicly available, and organizations are still dealing with the associated problems even months later. This talk will discuss three unique scenarios observed as a result of Log4j being exploited on VMware Horizon servers: 1) exploitation for persistent access via a webshell, 2) exploitation leading to a Cobalt Strike beacon, and 3) exploitation leading to a cryptocurrency miner. The talk will demonstrate the exploit chain, the artifacts of each investigation, and how you can detect the activity in your network using commercially available tools such as Microsoft Defender ATP, CrowdStrike Falcon, Carbon Black, and FireEye HX. On top of that, sources for threat intelligence pertinent to these types of attacks will also be discussed, as well as prevention mechanisms.

Max Thauer (@secformax)

Max Thauer is an incident response senior consultant at Mandiant. His job entails helping clients navigate through security incidents involving ransomware, APT investigations, employee misuse, and web exploitation. Max's primary skillset falls within the realms of EDR technologies, host-based digital forensics, log analysis and malware analysis.
Transcript [en]

All right everyone, I think we're gonna get started here. Good afternoon, everyone. My name is Max Thauer, I'm a senior consultant at Mandiant, and today we're going to be talking about Log4j, specifically some incidents that we've responded to on VMware Horizon servers.

Our agenda for today: the obligatory spiel of who I am and why we're here, then I'll talk a little bit about how it works, specifically an overview of the exploit chain and the CVE. Then we'll dive into three different scenarios: number one, persistent access via a web shell; number two, a Cobalt Strike beacon; and number three, a crypto miner. With each of those scenarios we'll talk about some forensic artifacts that might be useful to identify this activity as it happens. Finally, we'll jump into detection and prevention, talking through some commercially available EDR tools and ways you could identify this activity in those tools.

The obligatory disclaimer: the case studies that I'm going to present here are drawn from our experiences and activities working for a variety of customers. They don't represent our work on any one specific customer. I will say in particular that each of these instances I'm going to cover crosses multiple verticals, so it's not specific to one distinct group or vertical. With that as well, all the samples, IPs, everything are available on VirusTotal, so there's nothing really proprietary here per se; if you wanted to go study this yourself, it's widely available.

A little bit of background about myself. Like I said, I work at Mandiant in their IR group. I basically do IR, incident management, digital forensics. My January of this year was consumed by Log4j, as you could probably imagine. There's my email and Twitter handle if you're interested in getting in contact with me.

As far as the criticality goes, can anybody name, besides VMware Horizon which was mentioned in the abstract, at least one other product that uses Log4j? Yep, it's an Apache product, but aside from specific Apache products there are quite a few commercial products that use Log4j under the hood, primarily because they're written in Java. It just goes to show Log4j is actually pretty widely used in a lot of stuff, so as you can probably imagine the fallout is pretty significant.

To talk through the overview of it: it was assigned CVE-2021-44832, dubbed Log4j or Log4Shell. Back in November of 2021 an Alibaba researcher identified the bug and reported it to Apache. Around December 6th there's, I guess, the first patch per se. We start seeing proof-of-concept exploit code published on places like GitHub on December 9th and 10th, then on December 13th Apache puts out a second patch. As some of you probably know, there was a little bit of a rough patch release for Apache, but it's a hard kind of problem to correct, so I do give them some credit.

Log4j at a high level is basically a logging library. People ask me why somebody would want to use Log4j, why products have to use Log4j, and the analogy I give is: why reinvent the wheel? If you have something that allows you to write logs when you're developing Java programs, why reinvent the wheel when you have something that works great? I do some Python scripting on the side, and any time I can find a great library that solves exactly what I'm trying to do so I can script it up in four lines, it's super. So again, don't reinvent the wheel if you don't have to.

To talk about the exploit chain a little bit: the way it works is you have an incoming request to a victim web server, something that's running directly on the internet. In that request you have this JNDI exploit string, and cascading down from there are going to be instructions for a stage two of the payload. JNDI stands for Java Naming and Directory Interface; it's a way to provide APIs to whatever's running within Java. In particular with Log4j there are some instances where it could pull a payload via DNS, but notoriously it has used LDAP, so TCP port 389. Effectively, as the malicious request is sent, you have this JNDI string making an LDAP query, calling for what's basically a malicious payload from a remote host. Log4j sees this JNDI string, pulls that out, makes that LDAP query and pulls the payload. The server that's hosting that payload responds with the information containing the Java class, in particular this payload file right here that would be hosted on the malicious host, and then the victim web server downloads that malicious Java class and executes it.

To rehash it: multi-stage exploit. You have the inbound request to the vulnerable web server with that JNDI string; in that request it's calling for a stage two payload. Sometimes that payload is hosted on the same server that's invoking the original request, but not always; generally you could see the JNDI string calling back to the same originating IP, just maybe at a different URI. Once that payload is pulled in, that stage two is executed on the victim host, which would give the threat actor something like a reverse shell or that kind of post-exploitation.

I did not go the extra mile to make my own graphic here, but I came across this one made by the Swiss CERT. I think it really illustrates the attack life cycle of Log4j pretty well, and some ways you can block it or prevent it per se. In particular I'd like to start with number one: you can always have something like a web application firewall in front of the application, which will look for strings in those requests that are coming in, and if it has, for example, that JNDI string with a server and then the path to the exploit, you can block that. There's some other things you could do as well. Obviously in a lot of commercial software products it's pretty much impossible to say "well, I just need to turn off Log4j". For example, if you're running a VMware Horizon server, I don't really think it's feasible to go ahead and do some of these other things that are suggested here. Nonetheless, these are some steps you could take if you were a software developer rolling your own code. Some other quick things: you could disable Log4j altogether, use a different library, patch it (which is probably the most logical thing to do), disable JNDI lookups (again, if you're not the author of the program it's not exactly feasible), or disable remote code bases (again, if you're not the author of the program, not exactly feasible).

To step back a little bit: who is familiar with VMware Horizon? Has anybody used it before? I'd like to see that. Yeah. So basically it's VDI infrastructure, or remote application infrastructure for, let's say, remote workers. In the current time of pandemic and things like that, IT departments have to make applications available to remote users. You can do a lot of things: you can have a VPN, you can give users RDP desktops, or you could set up something like a VMware Horizon server or Citrix. Instead of giving somebody a full desktop, you can just push an application to them specifically. Let's say, for example, I just wanted to give a user access to calc.exe; you can do that with VMware Horizon and just launch a little window once they connect and give them access to that small application. I don't really know why that would be super useful, but you can. Effectively, under the hood VMware Horizon runs an Apache Tomcat web server, and the process that is running the Tomcat web server is ws_TomcatService.exe. I think this is kind of critical, because as you see in some of the next slides, this is the web server process that, when exploited, will spawn other malicious processes.

Scenario number one. Around December 23rd of last year we observed some string insertion on this absg-worker.js file; you can see the path there. What this file is, is the VMware Blast Secure Gateway service. Effectively it's a pretty lightweight Node.js app that relies on this file to function, so it's effectively running the web component of VMware Horizon. What we saw is that ws_TomcatService.exe process spawning a malicious PowerShell process, and in the malicious PowerShell process what you can actually see is some sort of string insertion, so this absg-worker.js file gets uploaded, or updated, sorry. If you look at the upper right box here, you can see it's kind of a baby web shell, if you will, saying: if the request includes this long string right here, enter a try, reply with an HTTP 200, and then spawn a child process of some other data that is also in the request; otherwise return a 400, basically stating that it didn't work. If you actually look at the difference between the two files, on the left you have the updated file, versus on the right is the more vanilla version that VMware would ship. What's actually kind of interesting is in a lot of the cases that we investigated you would see multiple string insertions of the same several lines of code. I think I actually had one system in particular that we looked at where it was inserted eight different times, so you could hypothesize that the exploit was actually run eight unique times against the host. But you can see side by side a comparison of the two.

To talk through some forensic artifacts on this one in particular: I generally like to start in Windows event logs any time I'm looking at a disk image or something like that. In particular for this one, the Windows PowerShell logs, event ID 400 or 600, are generally always helpful. Another good one, specifically for this incident, is in the System event logs: a 7036 event, which is a service starting or stopping. You can see in the trailing end here you have the service that will be restarted. If you think about it, as you update this absg-worker.js file you'll have to re-initialize it and load it into the program for the web shell to work, so by restarting that service the threat actor is able to do that. So you could look for the service starting or stopping. Obviously some other stuff: you could look for process creation if you have that level of auditing turned on, and you could also look at something like PowerShell transcripts, which would show the underlying PowerShell command that's being run.

An interesting one as well: in our disk analysis we would take something like a forensic image of the system, and you could drop it into whatever forensic suite you like to use, and you can obviously see this JS file being modified. Interestingly enough, I see that the file's modified as I'm timelining things, and you say okay, and you go look for the hash on VirusTotal, and it comes back completely clean. I think it's interesting to note that people kind of trust VirusTotal as being this perfect way to determine if something's malware, but it's really only as good as the vendor signatures are. You can actually see later, in February, I did have 23 detections, so naturally with time things will become updated and it does gain some detections.

Scenario number two. This one in particular was a Cobalt Strike beacon. As you can see here, you have powershell.exe running some encoded PowerShell, so we dive in and try to figure out how to decode it.

So, enter CyberChef. There was actually a pretty good talk about CyberChef yesterday, I believe, so definitely an awesome tool. For those that aren't familiar with it, it's basically a way you can encode or decode any sort of input you put into the tool. Let's say if you had strings, files, things like that, you can do a variety of operations on whatever that data stream is and then get something out on the other end. In particular, we're just going to take this Base64-encoded blob and drop it into CyberChef. We load the Base64 recipe, we decode it, and we get what is some human-readable text. We can see what it's doing here: it's running Invoke-Expression and it's pulling a payload from this 185 IP right here. Of course it's a 185 IP; it just seems like any time I run into one in forensic analysis it's generally always bad. In particular it's pulling a payload from this IP on port 8080 and looking for this .drv file.

Let's say, for example, we actually go and fetch that .drv file. You can see the hash here, but in particular the file seemingly has a lot of comments in it, which is kind of weird, I guess, for PowerShell; it doesn't really do anything, it just adds bloat. We're interested in decoding any other parts of the file as well. In particular here you can see there's another snippet which states that there's a Base64-encoded string, so we're going to take that part of the snippet and work on decoding that some more. We copy-paste it, pop it back into CyberChef, decode it from Base64, but it just appears to be a bunch of mumbo jumbo text; it doesn't really mean anything to the human eye. Specifically as it pertains to Cobalt Strike, you have to be a little bit familiar with how to decode payloads and things like that, but a really common obfuscation technique that it uses is XORing the payload with decimal key 35. If you take the XOR operation within CyberChef, you can put in key 35, select decimal, and you're actually starting to get some more human-readable text.

Stepping back for a moment, if you wanted to just search that resulting payload, you could add another operation to CyberChef, get your MD5, go search the MD5 on VirusTotal, and sure enough you have something that looks like shellcode, possibly Cobalt Strike, with numerous detections. Otherwise, what you could do is erase that MD5 operation and then just save the file using the save function in CyberChef; we could save it to something like beacon.dat. Then we have that shellcode payload downloaded. You could drop it into numerous shellcode debugging tools, but in particular with this one we can see that it will pull out the C2 IP from the payload itself; for those that remember, it's the same IP that delivered the payload initially. You can do a number of things with it: you can use some sort of command line tool on your own system, or you can submit it to a sandbox and it will tell you exactly what it does. We have sandboxes for everything, so it will tell you it's a Cobalt Strike HTTP stager, give you the user agent, the IP, all that.

If you actually look at the raw decoded part verbatim, it's kind of interesting. Number one, you have the user agent. Number two, you also have what's known as an EICAR string. For those that aren't familiar, EICAR is a way you can test if your antivirus is working: if you go on the internet and google "EICAR string", copy-paste it into a text file on your desktop and save it, it will set off your AV. It's a very common, easy way to test and make sure things are working. And then finally you also have your C2 here. What's kind of interesting about this sample in particular is that the EICAR string is packaged into trial versions of Cobalt Strike, so the threat actor that actually went out and deployed this used a trial version of Cobalt Strike, and they probably didn't know that this was the case. It's actually kind of silly in some regards; it just goes to show you the varying levels of sophistication with threat actors.

To look at some additional artifacts aside from decoding that payload that's pulled by PowerShell: obviously we found the original evidence of exploitation in those PowerShell event IDs 400 and 600, but we also had at least one customer that had Sysmon enabled on the actual victim machine. Specifically, if we look at Event ID 3, you can see as the first event you have a network connection to the 185 IP on port 8080, which makes sense because this is the first part where the payload is being pulled, that .drv file hosted on port 8080. Then, as time goes on, one or two seconds later you have another check-in to that 185 IP but on port 80. So this is the payload being pulled, and then the secondary check-in would be the actual C2 communication. Oops, sorry.

Scenario number three. This one in particular was a cryptocurrency miner, pretty clear as day. You have PowerShell Invoke-Expression pulling this .ps1 file from this IP here. So it's a PowerShell file; it's pretty easy to read with your eyes, you don't have to decode it or anything per se.

so in particular this one um you can see a few variables are set at the beginning you know specifically we have uh you know that same adip as mentioned in the initial poll you know set as the variable cc like you know command and control or something like that um they have a couple other uh you know variables being set looks like you know some things uh you know for some other file paths um it looks like you know turning off the firewall things like that but effectively you know what it's going to do is basically enumerate running processes on the machine and if it identifies processes that kind of match a specific name it will basically stop those processes

and a reason why you might want to do that for example if you wanted to run a cryptocurrency miner you want it to have ample cpu resources so it can actually mine the cryptocurrency and make you money so basically by stopping uh you know specific processes that might you know match already running miners or you know other high cpu utilization processes uh it can basically achieve its goal and then it will basically uh you know look through you know some specific uh i guess you know established connections so basically if it will run nedstad hyphen ano and basically find uh you know tcp connections and then basically iterate all over all of those uh and specifically look for uh what's

typically a uh you know cryptocurrency mining uh pool uh you know destination port so something like three three three three four four four four etcetera but basically you can see uh you know if it's going to match on any of those destination ports it will basically stop the process um so again you know to you know give itself more you know resources and things like that for mining all right so from then on out it'll basically you know go ahead and pull some additional files and then basically you know as those files are pulled things like that it will start the new you know i guess mining process per se so some other kind of

i would say pretty good indicators that it's a crypto miner you basically have the donate level you have the various you know mining pool addresses so you have a domain a couple ips and then you basically have kind of this u flag here and this is basically i guess you know like the miners id or uh you know like the miner's wallet address basically as you join a you know cryptocurrency mining pool uh the pool has to know how to you know pay you out as a miner right so this is basically your you know string or address that you're identifying as you know when you check into the pool so that you get paid out accordingly then

obviously uh you know hide it from the user so the user doesn't see it and then finally i will add some persistence mechanisms so specifically creating a scheduled task add registry run keys to basically you know make sure the mining process would start upon reboot all right so getting into some uh you know additional details i've kind of talked you know at a high level about uh you know some you know generic ways we can identify uh you know each of these in windows event logs but say in general you know there's a lot of you know fun things you can find in event logs when you uh you know do forensic analysis um generally i

kind of you know focus around using a couple different software suites in order to actually read the event logs uh but i guess just natively you can use obviously powershell or you know like you know windows event viewer to kind of you know click through blogs if you would like i'm personally a pretty big fan of event log explorer so it kind of requires you to know a little bit about you know what logs and what event ids you're looking for but it gives you actually a pretty good way to filter and kind of you know do i guess you know event log analysis at scale another kind of cool one as well uh there's a tool called deep blue cli i

think it's brought by sans and one of my co-workers made me aware of it just maybe like two or three months ago but it'll basically you know you can kind of throw like the kitchen sink at it uh when you're doing event log analysis and it'll actually show you like anomalies and things like that in the windows event logs which is kind of cool but basically you know there's some common windows event ids you might want to focus on you know specifically something like a security 4624 would be for logon 4625 would be for failed logon 46.88 for a process starting in 1102 for security event log being cleared as far as system goes uh 1736

which we already talked about a little bit but this one would be for you know service starters starting or stopping and then also something like a 70 45 which would be for a service installation right so if you had a piece of malware that you know you wanted to install as a service you know so that it has persistence um you know it would basically be recorded in the windows event locks obviously you know powershell is good as well you can basically you know look for something like a 400 or 600 but that's going to basically show you kind of the you know uh script block logging and you know the actual command line that's being run

and then if you also have sysmon enabled on the machine i won't go into the details of each of these but can basically give you some additional uh you know useful info if you do have sysmon installed so you can see right here in particular there's just a couple examples of you know some commands you can run to basically find you know what you might be looking for uh you know just from the windows uh you know event log commandlets that are built into powershell all right so as far as uh you know detecting this in you know kind of commercially available tools in windows defender atp uh it's pretty cool actually you know can kind of just

you know detect it out of the box for you so here you have an example of you know log4j uh you know exploitation being detected um but if you wanted to for example like go in and actually hunt for you know suspicious you know process telemetry and things like that basically what you can do is look for that ws tomcatservice.exe and basically look at all the child processes that it's spawning so in particular vmware horizon it will use repadmin.exe to basically uh replicate data between itself and other vmware horizon servers so if you like cluster them or whatever but in particular you know you can filter out that executable and then just kind of watch for uh other services that

are other processes that are spawned so for example if you had something like a command.exe or a powershell.exe being spawned out of ws tomcat service you probably want to look into that and additionally you could look at something like you know powershell.exe uh basically uh you know having something like the vm blast sg uh in the process command line which would basically you know indicate that powershell is restarting that vm blast service all right so for crowdstrike falcon um again you know it's you know pretty i would say you know repetitive these next couple slides but this kind of goes to show you know you will have that ws tomcatservice.exe basically spawning you know something

like a malicious powershell process and you can basically see here you know like most edr tools should you know it will kind of detect that that is being done basically terminate the process and carbon black kind of cool you can you know search for the cve uh and identify you know basically instances where it might be uh in use um but again you know just kind of re-harping on that same parent-to-child process relationship you have the ws tomcatservice.exe you know spawning a powershell process you can see kind of in the details pane here you do have an encoded command um but uh you know good enough for us uh you know the process uh you know is basically being denied uh

So the actual malicious PowerShell process is terminated. Specifically in FireEye HX, it will detect out of the box suspicious PowerShell methodology, so basically looking for encoded PowerShell and things like that. But again, to rehash it, you have that ws_TomcatService.exe launching PowerShell, and then you can see as a command line argument you have that encoded command, which will go and fetch that stage two payload.

Another cool one that I didn't have a lot of experience with, but one of my customers had it and made it available to us: Dell SecureWorks has this new Taegis XDR. I think you basically take all the Red Cloak agents and feed the data into this now. It actually detailed a lot of the incidents, and I guess exploitation campaigns, that we covered in the talk here, but what was cool about this one is it also captured some follow-up activity with regards to the web shell that was placed. In particular you can see, very similar to the first scenario we talked about, you have that web shell string insertion and then the restarting of that VMBlastSG service. Then about one day later you actually have somebody coming back and running a cmd.exe, basically running the whoami command. So it's cool that it will track all the subsequent process executions that come out of that web shell, and then you can see it has some other detections, for instance the 185 IP, which is the Cobalt Strike IP we also talked about.

All right, so as far as prevention goes, there are a couple of ways you can try to block this, or hope to block this. Number one, you just have to stay up to date with patching and things like that. I would say in an instance like Log4j you're not always going to have the patches readily available as exploit code drops, so there's not a ton you can do about that, but stay vigilant and be aware when exploits come out for software products that you might depend on.

Also, vulnerability scanning. I really try to emphasize this to all my customers: you have to really, really know your perimeter. We all, for example, will run services to make them available to our users and things like that, but if you don't actually understand that you have dependencies and vulnerabilities, and you're running those items directly on the internet, it's going to get exploited if there is publicly available exploit code for it, and it's just a matter of time until you enter a scenario like this. So again, know your perimeter. There are a lot of tools that will help you map your attack surface, specifically for what you have on the internet, so if anybody wants to talk about those after the talk, I'm happy to chat a little bit more about them.

Some other things you can do, like what was referenced by the Swiss government's CERT: you can run a web application firewall, so something like Imperva, Cloudflare, Akamai. I would say egress filtering is also a pretty good one. I dealt with one customer in particular where stage one of the exploit was running, so we could obviously see the inbound request being sent to the VMware Horizon server. However, stage two would never complete, or the server would never effectively be exploited, specifically because they were filtering outbound connections on TCP 389. So it's actually kind of cool: you can have the exploit be delivered, but since it has to go back and pick up that second stage, there's not actually a way for it to do that since they're doing egress filtering. Which was cool, because we basically didn't have an incident, so I always love to see that.

So again, watch for outbound connections to seemingly suspicious IPs and domains. Namely, I find a lot of threat actors will use something like a canary token just to test if there is something vulnerable, so look for something like DNS requests to a canary token domain coming from a VMware Horizon server. We're also looking for outbound connections on TCP 389. For those that aren't familiar with canary tokens, it's basically like a mini honeypot, if you will. So let's say, for example, in the screenshot here, if you wanted to set up a canary AWS key, what you can do is generate one and then be notified any time that key is used. You can have it email you, you can have it send a request to a webhook, a lot of different ways, but it's a cool way to detect if something is being used that shouldn't be.

Some other things: you can obviously depend on your EDR, and I would say if you're going to run services on the internet, it's important to have some way to monitor process telemetry so that you can identify when something like this happens. Most EDR products can enable you to do that. Then alternatively you could disable something like JNDI, which is referenced here in the Swiss CERT's great graphic. That being said, though, if it's a commercial software product they probably won't give you the ability to do that out of the box, per se, so I think in that regard you're dependent specifically on the vendor, and you might want to revert back to number one, blocking with the web application firewall, or obviously patching it as well.

And then finally, some threat intel items. I think a lot of EDR products and next-generation firewall products will bundle detections for this kind of activity directly into the product. If you think about a lot of the organizations that make these products, they have pretty big research teams and groups that will track this activity, so I think you will get some good coverage there. I personally like to read Twitter a lot. I'm not really a poster, but I'm into that, and I definitely try to absorb as much as I can there.

What's cool about each one of these incidents in particular: if you just go Google the IPs, you'll find Twitter threads that are talking about this activity as it's happening. So it's not really anything super special, but it goes to show that if security researchers can find this activity as it's happening and broadcast it to the whole internet, we can collectively fight back against the attackers, which I think is great. Shameless plug for Mandiant Advantage as security professionals: it operates on a freemium model, so if any of you want accounts you can go and register for that and get some information from there. And then finally, just some IOC links for pretty common feeds as it pertains to Log4j. So with that, does anybody have any questions? Anything at all?


Yeah, so I would say in these instances in particular, the attribution, they were basically all attributed to new groups. I'm not sure if you're familiar with the way that Mandiant tracks threat actors, but we take new groups and specify them as a UNC cluster, and then as we have evidence to link varying groups, we merge them together. But for all these in particular, they were individual new UNC groups, per se. Sure.

Yep. Have you worked previously with a program where Log4j was present but not being adequately used by the software?

Like the web shell file in particular? Or, yes, yeah. So if you think about that, that's basically using Log4j to put a secondary backdoor on the system, right? So from then on out, as far as executing commands on the system as the threat actor, you're not really depending on Log4j anymore, because you have that light piece of malware, I should say. So if you were to have Log4j turned off from the get-go, the exploit chain obviously wouldn't work, but once the piece of malware is there, a Cobalt Strike beacon is there, it's effectively game over and the threat actor can have access to the system.

Right, so for example, that's correct: if you didn't have it enabled in the first place, you wouldn't be able to exploit it to have the downstream effect of something like Cobalt Strike or a web shell, so you wouldn't be facing the problem. Thank you. Sure.

Anyone else? Super. Well, thank you, and if anybody wants to chat after, I'm happy to talk about anything offline too. But thanks, everyone.