  • T7-24-01-M-NE-CLM
  • Apache Log4J + XMRig Miner

    This attack combines T1-24-01-S-N-CL and T5-24-01-S-E-LM; two logs are collected: a pcap and a log file.

    It uses the Log4J remote code execution vulnerability to download the miner malware from the attacker's web server, grant it execution permission, and finally run it. Once the miner is running, it significantly increases resource consumption on the victim and sends mining information to the attacker's server.
    | Role     | OS             | IP                                              | Software             | Log collection time | Program runtime |
    |----------|----------------|-------------------------------------------------|----------------------|---------------------|-----------------|
    | Attacker | Windows 11     | 192.168.56.1                                    | jdk-8u20-windows-x64 | 90 sec              | 120 sec         |
    | Victim   | Ubuntu 20.04.1 | 192.168.56.103 (Internal), 10.0.2.15 (External) | log4j 2.17.0         |                     |                 |

  • Installing
  • Install the JDK [jdk-8u20-windows-x64.exe], then install the Python requirements:
    ```
    python3 -m pip install -r requirements.txt
    ```

  • Using
  • You have to run terminal 1 before terminal 2.

    [Terminal 1]
    ```
    python3 -m http.server 8888
    ```

    [Terminal 2]
    ```
    python3 run.py
    ```

  • MITRE ATT&CK Framework
  • Attack Tactic
    Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion,
    Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

  • Logs
  • ./log/2024_01_T7_{time}.log # YYmmdd_HHMMSS
  • References
  • [1] NIST, CVE-2021-44228
    [2] Trend Micro, "What is the Apache Log4J (Log4Shell) vulnerability?"
    [3] AhnLab ASEC, "[Notice] Log4j Core affected by the Apache Log4j vulnerability CVE-2021-44228"
    [4] Palo Alto Networks, "Another Apache Log4j Vulnerability Is Actively Exploited in the Wild (CVE-2021-44228) (Updated)"
    [5] SK Shieldus, "[Research & Technique] Log4Shell vulnerability (CVE-2021-44228)"
    [6] XMRig

  • Copyright (C) 2024, KAIST Cyber Security Research Center. All Rights Reserved.