
Detecting Shellshock with SIEM Solutions

October 07, 2014

At the end of September, a serious vulnerability in GNU Bash (CVE-2014-6271, with CVE-2014-7169 assigned to the bypass of the incomplete first fix) came to light, affecting Linux/Unix and Apple OS X systems. Bash imports function definitions from environment variables, and vulnerable versions also execute whatever command trails the definition. Any service that places attacker-controlled input in an environment variable and then invokes Bash, Apache CGI scripts being the most common case, therefore allows unauthenticated remote execution of arbitrary commands. There is strong potential that the exploit activity will become more damaging: there are already reports of attackers using vulnerable systems to install malware droppers, reverse shells and backdoors, and to stage DDoS attacks.

While much has been written about this vulnerability, there is little information on how to use a security information and event management (SIEM) platform to detect exploitation attempts and report on patch status.

Detection Using Your SIEM

In this brief video, I demonstrate how to exploit the vulnerability and then use Splunk Enterprise to set up a Shellshock reporting dashboard that gives your organization situational awareness. The reports can be emailed to your Unix team daily or posted on the video wall in your SOC. Two scripts installed on your Linux forwarders show which systems still need the patch and which commands attackers are attempting against your Apache web servers.
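As an added illustration, and not the scripts used in the video, here is the shape those two forwarder inputs can take in POSIX shell: a check of the local Bash using the public CVE-2014-6271 test string, and a scan of an Apache access log for the function-definition prefix `() {` that every Shellshock payload has to carry, wherever the attacker puts it (User-Agent, Referer, Cookie or the request line). The log lines are constructed, the addresses are from documentation ranges, and the function names and log path are assumptions.

```shell
#!/bin/sh
# Added example, not the scripts from the post's video.
# Two checks a Splunk forwarder (or any SIEM agent) can run as scripted inputs.
# Assumptions: function names, the sample log lines and the 192.0.2.0/24,
# 198.51.100.0/24 and 203.0.113.0/24 addresses are all illustrative.

# Check 1: is the local Bash still vulnerable to CVE-2014-6271?
# A vulnerable Bash imports the function definition from $x and then also
# runs the trailing "echo vulnerable"; a patched Bash prints only "test".
shellshock_check_bash() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Check 2: scan an Apache access log for the "() {" prefix. It is matched as
# a string anywhere on the line, so it catches the payload in any header.
SHELLSHOCK_RE='\(\) *[{]'

# Number of matching requests (a single metric for a dashboard panel).
shellshock_hit_count() {
    grep -cE "$SHELLSHOCK_RE" "$1"
}

# One line per hit: client IP, then the payload from "() {" to end of line,
# so the attempted command is visible in the SIEM event as it was sent.
shellshock_scan_log() {
    grep -E "$SHELLSHOCK_RE" "$1" |
    awk '{ match($0, /\(\) *[{]/); print $1 " " substr($0, RSTART) }'
}

# Constructed sample log in Apache combined format: two attack probes
# (one in the User-Agent, one in the Referer) among ordinary requests.
shellshock_write_sample_log() {
    cat > "$1" <<'EOF'
198.51.100.7 - - [30/Sep/2014:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.10 - - [30/Sep/2014:10:02:14 +0000] "GET /cgi-bin/status HTTP/1.1" 200 18 "-" "() { :;}; /bin/ping -c 1 192.0.2.99"
198.51.100.7 - - [30/Sep/2014:10:02:20 +0000] "POST /login HTTP/1.1" 302 0 "http://www.example.com/" "Mozilla/5.0"
192.0.2.10 - - [30/Sep/2014:10:02:31 +0000] "GET /cgi-bin/status HTTP/1.1" 200 18 "() { :;}; /bin/bash -c \"cat /etc/passwd\"" "-"
203.0.113.5 - - [30/Sep/2014:10:03:01 +0000] "GET /robots.txt HTTP/1.1" 404 209 "-" "curl/7.30.0"
EOF
}

# Stand-alone demo: emit the two kinds of events the dashboard consumes.
shellshock_demo() {
    tmp=$(mktemp)
    shellshock_write_sample_log "$tmp"
    echo "bash_status=$(shellshock_check_bash) host=$(uname -n)"
    echo "shellshock_hits=$(shellshock_hit_count "$tmp")"
    shellshock_scan_log "$tmp"
    rm -f "$tmp"
}

shellshock_demo
```

Run the first function on an interval from every forwarder and the second against the live access log; each output line becomes an event the dashboard can count by host or by source IP. Two caveats: the Bash check covers only the original CVE-2014-6271 string, so a host that reports "patched" still needs the follow-up fix for CVE-2014-7169; and the log match is a plain string match, so a legitimate request that happens to contain `() {` will fire, which is rare enough in practice that it is worth triaging rather than suppressing.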


While I used Splunk Enterprise for the demonstration, other SIEM engines will also work, although some of the setup details will vary.


By: Derek Arnold, Principal Consultant
