Blog
/
Network
/
December 14, 2021

Log4Shell Vulnerability Detection & Response With Darktrace

Learn how Darktrace's AI detects and responds to Log4Shell attacks. Explore real-world examples and see how Darktrace identified and mitigated cyber threats.
Written by
Max Heinemeyer
Global Field CISO
Written by
Justin Fier
SVP, Red Team Operations
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Max Heinemeyer
Global Field CISO
Written by
Justin Fier
SVP, Red Team Operations
Default blog image
14
Dec 2021

In this blog, we’ll take a look at the Log4Shell vulnerability and provide real-world examples of how Darktrace detects and responds to attacks attempting to leverage Log4Shell in the wild.

Log4Shell is now the well-known name for CVE-2021-44228 – a severity 10 zero-day exploiting a well-known Java logging utility known as Log4j. Vulnerabilities are discovered daily, and some are more severe than others, but the fact that this open source utility is nested into nearly everything, including the Mars Ingenuity drone, makes this that much more menacing. Details and further updates about Log4Shell are still emerging at the publication date of this blog.

Typically, zero-days with the power to reach this many systems are held close to the chest and only used by nation states for high value targets or operations. This one, however, was first discovered being used against Minecraft gaming servers, shared in chat amongst gamers.

While all steps should be taken to deploy mitigations to the Log4Shell vulnerability, these can take time. As evidenced here, behavioral detection can be used to look for signs of post-exploitation activity such as scanning, coin mining, lateral movement, and other activities.

Darktrace initially detected the Log4Shell vulnerability targeting one of our customers’ Internet-facing servers, as you will see in detail in an actual anonymized threat investigation below. This was highlighted and reported using Cyber AI Analyst, unpacked here by our SOC team. Please take note that this was using pre-existing algorithms without retraining classifiers or adjusting response mechanisms in reaction to Log4Shell cyber-attacks.

How Log4Shell works

The vulnerability works by taking advantage of improper input validation by the Java Naming and Directory Interface (JNDI). A command comes in from an HTTP user-agent, encrypted HTTPS connection, or even a chat room message, and the JNDI sends that to the target system in which it gets executed. Most libraries and applications have checks and protections in place to prevent this from happening, but as seen here, they get missed at times.

Various threat actors have started to leverage the vulnerability in attacks, ranging from indiscriminate crypto-mining campaigns to targeted, more sophisticated attacks.

Real-world example 1: Log4Shell exploited on CVE ID release date

Darktrace saw this first example on December 10, the same day the CVE ID was released. We often see publicly documented vulnerabilities being weaponized within days by threat actors. This attack hit an Internet-facing device in an organization’s demilitarized zone (DMZ). Darktrace had automatically classified the server as an Internet-facing device based on its behavior.

The organization had deployed Darktrace in the on-prem network as one of many coverage areas that include cloud, email and SaaS. In this deployment, Darktrace had good visibility of the DMZ traffic. Antigena was not active in this environment, and Darktrace was in detection-mode only. Despite this fact, the client in question was able to identify and remediate this incident within hours of the initial alert. The attack was automated and had the goal of deploying a crypto-miner known as Kinsing.

In this attack, the attacker made it harder to detect the compromise by encrypting the initial command injection using HTTPS over the more common HTTP seen in the wild. Despite this method being able to bypass traditional rules and signature-based systems Darktrace was able to spot multiple unusual behaviors seconds after the initial connection.

Initial compromise details

Through peer analysis Darktrace had previously learned what this specific DMZ device and its peer group normally do in the environment. During the initial exploitation, Darktrace detected various subtle anomalies that taken together made the attack obvious.

  1. 15:45:32 Inbound HTTPS connection to DMZ server from rare Russian IP — 45.155.205[.]233;
  2. 15:45:38 DMZ server makes new outbound connection to the same rare Russian IP using two new user agents: Java user agent and curl over a port that is unusual to serve HTTP compared to previous behavior;
  3. 15:45:39 DMZ server uses an HTTP connection with another new curl user agent (‘curl/7.47.0’) to the same Russian IP. The URI contains reconnaissance information from the DMZ server.

All this activity was detected not because Darktrace had seen it before, but because it strongly deviated from the regular ‘pattern of life’ for this and similar servers in this specific organization.

This server never reached out to rare IP addresses on the Internet, using user agents it never used before, over protocol and port combinations it never uses. Every point-in-time anomaly itself may have presented slightly unusual behavior – but taken together and analyzed in the context of this particular device and environment, the detections clearly tell a bigger story of an ongoing cyber-attack.

Darktrace detected this activity with various models, for example:

  • Anomalous Connection / New User Agent to IP Without Hostname
  • Anomalous Connection / Callback on Web Facing Device

Further tooling and crypto-miner download

Less than 90 minutes after the initial compromise, the infected server started downloading malicious scripts and executables from a rare Ukrainian IP 80.71.158[.]12.

The following payloads were subsequently downloaded from the Ukrainian IP in order:

  • hXXp://80.71.158[.]12//lh.sh
  • hXXp://80.71.158[.]12/Expl[REDACTED].class
  • hXXp://80.71.158[.]12/kinsing
  • hXXp://80.71.158[.]12//libsystem.so
  • hXXp://80.71.158[.]12/Expl[REDACTED].class

Using no threat intelligence or detections based on static indicators of compromise (IoC) such as IPs, domain names or file hashes, Darktrace detected this next step in the attack in real time.

The DMZ server in question never communicated with this Ukrainian IP address in the past over these uncommon ports. It is also highly unusual for this device and its peers to download scripts or executable files from this type of external destination, in this fashion. Shortly after these downloads, the DMZ server started to conduct crypto-mining.

Darktrace detected this activity with various models, for example:

  • Anomalous File / Script from Rare External Location
  • Anomalous File / Internet Facing System File Download
  • Device / Internet Facing System with High Priority Alert

Surfacing the Log4Shell incident immediately

In addition to Darktrace detecting each individual step of this attack in real time, Darktrace Cyber AI Analyst also surfaced the overarching security incident, containing a cohesive narrative for the overall attack, as the most high-priority incident within a week’s worth of incidents and alerts in Darktrace. This means that this incident was the most obvious and immediate item highlighted to human security teams as it unfolded. Darktrace’s Cyber AI Analyst found each stage of this incident and asked the very questions you would expect of your human SOC analysts. From the natural language report generated by the Cyber AI Analyst, a summary of each stage of the incident followed by the vital data points human analysts need, is presented in an easy to digest format. Each tab signifies a different part of this incident outlining the actual steps taken during each investigative process.

The result of this is no sifting through low-level alerts, no need to triage point-in-time detections, no putting the detections into a bigger incident context, no need to write a report. All of this was automatically completed by the AI Analyst saving human teams valuable time.

The below incident report was automatically created and could be downloaded as a PDF in various languages.

Figure 1: Darktrace’s Cyber AI Analyst surfaces multiple stages of the attack and explains its investigation process

Real-world example 2: Responding to a different attack using Log4Shell

On December 12, another organization’s Internet-facing server was initially compromised via Log4Shell. While the details of the compromise are different – other IoCs are involved – Darktrace detected and surfaced the attack similarly to the first example.

Interestingly, this organization had Darktrace Antigena in autonomous mode on their server, meaning the AI can take autonomous actions to respond to ongoing cyber-attacks. These responses can be delivered via a variety of mechanisms, for instance, API interactions with firewalls, other security tools, or native responses issued by Darktrace.

In this attack the rare external IP 164.52.212[.]196 was used for command and control (C2) communication and malware delivery, using HTTP over port 88, which was highly unusual for this device, peer group and organization.

Antigena reacted in real time in this organization, based on the specific context of the attack, without any human in the loop. Antigena interacted with the organization’s firewall in this case to block any connections to or from the malicious IP address – in this case 164.52.212[.]196 – over port 88 for 2 hours with the option of escalating the block and duration if the attack appears to persist. This is seen in the illustration below:

Figure 2: Antigena’s response

Here comes the trick: thanks to Self-Learning AI, Darktrace knows exactly what the Internet-facing server usually does and does not do, down to each individual data point. Based on the various anomalies, Darktrace is certain that this represents a major cyber-attack.

Antigena now steps in and enforces the regular pattern of life for this server in the DMZ. This means the server can continue doing whatever it normally does – but all the highly anomalous actions are interrupted as they occur in real time, such as speaking to a rare external IP over port 88 serving HTTP to download executables.

Of course the human can change or lift the block at any given time. Antigena can also be configured to be in human confirmation mode, having the human in the loop at certain times during the day (e.g. office hours) or at all times, depending on an organization’s needs and requirements.

Conclusion

This blog illustrates further aspects of cyber-attacks leveraging the Log4Shell vulnerability. It also demonstrates how Darktrace detects and responds to zero-day attacks if Darktrace has visibility of the attacked entities.

While Log4Shell is dominating the IT and security news, similar vulnerabilities have surfaced in the past and will appear in the future. We’ve spoken about our approach to detecting and responding to similar vulnerabilities and surrounding cyber-attacks before, for instance:

As always, companies should aim for a defense-in-depth strategy combining preventative security controls with detection and response mechanisms, as well as strong patch management.

Thanks to Brianna Leddy (Darktrace’s Director of Analysis) for her insights on the above threat find.

Written by
Max Heinemeyer
Global Field CISO
Written by
Justin Fier
SVP, Red Team Operations
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Max Heinemeyer
Global Field CISO
Written by
Justin Fier
SVP, Red Team Operations

Hola VPN Abuse: From Proxy Traffic to Malware and Cryptomining

Network
June 15, 2026
Min Kim
Cyber Security Analyst
Watch the NIS2 Webinar
Trending blogs
1
Prompt Security in Enterprise AI: Strengths, Weaknesses, and Common Approaches
May 20, 2026
2
What the Darktrace Annual Threat Report 2026 Means for Security Leaders
Feb 26, 2026
3
Journey of a Threat: How Multi-Layered AI Works in Darktrace / EMAIL
May 26, 2026
4
How to Evaluate AI Vendors: 5 Key categories for AI Adoption
May 27, 2026
5
Darktrace Unites Human Behavior and Threat Detection Across Email, Slack, Teams, and Zoom
Mar 24, 2026

More in this series

No items found.
Continue reading
Network
June 15, 2026

Hola VPN Abuse: From Proxy Traffic to Malware and Cryptomining

Darktrace’s analysis of Hola VPN-related activity across multiple environments reveals how peer-to-peer proxy functionality can enable malware delivery, command-and-control traffic, and cryptomining. Darktrace data highlights consistent patterns, suspicious downloads from rare endpoints, and post-compromise behavior, demonstrating how seemingly benign software can obscure threats and facilitate further malicious activity.
Min Kim
Cyber Security Analyst
Read more
Network
June 10, 2026

How Attackers Abuse the Chinese Nezha Monitoring Tool

This blog examines how attackers abuse the Chinese-developed Nezha monitoring tool, a legitimate open-source platform with remote access capabilities. Darktrace analysis of a honeypot intrusion highlights malicious deployment via containers, demonstrating how dual-use software enables stealthy operations, trust inversion, and detection challenges in dynamic cloud and enterprise environments modern.
Nathaniel Bill
Malware Research Engineer
Read more
Network
May 21, 2026

Darktrace named a Leader in the 2026 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) For the Second Consecutive Year

Darktrace has been named a Leader in the 2026 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) for the second consecutive year. We believe this reflects continued execution in NDR, ongoing AI innovation, and strong outcomes delivered for customers globally.
Mikey Anderson
Product Marketing Manager, Network Detection & Response
Read more

Blog

/

AI

/

June 24, 2026

A New Security Challenge: The Curious Case of Prompt Language Analysis

Default blog imageDefault blog image

Why prompt analysis is emerging as a key AI security challenge

If securing AI has been one of the defining cybersecurity conversations of the past year, prompt analysis is quickly becoming one of its most interesting frontiers.

Security leaders are under pressure to understand how AI is being used across the business. In some organizations, that means governing employee use of chatbots. In others, it means overseeing copilots embedded into SaaS platforms, monitoring coding assistants, or assessing the growing footprint of autonomous agents. However different these use cases may appear on the surface, they share a common factor: humans and machines are usually interacting with enterprise systems through language.  

How prompt language differs from traditional security telemetry

For years, defenders have become used to working with familiar forms of telemetry: email traffic, network connections, API calls, endpoint processes, authentication events. Prompt language is different. It is not simply another log source. It is an expression of intent, instruction, curiosity, urgency, and sometimes manipulation. It reflects the end-goal of a user or agent, but not always with enough surrounding context to interpret the risk correctly.

Why existing security approaches only partially explain prompt risk

A growing number of vendors are approaching the task of securing AI from the angle they know best. Perimeter vendors are extending web or browser controls into AI usage. Identity vendors are emphasizing agent permissions and access governance. Data security and DLP providers are focusing on content inspection and exfiltration risk. All of these perspectives matter, but individually can’t fully explain the problem.

The challenge with securing AI is not just that a new application category has emerged. It is that language has become a new operating layer in the enterprise.

Employees now use prompts to summarize documents, generate code, analyze spreadsheets, query internal knowledge, and trigger multi-step actions through agents. In each case, prompt language acts as the interface between human intent and machine execution. That makes prompts incredibly valuable from a security perspective as they can hint at misuse, policy violations, data exposure, or attempts to circumvent controls. However, they can also be deeply ambiguous when viewed in isolation. That ambiguity is the heart of the issue.

Prompts as behavioral signals, not just text to classify

A prompt by itself tells you what was asked. It does not necessarily tell you whether the request is expected, risky, accidental, or entirely legitimate in context. Two nearly identical prompts can carry very different meanings depending on the role and function of who issued them, what systems they can access, and what actions followed. In other words, prompts are not just text to classify. They are behavioral signals to interpret.

Example: How context changes prompt risk entirely

Consider a common enterprise scenario. An employee is pulled into a new project with an aggressive deadline. Almost overnight, their use of AI tools spikes. They begin prompting more frequently, working across unfamiliar documents, querying new data sources, and interacting with more systems than usual to accelerate delivery. Viewed narrowly, this may look suspicious. Prompt volume increases, file access patterns change, API and SaaS activity rise. From some vantage points, it may resemble insider risk or unmanaged AI usage.

But now add context. Imagine that, earlier that day, the employee received instructions from a senior leader asking them to support a time-sensitive initiative. Their communication history shows that this leader is a legitimate reporting-line superior. Their recent collaboration patterns align with the new project team. Their subsequent activity, while unusual for that individual’s baseline, is consistent with the business task they were assigned.

What initially looked like a risk event may actually be a normal response to business pressure. Without the surrounding context of communication, organizational relationships, and broader behavioral patterns, prompt activity alone could generate more noise than insight.

The reverse is also true. A prompt may appear benign on the surface while the context around it suggests elevated risk. A request that seems routine could originate from a compromised user, a newly connected external agent, a shadow AI workflow, or a user acting outside their normal role. The language itself may not contain anything obviously malicious, but the surrounding conditions may tell a very different story.

What security teams need to analyze prompts effectively

The future of prompt analysis is not just about understanding language. It is about understanding language in context.

To do that well, security teams need more than prompt inspection. They need to understand:

  • Who is issuing the prompt, whether human or agent
  • How that identity normally behaves across the enterprise
  • What systems, data, and workflows are connected to the interaction
  • Which relationships and communications explain the surrounding activity
  • Whether the downstream actions align with expected business behavior

When those layers are absent, prompt analysis can become another isolated control surface: useful in theory, but limited in practice. Security teams may detect unusual wording but miss the operational function behind it, overreact to benign changes in behavior, or miss subtle misuse because the prompt itself did not appear dangerous.

How organizations should think about prompt analysis going forward

Security teams have seen this pattern before. In the cloud, posture without runtime context left important gaps. In identity, access control without behavioral understanding missed misuse that looked legitimate on paper. In data security, content inspection without business context often created friction without resolving risk. AI is exposing the same lesson again: controls are strongest when they are coordinated, not isolated. As organizations work to secure AI and identify gaps across their security operations, prompt analysis will become an increasingly important source of insight, but only as part of a broader strategy.

Prompt analysis will undoubtedly become more common, as prompts are one of the clearest windows into how people and agents are using AI systems. However, what matters most is not simply collecting prompts or filtering dangerous phrases, but being able to place that language inside a wider behavioral and operational picture.

Organizations that already have a broader understanding of how work gets done across the enterprise will be better positioned to make sense of prompt language as this category matures. They will be better able to distinguish urgency from abuse, experimentation from exfiltration, and productive AI adoption from hidden risk.

Figure 1: Darktrace / SECURE AI reconstructs the full sequence of events, showing every user and agent interaction in context, with risky prompts highlighted and categorized, including PII, sensitive data, and other policy violations.

At Darktrace, this is the key lesson emerging from the market: prompt language does matter, but it does not stand alone. It is most valuable when treated as a new behavioral input that can enrich understanding across the enterprise, not as a self-contained source of truth.

Why prompts become less useful when analyzed in isolation

The curious case of prompt language analysis, then, is this: the more important prompts become, the less useful they are in a vacuum.

The real opportunity is not just to see what was asked. It is to understand why it was asked, what it meant in that moment, and what happened next.

For a deeper look at how organizations are approaching this challenge from the strengths of prompt analysis to its limitations in isolation see Prompt Security in Enterprise AI: Strengths, Weaknesses, and Common Approaches, which expands on the role prompt-level controls play within a broader, context-driven security strategy.

Continue reading
About the author
Nabil Zoldjalali
VP, Field CISO

Blog

/

AI

/

June 23, 2026

Advancing the Use of Frontier AI in Cybersecurity: Darktrace Joins the OpenAI Daybreak Cyber Partner Program to Explore Defensive AI Integrations

Default blog imageDefault blog image

Darktrace joins the OpenAI Daybreak Cyber Partner Program

Today, we announced that Darktrace is joining the OpenAI Daybreak Cyber Partner Program. We’ll be partnering with OpenAI to explore how their cyber capabilities can be integrated within Darktrace products and services to bring new capabilities to our customers.

This partnership is an exciting opportunity to bring together Darktrace’s behavioral AI modelling of the organization with OpenAI’s advanced contextual capabilities to create a new level of understanding for security teams. To understand the impact, it’s helpful to start with how we think about the problem.  

At Darktrace, we built our AI in support of the core belief that cybersecurity needs to understand the business it is defending. That's why our Self-Learning AI is designed to help organizations understand normal and abnormal behavior for each organization across their digital environment, including users and identities, networks and cloud, email and collaboration tools, and now AI systems and agents with the rollout of Darktrace / SECURE AI™.  

Our goal was never simply to spot known attacks faster. It was to help defenders understand how their organization behaves, potential risks and impact, and where disruption could take hold so they could prepare for the unknown threats that they may not have seen or even imagined before.  

That’s exactly what is happening across the threat landscape today. Attacks keep changing; techniques shift, infrastructure evolves, and attackers move with more speed, precision, and context. And now they have even more AI and automation on their side. Attackers are exploiting identities, trusted services, SaaS applications, and business workflows. They are not always breaking in; often, the threat may come from within the organization in the form of insider threat or even rogue agents.  

In this reality, defenders need a combination of deep AI modelling of the organization and AI that can connect identified threats to concrete business context, translating this information into real world value, and allow action before risk becomes disruption.

That is the opportunity we see in partnering with OpenAI.  

What is the OpenAI Daybreak Cyber Partner Program and why is Darktrace joining

The OpenAI Daybreak Cyber Partner Program is focused on advancing the safe use of AI for cybersecurity. As part of the program’s next phase, OpenAI is working with a select group of trusted partners including Darktrace on scoped product integrations, managed services, and partner-delivered defensive capabilities. We’ll be exploring how OpenAI’s advanced frontier AI capabilities can support defenders in the tools and workflows they already use each day.

For Darktrace, this is a natural extension of our expertise and the work we have been doing for a decade: safely and securely applying the most effective AI techniques in combination to understand organizations, detecting malicious activity at the earliest indicators, and helping cyber defenders act faster.  

By using the advanced models and more precise safeguards available in the OpenAI Daybreak Cyber Partner Program, Darktrace and OpenAI will combine Darktrace’s real-time behavioral understanding of an organization's digital estate with OpenAI's ability to interpret wider business context.  

This is a unique and powerful combination of insights that could give organizations deeper context on technical risk and help them prioritize workloads and investigations based on potential impact to revenue, operations, and resilience. It can also provide security teams and executives with intelligence into which events matter most to the business, why they matter, and what action to take. Not just finding, for instance, that an agent is compromised, but highlighting that the compromised agent could shut down order fulfilment within the next three hours.  

Why the Darktrace and OpenAI partnership matters for defenders

Security teams today have more attack surface, more complex environments to protect, and an increasing volume of threats. The ability to act quickly is critical, but they also need to be able to focus on the risks that could have the greatest business impact.

That is especially important as attackers use AI to scale phishing, automate reconnaissance, find weaknesses, and blend into normal business activity. At the same time, organizations and their employees are using AI to innovate, which introduces an even broader attack surface and new set of risks. Defenders need AI that can operate across the same complexity, but safely, transparently, and in service of building more resilience. And they need a way to safely adopt, govern, and defend AI across their organizations.

Joining the OpenAI Daybreak Cyber Partner Program is another step in that direction. We are still early in this work, and we will take a careful, disciplined approach. But the direction is clear: protecting organizations requires AI that understands the business, not just the attack.

At Darktrace, that is exactly where we remain focused and why we are so excited about this partnership with OpenAI.  

[related-resource]

Continue reading
About the author
Your data. Our AI.
Elevate your network security with Darktrace AI