Basic search to find Log4J running on hosts from the DataLake

Basic search which lists processes that include log4j in the cmdline> on Windows, Mac and Linux. The query returns a lot of results but works for an insight into what's running on the estate.

Fullscreen

1
2
3
4
5
6
7
8
9
10
11
SELECT
meta_hostname AS ep_name,
name,
cmdline,
path,
query_name,
sophos_pid,
pid
FROM xdr_data
WHERE query_name IN( 'running_processes_linux_events', 'running_processes_osx_events', 'running_processes_windows_sophos')
AND LOWER(cmdline) LIKE '%log4j%'
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

SELECT
meta_hostname AS ep_name,
name,
cmdline,
path,
query_name,
sophos_pid,
pid
FROM xdr_data
WHERE query_name IN( 'running_processes_linux_events', 'running_processes_osx_events', 'running_processes_windows_sophos')
AND LOWER(cmdline) LIKE '%log4j%'

CraigJones

30 comments
0 members are here

Top Comments

Ninjatech1969 over 4 years ago

Hello Sophos Team,

I have tried to run this query above and getting results on workstations. However I am not sure what to make of this logs. One example is this..What does this mean thanks

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\HulKHogan\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\FGRCBDJ1\TLPGREEN_CYIM-21-028.1_UPDATE_Log4j Vulnerability Exploited in the Wild_20211213.pdf
- SaschaP over 4 years ago in reply to Ninjatech1969
  
  User "HulkHogan" opened this PDF "TLPGREEN_CYIM-21-028.1_UPDATE_Log4j Vulnerability Exploited in the Wild_20211213.pdf" with the Microsoft Edge Browser (msedge.exe). Since the XDR query looks for literally anything containing the string "log4j" it will also show these instances
James Scott over 4 years ago

Is there a way to filter based on time stamp?

It would be good to run again after remediation to see whether there are further identifications.
- SaschaP over 4 years ago in reply to James Scott
  last 24 hrs
  
  Fullscreen
  1
  2
  3
  4
  5
  6
  7
  8
  9
  10
  11
  12
  13
  SELECT
  DATE_FORMAT(FROM_UNIXTIME(time), '%Y-%m-%dT%H:%i:%SZ') AS process_time,
  meta_hostname AS ep_name,
  name,
  cmdline,
  path,
  query_name,
  sophos_pid,
  pid
  FROM xdr_data
  WHERE query_name IN( 'running_processes_linux_events', 'running_processes_osx_events', 'running_processes_windows_sophos')
  AND LOWER(cmdline) LIKE '%log4j%'
  AND time > to_unixtime(current_timestamp) - (60*60*24)
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  SELECT DATE_FORMAT(FROM_UNIXTIME(time), '%Y-%m-%dT%H:%i:%SZ') AS process_time, meta_hostname AS ep_name, name, cmdline, path, query_name, sophos_pid, pid FROM xdr_data WHERE query_name IN( 'running_processes_linux_events', 'running_processes_osx_events', 'running_processes_windows_sophos') AND LOWER(cmdline) LIKE '%log4j%' AND time > to_unixtime(current_timestamp) - (60*60*24)
Kathleen Dannenberg over 4 years ago

We have been running this query but the results are a little confusing. It seems to pick up anything with 'Log4j' and so we are assuming we see browsing history, patch downloads, etc. Is this more than a keyword search? If we see results should we assume that Log4J is running and not just a detection on a keyword?

Here's an example from a workstation:

chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --single-argument us-cert.cisa.gov/.../cisa-creates-webpage-apache-log4j-vulnerability-cve-2021-44228C:\Program Files (x86)\Google\Chrome\Application\chrome.exerunning_processes_windows_sophos19744:13283979647775536519744

chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --single-argument www.dell.com/.../additional-information-for-apache-log4j-remote-code-execution-vulnerability-cve-2021-44228C:\Program Files (x86)\Google\Chrome\Application\chrome.exerunning_processes_windows_sophos19952:13284057944155856019952
Lisa Busby over 4 years ago

Thank you for sharing this!
Sophos User930 over 4 years ago
If you choose to use the environment variable
```
LOG4J_FORMAT_MSG_NO_LOOKUPS
```
to mitigate the issue, I suppose this would be a quick test to get a list of those computers with the value set one way or another.
```
SELECT
    variable,
    value,
    expand
FROM default_environment
where variable = "LOG4J_FORMAT_MSG_NO_LOOKUPS"
```
Konrad Herrmann over 4 years ago

Hello, can it be that macOS devices cannot upload data to the Data_Lake? If so, when does SOPHOS plan to change it?

docs.sophos.com/.../DataLakeUploads.html

Greets
- John Fry over 4 years ago in reply to Konrad Herrmann
  
  Seems like SOPHOS NEED TO UPDATE THEIR ONLINE DOCS: partnernews.sophos.com/.../
  - RL over 4 years ago in reply to Qoosh
    
    No worries. I completed a form online yesterday to let the Sophos KB team know
  - Qoosh over 4 years ago in reply to John Fry
    
    Hello John and Konrad,
    
    Thank you for bringing this to our attention. I have reached out to our KB Team to update this as soon as possible.
Chris Shipley over 4 years ago

How long after enabling data lake should one wait to run the query?
- Sophos professional services Michael Curtis over 4 years ago in reply to Chris Shipley
  Run these queries:
  
  Device details - this will list all the machines in the Data Lake and how much data has been sent
  
  Data uploads to the Data Lake - this will show you how much data is in the whole data lake for each table. You are looking for data in these tables,
  
  running_processes_linux_events
  
  running_processes_osx_events
  
  running_processes_windows_sophos
  
  It shouldn't take long for the data to start coming into the data lake, a few hours
Donavon McKigney over 4 years ago

I just added servers to our DataLake. When I run the query it shows no results. How long after adding serves before they can be searched?
- CraigJones over 4 years ago in reply to Donavon McKigney
  
  It will take a few hours, the system runs queries on your servers to 'hydrate' the data lake.
  - Donavon McKigney over 4 years ago in reply to CraigJones
    
    Is there a way to see that this process has completed?
- Brad Krakow over 4 years ago in reply to Donavon McKigney
  
  It took a few hours for me, however I still don't have any results when I run this query. So I suspect that is a good thing. When I run other queries I get results.
Patrick Moubarak over 4 years ago

Don't forget to enable Data Lake Uploads to use this query: docs.sophos.com/.../DataLakeUploads.html
Jesse Cortez over 4 years ago

I have about 31 results. Most of them are from the same 5 computers. I don't see any any processes named "log4j" but does this mean that all results are vulnerable?
- CraigJones over 4 years ago in reply to Jesse Cortez
  
  I means that those 5 hosts have Log4j present.
  - CraigJones over 4 years ago in reply to Brad Krakow
    
    It would mean that you don't have Log4J loaded on your estate. It's not comprehensive however, definitely check your vendor security advisories.
  - Brad Krakow over 4 years ago in reply to CraigJones
    
    If it returns no results does that mean we have no exposure to this vulnerability?
View More

Uncategorized

Anomalies

ATT&CK

Cloud Optix

Compliance

Data Lake

Device

Email

Events

Files

Live Response

Network

Other queries

Processes

Query Tips

Registry

Threat Hunting

User

Basic search to find Log4J running on hosts from the DataLake

Top Comments