Basic search to find Log4J running on hosts from the DataLake

Basic search which lists processes that include log4j in the cmdline on Windows, Mac and Linux. The query returns a lot of results but works for an insight into what's running on the estate.

SELECT
meta_hostname AS ep_name,
name,
cmdline,
path,
query_name,
sophos_pid,
pid
FROM xdr_data
WHERE query_name IN( 'running_processes_linux_events', 'running_processes_osx_events', 'running_processes_windows_sophos')
AND LOWER(cmdline) LIKE '%log4j%'

  • last 24 hrs

    SELECT
    DATE_FORMAT(FROM_UNIXTIME(time), '%Y-%m-%dT%H:%i:%SZ') AS process_time,
    meta_hostname AS ep_name,
    name,
    cmdline,
    path,
    query_name,
    sophos_pid,
    pid
    FROM xdr_data
    WHERE query_name IN( 'running_processes_linux_events', 'running_processes_osx_events', 'running_processes_windows_sophos')
    AND LOWER(cmdline) LIKE '%log4j%'
    AND time > to_unixtime(current_timestamp) - (60*60*24)

  • User "HulkHogan" opened this PDF "TLPGREEN_CYIM-21-028.1_UPDATE_Log4j Vulnerability Exploited in the Wild_20211213.pdf" with the Microsoft Edge Browser (msedge.exe). Since the XDR query looks for literally anything containing the string "log4j", it will also show these instances.

  • Hello Sophos Team,

    I have tried to run this query above and am getting results on workstations. However, I am not sure what to make of these logs. One example is this. What does this mean? Thanks.

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\HulKHogan\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\FGRCBDJ1\TLPGREEN_CYIM-21-028.1_UPDATE_Log4j Vulnerability Exploited in the Wild_20211213.pdf

  • Is there a way to filter based on time stamp?

    It would be good to run again after remediation to see whether there are further identifications.

  • We have been running this query but the results are a little confusing. It seems to pick up anything with 'Log4j' and so we are assuming we see browsing history, patch downloads, etc. Is this more than a keyword search? If we see results should we assume that Log4J is running and not just a detection on a keyword?

    Here's an example from a workstation: 

    name: chrome.exe
    cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --single-argument us-cert.cisa.gov/.../cisa-creates-webpage-apache-log4j-vulnerability-cve-2021-44228
    path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    query_name: running_processes_windows_sophos
    sophos_pid: 19744:132839796477755365
    pid: 19744

    name: chrome.exe
    cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --single-argument www.dell.com/.../additional-information-for-apache-log4j-remote-code-execution-vulnerability-cve-2021-44228
    path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    query_name: running_processes_windows_sophos
    sophos_pid: 19952:132840579441558560
    pid: 19952
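The question above is a fair one: the thread's query is a plain substring match, so a browser opening a Log4j advisory scores a hit just like a JVM that loaded the library. The query below is an added example, not one of the queries posted in this thread; it keeps the xdr_data column names used above, adds a JVM filter, and excludes a short, assumed list of browser and reader processes that only carry "log4j" in a URL or file name.

```sql
-- Added example: narrow the thread's xdr_data process search so that
-- advisory-reading browsers drop out and only Java processes that reference
-- log4j on their command line remain (last 24 hours).
SELECT
  DATE_FORMAT(FROM_UNIXTIME(time), '%Y-%m-%dT%H:%i:%SZ') AS process_time,
  meta_hostname AS ep_name,
  name,
  cmdline,
  path,
  query_name,
  sophos_pid,
  pid
FROM xdr_data
WHERE query_name IN ('running_processes_linux_events', 'running_processes_osx_events', 'running_processes_windows_sophos')
  AND time > to_unixtime(current_timestamp) - (60*60*24)
  -- the raw keyword match from the original query
  AND LOWER(cmdline) LIKE '%log4j%'
  -- keep only processes that look like a JVM, i.e. something that can actually load log4j
  AND (
       LOWER(name) LIKE 'java%'          -- java, javaw, java.exe, javaw.exe
    OR LOWER(cmdline) LIKE '%.jar%'      -- java -jar app.jar ...
    OR LOWER(cmdline) LIKE '%-cp %'      -- explicit classpath
    OR LOWER(cmdline) LIKE '%-classpath %'
  )
  -- drop processes that merely display a log4j URL or file name (assumed list, extend as needed)
  AND LOWER(name) NOT IN ('chrome.exe', 'msedge.exe', 'firefox.exe', 'acrord32.exe', 'outlook.exe')
ORDER BY process_time DESC
```

Rows that survive this filter still need a look at the cmdline/path to confirm which jar is loaded; a JVM filter removes the browser noise but does not tell you the log4j version.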

  • I created a new Live Endpoint query that searches the sophos_file_journal table for any directory events containing the "Log4" keyword. I'm not sure how accurate this approach is, but it sure helped us locate a bunch of servers needing Log4Shell remediation.

    SELECT
    pathname, sophosPID, subject, eventType, event_type
    FROM
    sophos_file_journal
    WHERE
    pathname LIKE '%Log4%';

  • No worries. I completed a form online yesterday to let the Sophos KB team know.

  • Hello John and Konrad,

    Thank you for bringing this to our attention. I have reached out to our KB Team to update this as soon as possible.