Basic search which lists processes that include log4j in the cmdline> on Windows, Mac and Linux. The query returns a lot of results but works for an insight into what's running on the estate.
SELECT meta_hostname AS ep_name, name, cmdline, path, query_name, sophos_pid, pid FROM xdr_data WHERE query_name IN( 'running_processes_linux_events', 'running_processes_osx_events', 'running_processes_windows_sophos') AND LOWER(cmdline) LIKE '%log4j%'
What if I don't have DataLake setup. How can I run in live query?
You need to run it on the DataLake not Livequery
Don't forget to enable Data Lake Uploads to use this query: docs.sophos.com/.../DataLakeUploads.html
last 24 hrs
SELECT DATE_FORMAT(FROM_UNIXTIME(time), '%Y-%m-%dT%H:%i:%SZ') AS process_time, meta_hostname AS ep_name, name, cmdline, path, query_name, sophos_pid, pid FROM xdr_data WHERE query_name IN( 'running_processes_linux_events', 'running_processes_osx_events', 'running_processes_windows_sophos') AND LOWER(cmdline) LIKE '%log4j%' AND time > to_unixtime(current_timestamp) - (60*60*24)
User "HulkHogan" opened this PDF "TLPGREEN_CYIM-21-028.1_UPDATE_Log4j Vulnerability Exploited in the Wild_20211213.pdf" with the Microsoft Edge Browser (msedge.exe). Since the XDR query looks for literally anything containing the string "log4j" it will also show these instances
Hello Sophos Team,
I have tried to run this query above and getting results on workstations. However I am not sure what to make of this logs. One example is this..What does this mean thanks
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\HulKHogan\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\FGRCBDJ1\TLPGREEN_CYIM-21-028.1_UPDATE_Log4j Vulnerability Exploited in the Wild_20211213.pdf
Is there a way to filter based on time stamp?
It would be good to run again after remediation to see whether there are further identifications.
We have been running this query but the results are a little confusing. It seems to pick up anything with 'Log4j' and so we are assuming we see browsing history, patch downloads, etc. Is this more than a keyword search? If we see results should we assume that Log4J is running and not just a detection on a keyword?
Here's an example from a workstation:
chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --single-argument us-cert.cisa.gov/.../cisa-creates-webpage-apache-log4j-vulnerability-cve-2021-44228C:\Program Files (x86)\Google\Chrome\Application\chrome.exerunning_processes_windows_sophos19744:13283979647775536519744
chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --single-argument www.dell.com/.../additional-information-for-apache-log4j-remote-code-execution-vulnerability-cve-2021-44228C:\Program Files (x86)\Google\Chrome\Application\chrome.exerunning_processes_windows_sophos19952:13284057944155856019952
Thank you for sharing this!
Nice work!
I created a new Live Endpoint query that searches the sophos_file_journal table for any directory events containing "Log4" keyword. I'm not sure how accurate this approach is but it sure helped us locate bunch of servers needing Log4jShell remediation.
SELECTpathname, sophosPID, subject, eventType, event_typeFROMsophos_file_journalWHEREpathname LIKE '%Log4%';
No worries. I completed a form online yesterday to let the Sophos KB team know
Hello John and Konrad,
Thank you for bringing this to our attention. I have reached out to our KB Team to update this as soon as possible.