Approved

Basic search to find Log4J running on hosts from the DataLake

Basic search which lists processes that include log4j in the cmdline> on Windows, Mac and Linux. The query returns a lot of results but works for an insight into what's running on the estate.

SELECT
meta_hostname AS ep_name,
name,
cmdline,
path,
query_name,
sophos_pid,
pid
FROM xdr_data
WHERE query_name IN( 'running_processes_linux_events', 'running_processes_osx_events', 'running_processes_windows_sophos')
AND LOWER(cmdline) LIKE '%log4j%'

  • last 24 hrs

    SELECT
    DATE_FORMAT(FROM_UNIXTIME(time), '%Y-%m-%dT%H:%i:%SZ') AS process_time,
    meta_hostname AS ep_name,
    name,
    cmdline,
    path,
    query_name,
    sophos_pid,
    pid
    FROM xdr_data
    WHERE query_name IN( 'running_processes_linux_events', 'running_processes_osx_events', 'running_processes_windows_sophos')
    AND LOWER(cmdline) LIKE '%log4j%'
    AND time > to_unixtime(current_timestamp) - (60*60*24)

  • User "HulkHogan" opened this PDF "TLPGREEN_CYIM-21-028.1_UPDATE_Log4j Vulnerability Exploited in the Wild_20211213.pdf" with the Microsoft Edge Browser (msedge.exe). Since the XDR query looks for literally anything containing the string "log4j" it will also show these instances

  • Hello Sophos Team,

    I have tried to run this query above and getting results on workstations. However I am not sure what to make of this logs. One example is this..What does this mean thanks

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\HulKHogan\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\FGRCBDJ1\TLPGREEN_CYIM-21-028.1_UPDATE_Log4j Vulnerability Exploited in the Wild_20211213.pdf

  • Is there a way to filter based on time stamp?

    It would be good to run again after remediation to see whether there are further identifications.

  • We have been running this query but the results are a little confusing. It seems to pick up anything with 'Log4j' and so we are assuming we see browsing history, patch downloads, etc. Is this more than a keyword search? If we see results should we assume that Log4J is running and not just a detection on a keyword?

    Here's an example from a workstation: 

    chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --single-argument us-cert.cisa.gov/.../cisa-creates-webpage-apache-log4j-vulnerability-cve-2021-44228C:\Program Files (x86)\Google\Chrome\Application\chrome.exerunning_processes_windows_sophos19744:13283979647775536519744

    chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --single-argument www.dell.com/.../additional-information-for-apache-log4j-remote-code-execution-vulnerability-cve-2021-44228C:\Program Files (x86)\Google\Chrome\Application\chrome.exerunning_processes_windows_sophos19952:13284057944155856019952