Approved

Basic search to find Log4J running on hosts from the DataLake

Basic search which lists processes that include log4j in the cmdline on Windows, Mac and Linux. The query returns a lot of results, but it gives an insight into what's running on the estate. Because it is a plain substring match on the command line, it also returns unrelated processes whose arguments happen to contain "log4j" (for example a document with log4j in its file name).

SELECT
    meta_hostname AS ep_name,
    name,
    cmdline,
    path,
    query_name,
    sophos_pid,
    pid
FROM xdr_data
-- process snapshots from Linux, macOS and Windows endpoints
WHERE query_name IN ('running_processes_linux_events', 'running_processes_osx_events', 'running_processes_windows_sophos')
  -- case-insensitive substring match on the full command line
  AND LOWER(cmdline) LIKE '%log4j%'

Parents
  • Hello Sophos Team,

    I have tried to run the query above and am getting results on workstations. However, I am not sure what to make of these logs. One example is this. What does this mean? Thanks

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\HulKHogan\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\FGRCBDJ1\TLPGREEN_CYIM-21-028.1_UPDATE_Log4j Vulnerability Exploited in the Wild_20211213.pdf

Children
  • User "HulkHogan" opened this PDF "TLPGREEN_CYIM-21-028.1_UPDATE_Log4j Vulnerability Exploited in the Wild_20211213.pdf" with the Microsoft Edge browser (msedge.exe). Since the XDR query looks for literally anything containing the string "log4j", it will also show these instances.
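
Added example (not part of the original post or the Sophos query above): the forum query run against a handful of constructed xdr_data rows, alongside a narrower variant that keeps Java processes and command lines referencing a log4j jar, so that an Edge process that merely opened a PDF named after Log4j drops out. SQLite is used only as a stand-in for the Data Lake; the host names, paths and sophos_pid values are invented, and the extra filter (Java process names plus a `%log4j-%.jar%` pattern) is an assumption about what a "real" Log4j hit looks like, not a Sophos-supplied rule.

```python
import sqlite3

# Constructed sample rows standing in for the Sophos Data Lake table xdr_data.
# Only the columns the forum query selects are modelled; every value is invented.
SAMPLE_ROWS = [
    # Edge opening a PDF whose file name contains "Log4j" (the false positive from the thread)
    ("WS-01", "msedge.exe",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument '
     r'C:\Users\user\Downloads\Log4j_Advisory.pdf',
     r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "running_processes_windows_sophos", "1:4321", 4321),
    # Windows JVM with log4j-core on its classpath
    ("SRV-APP-01", "java.exe",
     r'"C:\Program Files\Java\jre1.8.0_301\bin\java.exe" -cp app.jar;lib\log4j-core-2.14.1.jar;'
     r'lib\log4j-api-2.14.1.jar com.example.App',
     r"C:\Program Files\Java\jre1.8.0_301\bin\java.exe",
     "running_processes_windows_sophos", "1:812", 812),
    # Linux JVM started with a log4j2 system property (no jar name on the command line)
    ("lnx-web-02", "java",
     "/usr/bin/java -Dlog4j2.formatMsgNoLookups=true -jar /opt/app/service.jar",
     "/usr/bin/java", "running_processes_linux_events", "2:9001", 9001),
    # macOS process with nothing to do with log4j
    ("mac-dev-03", "Finder",
     "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder",
     "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder",
     "running_processes_osx_events", "3:301", 301),
]

# The forum query, unchanged.
BROAD_QUERY = """
SELECT meta_hostname AS ep_name, name, cmdline, path, query_name, sophos_pid, pid
FROM xdr_data
WHERE query_name IN ('running_processes_linux_events', 'running_processes_osx_events', 'running_processes_windows_sophos')
  AND LOWER(cmdline) LIKE '%log4j%'
"""

# Narrower variant (assumption, not a Sophos rule): keep the hit only when the
# process is a JVM or the command line names a log4j jar. This drops document
# viewers, browsers and mail clients that merely received a "log4j" file name.
NARROW_QUERY = BROAD_QUERY + """
  AND (
        LOWER(name) IN ('java', 'java.exe', 'javaw.exe')
     OR LOWER(cmdline) LIKE '%log4j-%.jar%'
  )
"""


def load_sample_db() -> sqlite3.Connection:
    """Create an in-memory xdr_data table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE xdr_data ("
        "meta_hostname TEXT, name TEXT, cmdline TEXT, path TEXT, "
        "query_name TEXT, sophos_pid TEXT, pid INTEGER)"
    )
    conn.executemany("INSERT INTO xdr_data VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def run_query(sql: str) -> list:
    """Run a query against the sample table and return sorted (ep_name, name) pairs."""
    conn = load_sample_db()
    try:
        rows = conn.execute(sql).fetchall()
    finally:
        conn.close()
    return sorted((ep_name, name) for ep_name, name, *_ in rows)


if __name__ == "__main__":
    for label, sql in (("broad", BROAD_QUERY), ("narrow", NARROW_QUERY)):
        print(label)
        for ep_name, name in run_query(sql):
            print(f"  {ep_name:<12} {name}")
```

The broad query returns the Edge process together with the two JVMs; the narrow one returns only the JVMs. The narrow filter is a starting point, not a complete inventory: a JVM that loads log4j from a directory on its classpath, or an application server whose launcher is not named java, will only be caught by the first condition or not at all, so treat the result as a triage aid and confirm on the host.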