Approved

Basic search to find Log4J running on hosts from the DataLake

Basic search which lists processes whose cmdline contains log4j on Windows, Mac and Linux. Because it is a plain substring match on the command line, the query returns many results, but it gives a useful first view of what is running across the estate.

SELECT
    meta_hostname AS ep_name,
    name,
    cmdline,
    path,
    query_name,
    sophos_pid,
    pid
FROM xdr_data
WHERE query_name IN ('running_processes_linux_events', 'running_processes_osx_events', 'running_processes_windows_sophos')
  AND LOWER(cmdline) LIKE '%log4j%'

Comment
  • We have been running this query but the results are a little confusing. It seems to pick up anything with 'Log4j', and so we are assuming we see browsing history, patch downloads, etc. Is this more than a keyword search? If we see results, should we assume that Log4J is running and not just a detection on a keyword?

    Here's an example from a workstation (columns: name | cmdline | path | query_name | sophos_pid | pid):

    chrome.exe | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --single-argument us-cert.cisa.gov/.../cisa-creates-webpage-apache-log4j-vulnerability-cve-2021-44228 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | running_processes_windows_sophos | 19744:132839796477755365 | 19744

    chrome.exe | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --single-argument www.dell.com/.../additional-information-for-apache-log4j-remote-code-execution-vulnerability-cve-2021-44228 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | running_processes_windows_sophos | 19952:132840579441558560 | 19952
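The original query is a keyword match on cmdline, which is why browser sessions whose URL happens to contain "log4j" show up alongside real JVM processes. As an added example that is not part of the original post or a Sophos-supplied query, the variant below keeps the same xdr_data columns and query names but drops common browsers and only keeps hits that look like a Java process or an explicit log4j artifact on the command line; the browser list and the name/jar patterns are assumptions to tune for your own estate.

```sql
-- Added example (not from the original post): narrow the log4j keyword
-- search to processes that plausibly have log4j loaded, instead of any
-- command line that merely mentions the word. Table and column names are
-- the ones used by the original query; the browser list and the JVM/jar
-- patterns below are assumptions and should be adjusted locally.
SELECT
    meta_hostname AS ep_name,
    name,
    cmdline,
    path,
    query_name,
    sophos_pid,
    pid
FROM xdr_data
WHERE query_name IN (
        'running_processes_linux_events',
        'running_processes_osx_events',
        'running_processes_windows_sophos'
    )
  AND LOWER(cmdline) LIKE '%log4j%'
  -- Exclude browsers: their command line carries the URL being opened,
  -- which is exactly where the advisory-page hits in the comment came from.
  AND LOWER(name) NOT IN (
        'chrome.exe', 'msedge.exe', 'firefox.exe', 'iexplore.exe',
        'chrome', 'google chrome', 'firefox', 'safari'
    )
  -- Keep only hits that look like a JVM or name a log4j artifact directly.
  AND (
        LOWER(name) IN ('java', 'java.exe', 'javaw.exe')
     OR LOWER(cmdline) LIKE '%log4j-core%'
     OR LOWER(cmdline) LIKE '%log4j%.jar%'
     -- JVMs started with a log4j system property (e.g. -Dlog4j2.formatMsgNoLookups)
     -- still indicate the library is in use, so keep them for review.
     OR LOWER(cmdline) LIKE '%-dlog4j%'
  )
ORDER BY ep_name, name
```

Rows that only match because of a URL or a download path drop out; a hit that survives this filter still needs the jar version checked on the host before treating it as a vulnerable instance.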