Uma Reddy ureddy-uptycs

## gist:2174030b09f7af340fbe7a777f87b170
WITH
logs AS (
  SELECT DISTINCT path, system_id, system_type
  FROM process_open_files
  WHERE system_type = 'docker_container'
        AND path LIKE '%.log'),
open AS (
  SELECT d.name, d.image, d.image_id, l.*
  FROM docker_containers d, logs l
  WHERE d.id = l.system_id)

## gist:d75db6d88122c29469b7fd1395801fe2
WITH
procs AS (
  SELECT pid, name, cmdline
  FROM processes
  WHERE is_container_process = 0),
logs AS (
  SELECT DISTINCT o.pid, o.path, p.name, p.cmdline
  FROM process_open_files o
  JOIN procs p USING (pid)
  WHERE o.system_type = 'host'

## osquery_yara_rule.sql
SELECT *
FROM yara
WHERE
(path IN (SELECT path FROM process_open_files WHERE pid IN (SELECT pid FROM processes WHERE name = 'java') AND path LIKE '%.log' AND path NOT LIKE '%kafka%')
  OR path LIKE '/var/log/%%' )
AND (
rule = 'rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft {
   meta:
      description = "Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228"
      author = "Florian Roth"
	WITH
	logs AS (
	SELECT DISTINCT path, system_id, system_type
	FROM process_open_files
	WHERE system_type = 'docker_container'
	AND path LIKE '%.log'),
	open AS (
	SELECT d.name, d.image, d.image_id, l.*
	FROM docker_containers d, logs l
	WHERE d.id = l.system_id)
	WITH
	procs AS (
	SELECT pid, name, cmdline
	FROM processes
	WHERE is_container_process = 0),
	logs AS (
	SELECT DISTINCT o.pid, o.path, p.name, p.cmdline
	FROM process_open_files o
	JOIN procs p USING (pid)
	WHERE o.system_type = 'host'
	SELECT *
	FROM yara
	WHERE
	(path IN (SELECT path FROM process_open_files WHERE pid IN (SELECT pid FROM processes WHERE name = 'java') AND path LIKE '%.log' AND path NOT LIKE '%kafka%')
	OR path LIKE '/var/log/%%' )
	AND (
	rule = 'rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft {
	meta:
	description = "Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228"
	author = "Florian Roth"