j
s
The query should be WHERE path LIKE instead of filename
j
Okay, but I want to find the path 😅
Of all the jar files
Or log4j specifically
f
You cannot recursively crawl the entire disk looking for arbitrary files. You need to have an idea of where items are generally located to use the file table with LIKE statements; otherwise you will run into incomplete output due to symlink loops, or onerous runtimes due to the difficulty of crawling the whole disk.
IIRC @zwass has written up a PoC query for locating vulnerable loaded jar files using yara: https://blog.fleetdm.com/detect-log4j-with-osquery-and-fleet-e29c9de18ac9
j
Ok, got it. Thanks @fritz