https://github.com/osquery/osquery logo
Powered by
#general
Title
# general
j

John S

01/04/2022, 5:53 PM
s

sharvil

01/04/2022, 5:55 PM
The query should be 
WHERE path LIKE
instead of 
filename
j

John S

01/04/2022, 5:57 PM
Okay, but i want to find the path 😅
Of all the jar files
Or log4j specifically
f

fritz

01/04/2022, 6:34 PM
You cannot recursively crawl the entire disk looking for arbitrary files. You need to have an idea of where items are generally located to use the 
file
table while using LIKE statements otherwise you will run into incomplete output due to symlink loops, or onerous runtimes due to the difficulty of crawling the whole disk.
👍 2
IIRC @zwass has written up a PoC query for locating vulnerable loaded jar files using yara: https://blog.fleetdm.com/detect-log4j-with-osquery-and-fleet-e29c9de18ac9
👍 1
j

John S

01/04/2022, 7:52 PM
Ok got it, Thanks @fritz
6 Views
Powered by