#general
John S

01/04/2022, 5:53 PM

sharvil

01/04/2022, 5:55 PM
The query should be WHERE path LIKE instead of filename
John S

01/04/2022, 5:57 PM
Okay, but I want to find the path 😅
5:57 PM
Of all the jar files
5:57 PM
Or log4j specifically

fritz

01/04/2022, 6:34 PM
You cannot recursively crawl the entire disk looking for arbitrary files. You need to have an idea of where items are generally located to use the file table while using LIKE statements, otherwise you will run into incomplete output due to symlink loops, or onerous runtimes due to the difficulty of crawling the whole disk.
6:36 PM
IIRC @zwass has written up a PoC query for locating vulnerable loaded jar files using yara: https://blog.fleetdm.com/detect-log4j-with-osquery-and-fleet-e29c9de18ac9
John S

01/04/2022, 7:52 PM
Ok got it, Thanks @fritz