#fleet

Mystery Incorporated
12/11/2021, 4:23 AM
Or will Fleet report any log4j version it sees below 2.15 as vulnerable?
zwass
12/12/2021, 10:19 PM
Osquery doesn't have a way to detect Java libraries, so we won't be able to do so directly.
Gavin
12/13/2021, 12:57 AM
My thought process is that every log4j instance is vulnerable until patched, so I'm planning to do osquery YARA-based scanning, using the following as a starting point to identify any usage in the estate: https://github.com/timb-machine/log4j
zwass
12/13/2021, 1:00 AM
Oh nice, good idea to use yara.
Gavin
12/13/2021, 1:02 AM
May also be a nice blog post 🙂 for fleet.
Juan Alvarez
12/13/2021, 11:54 AM
I would love to see that. I don't know much about YARA, but I would definitely love to learn good uses for it.
Gavin
12/13/2021, 12:49 PM
I consider YARA "strings on steroids"; it's probably not the most efficient use of osquery tables here, as the file table would be quicker for determining the existence of the Java libs, and then YARA to do a strings match.
12:49 PM
However, if you want strings matching, then a bespoke shell-out using an extension would potentially be better.
zwass
12/13/2021, 9:46 PM
@Gavin here's what I came up with based on that:
WITH target_jars AS (
  SELECT DISTINCT path FROM (
    -- Recursive CTE: split every process command line on spaces, one token per row.
    WITH split(word, str) AS (
      SELECT '', cmdline || ' ' FROM processes
      UNION ALL
      SELECT substr(str, 1, instr(str, ' ') - 1),   -- token before the next space
             substr(str, instr(str, ' ') + 1)       -- remainder of the string
      FROM split WHERE str != ''
    )
    -- Keep only command-line tokens that look like .jar paths...
    SELECT word AS path FROM split WHERE word LIKE '%.jar'
    UNION ALL
    -- ...plus any .jar files currently held open by a running process.
    SELECT path FROM process_open_files WHERE path LIKE '%.jar'
  )
)
-- Scan each candidate jar with both rules; report only files with at least one hit.
SELECT path, matches FROM yara
WHERE path IN (SELECT path FROM target_jars)
  AND count > 0
  AND sigrule IN (
'rule log4jJndiLookup {
  meta:
    author = "Tim Brown @timb_machine"
    description = "Hunts for references to Log4J JndiLookup"
  strings:
    $jndilookup = "JndiLookup"
  condition:
    $jndilookup
}',
'rule log4jjavaclass {
  meta:
    author = "Tim Brown @timb_machine"
    description = "Hunts for references to Log4J java in class form"
  strings:
    $javaclass = "org/apache/logging/log4j"
  condition:
    $javaclass
}'
);
9:46 PM
Blog post forthcoming
Gavin
12/13/2021, 9:53 PM
Uptycs already got one out in a similar vein.
9:53 PM
Although how to use Yara with orbit would be a very interesting read
9:54 PM
Or a Yara rule endpoint on fleet webserver
zwass
12/13/2021, 9:56 PM
They have some good queries there. Their Yara rules (https://gist.github.com/ureddy-uptycs/4fdd68e859f022e65e7b7779e247f0d0) seem to be detecting exploitation, not existence of the library.
9:58 PM
Some of the queries don't work though either because they have invalid syntax or reference tables that don't exist in osquery (I guess they are in Uptycs' agent fork?)
Gavin
12/13/2021, 10:07 PM
Very good point, I would like to see vanilla detections. My mitigations/detections ended up breaking out of osquery for quickness, but I am going to look into wrapping the tooling used into an extension instead. Mainly rg, for quickness.
10:13 PM
Also, 🔥 query.
10:16 PM
Ran on 1K hosts, very quick, found all known detections we had today.
zwass
12/13/2021, 11:31 PM
Awesome, glad to hear that!
Mystery Incorporated
12/14/2021, 1:54 AM
Yeah, I don't know anything about YARA, but as good a time as any to learn, I suppose.
SK
12/14/2021, 2:25 PM
Opened this a while ago for Yara endpoint on Fleet, maybe time to revisit it 😉 https://github.com/fleetdm/fleet/issues/1047
Gavin
12/14/2021, 2:39 PM
Will comment on the issue. I have actually given this a whole bunch of thought over the past days about the pros and cons of a public YARA ruleset for your business. We currently have some basic rules deployed via Puppet to localhost and loaded as a config. I imagine this may be a really good feature for orbit, where you can define rules and orbit can pick them up and load them on the fly, for privacy.
SK
12/14/2021, 2:49 PM
What I was thinking was that Fleet would be the repo and osquery gets the YARA rules from there.
Gavin
12/14/2021, 2:53 PM
The Fleet server itself? Hypothetical question: what happens if, as a business, you expose your server to the internet so you can monitor devices off VPN, and you have a whole bunch of proprietary YARA rules? Does osquery support auth to that endpoint? One option is to make the endpoint something like
fleet/secretstring/rule
in the absence of something like mutual TLS or any other auth.
SK
12/14/2021, 3:12 PM
Hey @Gavin, I did not think about proprietary YARA rules, that is a good question. My view was that, for example, through the UI you can import YARA rules and deploy them to the osquery agents.
Juan Alvarez
12/14/2021, 3:57 PM
Nice query. Is there any table that can be used instead of process_open_files to be able to run this query on Windows endpoints? 🙂