-- Log4j artifact hunt (osquery / SQLite dialect).
-- Step 1: collect every *.jar path a running process refers to, either as a
--         space-delimited token of its command line or as an open file handle.
-- Step 2: YARA-scan exactly those paths for two Log4j indicator strings and
--         return the jars that matched at least once.
-- Reading the results:
--   * The tokenizer splits on single spaces, so a jar path that itself
--     contains a space is truncated and never reaches the scan.
--   * Both rules are bare string matches ("JndiLookup",
--     "org/apache/logging/log4j"); a hit says the jar embeds or references
--     Log4j code, not which version. Treat a match as a triage lead.
--   * `path IN (SELECT ...)` is kept on purpose: osquery's yara table is
--     normally driven by a path constraint it can see, and a join or
--     EXISTS would presumably not supply one -- confirm before rewriting.
WITH RECURSIVE
-- Peel one space-delimited token off `str` per recursion step. A trailing
-- space is appended so the last token is emitted too; the walk stops once
-- the remainder is '' (or NULL, when cmdline itself is NULL).
cmdline_tokens(word, str) AS (
    SELECT '', cmdline || ' ' FROM processes
    UNION ALL
    SELECT
        substr(str, 0, instr(str, ' ')),
        substr(str, instr(str, ' ') + 1)
    FROM cmdline_tokens
    WHERE str != ''
),
-- Command-line tokens that end in .jar (the seed row's '' never matches).
cmdline_jars AS (
    SELECT word AS path
    FROM cmdline_tokens
    WHERE word LIKE '%.jar'
),
-- Jars currently held open by any process, however it was launched.
open_jars AS (
    SELECT path
    FROM process_open_files
    WHERE path LIKE '%.jar'
),
-- UNION (not UNION ALL) deduplicates, so each jar is scanned once.
target_jars AS (
    SELECT path FROM cmdline_jars
    UNION
    SELECT path FROM open_jars
)
SELECT
    path,
    matches
FROM yara
WHERE path IN (SELECT path FROM target_jars)
  AND count > 0
  AND sigrule IN (
'rule log4jJndiLookup {
meta:
author = "Tim Brown @timb_machine"
description = "Hunts for references to Log4J JndiLookup"
strings:
$jndilookup = "JndiLookup"
condition:
$jndilookup
}',
'rule log4jjavaclass {
meta:
author = "Tim Brown @timb_machine"
description = "Hunts for references to Log4J java in class form"
strings:
$javaclass = "org/apache/logging/log4j"
condition:
$javaclass
}'
  );
12/14/2021, 2:53 PMfleet/secretstring/rule
in the absence of something like mutual TLS or any other auth.SK
12/14/2021, 3:12 PMJuan Alvarez
12/14/2021, 3:57 PMprocess_open_files
to be able to run this query on Windows endpoints? 🙂