Uma Reddy ureddy-uptycs
ureddy-uptycs
/ gist:2174030b09f7af340fbe7a777f87b170
Last active
December 17, 2021 23:04
A SQL query that can be run as a realtime query in osquery to yara scan all log files opened by processes running inside a container to detect log4j vulnerability CVE-2021-44228
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| WITH | |
| logs AS ( | |
| SELECT DISTINCT path, system_id, system_type | |
| FROM process_open_files | |
| WHERE system_type = 'docker_container' | |
| AND path LIKE '%.log'), | |
| open AS ( | |
| SELECT d.name, d.image, d.image_id, l.* | |
| FROM docker_containers d, logs l | |
| WHERE d.id = l.system_id) |
ureddy-uptycs
/ gist:d75db6d88122c29469b7fd1395801fe2
Last active
December 17, 2021 23:02
A SQL query that can be run as a realtime query in osquery to yara scan all log files opened by processes running on a host to detect log4j vulnerability CVE-2021-44228
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| WITH | |
| procs AS ( | |
| SELECT pid, name, cmdline | |
| FROM processes | |
| WHERE is_container_process = 0), | |
| logs AS ( | |
| SELECT DISTINCT o.pid, o.path, p.name, p.cmdline | |
| FROM process_open_files o | |
| JOIN procs p USING (pid) | |
| WHERE o.system_type = 'host' |
ureddy-uptycs
/ osquery_yara_rule.sql
Created
December 13, 2021 03:11
A SQL query that can be run as a realtime query in osquery to detect if java processes running on a host have opened log files that contain the yara signature specified in the query. The yara rules are used to detect log4j vulnerability CVE-2021-44228
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SELECT * | |
| FROM yara | |
| WHERE | |
| (path IN (SELECT path FROM process_open_files WHERE pid IN (SELECT pid FROM processes WHERE name = 'java') AND path LIKE '%.log' AND path NOT LIKE '%kafka%') | |
| OR path LIKE '/var/log/%%' ) | |
| AND ( | |
| rule = 'rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft { | |
| meta: | |
| description = "Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228" | |
| author = "Florian Roth" |