Internal Host SSH Log4j Investigate

Description

Investigate an internal unix host using SSH. This pushes a bash script to the endpoint and runs it, collecting information specific to the December 2021 log4j vulnerability disclosure. This includes the java version installed on the host, any running java processes, and the results of a scan for the affected JndiLookup.class file or log4j .jar files.

Type: Investigation
Product: Splunk SOAR
Apps: SSH
Last Updated: 2021-12-14
Author: Philip Royer, Splunk
ID: 49b2b88c-8e22-48a6-8808-ace1efcb194b
Use-cases:

Associated Detections

How To Implement

The ssh asset requires sudo access to scan the whole file system.

Explore Playbook

Required field

Reference

https://github.com/Neo23x0/Fenrir/blob/master/fenrir.sh

source | version: 1

Twitter Facebook LinkedIn

Internal Host SSH Log4j Investigate

Description

Associated Detections

How To Implement

Explore Playbook

Required field

Reference

You May Also Enjoy

O365 New Forwarding Mailflow Rule Created

Okta Successful Single Factor Authentication

Windows Unsigned MS DLL Side-Loading

Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path