Playbook: Internal Host WinRM Log4j Investigate

Description

Published in response to CVE-2021-44228, this playbook uses WinRM to scan Windows endpoints for the presence of "jndilookup.class" in all .jar files. The presence of that string could indicate a Log4j vulnerability.

Apps

Windows Remote Management

How To Implement

The winrm asset requires Administrator access to scan the whole file system.
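
One way to run the check described above on an endpoint, as an added example (not the playbook's own command): it opens each .jar as a zip archive and reports entries named JndiLookup.class. It goes beyond the description by also looking inside jars nested in other jars; the function names and the depth limit are assumptions.

```powershell
# Added example, not the playbook's own command; function names are hypothetical.
# Assumes PowerShell 3.0+ with .NET 4.5+, run as Administrator on the endpoint.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Search-ZipForJndiLookup {
    param([System.IO.Compression.ZipArchive]$Archive, [string]$Label, [int]$Depth = 0)
    foreach ($entry in $Archive.Entries) {
        # -match is case-insensitive, so this also catches "jndilookup.class".
        if ($entry.FullName -match '(^|[\\/])JndiLookup\.class$') {
            [pscustomobject]@{ Jar = $Label; Entry = $entry.FullName }
        }
        elseif ($Depth -lt 3 -and $entry.FullName -match '\.jar$') {
            # Nested jar (fat jar): buffer it in memory and recurse, up to 3 levels.
            $buffer = New-Object System.IO.MemoryStream
            try {
                $stream = $entry.Open()
                try { $stream.CopyTo($buffer) } finally { $stream.Dispose() }
                $buffer.Position = 0
                $inner = New-Object System.IO.Compression.ZipArchive($buffer)
                try { Search-ZipForJndiLookup $inner "${Label}!$($entry.FullName)" ($Depth + 1) }
                finally { $inner.Dispose() }
            }
            catch { Write-Warning "Unreadable nested jar in ${Label}: $($_.Exception.Message)" }
            finally { $buffer.Dispose() }
        }
    }
}

function Find-JndiLookupJar {
    param([string[]]$Root)
    if (-not $Root) {
        # Default: the root of every local fixed disk.
        $Root = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' |
            ForEach-Object { $_.DeviceID + '\' }
    }
    Get-ChildItem -Path $Root -Filter *.jar -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $path = $_.FullName
            try {
                $zip = [System.IO.Compression.ZipFile]::OpenRead($path)
                try { Search-ZipForJndiLookup $zip $path }
                finally { $zip.Dispose() }
            }
            catch { Write-Warning "Could not read ${path}: $($_.Exception.Message)" }
        }
}

Find-JndiLookupJar | Format-Table -AutoSize
```

Directories the account cannot read are skipped silently, which is why the scan needs Administrator access to cover the whole file system.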

Reference

source | version: 1