Playbook: Internal Host SSH Log4j Investigate

Description

Investigate an internal unix host using SSH. This pushes a bash script to the endpoint and runs it, collecting information specific to the December 2021 log4j vulnerability disclosure. This includes the java version installed on the host, any running java processes, and the results of a scan for the affected JndiLookup.class file or log4j .jar files.

Type: Investigation Date: 2021-12-14 Author: Philip Royer, Splunk ID: 49b2b88c-8e22-48a6-8808-ace1efcb194b

Apps:

Associated Detections

How To Implement

The ssh asset requires sudo access to scan the whole file system.

Explore Playbook

Required fields

Reference

https://github.com/Neo23x0/Fenrir/blob/master/fenrir.sh

source | version: 1