Playbook: Internal Host WinRM Log4j Investigate

Description

Published in response to CVE-2021-44228, this playbook uses WinRM to scan Windows endpoints for the string "jndilookup.class" in all .jar files. The presence of that string could indicate a Log4j vulnerability.

How To Implement

The winrm asset requires Administrator access to scan the whole file system.
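The following PowerShell sketch shows the kind of scan described above. It is an added example, not the playbook's own script: the function names, the fixed-drive scope, and the nesting limit of 3 are assumptions. It goes beyond a plain string match by opening each archive and also looking inside nested .jar/.war/.ear entries, where a compressed inner archive would hide the class name from a string search.

```powershell
# Added example, not the playbook's own script. Function names are hypothetical.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-ArchiveForJndiLookup {
    param([System.IO.Compression.ZipArchive]$Archive, [string]$Label, [int]$Depth = 0)
    foreach ($entry in $Archive.Entries) {
        if ($entry.FullName -match '(^|/)JndiLookup\.class$') {
            # -match is case-insensitive, so "jndilookup.class" also matches.
            [pscustomobject]@{ Jar = $Label; Entry = $entry.FullName }
        }
        elseif ($Depth -lt 3 -and $entry.FullName -match '\.(jar|war|ear)$') {
            # Nested archive (fat jar). ZipArchive needs a seekable stream,
            # so copy the entry into memory first. Depth limit 3 is an assumption.
            $buffer = New-Object System.IO.MemoryStream
            try {
                $stream = $entry.Open()
                try { $stream.CopyTo($buffer) } finally { $stream.Dispose() }
                $buffer.Position = 0
                $inner = New-Object System.IO.Compression.ZipArchive($buffer)
                Test-ArchiveForJndiLookup -Archive $inner -Label "${Label}!$($entry.FullName)" -Depth ($Depth + 1)
            } catch {
                Write-Warning "Skipped nested archive $($entry.FullName) in ${Label}"
            } finally { $buffer.Dispose() }
        }
    }
}

function Find-JndiLookupJar {
    # Default scope: every fixed local drive (assumption; pass -Root to narrow it).
    param([string[]]$Root = ([System.IO.DriveInfo]::GetDrives() |
            Where-Object { $_.DriveType -eq 'Fixed' } | ForEach-Object { $_.Name }))
    Get-ChildItem -Path $Root -Recurse -File -Force -Filter *.jar -ErrorAction SilentlyContinue |
        ForEach-Object {
            $path = $_.FullName
            try {
                $zip = [System.IO.Compression.ZipFile]::OpenRead($path)
                try { Test-ArchiveForJndiLookup -Archive $zip -Label $path }
                finally { $zip.Dispose() }
            } catch {
                Write-Warning "Could not read ${path}: $($_.Exception.Message)"
            }
        }
}

Find-JndiLookupJar | Format-Table -AutoSize
```

Directories the session cannot read are skipped silently, so results from a non-Administrator session may be incomplete.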

Version: 1