Detecting Log4Shell with Wazuh On Windows


Carlos los

Dec 30, 2021, 5:40:40 AM
to Wazuh mailing list
Hi,

Like in this blog Detecting Log4Shell with Wazuh the given YAML file checks in Linux OS only.

Is there any SCA scan to check in Windows Agents too?

Thanks,
Carlos.

Alexander Bohorquez

Dec 30, 2021, 6:07:05 PM
to Wazuh mailing list
Hello Carlos,

Thank you for using Wazuh!

It is recommended to use wodles for Windows because the SCA policy is prone to timeout on Windows due to the longer time duration it takes to scan the folders that log4j might exist in.

The configuration is as follows:

Share the wodle configuration with the agents by adding the following to /var/ossec/etc/shared/default/agent.conf

Or even better if you have a group for Windows systems, apply this setting to that group:

<wodle name="command">
  <disabled>no</disabled>
  <tag>log-4j</tag>
  <!-- Find every *log4j*.jar under C:\, stream each jar through tar and print the
       Implementation-Version line from its manifest. Single quotes are used inside the
       PowerShell string so they do not collide with the outer -command quotes, and a
       foreach loop replaces the index loop, which ran one step past the end of the array. -->
  <command>powershell -command "$G = Get-ChildItem -Path 'C:\' -ErrorAction Ignore -Recurse -Filter '*log4j*.jar' | Select-Object -ExpandProperty FullName; IF ($G -ne $null) {FOREACH ($jar IN $G) {tar -O -xf $jar | Select-String -Pattern 'Implementation-Version:'}}"</command>
  <interval>24h</interval>
  <ignore_output>no</ignore_output>
  <run_on_start>yes</run_on_start>
  <timeout>0</timeout>
</wodle>


Note:

When setting commands in a shared agent configuration, you must enable remote commands for Agent Modules.

This is enabled by adding the following line to the file etc/local_internal_options.conf in the agent:


wazuh_command.remote_commands=1

Then, create the rule in /var/ossec/etc/rules/local_rules.xml to detect when the wodle has a match:

<rule id="100002" level="7">
  <location>command_log-4j</location>
  <description>Log4J detected.</description>
</rule>

<!-- Dots are escaped so the pattern matches the literal version prefixes (" 2.10." ... " 2.15.")
     printed by the wodle's Implementation-Version line. -->
<rule id="100003" level="12">
  <if_sid>100002</if_sid>
  <regex type="pcre2"> 2\.10\.| 2\.11\.| 2\.12\.| 2\.13\.| 2\.14\.| 2\.15\.</regex>
  <description>Vulnerable Log4J version detected.</description>
</rule>


However, you can still use the SCA policy by specifying the specific folders that you expect Java libraries to be saved in. Replace the value of the -Path variable in the rule with any other path you think is relevant. Or you can add another rule line and specify other folders you want to scan.

Some folders you might want to scan are C:\Program Files\Java\ and C:\Program Files (x86)\Java\

policy:
  id: "log4j_check"
  file: "log4j_check.yml"
  name: "Log4j dependency check"
  description: "This document provides prescriptive guidance for identifying Log4j RCE vulnerability"
  references:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
    - https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
requirements:
  title: "Check if Java is present on the machine"
  description: "Requirements for running the SCA scan against machines with Java on them."
  condition: any
  rules:
    - 'r:HKLM\SOFTWARE\Javasoft'
    - 'd:C:\Program Files (x86)\Java'
    - 'd:C:\Program Files\Java'
checks:
  - id: 10000
    title: "Ensure Log4j is not on the system or under 2.16"
    description: "The Log4j library is vulnerable to RCE on versions between 2.10 and 2.15. (TEST1)"
    remediation: "Update the log4j library to version 2.16 or set log4j2.formatMsgNoLookups to true if possible."
    condition: none
    rules:
      # Doubled single quotes ('') are YAML escapes inside a single-quoted scalar; PowerShell sees
      # plain single quotes. The foreach loop avoids the off-by-one of indexing up to $array.count,
      # and the dots in the version regex are escaped so they match literally.
      - 'c:powershell -command "$G = Get-ChildItem -Path ''C:\'' -ErrorAction Ignore -Recurse -Filter ''*log4j*.jar'' | Select-Object -ExpandProperty FullName; IF ($G -ne $null) {FOREACH ($jar IN $G) {tar -O -xf $jar | Select-String -Pattern ''Implementation-Version:''}}" -> r: 2\.10\.| 2\.11\.| 2\.12\.| 2\.13\.| 2\.14\.| 2\.15\.'

  - id: 10001
    title: "Ensure Java is not running or is properly configured"
    description: "The Log4j library is vulnerable to RCE on versions between 2.10 and 2.15."
    remediation: "Update the log4j library to version 2.16 or set log4j2.formatMsgNoLookups to true if possible."
    condition: any
    rules:
      - 'c:tasklist -> r:java'
Reference:


I hope this helps. Please let us know if you have any questions!
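The wodle and SCA one-liners above pipe every jar through tar and grep the output, which extracts the whole archive to stdout for each match. The following script is an added example, not code from the thread or from Wazuh: it does the same inventory (find *log4j*.jar, read Implementation-Version from the manifest) but opens only META-INF/MANIFEST.MF out of each jar with .NET's ZipArchive, parses the version, and emits one JSON object per jar so a Wazuh rule can key on a field instead of a regex over raw tar output. The function names, the default scan roots (the two Java folders mentioned above), the "2.x below 2.16 is affected" cut-off (taken from the remediation text in the SCA policy, and broader than the 2.10-2.15 regex) and the JSON field names are all assumptions of this example.

```powershell
# Added example (not from the thread or from Wazuh). Assumptions: scan roots,
# the <2.16 cut-off and the output field names are choices made here.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-JarManifestVersion {
    # Returns the Implementation-Version value from a jar's manifest, $null if absent,
    # or an "unreadable: ..." string if the archive cannot be opened.
    param([Parameter(Mandatory)][string]$JarPath)
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($JarPath)
        try {
            $entry = $zip.GetEntry('META-INF/MANIFEST.MF')
            if ($null -eq $entry) { return $null }
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try {
                while ($null -ne ($line = $reader.ReadLine())) {
                    if ($line -match '^Implementation-Version:\s*(\S+)') { return $Matches[1] }
                }
            } finally { $reader.Dispose() }
        } finally { $zip.Dispose() }
    } catch {
        # Corrupt or locked jar: surface it in the inventory rather than silently skipping it.
        return "unreadable: $($_.Exception.Message)"
    }
    return $null
}

function Test-Log4jVersionVulnerable {
    # Treats any Log4j 2.x release below 2.16 as affected (assumption matching the
    # remediation text above). Unparsable or missing versions are reported as not flagged,
    # but the raw version string still appears in the output for a human to check.
    param([string]$Version)
    if ($Version -notmatch '^(\d+)\.(\d+)') { return $false }
    $major = [int]$Matches[1]
    $minor = [int]$Matches[2]
    return ($major -eq 2 -and $minor -lt 16)
}

function Find-Log4jJars {
    # Walks the given roots (assumed defaults: the two Java folders named in the thread)
    # and returns one object per *log4j*.jar found.
    param([string[]]$Roots = @('C:\Program Files\Java', 'C:\Program Files (x86)\Java'))
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*log4j*.jar' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $ver = Get-JarManifestVersion -JarPath $_.FullName
                [pscustomobject]@{
                    path       = $_.FullName
                    version    = $ver
                    vulnerable = (Test-Log4jVersionVulnerable -Version $ver)
                }
            }
    }
}

# One compact JSON line per jar, e.g. {"path":"C:\\...\\log4j-core-2.14.1.jar","version":"2.14.1","vulnerable":true}
Find-Log4jJars | ForEach-Object { $_ | ConvertTo-Json -Compress }
```

To run it from the command wodle instead of the inline one-liner, save it as a .ps1 on the agents and point `<command>` at `powershell -ExecutionPolicy Bypass -File <path>` (the path is yours to choose). Because each output line is a JSON object, a rule can then match on the decoded `vulnerable` field rather than on a version regex; that wiring is an assumption of this example, not something shown in the thread.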
