Uses the Log4Shell scanner of Lunasec to scan the file systems of all drives of the host for any sign of vulnerabilities related to Log4shell
name: Generic.Detection.LunasecLog4shell
author: "Marinus Boekelo & Noël Keijzer - Northwave CERT"
description: |
Uses the Log4Shell scanner of Lunasec to scan the file systems of
all drives of the host for any sign of vulnerabilities related to
Log4shell
tools:
- name: log4shell_linux_amd64
github_project: lunasec-io/lunasec
github_asset_regex: Linux_x86_64
serve_locally: true
- name: log4shell_linux_x86
github_project: lunasec-io/lunasec
github_asset_regex: Linux_i386
serve_locally: true
- name: log4shell_windows_amd64
github_project: lunasec-io/lunasec
github_asset_regex: Windows_x86_64
serve_locally: true
- name: log4shell_windows_x86
github_project: lunasec-io/lunasec
github_asset_regex: Windows_i386
serve_locally: true
reference:
- https://github.com/lunasec-io/lunasec/releases/
precondition: SELECT OS From info() where OS = "windows" or OS = "linux"
required_permissions:
- EXECVE
parameters:
- name: ToolInfo
description: Override Tool information.
sources:
- query: |
LET os_info <= SELECT Architecture, OS FROM info()
// Get the path to the binary.
LET bin <= SELECT * FROM Artifact.Generic.Utils.FetchBinary(
ToolName= "log4shell_" + os_info[0].OS + "_" + os_info[0].Architecture,
ToolInfo=ToolInfo)
// Select the Disks to scan
LET disks = if(condition=(os_info[0].OS="windows"),
then= {
SELECT Mountpoint + "\\\\" as Mountpoint
FROM filesystems()
},
else={
SELECT "/" as Mountpoint
FROM scope()
})
// Scan every disk
LET results = SELECT * FROM foreach(row=disks,
query={
SELECT parse_json(data=Stdout) AS record
FROM execve(argv=[bin[0].FullPath,"scan","--json",Mountpoint], sep="\n")
WHERE Stdout
})
// output rows
SELECT * FROM foreach(row= results,
query={ SELECT * FROM record })