← Back to Explore
jamf_protectinformationalTTP
Known Vulnerable Log4j Jar Installation
This detection functions by monitoring for .jar files created on the host system that are known to be vulnerable to log4shell-related attacks.
Detection Query
$event.type == 0 AND $event.path.pathExtension ==[cd] "jar" AND $event.path MATCHES ".*(apache-)?log4j-(\\d+(\\.|-)){1,3}((rc|beta)\\d+-)?(bin|alpha\\d+(-bin)?)/log4j-core-(?!2\\.3\\.[1-9]|2\\.17\\.[0-9]|2\\.12\\.[3-9])(\\d+(\\.|-)?){1,3}((alpha|beta|rc)\\d+)?\.jar"Author
Jamf
Data Sources
File System EventsmacOS Endpoint Security
Platforms
macos
Tags
System Visibility
Raw Content
---
name: KnownVulnerableLog4jJarInstallation
uuid: 73647f5a-d508-4315-96fd-72798b3f82ea
longDescription: This detection functions by monitoring for .jar files created on the host system that are known to be vulnerable to log4shell-related attacks.
level: 0
inputType: GPFSEvent
tags:
snapshotFiles: []
filter: $event.type == 0 AND
$event.path.pathExtension ==[cd] "jar" AND
$event.path MATCHES ".*(apache-)?log4j-(\\d+(\\.|-)){1,3}((rc|beta)\\d+-)?(bin|alpha\\d+(-bin)?)/log4j-core-(?!2\\.3\\.[1-9]|2\\.17\\.[0-9]|2\\.12\\.[3-9])(\\d+(\\.|-)?){1,3}((alpha|beta|rc)\\d+)?\.jar"
actions:
- name: Log
context: []
categories:
- System Visibility
version: 1
severity: Informational
shortDescription: A .jar file has been created on the system.
label: Known Vulnerable Log4j Jar Installation
remediation: Review and cleanup the created .jar file.
MitreCategories: null