EXPLORE
← Back to Explore
jamf_protectinformationalTTP

Known Vulnerable Log4j Jar Installation

This detection functions by monitoring for .jar files created on the host system that are known to be vulnerable to log4shell-related attacks.

Detection Query

$event.type == 0 AND $event.path.pathExtension ==[cd] "jar" AND $event.path MATCHES ".*(apache-)?log4j-(\\d+(\\.|-)){1,3}((rc|beta)\\d+-)?(bin|alpha\\d+(-bin)?)/log4j-core-(?!2\\.3\\.[1-9]|2\\.17\\.[0-9]|2\\.12\\.[3-9])(\\d+(\\.|-)?){1,3}((alpha|beta|rc)\\d+)?\.jar"

Author

Jamf

Data Sources

File System EventsmacOS Endpoint Security

Platforms

macos

Tags

System Visibility
Raw Content
---
name: KnownVulnerableLog4jJarInstallation
uuid: 73647f5a-d508-4315-96fd-72798b3f82ea
longDescription: This detection functions by monitoring for .jar files created on the host system that are known to be vulnerable to log4shell-related attacks.
level: 0
inputType: GPFSEvent
tags:
snapshotFiles: []
filter: $event.type == 0 AND
  $event.path.pathExtension ==[cd] "jar" AND
  $event.path MATCHES ".*(apache-)?log4j-(\\d+(\\.|-)){1,3}((rc|beta)\\d+-)?(bin|alpha\\d+(-bin)?)/log4j-core-(?!2\\.3\\.[1-9]|2\\.17\\.[0-9]|2\\.12\\.[3-9])(\\d+(\\.|-)?){1,3}((alpha|beta|rc)\\d+)?\.jar"
actions:
  - name: Log
context: []
categories:
  - System Visibility
version: 1
severity: Informational
shortDescription: A .jar file has been created on the system.
label: Known Vulnerable Log4j Jar Installation
remediation: Review and cleanup the created .jar file.
MitreCategories: null