Log4j Evaluations with ASGARD

by Dec 17, 2021

We’ve created two ASGARD playbooks that can help you find Log4j libraries affected by CVE-2021-44228 (log4shell) and CVE-2021-45046 in your environment. 

Both playbooks can be found in our public Github repository

We’ve created a playbook named “log4j-analysis” that helps you find instances that use versions of “log4j”. An additional evaluation script can be used to process the ASGARD playbook results and distinguish between affected and unaffected versions. 

Another playbook named “log4shell-detector” allows you to run a script provided by our head of research on all Linux systems to detect exploitation attempts in log files.

The results of the evaluation script that processes the results of the “log4j-analysis” playbook look like this. 

New Lab License Feature: Audit Trail

We’re pleased to introduce a new feature for our lab license holders, with more exciting updates on the horizon. The feature, called “Audit Trail,” can be activated during a scan using the --audit-trail flag. This generates a comprehensive log file in JSON format, capturing detailed output for each module and documenting every element that THOR interacts with during a scan.

The Audit Trail feature is currently available in TechPreview version 10.7. The output format isn’t finalized yet, as it will be refined for THOR v11, but this early version allows you to explore the kinds of elements it includes. The audit trail is ideal for forensic analysts conducting manual investigations, providing a detailed record of the scan process.

We’re also developing tools to further enhance the audit trail’s utility. These tools will help transform the data for use with your preferred timeline tools and enable correlations within its contents. For example, you can analyze whether a file was created within a relevant time frame, executed shortly after, and is still running as a process.

If you have questions about these features or want to report any issues, please join our community Discord server.

About the author:

Florian Roth

Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.

Newsletter

New blog posts
(~1 email/month)

GDPR Cookie Consent with Real Cookie Banner