Have you ever met anyone with Java installed across their systems and a clean vulnerability scan? Me neither. I recently set off on a journey to cleanse Java from my environment. The biggest challenge so far has been finding out who actually uses something that relies on Java.
I have used the System Center Dudes Java Inventory and Metering report for ages, but I wanted to get more data to confirm what I was seeing. My good friends/coworkers over on the security team suggested using Microsoft Defender Advanced Hunting to track down usage of Java. It can do that?!
Microsoft Defender Advanced Hunting is based on Kusto Query Language (KQL), so if you're familiar with Config Manager's CMPivot (which uses a subset of KQL), you should be able to jump right in and be an Advanced Hunting pro. Advanced Hunting lets you query up to 30 days of raw event history for a device.
For my Java hunting needs, I wrote a query that looks for every time the java.exe or javaw.exe process ran. The query shows me the device name, OS, what kicked off the call to Java, and where Java is actually running from. This query and a couple of others I made are on my GitHub at https://github.com/rudybankson/DefenderAdvancedHunting.
// Every java.exe / javaw.exe launch on workstations, with the parent process that started it.
// DeviceInfo holds many rows per device (one per heartbeat); keep only the newest row so the
// join does not multiply the counts.
let latestDeviceInfo = DeviceInfo
    | summarize arg_max(Timestamp, OSPlatform) by DeviceName;
DeviceProcessEvents
| where FileName in~ ("java.exe", "javaw.exe")
| join kind=inner latestDeviceInfo on DeviceName
| where OSPlatform !contains "server"
| summarize count() by DeviceName, OSPlatform, InitiatingProcessFolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, FileName
This query takes about 2.7 seconds to run covering a 7 day period for my fleet of around 20,000 devices. I'm trying to avoid boiling the ocean, so I'm taking the results of this list and importing the devices into a Config Manager Device Collection which will be allowed to keep Java for now. If a system isn't in that "keepers" collection for Java, I run a script (from Config Manager, either as a package or a Run Script action) that removes Java.
You can save queries you have made to a "My Queries" folder visible only to you or a "Shared Queries" folder visible to others in your organization. If you want to share a specific query with a coworker, there is a "Share Link" button making it easy to ensure they get the right query. You can change the time range from the top right of the query to cover as much as 30 days. Anything that launches Java less often than that (a quarterly reporting tool, for example) will not show up in a single run, so query more than once over a few months before treating a device as a non-user. Basic info on syntax is available in the Getting Started tab.
I have this query along with two others on my GitHub. The first is a summary that shows all instances of Java running across the whole environment rather than per computer. The second shows you any process run from either of the main Java install folders under Program Files or Program Files (x86), which catches Java-based tools that don't launch through java.exe itself. You could easily adapt these queries to find usage data on nearly any application in your environment.
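The install-folder idea described above, written out as an added example; this is my own illustration of the approach and not the query from the author's GitHub repository. It assumes the default install roots C:\Program Files\Java\ and C:\Program Files (x86)\Java\ and a 7 day lookback, and it pulls the JavaHome folder (the versioned install directory) out of the path so you can see which Java build each device is actually running:

```kql
// Added example: any process launched from a Java install folder on workstations,
// grouped by device and by the versioned install directory it ran from.
let lookback = 7d;
// DeviceInfo has many rows per device; keep the newest so the join does not inflate counts.
let latestDeviceInfo = DeviceInfo
    | where Timestamp > ago(lookback)
    | summarize arg_max(Timestamp, OSPlatform) by DeviceId;
DeviceProcessEvents
| where Timestamp > ago(lookback)
// Assumed default install roots; adjust if your packaging installs Java elsewhere.
| where FolderPath startswith @"C:\Program Files\Java\"
    or FolderPath startswith @"C:\Program Files (x86)\Java\"
// Capture the versioned install directory, e.g. C:\Program Files\Java\jre1.8.0_301
| extend JavaHome = extract(@"^(C:\\Program Files( \(x86\))?\\Java\\[^\\]+)", 1, FolderPath)
| join kind=inner latestDeviceInfo on DeviceId
| where OSPlatform !contains "server"
| summarize Launches = count(), LastSeen = max(Timestamp)
    by DeviceName, OSPlatform, JavaHome, FileName, InitiatingProcessFileName
| order by LastSeen desc
```

The JavaHome column is what makes this useful for cleanup: a device still launching from an old jre1.8.0_xx directory is a vulnerability-scan finding waiting to happen even if a newer Java is also installed, and InitiatingProcessFileName tells you which application to talk to the owner about before you remove it.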
Godspeed on your journey to eliminating Java vulnerabilities in your environment! Happy hunting!