Java Hunting

-
Have you ever meet anyone with Java installed across their systems and a clean vulnerability scan? Me neither. I recently set off on a journey to cleanse Java from my environment. The biggest challenge so far has been how to find out who actually uses something that relies on Java. 

I have used the System Center Dudes Java Inventory and Metering report for ages, but I wanted to get more data to confirm what I was seeing. My good friends/coworkers over on the security team suggested using Microsoft Defender Advanced Hunting to track down usage of Java. It can do that?!

Microsoft Defender Advanced Hunting is based on Kusto Query Language (KQL) so if you're familiar with Config Manager's CMPivot, you should be able to jump right in and be an Advanced Hunting pro. Advanced Hunting allows you to query the entire life of a computer as far back as 30 days. 

For my Java hunting needs, I wrote a query that is looking for anytime the java.exe or javaw.exe process ran. The query shows me the device name, OS, what kicked off the call to Java, and where Java is actually running from.This query and a couple others I made are on my GitHub at https://github.com/rudybankson/DefenderAdvancedHunting.

DeviceProcessEvents | join DeviceInfo on DeviceName | where FileName contains "java.exe" or FileName contains "javaw.exe" | where OSPlatform !contains "server" | summarize count() by DeviceName, OSPlatform, InitiatingProcessFolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, FileName


This query takes about 2.7 seconds to run covering a 7 day period for my fleet of around 20,000 devices. I'm trying to avoid boiling the ocean so I'm taking the results of this list and importing the devices into a Config Manager Device Collection which will be allowed to keep Java for now. If a system isn't in that "keepers" collection for Java, I run a script (from Config Manager either as a package or a Run Script action) that removes Java. 

You can save queries you have made to a "My Queries" folder visible only to you or a "Shared Queries" folder visible to others in your organization. If you want to share a specific query with a coworker, there is a "Share Link" button making it easy to ensure they get the right query. You can change the time from the top right of the query to cover as much as 30 days. Basic info on syntax is available in the Getting Started tab.


I have this query along with two others on my GitHub. One of the others is a summary that shows all instances of Java running but it is for the overall environment and not by individual computer. The other of the others is a query that shows you any process run from either of the main Java install folders in Program Files / Program Files (x86). You could easily adapt these queries to find usage data on nearly any application in your environment. 

Godspeed on your journey to eliminating Java vulnerabilities in your environment! Happy hunting!

Comments

Post a Comment

Popular posts from this blog

CMPivot to check Services and start them (with a little help)

-
Image
Have you ever needed to get a really fast real-time look at if a service is running on a set of servers or workstations? Open CMPivot against a collection, type in your query, and send it. Seconds later you get real-time answers to your query for any online device. Queries for CMPivot run on 42 devices at once, until all devices you're querying have responded.  The last time my organization did server updates, I (and a trusty super awesome coworker) had to verify if a couple of SQL services were running on a small collection of servers. As we were manually checking these one by one, I came up with the idea that it would be incredibly helpful to use CMPivot.  The below query in CMPivot will return all devices where a SERVICE with the name containing SQL is NOT RUNNING and the service's start type is AUTO. In other words, if a service with SQL in the same is supposed to be automatically running and it's not, this query tells us. Service | where Name contains 'sql'
Read more

Run Scripts with Parameters in MEMCM (R.I.P. SCCM)

-
Image
How do you use Parameters in MEMCM's (R.I.P. SCCM) Run Scripts? How do you use Parameters on the Run Scripts  feature? You get three guesses, but the first two don't count. That's right, you create a script with standard PowerShell Parameters and you build it out in MEMCM. In your MEMCM console, navigate to Software Library > Overview > Scripts. If you're not familiar with Run Scripts  in MEMCM, check out my previous Blog articles on it. Click on Create Script . In the Create Script Wizard  that pops up input a Script Name , pick between PowerShell or PowerShell in your Script Language , import or paste in your script with Parameters, and click on Next . My demo script for this article ( scroll alllll the way down, it's at the bottom ) is about an 8 out of 10 on the cool factor, and about a 3 out of 10 on the usefulness factor. Long story short, the script will make a computer talk. There are two Parameters that you can input, one for "what do y
Read more

SCCM CMPivot and Run Scripts

-
Image
What is CMPivot? What are Scripts? Why do I care about either of them? I recently attended MMS 2019 and took a great session from Jason Sandys and Tom Degreef on CMPivot and Run Scripts. They dove deep into the technical aspects of both of these somewhat new "fast channel" features of SCCM. Full disclaimer: I do not know everything and I may occasionally not know as much as you. Test everything you see here on a LAB environment and make sure you fully understand it. If you have any suggestions for improving this post, please feel free to drop a comment and I'll give you some kudos for your edit. Over simplified, CMPivot is a near real-time (not milliseconds, but usually seconds, and definitely no more than a few minutes) way to query information about your systems. You can find out literally anything about any system within your reach. Scripts pairs nicely with CMPivot because it is a real-time way to run scripts against your query results, or just another old col
Read more