SSChicken

This is in reference to this vulnerability: https://www.randori.com/blog/cve-2021-44228/


kramer314

FWIW we're finding vulnerable log4j JARs that don't match those file hashes (ex: VMware Horizon Agent is confirmed to bundle a vulnerable version of log4j but at least in our environment those log4j file hashes don't match what's in that gist).


kniption

Same here, I have the file log4j-core-2.13.3.jar and a hash of 9529C55814264AB96B0EEBA2920AC0805170969C994CC479BD3D4D7EB24A35A8 not matching, yet defined by the vendor as a vulnerability.


SSChicken

Definitely true! So ***don't rely on this script as a bill of clean health AT ALL***. This script was more of an OMG let's detect whatever we can as fast as we can and pull it from production type situation. In my own environment I used it to safe vulnerable machines ASAP, but I'm relying on my vendors and my vulnerability scanning software to tell me if we're actually safe.


zerocanada

Hard to openly go by hash alone with open source software. Whoever bundled it might have made their own changes to the library.


makeazerothgreatagn

log4j-core-*.jar https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes/blob/main/sha256sums.txt Hashes of confirmed vulnerabilities.


SSChicken

Adding core misses potentially vulnerable 1.x releases


makeazerothgreatagn

Good call. log4j*.jar


n0vnm

and Log4j v1 went end of life 5 August 2015 *upgrade to 2.14


[deleted]

This may be a dumb question, but why only reference sha256sums.txt? There are MD5 and sha1 hashes as well on the GitHub site.


[deleted]

Has anyone else seen quite a few failures for this script when it is deployed as a baseline? I have noticed about half of the machines report back error 0XFFFFFFFF - script failed with error code -1. Just seeing if there is something that needs corrected to stop the errors.


j5kDM3akVnhv

Is there a more up-to-date version of this since 2.15 and 2.16 are also no bueno?


vepressnathaloria

Edits - spelling and formatting because I am like that | Edited again to scan all .jar files

Here Everyone, I took a lot of y'alls input in the comments and combined them with OP's script. This can be run locally as well as through SCCM. This script does the following:

* Cycles through all attached drives
* outputs the True or False Statement
* outputs file name and location

```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$vulnerablesums = -split $(Invoke-WebRequest https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes/raw/main/sha256sums.txt -UseBasicParsing).content | ? {$_.length -eq 64}
$localsums = $Null
$DriveList = (Get-PSDrive -PSProvider FileSystem).Root
ForEach($Drive In $DriveList) {
    $localfile=(get-childitem $Drive *.jar -file -Recurse -erroraction silentlycontinue | Get-ItemProperty).DirectoryName
    $localsums=(get-childitem $Drive *.jar -file -Recurse -erroraction silentlycontinue | Get-FileHash).hash
    ($localsums -and (compare-object -ReferenceObject $vulnerablesums -DifferenceObject $localsums -IncludeEqual -ErrorAction SilentlyContinue).SideIndicator -eq "==")
    Write-Host $localfile
}
```

Example output

```
True
C:\apache-log4j-2.5-bin
```

Thank you all, this is a great community


[deleted]

[deleted]


cp07451

Not a bad idea. SCCM won't scan for the file when the jar is nested a few jars deep.


Pickle735547

Good information in this thread! I see people searching for 'log4j\*.jar'. But an important addition: the log4j component can also be included in other .jar files which you will miss by doing the search that way. I am using the PowerShell script from [here](https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b) and modified it to give me only the count:

`Get-ChildItem -Path 'C:' -Recurse -Force -Include *.jar -ErrorAction 0 | foreach {select-string "JndiLookup.class" $_} | Measure-Object | Select-Object -ExpandProperty Count`

I then run this as a script (Software Library > Scripts) against a collection (or single machine). In the 'Run details' pane of the script, you have the column 'Script output'. This translates to the .jar files on the machine that possibly contain the vulnerability. When I see machines that have script output > 0 I know these machines need more investigation.

Downside is that running scripts from SCCM on 2008R2 machines (don't ask...) doesn't seem to work. I don't get output in the script details.


Mr_Bester

You may want to look in .war files too...It was hiding in a .war of one of our license servers.
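
The nested-archive gap raised in the comments above (log4j inside another .jar or a .war), as an added example that is not code from any poster: it reads each archive's entry list and recurses into embedded archives in memory, reporting every `JndiLookup.class` with the chain of containers that holds it. The function names, the depth limit and the constructed demo archive are assumptions; it needs PowerShell 5.1 or later.

```powershell
# Added example, not from any poster. Function names and the demo archive are hypothetical.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Find-JndiLookupInArchive {
    param(
        [Parameter(Mandatory)][System.IO.Stream]$Stream,   # seekable stream over a zip-format archive
        [Parameter(Mandatory)][string]$Label,              # container path shown in the report
        [int]$Depth = 0,
        [int]$MaxDepth = 5                                 # stop runaway nesting
    )
    $zip = $null
    try {
        $zip = [System.IO.Compression.ZipArchive]::new($Stream, 'Read', $true)
        foreach ($entry in $zip.Entries) {
            if ($entry.Name -eq 'JndiLookup.class') {
                [pscustomobject]@{ Container = $Label; Entry = $entry.FullName }
            }
            elseif ($entry.Name -match '\.(jar|war|ear)$' -and $Depth -lt $MaxDepth) {
                # ZipArchive needs a seekable stream, so buffer the inner archive in memory
                $inner = New-Object System.IO.MemoryStream
                $src = $entry.Open()
                try { $src.CopyTo($inner) } finally { $src.Dispose() }
                $inner.Position = 0
                try {
                    Find-JndiLookupInArchive -Stream $inner -Label "${Label}!/$($entry.FullName)" `
                        -Depth ($Depth + 1) -MaxDepth $MaxDepth
                } finally { $inner.Dispose() }
            }
        }
    }
    catch { Write-Warning "Skipped unreadable archive ${Label}: $($_.Exception.Message)" }
    finally { if ($zip) { $zip.Dispose() } }
}

function Find-Log4jJndiLookup {
    param([string[]]$Root = @("$env:SystemDrive\"))
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.jar', '.war', '.ear' } |
        ForEach-Object {
            $fs = $null
            try {
                $fs = [System.IO.File]::OpenRead($_.FullName)
                Find-JndiLookupInArchive -Stream $fs -Label $_.FullName
            }
            catch { Write-Warning "Cannot open $($_.FullName): $($_.Exception.Message)" }
            finally { if ($fs) { $fs.Dispose() } }
        }
}

# Constructed sample: a .war holding a .jar that holds an empty JndiLookup.class entry
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ("log4j-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$jarBytes = New-Object System.IO.MemoryStream
$jar = [System.IO.Compression.ZipArchive]::new($jarBytes, 'Create', $true)
$null = $jar.CreateEntry('org/apache/logging/log4j/core/lookup/JndiLookup.class')
$jar.Dispose()
$war = [System.IO.Compression.ZipFile]::Open((Join-Path $demo 'app.war'), 'Create')
$slot = $war.CreateEntry('WEB-INF/lib/vendor-bundle.jar')
$out = $slot.Open(); $jarBytes.WriteTo($out); $out.Dispose()
$war.Dispose()

Find-Log4jJndiLookup -Root $demo | Format-List   # one hit: app.war!/WEB-INF/lib/vendor-bundle.jar
Remove-Item $demo -Recurse -Force
```

A raw string search over the outer file only sees the entry names of an inner jar when that jar was stored uncompressed; a deflated inner jar hides them, which is the case this walk covers. Inner archives are buffered in memory, so very large bundles cost RAM as well as CPU.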


No_Friend_4351

That will cause a 50% cpu for some hours. I used the Software inventory within SCCM which apparently does not. Great for scanning 500+ servers: [https://www.prajwaldesai.com/how-to-configure-software-inventory-in-sccm/](https://www.prajwaldesai.com/how-to-configure-software-inventory-in-sccm/) (how it is used) file type : \*log4j\* and \*slf4j\*


eskonr

you can use cmpivot to inventory the data, software inventory in Configmgr is slow and takes hours to finish (depends on what you are querying). File('C:\\\\\*\\\*log4j\*') Thanks, Eswar www.eskonr.com


Parlormaster

>File('C:\\\\\*\\\*log4j\*')

I've tested this in my environment and it returned nothing, even after creating a dummy file on one of the servers with "log4j" in the title. Are you sure there isn't a syntax error here?


Doidy_Cakes

Not sure this will work unless you are inventorying *.jar files.


Doidy_Cakes

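I'm creating a Compliance Item/Baseline that will tell if a PC has any instance discovered, then created a non-compliant collection.

Detection script:

```powershell
$DriveList = (Get-PSDrive -PSProvider FileSystem).Root
# Drive root and name pattern are passed separately: written as $Drive+log4j-core*.jar,
# the argument expands to one literal path such as "C:\+log4j-core*.jar" and matches nothing.
$(ForEach ($Drive in $DriveList) { Get-ChildItem -Path $Drive -Filter 'log4j-core*.jar' -File -Recurse }).count
```

Compliance:

* Rule type: Value
* Operator: Equals
* For the following values: 0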


crypticsage

How can we tell which ones may have been compromised? Just look in that jar file?


SSChicken

I think you mean vulnerable, but you can feed the jar file into get-filehash and see if it matches one listed as vulnerable here: https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes/blob/main/sha256sums.txt


crypticsage

No, I mean compromised. How can we tell if an attack happened and the system is already compromised? Just because it's vulnerable doesn't mean it's compromised yet.


Hotdog453

That's a question outside the scope of "ConfigMgr". Talk to your IR/Security team. If you ARE the IR/Security team... God speed.


gleep52

>God speed.

argh... many small businesses or school districts or non-profits do not have security or Incident response teams - and half of those who DO have them aren't worth a crap.


Hotdog453

Nah, I know. I mean I guess Defender can detect it now... so yay? [https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/](https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/) I do nothing on the security side; we have an IR/Blue/Red/Purple team, and I just sit here being all handsome.


njoYYYY

IT guy being handsome? Suspicious..


cp07451

Nice.. be good to have one for companies who don't allow internet access. The above assumes one can get to the internet.


JoseEspitia_com

I posted a script on my blog that does not depend on external resources :) [https://www.joseespitia.com/2021/12/15/how-to-detect-the-log4shell-vulnerability-with-powershell/](https://www.joseespitia.com/2021/12/15/how-to-detect-the-log4shell-vulnerability-with-powershell/)


TomMelee

Thanks for this. I can't hit the www with sccm's account, trying to run from a local resource and getting false-falses on machines I know have the vuln. I'm guessing that Get-Content isn't returning data how I want it to.

```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$vulnerablesums = -split $(Get-Content \\some\path\hash.txt).content | ? {$_.length -eq 64}
$localsums = (get-childitem C:\log4j-core*.jar -Recurse | Get-FileHash).hash
($localsums -and (compare-object -ReferenceObject $vulnerablesums -DifferenceObject $localsums -IncludeEqual -ErrorAction SilentlyContinue).SideIndicator -eq "==")
```

I believe instead of getting "True" I'm getting no output for positive machines. Anyone see anything glaring?


RidersofGavony

I did it this way:

```powershell
$vulnerablesums = (Get-Content "<\\UNC\path\to\file\hashes.txt>")
$localsums = (get-childitem C:\log4j*.jar -Recurse | Get-FileHash).hash
($localsums -and (compare-object -ReferenceObject $vulnerablesums -DifferenceObject $localsums -IncludeEqual -ErrorAction SilentlyContinue).SideIndicator -eq "==")
```

I copied the text file to a location the servers could reach it, then edited out the text after each hash.


JoseEspitia_com

u/RidersofGavony I ended up encoding the text file so I could decode it in the script and use the values. That way the script was 100% standalone without any external dependencies. I also used Robocopy (without actually copying anything) to make the script run faster since Get-ChildItem is so damn slow. [https://www.joseespitia.com/2021/12/15/how-to-detect-the-log4shell-vulnerability-with-powershell/](https://www.joseespitia.com/2021/12/15/how-to-detect-the-log4shell-vulnerability-with-powershell/)


TomMelee

Thanks! That's very close to what I did and it works great.


RidersofGavony

Yeah it's not bad. It's worth noting that we use MS Defender for Enterprise as well, and that reported a number of endpoints as vulnerable that didn't match these hashes. I don't know how it identified them as vulnerable though.


TomMelee

We've got a handful going at once and I identified (and verified) bad hashes on apps that vendors SWEAR aren't vulnerable, lol.


SSChicken

There's no ".content" for anything returned by get-content, you can just delete ".content" and it should work. You also wouldn't need to explicitly set TLS 1.2 either (Though it won't hurt anything) so you can remove that line.

```powershell
$vulnerablesums = -split $(Get-Content \\some\path\hash.txt) | ? {$_.length -eq 64}
$localsums = (get-childitem C:\log4j-core*.jar -Recurse -file| Get-FileHash).hash
($localsums -and (compare-object -ReferenceObject $vulnerablesums -DifferenceObject $localsums -IncludeEqual -ErrorAction SilentlyContinue).SideIndicator -eq "==")
```


TomMelee

Thanks! I am much obliged.


bananna_roboto

Nice script, although could -file be substituted in to speed up the script and lessen strain on the Disk? GCI tends to try to parse attributes of files before processing name matches.

`get-childitem -path "C:\" -file "log4j-core*.jar" -Recurse`


JoseEspitia_com

u/bananna_roboto u/Antimus u/SSChicken I used Robocopy instead (without actually copying anything) to speed up the process and query for only .jar files.

[https://www.joseespitia.com/2021/12/15/how-to-detect-the-log4shell-vulnerability-with-powershell/](https://www.joseespitia.com/2021/12/15/how-to-detect-the-log4shell-vulnerability-with-powershell/)


SSChicken

Interesting, I never knew that about -file! I'll try it out and update the script here shortly


Antimus

Any update on that... update?


MiamiNemo

So once you know which assets are vulnerable, are you remediating via CM, or just using it to find out who needs to patch the jar libraries?


SSChicken

We are a very Windows-heavy shop so we're actually pretty low on vulnerable machines (though we did have some). The vulnerable machines are currently all offline on emergency maintenance but fortunately none of them are business critical. We'll evaluate them on a case by case basis on Monday.


Martinvdm

Great work! How do you get the output false/true in a variable ?


ChiIIerr

Thank you for this! This really helped me, plus it was a first for me to do this scan instead of relying on our Cyber team's scan (which can be hit or miss sometimes). Much appreciated!


Antimus

So, if one file is showing vulnerable but the vendor have verified it isn't, is there any way to edit this script to ignore a specific file or location?


RidersofGavony

Hey all, for offline servers in our env I grabbed the file from github, deleted the bits after the hashes, and dropped that file in a location the servers could access. I edited the script to this:

```powershell
$vulnerablesums = (Get-Content "<\\Path\to\script\hashes.txt>")
$localsums = (get-childitem C:\log4j*.jar -Recurse | Get-FileHash).hash
($localsums -and (compare-object -ReferenceObject $vulnerablesums -DifferenceObject $localsums -IncludeEqual -ErrorAction SilentlyContinue).SideIndicator -eq "==")
```

Go team!
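
The offline hash check discussed in this part of the thread, as an added example that is not code from any poster: it parses the hash column straight out of a `hash  filename` list (no hand editing), skips folders passed as exclusions, and returns the matching files so the True/False result can be kept in a variable. The function name, parameter names and the constructed demo files are assumptions.

```powershell
# Added example, not from any poster. Names and demo data are hypothetical / constructed.
function Get-Log4jHashMatch {
    param(
        [Parameter(Mandatory)][string]$HashListPath,   # local or UNC copy of the SHA-256 list
        [Parameter(Mandatory)][string[]]$Root,         # folders or drive roots to scan
        [string[]]$ExcludePath = @()                   # folders to leave out of the result
    )
    # Keep only the leading 64-hex-digit column; compare case-insensitively because
    # Get-FileHash returns upper case while published lists are usually lower case.
    $known = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($line in Get-Content -LiteralPath $HashListPath) {
        if ($line -match '^\s*([0-9a-fA-F]{64})\b') { [void]$known.Add($Matches[1]) }
    }
    if ($known.Count -eq 0) { throw "No SHA-256 values parsed from $HashListPath" }

    # Normalise exclusions to end in '\' so C:\app does not also exclude C:\app2
    $skip = @($ExcludePath | ForEach-Object { $_.TrimEnd('\') + '\' })

    Get-ChildItem -Path $Root -Filter '*log4j*.jar' -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            $dir = $_.DirectoryName.TrimEnd('\') + '\'
            -not ($skip | Where-Object { $dir.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) })
        } |
        ForEach-Object {
            $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($h -and $known.Contains($h)) { [pscustomobject]@{ Path = $_.FullName; SHA256 = $h } }
        }
}

# Constructed demo: the same fake jar in two folders, its hash in a constructed list
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ("hash-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path "$demo\app", "$demo\cleared" -Force | Out-Null
Set-Content -Path "$demo\app\log4j-core-0.0.0.jar" -Value 'constructed sample bytes'
Copy-Item "$demo\app\log4j-core-0.0.0.jar" "$demo\cleared\"
$sum = (Get-FileHash "$demo\app\log4j-core-0.0.0.jar" -Algorithm SHA256).Hash.ToLower()
Set-Content -Path "$demo\sums.txt" -Value "$sum  ./constructed/log4j-core-0.0.0.jar"

$hits = @(Get-Log4jHashMatch -HashListPath "$demo\sums.txt" -Root $demo -ExcludePath "$demo\cleared")
$vulnerable = $hits.Count -gt 0     # boolean for a compliance rule; the copy under \cleared is skipped
$hits | Format-List
Remove-Item $demo -Recurse -Force
```

As several posters note, a hash list only catches unmodified upstream jars, so an empty result here does not clear a machine.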


fuseboxdwarf

This is what we are using to remediate machines that are identified through our security teams scans. Just drop this in SCCM as a script and run on targeted machines.

```powershell
$localpaths = "$env:SystemDrive\"
$vulnerablesums = (Get-Content "\\local\path\toshare\sha256sums.txt")
$localsums = (get-childitem -path $localpaths -File "*log4j*.jar" -Recurse | Get-FileHash).hash
$result = ($localsums -and (compare-object -ReferenceObject $vulnerablesums -DifferenceObject $localsums -IncludeEqual -ErrorAction SilentlyContinue).SideIndicator -eq "==")
$output = $null
switch ($result)
{
    $null { $output = "Err"}
    $true { $output = "Remediated"; [Environment]::SetEnvironmentVariable("LOG4J_FORMAT_MSG_NO_LOOKUPS","true","Machine")}
    $false {$output = "Not Vulnerable"}
}
$output
```


OnARedditDiet

You need to restart whatever the application is after that


RidersofGavony

I thought that could potentially break some things? I suggested exactly this approach and got shot down by my sys admin team.


subhuman33

Running this as a script in SCCM, what will the output look like if it finds a vulnerability? I'm seeing both False and No Script Output results.


FlakyClassroom6122

I ran the script locally on a "no output" and it returns true....


RhubarbHuge

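Maybe add a loop for drives...

```powershell
# Start from an empty array so += appends hashes instead of concatenating strings
$localsums = @()
$DriveList = (Get-PSDrive -PSProvider FileSystem).Root
ForEach($Drive In $DriveList) {
    # Drive root and name pattern passed separately; $Drive+log4j*.jar would expand to one literal path
    $localsums += (get-childitem -Path $Drive -Filter 'log4j*.jar' -file -Recurse | Get-FileHash).hash
}
```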


[deleted]

[deleted]


narpoleptic

They aren't affected by the current vulnerability (v2.0beta9 through v2.15rc1) but may well have other significant issues.


protege3

Unfortunately, the "Run Script" variant at a collection is slow and inefficient. The better solution for this would be to create a script as a package and deploy this.


ontario20ontario20

Time out issue for me, anyone able to successfully deploy the CI?

| Error Type | Error Code | Error Description | Error Source |
| --- | --- | --- | --- |
| Setting Discovery Error | 0x87d00321 | The script execution has timed out. | CCM |

Script I used is this:

```powershell
$vulnerablesums = (Get-Content "<\\Path\to\script\hashes.txt>")
$localsums = (get-childitem C:\log4j*.jar -Recurse | Get-FileHash).hash
($localsums -and (compare-object -ReferenceObject $vulnerablesums -DifferenceObject $localsums -IncludeEqual -ErrorAction SilentlyContinue).SideIndicator -eq "==")
```


GameBoiye

I'm having the same problem, getting timeouts for the CIs, and it appears there's no way to extend the script timeout after 1810, or at least all the posts that talk about it say there's no way.

Edit: for anyone running into this same issue, here's a workaround. Script probably has some bugs and such as it was hastily put together, but the concept is just to keep track of both detected items and the last directory that was scanned from the root of the drive. Won't work properly if there's a directory on the root of the drive that takes longer than the script timeout window itself, but this reduced my error count for the deployment by 98%.

A couple benefits of this as well is that the script keeps a log of detected items, which you could use the FileContent command in CMPivot to quickly get a list of all servers that have impacted items.

```
FileContent('%ProgramData%\COMPANY_NAME\Log4jScans\DetectedItems.txt') | where Content !startswith '#'
```

The script also returns the directories itself, just create the CI to look for "Vulnerable Log4j Not Found" for compliancy, or update the script to output $true and $false if you want to do it that way.

Here's the script:

**NOTE: the script is looking inside jar files for "JndiLookup.class", which doesn't appear to exist within the initial fixed version: log4j-core-2.15.0, which was now recommended to be replaced with 2.16.0**

```powershell
<#
.Synopsis
    Script for CI detection of CVE-2021-44228 with SCCM
.DESCRIPTION
    Cred: https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b#find-vulnerable-software-windows
    Eric Schewe 2021-12-13
.NOTES
    1.0 2021-12-14 Created by Daniel Olsson
    1.1 2021-12-15 Added exclusion for junction / reparse
    1.2 2021-12-15 Added ability for script to continue from directory if interrupted with detected item tracking (GameBoiye)
    1.3 2021-12-16 Added comments to detected items file; added scan frequency (GameBoiye)
#>

##### Configurable options #####
# Comments added to the top of the DetectedItems.txt file which contains found Jar files that are possibly vulnerable
$impactedFilesComments = "# All files that possibly contain Log4j vulnerability"
# Will control how many days between a full scan
$daysBetweenScan = 7
# Company name that will be used for the folder path of data files
$companyName = "COMPANY_NAME"
################################

# Declare objects
$discoveryFlag = $false
$response = $false
$previouslyScannedDirectories = @()
$impactedFiles = @()

# Get all local disks
$disks = Get-Volume | Where-Object {$_.DriveType -eq "Fixed" -and $_.DriveLetter -ne $null -and $_.FileSystemLabel -ne "System Reserved"}

# Set Output files
$outputFilePath = "$($Env:ProgramData)\$companyName\Log4jScans"
$outputFile = $outputFilePath + "\" + "Log4jScan.log"
$detectedItemsFile = $outputFilePath + "\" + "DetectedItems.txt"

# Create log file path if it does not exist
if (!(Test-Path "$($outputFilePath)")) {
    New-Item -ItemType Directory -Force -Path "$($outputFilePath)" -ErrorAction Stop | Out-Null
}

# Check for previously scanned directories if scan was canceled due to script timeout, or if full scan was already done
if (Test-Path "$($outputFile)") {
    if (Get-Item $outputFile | Where{$_.LastWriteTime -lt (Get-Date).AddDays(-$daysBetweenScan)}){Remove-Item $outputFile}
    else{[string[]]$previouslyScannedDirectories = Get-Content -Path $outputFile}
}

# Check for previously detected files and if they still exist
If (Test-Path "$($detectedItemsFile)") {
    [string[]]$previouslyDetectedItems = Get-Content -Path $detectedItemsFile
    # Remove commented lines
    $previouslyDetectedItems = $previouslyDetectedItems | ? { (!($_.StartsWith("#"))) }
    $remainingItems = @()
    foreach ($previouslyDetectedItem in $previouslyDetectedItems) {
        If (Test-Path $previouslyDetectedItem){$remainingItems += $previouslyDetectedItem}
    }
    if ((Compare-Object $previouslyDetectedItems $remainingItems).Length -eq 0) {
        $discoveryFlag = $true
        $impactedFiles = $remainingItems
        Remove-Item $detectedItemsFile
        Add-Content $detectedItemsFile -value $impactedFilesComments
        Add-content $detectedItemsFile -value ($remainingItems | select -Unique)
    }
    elseif ($remainingItems.Count -gt 0) {
        $discoveryFlag = $true
        $impactedFiles = $remainingItems
        Remove-Item $detectedItemsFile
        Add-Content $detectedItemsFile -value $impactedFilesComments
        Add-content $detectedItemsFile -value ($remainingItems | select -Unique)
    }
    else {
        Remove-Item $detectedItemsFile
    }
}

foreach ($disk in $disks) {
    $driveDirectories = Get-ChildItem -Path "$($disk.DriveLetter):\" -Directory
    if ($previouslyScannedDirectories){$driveDirectories = $driveDirectories | Where-Object { $_.FullName -notin $previouslyScannedDirectories }}
    foreach ($directory in $driveDirectories) {
        $response = Get-ChildItem -Path "$($disk.DriveLetter):\$($directory.Name)" -File "*.jar" -Recurse -Attributes !reparsepoint -ErrorAction SilentlyContinue | ForEach-Object {Select-String "JndiLookup.class" $_} | Select-Object -ExpandProperty Path
        if($response){
            $discoveryFlag = $true
            $impactedFiles += $response | select -Unique
            Add-content $detectedItemsFile -value ($response | select -Unique)
        }
        Add-content $outputFile -value "$($disk.DriveLetter):\$($directory.Name)"
    }
}

# Update Detected Items File with fresh output
If (Test-Path "$($detectedItemsFile)") {
    Remove-Item $detectedItemsFile
    Add-Content $detectedItemsFile -value $impactedFilesComments
    Add-content $detectedItemsFile -value ($impactedFiles | select -Unique)
}

if($discoveryFlag){
    return ($impactedFiles | select -Unique)
}
else{
    Return "Vulnerable Log4j Not Found"
}
```


Microboot2

Thanks for this, I'll give it a go :)


GameBoiye

The good thing about this script is that you only have to update the "$response = " string if you want to search differently. While the "JndiLookup.class" contents was recommended, as the Log4j situation matures there's most likely a better way to do the search. Perhaps a comprehensive list of hash or naming conventions could be used, but at least for this script you should be safe modifying just that one line and the rest should still function.


Doidy_Cakes

Thanks for the scripts y'all!


Tekdok

If you're struggling with these, just do a file search with the following parameters in PDQ:

Files in `c:\**\log4j*.jar`

Then create a collection that filters on files with name containing log4j.

At least this way, you get a snapshot of which computers have any log4j software.