
How to Detect Log4J vulnerabilities in your organization

Hi,

I just finished deploying this method for Windows devices in my company, figured I'd share to save some time for everyone else.


Deploy this script to all your Windows machines. It will write the path of any affected .jar files to a text file. The text file can subsequently be read into a custom inventory item using the rule: ShellCommandTextReturn(cmd.exe /c type C:\programdata\quest\kace\customdata\log4jclass.txt)

# Location the KACE agent reads custom inventory data from
$path = "$ENV:ProgramData\Quest\KACE"
$foldername = "customdata"
$filename = "log4jclass.txt"

# Search every filesystem drive (local and mapped) for .jar files whose bytes contain
# the literal "JndiLookup.class" (zip entry names are stored uncompressed, so a plain
# string match finds the class entry) and collect the path of each affected jar.
$affected = Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    Get-ChildItem -Path $_.Root -Recurse -Force -Include *.jar -ErrorAction SilentlyContinue |
        ForEach-Object { Select-String -Path $_.FullName -Pattern "JndiLookup.class" -SimpleMatch | Select-Object -First 1 } |
        Select-Object -ExpandProperty Path
}

if ($affected.Count -ne 0) {
    # Write the list of affected jars for the custom inventory rule to pick up
    New-Item -Path $path -Name $foldername -ItemType "directory" -Force | Out-Null
    $affected | Out-File "$path\$foldername\$filename"
} else {
    # Nothing found: remove any stale result left over from a previous run
    Remove-Item -Path "$path\$foldername\$filename" -ErrorAction SilentlyContinue
}
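The raw string search above flags every jar that contains the bytes "JndiLookup.class", which includes patched log4j-core 2.16/2.17 builds (the class is still shipped there, only disabled by default), so the result file cannot tell a vulnerable jar from a fixed one. The following is an added example, not the original post's script: it opens each archive as a zip, checks for the exact JndiLookup.class entry, and reads the log4j-core version from the Maven pom.properties entry so the inventory record can carry it. The sample jars it builds in a temp folder are constructed stand-ins (an empty class entry plus a pom.properties), not real log4j archives; the function names Get-Log4jInfo, Find-Log4jJars and New-SampleJar are mine.

```powershell
# Added example: zip-aware log4j scan that reports the JndiLookup.class hit and the version.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-Log4jInfo {
    # Inspect one archive (jar/war/ear). Emits a Path/Version object only if it
    # carries the JndiLookup.class entry; unreadable or non-zip files are skipped.
    param([string]$JarPath)
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($JarPath)
        try {
            $jndi = $zip.Entries | Where-Object { $_.FullName -eq 'org/apache/logging/log4j/core/lookup/JndiLookup.class' }
            if ($jndi) {
                $version = 'unknown'
                # Maven-built log4j-core jars carry a pom.properties with a "version=" line
                $pom = $zip.Entries | Where-Object { $_.FullName -eq 'META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties' }
                if ($pom) {
                    $reader = New-Object System.IO.StreamReader($pom.Open())
                    try {
                        foreach ($line in ($reader.ReadToEnd() -split "`r?`n")) {
                            if ($line -match '^version=(.+)$') { $version = $Matches[1].Trim() }
                        }
                    } finally { $reader.Dispose() }
                }
                [pscustomobject]@{ Path = $JarPath; Version = $version }
            }
        } finally { $zip.Dispose() }
    } catch {
        # Not a zip, locked, or access denied: skip it, like the -ea 0 in the original script
    }
}

function Find-Log4jJars {
    # Walk a root recursively; war/ear are included because they are zips too.
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -Force -Include *.jar,*.war,*.ear -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Log4jInfo -JarPath $_.FullName }
}

# --- Constructed sample input (stand-ins, not real log4j jars) in a temp folder ---
function New-SampleJar {
    param([string]$Path, [string]$Version, [bool]$WithJndi)
    $archive = [System.IO.Compression.ZipFile]::Open($Path, [System.IO.Compression.ZipArchiveMode]::Create)
    try {
        if ($WithJndi) {
            $archive.CreateEntry('org/apache/logging/log4j/core/lookup/JndiLookup.class') | Out-Null
            $entry = $archive.CreateEntry('META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties')
            $writer = New-Object System.IO.StreamWriter($entry.Open())
            try { $writer.Write("artifactId=log4j-core`nversion=$Version`n") } finally { $writer.Dispose() }
        } else {
            $archive.CreateEntry('META-INF/MANIFEST.MF') | Out-Null
        }
    } finally { $archive.Dispose() }
}

$sampleRoot = Join-Path $env:TEMP ("log4jdemo_" + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $sampleRoot | Out-Null
New-SampleJar -Path (Join-Path $sampleRoot 'log4j-core-2.14.1.jar') -Version '2.14.1' -WithJndi $true
New-SampleJar -Path (Join-Path $sampleRoot 'log4j-core-2.17.1.jar') -Version '2.17.1' -WithJndi $true
New-SampleJar -Path (Join-Path $sampleRoot 'other-lib.jar') -Version '' -WithJndi $false

# Both log4j-core stand-ins are reported; other-lib.jar is not. The Version column
# is what separates the vulnerable 2.14.1 from the patched 2.17.1.
Find-Log4jJars -Root $sampleRoot | Format-Table -AutoSize

Remove-Item -Recurse -Force $sampleRoot
```

To use it in place of the string search, pipe Find-Log4jJars over each drive root into the same customdata file (one "path<TAB>version" line per jar) so the KACE inventory rule picks up the version as well. Two caveats carry over from the original approach: the scan runs as Local System, so mapped network drives are not visible, and jars nested inside a war or ear are not opened by this example, only the outer archive is inspected.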

Comments (2)
  • Thanks for this script, it will be very useful. However I'm having an issue when trying to deploy it via Kace. If I run this locally it works fine, but if I deploy it via Kace using the "local system" permissions I get "Access is denied" errors when it runs. I have other scripts in Kace that run properly using those permissions.
    I'm sure it's something simple but I just don't know enough about scripting yet to figure it out on my own.

    This is the output log for the failed attempt:

    gci : Access is denied
    At C:\ProgramData\Quest\KACE\scripts\466\detectlog4j.ps1:4 char:61
    + ... m | foreach { (gci ($_.Root) -rec -force -include *.jar -ea 0 | forea ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetChildItemCommand - ScottAday 2 years ago
  • Do you have mapped network drives? Local system won't get access to those, but running it manually in a user context will if you have permissions to that drive. Run Get-PSDrive -PSProvider FileSystem and see what it returns. - jlfrank 2 years ago

Answers (2)

Posted by: Nico_K 2 years ago
Red Belt
0

nice but would be better as "Blog" in the "Blog" section.

Thanks!

Posted by: binuani 2 years ago
Fourth Degree Green Belt
0

I got an error:

elseif : The term 'elseif' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ elseif ($affected.Count -eq 0) {
+ ~~~~~~
    + CategoryInfo          : ObjectNotFound: (elseif:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
