If you’re working in a business environment you want to be sure that your Windows servers are safe from log4j vulnerabilities. If you’re running some kind of management tool across all servers this is easy enough. You just need to look for systems that contain an older version of the log4j-core*.jar file.
If you’re in an organisation that isn’t running a centralised tool to look for files there is another way by using Powershell.
In this article How to: Fix or mitigate log4j vulnerabilities on Windows server I showed how to mitigate the vulnerabilities by removing the exploitable class file, but if you don’t first have a list of outdated jar files, here is how you can run a search over your servers and build a CSV of the servers and directories that need a closer look.
Import-Module ActiveDirectory
#Creates a data table and adds custom columns to it.
function createDT()
{
###Creating a new DataTable###
$tempTable = New-Object System.Data.DataTable
##Creating Columns for DataTable##
$col1 = New-Object System.Data.DataColumn(“ServerName”)
$col2 = New-Object System.Data.DataColumn(“Path”)
$col3 = New-Object System.Data.DataColumn(“Error”)
###Adding Columns for DataTable###
$tempTable.columns.Add($col1)
$tempTable.columns.Add($col2)
$tempTable.columns.Add($col3)
return ,$tempTable
}
#Created the list of Servers to run the foreach loop aganist and the data table
$Servers = $null
$Servers = Get-ADComputer -Properties * -Filter "(OperatingSystem -Like '*Server*') -and (Enabled -eq '$True') -and (ServicePrincipalName -notLike '*MSServerCluster*')" `
| Select-Object -ExpandProperty Name
$dTable = $null
$dTable = createDT
$Date = (Get-Date -Format yyyy.MM.dd_T_HH.mm.ss)
$dir = "C:\temp\log4jreport"
ForEach ($server in $servers) {
$path = Invoke-Command -ComputerName $Server -ScriptBlock {
$Volumes = Get-Volume | Where-Object {($_.FileSystem -EQ "NTFS") -and ($_.FileSystemLabel -notlike "*Reserved*" ) } | Select-Object -ExpandProperty DriveLetter
ForEach ($Volume in $Volumes){
Get-ChildItem -LiteralPath ($volume + ":\") -Filter *log4j-core-2.*.jar -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.fullname -notlike "*log4j-core-2.16*.jar" -and $_.fullname -notlike "*log4j-core-2.17*.jar"} | % { $_.FullName}
}
}
# Writes the findings to the datatable creating a new row for every server
$path | ForEach-Object{
$row = $dTable.NewRow()
$row[“ServerName”] = $Server
$row[“Path”] = ($PSItem)
$dTable.rows.Add($row)
}
}
New-Item -Path $dir -ItemType Directory
$dTable | Export-Csv $dir\$date.csv -Force
Write-Host "Report exported to" $dir\$date.csv
https://github.com/philpug/Powershell_scripts/blob/master/vulnerability_mitigation/log4j_scan.ps1