Detect Log4j vulnerable servers using PowerShell (2021)


Hello, PowerShell enthusiasts, wishing you all a Merry Christmas and a Happy New Year. This year was ending on a good note until the day the log4j vulnerability came along; our security team has already identified it and told every admin to make the changes.

If you are not a developer, or only work on the server side, you may not be aware of how to check for log4j, so I have come up with an effective way to identify the servers carrying log4j traces. I have created a small yet effective script that scans Windows servers for log4j.


Script Requirements

Before we proceed further we need to understand gwmi win32_logicaldisk (Get-WmiObject against the Win32_LogicalDisk class), which lists the logical disks on a remote server or on your own PC.

To get only the fixed disks we add -filter, so the command looks like the one below (DriveType = 3 is a local fixed disk; removable and network drives are skipped).

gwmi win32_logicaldisk -filter "DriveType = 3" | Select-Object DeviceID

How to detect Log4j vulnerable devices using PowerShell?

Let's go step by step through how I created this script, how it runs and what output to expect from it.

#Step 1

This is my vintage style to invoke my foreach loop.

$server = Get-Content C:\users\admin\desktop\servers.txt   # one server name per line
foreach ($servers in $server) {
    $servers   # echo the name so you can see which server is being processed

#Step 2

We use Invoke-Command to run a set of commands on the remote server.

The if condition checks whether the remote server has the folder C:\temp. If the folder doesn't exist, it creates one on the remote server.

With echo $null > we make sure the per-server result file is empty before the scan starts; if it already has content from an earlier run, it is truncated.

Invoke-Command -ComputerName $servers -ScriptBlock {
    # Create C:\temp on the remote server if it is missing
    if ((Test-Path "C:\temp") -eq $false) { New-Item -Path C:\ -Name Temp -ItemType Directory }
    # Create (or truncate) the per-server result file, named after the remote host
    echo $null > C:\temp\${env:COMPUTERNAME}.csv

#Step 3

As discussed earlier, gwmi win32_logicaldisk -filter "DriveType = 3" | Select-Object DeviceID provides the list of volumes on the server.

The pipe after DeviceID means the following commands run once for each volume that was identified.

Get-ChildItem recurses through the whole volume and finds files whose names match log4j*.jar. The script then selects each file's full path and appends it, together with the computer name, to a CSV file. Note that this file is saved on the remote server, not on the machine you run the script from.

    # Enumerate fixed local disks and search each one for log4j*.jar
    gwmi win32_logicaldisk -filter "DriveType = 3" | Select-Object DeviceID |
    ForEach-Object {
        # -ErrorAction SilentlyContinue keeps access-denied folders from flooding the output
        Get-ChildItem -Path ($_.DeviceID + "\") -Include "log4j*.jar" -Recurse -ErrorAction SilentlyContinue |
        Select-Object FullName |
        ForEach-Object { ${env:COMPUTERNAME} + "," + $_.FullName >> C:\temp\${env:COMPUTERNAME}.csv }
    }
}   # end of the Invoke-Command script block
}   # end of the foreach over servers

#Step 4

Since the results are stored on the remote servers, we need to copy the output back to our source server.

You don't have to worry, as we have already created a script to do so. You can either merge it with the script above or run it separately once the first script has finished.

$a = Get-Content "C:\users\bharalid\desktop\servers.txt"   # same server list as Step 1
foreach ($i in $a) {
    $i
    # Result file written by the remote scan, reached through the C$ admin share
    $files = "\\$i\C$\temp\$i.csv"
    foreach ($file in $files) {
        Copy-Item $file -Destination \\teb-ts1\C$\temp\ -Force
    }
}

Note: If the text file is empty, that doesn't mean the script didn't run on the server; it means no log4j-related files were found on that server.
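The four steps above are one procedure, so here they are merged into a single script. This is an added example, not the post's own script: it keeps the same Win32_LogicalDisk query and the same log4j*.jar search, but returns the results from the Invoke-Command script block instead of writing a temp file on each server and copying it back, records a row for servers that could not be reached or that had no matching jar (so an empty result is never mistaken for "not scanned"), pulls the version out of the jar file name, and, as an extension beyond the post, opens each jar to report whether it still contains the JndiLookup class. The servers.txt path, the output path and the assumption that PowerShell Remoting is enabled on the targets are all placeholders for your environment.

```powershell
# Added example (not the original post's script): Steps 1-4 merged into one scan.
# Assumptions: server list path, local report path, PowerShell Remoting enabled,
# and the calling account can read every fixed disk on the remote servers.
$ServerList = 'C:\users\admin\desktop\servers.txt'   # assumed path, one host per line
$OutFile    = 'C:\temp\log4j-report.csv'              # assumed local report path

$servers = Get-Content $ServerList | Where-Object { $_.Trim() -ne '' }

# Runs on the remote host; every object it emits comes back to the caller,
# so nothing has to be written to C:\temp on the server or copied afterwards.
$scan = {
    Add-Type -AssemblyName System.IO.Compression.FileSystem

    # Fixed local disks only (DriveType = 3), the same query the post uses
    $drives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' |
              Select-Object -ExpandProperty DeviceID

    foreach ($drive in $drives) {
        Get-ChildItem -Path "$drive\" -Include 'log4j*.jar' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $jar = $_

            # Version taken from the file name, e.g. log4j-core-2.14.1.jar -> 2.14.1
            $version = if ($jar.Name -match '^log4j(?:-\w+)?-(\d+(?:\.\d+)+)\.jar$') { $Matches[1] } else { 'unknown' }

            # A mitigated jar keeps its file name, so inspect the archive itself for
            # the JNDI lookup class. Only log4j-core carries it; api jars report False.
            $hasJndi = 'unreadable'
            try {
                $zip = [System.IO.Compression.ZipFile]::OpenRead($jar.FullName)
                $hasJndi = [bool]($zip.Entries | Where-Object FullName -eq 'org/apache/logging/log4j/core/lookup/JndiLookup.class')
                $zip.Dispose()
            } catch { }

            [PSCustomObject]@{
                Computer   = $env:COMPUTERNAME
                Path       = $jar.FullName
                Version    = $version
                JndiLookup = $hasJndi
                LastWrite  = $jar.LastWriteTime
            }
        }
    }
}

$results = foreach ($server in $servers) {
    Write-Host "Scanning $server"
    try {
        $rows = @(Invoke-Command -ComputerName $server -ScriptBlock $scan -ErrorAction Stop)
        if ($rows.Count -eq 0) {
            # Scanned successfully, nothing matched: say so explicitly
            [PSCustomObject]@{ Computer = $server; Path = 'no log4j*.jar found'; Version = ''; JndiLookup = ''; LastWrite = '' }
        } else {
            $rows
        }
    } catch {
        # Unreachable or remoting failed: record it rather than leaving the host out of the report
        [PSCustomObject]@{ Computer = $server; Path = "SCAN FAILED: $($_.Exception.Message)"; Version = ''; JndiLookup = ''; LastWrite = '' }
    }
}

$results | Select-Object Computer, Path, Version, JndiLookup, LastWrite |
    Export-Csv -Path $OutFile -NoTypeInformation
$results | Format-Table Computer, Path, Version, JndiLookup -AutoSize
```

Try it against a single server first, as the conclusion below advises. The three kinds of rows (a jar path, "no log4j*.jar found", or "SCAN FAILED") let you tell at a glance which hosts are clean, which need attention and which were never actually scanned.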

Conclusion

I hope you have liked the post Detect Log4j vulnerable servers using PowerShell and will use it whenever it is required. One thing you should always remember is to try with one server first, so that it is easy for you to make changes. Let me know if you want a blog post on some other script that might amaze you.

We are working continuously to provide you with better and better scripts. We publish weekly, so don't forget to subscribe to our newsletter.

About Me

powershellguru.com

Dhrub Bharali

Writing PowerShell scripts is my obsession. I have created 100+ PowerShell scripts that generate the best results and can be modified to get the required details of your infra.
