Skip to content

Latest commit

 

History

History
45 lines (37 loc) · 2.89 KB

README.md

File metadata and controls

45 lines (37 loc) · 2.89 KB

Log4Shell Enumeration, Mitigation and Attack Detection Tool

Build 9c [GitHub Version], 16th December 2021

By Datto, For the MSP Community

Summary

This is a PowerShell-based script that can be run on a Windows system (it has been neither written for, nor tested with, other platforms) to:

  • (Optionally) inoculate the system against Log4Shell attacks with vulnerable Log4j versions by setting the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to TRUE
    • Check whether any JAR files on the system contains code linking it to a vulnerable Log4j version
      • This is not conclusive and should be used for reference only
  • Using the YARA tool and Florian Roth's definitions, check all JAR, LOG and TXT files on the system for indicators of Log4Shell attacks

The script was originally developed as a Component for the Datto RMM software; however, as part of Datto's ongoing commitment to the MSP, it has been released for free for the Community.

Usage

Three environment variables (ie: $env:variableName) must be furnished, either by editing the script or by adding them in your runtime environment:

  • usrScanScope
    • Value of 1: Only scan home drive (usually C:) (Fastest scan time)
    • Value of 2: Scan all fixed and removable drives
    • Value of 3: Scan all drives, including Network drives (Slowest scan time -- may take several hours)
  • usrUpdateDefs
    • Value of true: Download the latest YARA definitions from Florian Roth to scan files against
    • Value of false: Use definitions attached
  • usrMitigate
    • Value of Y: Inoculate system by setting LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to TRUE
    • Value of N: De-inoculate system by setting LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to FALSE (Use with caution!)
    • Value of X: Ignore inoculation subroutine entirely

Included in package

  • Yara 4.1.3-1755 (32- & 64-bit) & COPYING document
  • Florian Roth's YARA definitions for Log4Shell as of 13th December 2021

Changelog

  • Build 8b > Build 9c
    • Readability improvements for users running script from a single PowerShell console window
    • Log.txt and L4JDetectiond.txt will be written to local directories if C:\ProgramData\CentraStage does not exist
    • Example variables commented out at beginning of script for easy onboarding
    • Script now checks for administrative status
    • Script does not refer to UDFs for Non-RMM partners anymore

Credits

This script was written by seagull for Datto RMM and the wider MSP Community. It may be freely copied, edited and redistributed provided credits to Datto, seagull & a link to this GitHub repo remain in the comments.
YARA is a tool by the VirusTotal project. The definitions used here were created by Florian Roth.
www.datto.com/rmm