@adotcoop
Created December 17, 2021 13:46
# Find-log4j.ps1
#
# Searches a machine for files named log4j-core-*.jar using robocopy and outputs the matching paths to a file
#
# Note: matching on the jar file name will not find log4j-core classes bundled inside another archive
# (an application's uber-jar, WAR or EAR) or a renamed jar, so a "notfound" result is not proof of absence.
#
# Virtually all of the code is from Matt Benninge; I've just added a very simple file output
# https://gist.github.com/matbe/df32f7257d9eab07fb388bef85edab04
#
# Once you have the files you can combine the ones that found log4j by running this in the drop folder
# (the *_found* pattern matches the log4j_found_* files only, not log4j_notfound_*):
#
# dir *_found* | Get-Content | Out-File c:\users\public\log4jfound.txt
#
# If run as a package/program through SCCM it'll run under the context of LOCALSYSTEM, so
# provided the computer account has write (not just read) privilege to the shared folder the
# script will be able to create the files
#
$dropFolder = "\\server\share\log4j\"
# == code from Matt ==
$searchName = "log4j-core-*.jar"
# DriveType=3 is fixed local disks only: removable, optical and mapped network drives are skipped
$drives = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' | Select-Object -ExpandProperty DeviceID
$i = 0
# Collected across all drives; the original overwrote $jars on every drive, so only the last
# drive's hits ever reached the output file
$allJars = @()
Foreach ($drive in $drives) {
    $searchDir = "$drive\"
    # robocopy /l lists what it would copy without copying anything ("null" is a dummy destination);
    # /ndl /nc /ns /njh /njs /np strip the output down to one full file path per line,
    # /xjd skips junction points (avoids loops), /s recurses, /mt walks the disk multi-threaded
    $jars = @(& cmd /c pushd $searchDir `& robocopy /l "$searchDir" null "$searchName" /ns /njh /njs /np /nc /ndl /xjd /mt /s) |
        ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
    Foreach ($jar in $jars) {
        # Only keep lines that are real paths on this drive (robocopy can emit other text)
        If ($jar.StartsWith($drive)) {
            $i++ # increase $i to instruct CM that a potentially vulnerable file was found
            $allJars += $jar
        }
    }
}
# == end of code from matt ==
If ($i -ge 1) {
    $filename = "log4j_found_$($ENV:Computername).txt"
}
Else {
    $filename = "log4j_notfound_$($ENV:Computername).txt"
}
$allJars | Out-File "$dropFolder$filename"
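The gist stops at dropping one text file per host into the share. The following script is an added example, not part of the original gist or Matt Benninge's code: it reads those log4j_found_HOST.txt / log4j_notfound_HOST.txt files back from the drop folder, parses the log4j-core version out of each jar path, and writes one CSV with the hosts that still need patching sorted first. The drop folder path, the report path and the minimum fixed version (2.17.1 here) are assumptions; set the threshold to the release you have standardized on, and note that the 2.3.x and 2.12.x backport branches for older Java versions will be flagged by a single threshold and should be reviewed by hand.

```powershell
# Find-log4j-Report.ps1 (added example, not part of the original gist)
# Consolidates the per-host files written by Find-log4j.ps1 into one CSV.
# Assumed values (not from the gist): $DropFolder, $ReportPath, $MinimumFixed.
param(
    [string]$DropFolder    = "\\server\share\log4j\",
    [version]$MinimumFixed = [version]"2.17.1",
    [string]$ReportPath    = "C:\Users\Public\log4j_report.csv"
)

# Pull "2.14.1" out of "...\log4j-core-2.14.1.jar". Returns $null when the name
# does not parse (e.g. log4j-core-2.0-beta9.jar: [version] cannot read it, and
# the caller treats $null as "needs a look" rather than silently passing it).
function Get-Log4jVersion {
    param([string]$JarPath)
    if ($JarPath -match 'log4j-core-(\d+(?:\.\d+){1,3})\.jar$') {
        return [version]$Matches[1]
    }
    return $null
}

$rows = foreach ($file in Get-ChildItem -Path $DropFolder -Filter 'log4j_*.txt') {
    # Filename layout written by Find-log4j.ps1: log4j_<found|notfound>_<COMPUTERNAME>.txt
    if (-not ($file.BaseName -match '^log4j_(found|notfound)_(.+)$')) { continue }
    $status   = $Matches[1]
    $computer = $Matches[2]

    if ($status -eq 'notfound') {
        # Keep clean hosts in the report so hosts that were never scanned stand out by absence
        [pscustomobject]@{ Computer = $computer; Jar = ''; Version = ''; NeedsAction = $false }
        continue
    }

    foreach ($line in Get-Content -Path $file.FullName) {
        $jar = $line.Trim()
        if ($jar -eq '') { continue }
        $ver = Get-Log4jVersion -JarPath $jar
        [pscustomobject]@{
            Computer    = $computer
            Jar         = $jar
            Version     = $(if ($ver) { $ver.ToString() } else { 'unparsed' })
            # Unparsed versions are flagged too; a 2.0 beta is affected but has no parsable version
            NeedsAction = (-not $ver) -or ($ver -lt $MinimumFixed)
        }
    }
}

$rows | Sort-Object NeedsAction -Descending | Export-Csv -Path $ReportPath -NoTypeInformation
# On-screen summary of only the hosts that still need work
$rows | Where-Object { $_.NeedsAction } | Format-Table Computer, Version, Jar -AutoSize
```

Run it from a workstation with read access to the share (the SCCM clients only need write). Because the collector matches on file names, a host that comes back as notfound may still ship log4j-core inside an application archive; treat the CSV as a list of confirmed hits, not a clean bill of health for the rest.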