# adapted from https://gist.github.com/elgrunt0/c53a12838d5b59647d7d47b7f22b4ec8
# Thanks @Grunt !
# Get-FileHash is not present on older PowerShell hosts; record once whether it is
# available so the hashing step below can fall back to certutil.exe when it is not.
$CanHash = [bool](Get-Command Get-FileHash -ErrorAction SilentlyContinue)
function Create-CorpEventLog {
    <#
    .SYNOPSIS
    Creates the named Windows event log, with an event source of the same name, if it does not exist yet.
    .PARAMETER logname
    Name used for both the event log and the registered event source.
    .NOTES
    Registering a log/source normally needs an elevated session. The log is capped at 20 MB with
    OverwriteAsNeeded so a noisy host cannot grow it without bound, and a single informational
    event (id 0) is written so readers can tell which source to use.
    #>
    param ($logname)

    $existing = Get-EventLog -List | Where-Object { $_.LogDisplayName -eq $logname }
    if ($existing) {
        return
    }

    New-EventLog -LogName $logname -Source $logname
    Limit-EventLog -LogName $logname -OverflowAction OverwriteAsNeeded -MaximumSize 20MB
    Write-EventLog -LogName $logname -Source $logname -EventId 0 -EntryType Information `
        -Message "Event log created. When writing to this event log, use the source: $logname"
}
# Name shared by the event log and the event source every finding is written to.
$logname = 'Corp'
# Creates the Corp event log if it does not already exist.
Create-CorpEventLog -logname $logname
# CVE-2021-44228-Log4Shell-Hashes sha256sums from https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes
# One lowercase SHA-256 per line. This list covers the known-vulnerable log4j-core builds
# only, so a jar whose hash is absent is "not a known-vulnerable build", not proven safe.
$hashText = @'
bf4f41403280c1b115650d470f9b260a5c9042c04d9bcc2a6ca504a66379b2d6
a20c34cdac4978b76efcc9d0db66e95600bd807c6a0bd3f5793bcb45d07162ec
58e9f72081efff9bdaabd82e3b3efe5b1b9f1666cefe28f429ad7176a6d770ae
ed285ad5ac6a8cf13461d6c2874fdcd3bf67002844831f66e21c2d0adda43fa4
dbf88c623cc2ad99d82fa4c575fb105e2083465a47b84d64e2e1a63e183c274e
a38ddff1e797adb39a08876932bc2538d771ff7db23885fb883fec526aff4fc8
7d86841489afd1097576a649094ae1efb79b3147cd162ba019861dfad4e9573b
4bfb0d5022dc499908da4597f3e19f9f64d3cc98ce756a2249c72179d3d75c47
473f15c04122dad810c919b2f3484d46560fd2dd4573f6695d387195816b02a6
b3fae4f84d4303cdbad4696554b4e8d2381ad3faf6e0c3c8d2ce60a4388caa02
dcde6033b205433d6e9855c93740f798951fa3a3f252035a768d9f356fde806d
85338f694c844c8b66d8a1b981bcf38627f95579209b2662182a009d849e1a4c
db3906edad6009d1886ec1e2a198249b6d99820a3575f8ec80c6ce57f08d521a
ec411a34fee49692f196e4dc0a905b25d0667825904862fdba153df5e53183e0
a00a54e3fb8cb83fab38f8714f240ecc13ab9c492584aa571aec5fc71b48732d
c584d1000591efa391386264e0d43ec35f4dbb146cad9390f73358d9c84ee78d
8bdb662843c1f4b120fb4c25a5636008085900cdf9947b1dadb9b672ea6134dc
c830cde8f929c35dad42cbdb6b28447df69ceffe99937bf420d32424df4d076a
6ae3b0cb657e051f97835a6432c2b0f50a651b36b6d4af395bbe9060bb4ef4b2
535e19bf14d8c76ec00a7e8490287ca2e2597cae2de5b8f1f65eb81ef1c2a4c6
42de36e61d454afff5e50e6930961c85b55d681e23931efd248fd9b9b9297239
4f53e4d52efcccdc446017426c15001bb0fe444c7a6cdc9966f8741cf210d997
df00277045338ceaa6f70a7b8eee178710b3ba51eac28c1142ec802157492de6
28433734bd9e3121e0a0b78238d5131837b9dbe26f1a930bc872bad44e68e44e
cf65f0d33640f2cd0a0b06dd86a5c6353938ccb25f4ffd14116b4884181e0392
5bb84e110d5f18cee47021a024d358227612dd6dac7b97fa781f85c6ad3ccee4
ccf02bb919e1a44b13b366ea1b203f98772650475f2a06e9fac4b3c957a7c3fa
815a73e20e90a413662eefe8594414684df3d5723edcd76070e1a5aee864616e
10ef331115cbbd18b5be3f3761e046523f9c95c103484082b18e67a7c36e570c
dc815be299f81c180aa8d2924f1b015f2c46686e866bc410e72de75f7cd41aae
9275f5d57709e2204900d3dae2727f5932f85d3813ad31c9d351def03dd3d03d
f35ccc9978797a895e5bee58fa8c3b7ad6d5ee55386e9e532f141ee8ed2e937d
5256517e6237b888c65c8691f29219b6658d800c23e81d5167c4a8bbd2a0daa3
d4485176aea67cc85f5ccc45bb66166f8bfc715ae4a695f0d870a1f8d848cc3d
3fcc4c1f2f806acfc395144c98b8ba2a80fe1bf5e3ad3397588bbd2610a37100
057a48fe378586b6913d29b4b10162b4b5045277f1be66b7a01fb7e30bd05ef3
5dbd6bb2381bf54563ea15bc9fbb6d7094eaf7184e6975c50f8996f77bfc3f2c
c39b0ea14e7766440c59e5ae5f48adee038d9b1c7a1375b376e966ca12c22cd3
6f38a25482d82cd118c4255f25b9d78d96821d22bab498cdce9cda7a563ca992
54962835992e303928aa909730ce3a50e311068c0960c708e82ab76701db5e6b
e5e9b0f8d72f4e7b9022b7a83c673334d7967981191d2d98f9c57dc97b4caae1
68d793940c28ddff6670be703690dfdf9e77315970c42c4af40ca7261a8570fa
9da0f5ca7c8eab693d090ae759275b9db4ca5acdbcfe4a63d3871e0b17367463
006fc6623fbb961084243cfc327c885f3c57f2eba8ee05fbc4e93e5358778c85
'@
# Split into one string per line, trimming whitespace and dropping any blank lines.
$hashes = @($hashText -split '\r?\n' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
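function Get-JarSha256 {
    <#
    .SYNOPSIS
    Returns the lowercase hex SHA-256 of a file, or $null when it could not be hashed.
    .PARAMETER Path
    Full path of the file to hash.
    .NOTES
    Uses Get-FileHash when available ($CanHash), otherwise certutil.exe. Either path can fail
    (locked file, access denied, certutil printing an error line where the digest is expected).
    The original script passed such a failure through as an empty hash, which then compared as
    "not vulnerable"; here the result is validated as 64 hex characters and anything else is
    returned as $null so the caller can fail closed.
    #>
    param ([string]$Path)

    $digest = $null
    if ($CanHash) {
        $result = Get-FileHash -Path $Path -Algorithm SHA256 -ErrorAction SilentlyContinue
        if ($result) { $digest = $result.Hash }
    }
    else {
        $lines = @(certutil -hashfile $Path SHA256 2>$null)
        # certutil prints the digest on the second line (older builds insert spaces between
        # bytes); on failure that line holds an error message and fails the check below.
        if ($lines.Count -ge 2) { $digest = $lines[1].Replace(" ", "") }
    }

    if ($digest -and $digest -match '^[0-9a-fA-F]{64}$') {
        # Normalised to lowercase to match the published hash list and keep logs consistent.
        return $digest.ToLower()
    }
    return $null
}

# Fixed local disks only (DriveType 3); removable media and mapped network drives are not scanned.
$drives = Get-WMIObject Win32_LogicalDisk |
    Where-Object { $_.DriveType -eq 3 } |
    Select-Object -ExpandProperty DeviceID

# Script result, emitted on the last line:
#   "Compliant"  - no known-vulnerable log4j-core jar was found
#   "Vulnerable" - at least one jar matched the published hash list
#   "Unverified" - a log4j-core jar was found but could not be hashed, so compliance
#                  cannot be claimed; "Vulnerable" takes precedence over "Unverified".
$Status = "Compliant"

Foreach ($drive in $drives) {
    # Only loose log4j-core-*.jar files are located; copies embedded in .war/.ear archives
    # or renamed jars are outside the scope of this check.
    $jars = Get-ChildItem -Path "$drive\" -Filter log4j-core-*.jar -Recurse -ErrorAction SilentlyContinue
    Foreach ($jar in $jars | Where-Object { $_.FullName }) {
        # Defaults describe a finding that needs attention (id 200); the branches below
        # adjust the message, level and id for the actual outcome.
        $params = @{
            LogName   = $logname
            Source    = $logname
            Message   = ""
            EventID   = '200'
            EntryType = 'Information'
        }

        $hash = Get-JarSha256 -Path $jar.FullName

        if (-not $hash) {
            # Fail closed: an unreadable jar keeps the "attention" id and a Warning level so
            # existing alerting on event 200 still surfaces it instead of silently passing.
            $params.Message = "Found log4j library but could not compute its hash (file locked or access denied); verify manually.
File: $($jar.FullName)
For more info on CVE-2021-44228, see https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java"
            $params.EntryType = 'Warning'
            if ($Status -eq "Compliant") { $Status = "Unverified" }
        }
        elseif ($hashes -Contains $hash) {
            $params.Message = "Found vulnerable log4j library!
File: $($jar.FullName)
Hash: $($hash)
For more info on CVE-2021-44228, see https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java"
            $params.EntryType = 'Warning'
            $Status = "Vulnerable"
        }
        else {
            $params.Message = "Found log4j library, but is not considered a vulnerable version.
File: $($jar.FullName)
Hash: $($hash)
For more info on CVE-2021-44228, see: https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java"
            $params.EventID = '100'
        }
        Write-EventLog @params
    }
}
$Status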