log4shell-tool
Log4Shell Enumeration, Mitigation and Attack Detection Tool
Build 9c [GitHub Version], 16th December 2021
By Datto, For the MSP Community
Summary
This is a PowerShell-based script that can be run on a Windows system (it has been neither written for, nor tested with, other platforms) to:
- (Optionally) inoculate the system against Log4Shell attacks via vulnerable Log4j versions by setting the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to TRUE
- Check whether any JAR files on the system contain code linking them to a vulnerable Log4j version
  - This is not conclusive and should be used for reference only
- Using the YARA tool and Florian Roth's definitions, check all JAR, LOG and TXT files on the system for indicators of Log4Shell attacks
The script was originally developed as a Component for the Datto RMM software; however, as part of Datto's ongoing commitment to the MSP, it has been released for free for the Community.
Usage
Three environment variables (i.e. $env:variableName) must be furnished, either by editing the script or by adding them in your runtime environment:
- usrScanScope
  - Value of 1: Only scan home drive (usually C:) (Fastest scan time)
  - Value of 2: Scan all fixed and removable drives
  - Value of 3: Scan all drives, including Network drives (Slowest scan time -- may take several hours)
- usrUpdateDefs
  - Value of true: Download the latest YARA definitions from Florian Roth to scan files against
  - Value of false: Use the definitions attached
- usrMitigate
  - Value of Y: Inoculate system by setting the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to TRUE
  - Value of N: De-inoculate system by setting the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to FALSE (Use with caution!)
  - Value of X: Ignore inoculation subroutine entirely
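As an added example (not the Datto script's own code), here is one way the JAR check and the usrScanScope / usrMitigate settings described above could be implemented in PowerShell. It assumes a detection heuristic of looking inside each JAR for the log4j-core JndiLookup class and the log4j-core pom.properties version file; the function names are my own.

```powershell
# Added example: scan JAR files for indicators of a vulnerable Log4j build
# and optionally apply the LOG4J_FORMAT_MSG_NO_LOOKUPS mitigation.
# Heuristic (assumption, not the Datto script's method): a JAR that still
# contains JndiLookup.class is flagged for review, with its version if known.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-ScanRoots {
    param([int]$ScanScope)   # mirrors usrScanScope: 1, 2 or 3
    $drives = Get-CimInstance Win32_LogicalDisk
    switch ($ScanScope) {
        1 { return @($env:SystemDrive + '\') }                                  # home drive only
        2 { return @($drives | Where-Object { $_.DriveType -in 2,3 } |
                     ForEach-Object { $_.DeviceID + '\' }) }                  # removable + fixed
        3 { return @($drives | ForEach-Object { $_.DeviceID + '\' }) }        # includes network drives
        default { throw 'usrScanScope must be 1, 2 or 3' }
    }
}

function Test-JarForLog4j {
    param([string]$Path)
    $result = [pscustomobject]@{ Path = $Path; Version = $null; HasJndiLookup = $false }
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName -eq 'org/apache/logging/log4j/core/lookup/JndiLookup.class') {
                $result.HasJndiLookup = $true
            } elseif ($entry.FullName -eq 'META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties') {
                $reader = New-Object System.IO.StreamReader($entry.Open())
                $props = $reader.ReadToEnd(); $reader.Dispose()
                if ($props -match 'version=(\S+)') { $result.Version = $Matches[1] }
            }
        }
        $zip.Dispose()
    } catch { Write-Warning "Could not open $Path : $_" }   # e.g. locked or malformed JAR
    return $result
}

function Set-Log4jMitigation {
    param([ValidateSet('Y','N','X')][string]$Mode)   # mirrors usrMitigate
    switch ($Mode) {
        'Y' { [Environment]::SetEnvironmentVariable('LOG4J_FORMAT_MSG_NO_LOOKUPS', 'true',  'Machine') }
        'N' { [Environment]::SetEnvironmentVariable('LOG4J_FORMAT_MSG_NO_LOOKUPS', 'false', 'Machine') }
        'X' { }   # ignore inoculation subroutine entirely
    }
}

# Usage: scope 1 (home drive), then list every JAR that still carries JndiLookup.class
$findings = foreach ($root in Get-ScanRoots -ScanScope 1) {
    Get-ChildItem -Path $root -Filter *.jar -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { Test-JarForLog4j -Path $_.FullName } |
        Where-Object { $_.HasJndiLookup }
}
$findings | Format-Table -AutoSize
```

Setting the machine-scoped variable requires an elevated session, and running Java processes only pick it up after a restart.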
Included in package
- Yara 4.1.3-1755 (32- & 64-bit) & COPYING document
- Florian Roth's YARA definitions for Log4Shell as of 13th December 2021
Changelog
- Build 8b > Build 9c
- Readability improvements for users running script from a single PowerShell console window
- Log.txt and L4JDetectiond.txt will be written to local directories if C:\ProgramData\CentraStage does not exist
- Example variables commented out at beginning of script for easy onboarding
- Script now checks for administrative status
- Script does not refer to UDFs for Non-RMM partners anymore
Credits
This script was written by seagull for Datto RMM and the wider MSP Community. It may be freely copied, edited and redistributed provided credits to Datto, seagull & a link to this GitHub repo remain in the comments.
YARA is a tool by the VirusTotal project. The definitions used here were created by Florian Roth.
www.datto.com/rmm