Detect Log4j vulnerable servers using PowerShell (2021)

Dhrub Bharali
Mar 19, 2022

Hello, PowerShell enthusiasts, and a Merry Christmas and a Happy New Year to you all. This year was ending on a good note until the day the Log4j vulnerability arrived. Our security team has already identified it and told every admin to make the required changes.

If you are not a developer, or you only work on the server side, you may not know how to check for Log4j at all. So I have come up with an effective way to find servers with Log4j traces: a small but effective script that scans Windows servers for Log4j jar files.

Script Requirements

Before we go further we need to understand gwmi win32_logicaldisk (the alias form of Get-WmiObject Win32_LogicalDisk), which lists the logical disks on a remote server or on your own PC.

To get only the disks worth scanning we use the command with -filter. DriveType = 3 means a local fixed disk, so removable media, network drives and CD-ROMs are left out:

gwmi win32_logicaldisk -filter "DriveType = 3" | select-object DeviceID

How to detect Log4j vulnerable devices using PowerShell?

Let's go through, step by step, how I built this script, how it runs and what output to expect from it.

#Step 1

This is my usual way of starting a foreach loop: read the list of server names from a text file (one name per line) and iterate over it, printing each name as it is processed.

# $server holds the whole list; $servers is the current server name in each pass
$server = gc C:\users\admin\desktop\servers.txt
foreach ($servers in $server) {
    $servers   # print the name so you can follow progress

#Step 2

We use Invoke-Command to run a block of commands on the remote server. This needs PowerShell Remoting (WinRM) enabled on the target and an account that is allowed to connect to it.

The if condition checks whether the remote server already has the folder C:\temp. If the folder does not exist, it is created on the remote server.

With echo $null > we create the output file, named after the remote computer, or truncate it if it already exists, so every run starts with an empty result file rather than appending to an old one.

Invoke-Command -ComputerName $servers -ScriptBlock {
    # create C:\temp on the remote server if it is missing
    if ((Test-Path "c:\temp") -eq $false) { New-Item -Path c:\ -Name Temp -ItemType Directory }
    # create (or empty) the per-server result file; $env:COMPUTERNAME is evaluated on the remote side
    echo $null > C:\temp\${env:COMPUTERNAME}.csv

#Step 3

As discussed earlier, gwmi win32_logicaldisk -filter "DriveType = 3" | select-object DeviceID returns the fixed-disk volumes (C:, D:, and so on) of the server.

The pipe after DeviceID feeds each volume into Foreach-Object, so the same set of commands runs once per volume that was found.

Get-ChildItem recurses through the whole volume and finds files whose name matches log4j*.jar. The full path of each hit is then selected and saved to the result file. Note that the file is saved on the remote server, not on the machine running the script. Two caveats worth knowing: the match is by file name only, so Log4j classes bundled inside another archive (an application's uber-jar, WAR or EAR) are not found, and a hit does not by itself tell you the version, so treat each hit as a lead to verify rather than a confirmed vulnerable server.

# one pass per fixed disk; -rec is short for -Recurse
gwmi win32_logicaldisk -filter "DriveType = 3" | select-object DeviceID |
Foreach-object {
    get-childitem -path ($_.DeviceID + "\") -include "log4j*.jar" -rec
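The three steps assembled into one complete script, as an added example and not the post's own listing (the post's code stops after the Get-ChildItem call). Assumptions that go beyond the post: the hits are written to the per-server CSV from Step 2 with Export-Csv and also returned to the caller; access-denied errors during the recursive search are suppressed; and a small helper (Get-JarVersion, not in the post) reads the version from the jar's Maven pom.properties so a hit can be triaged without opening the archive by hand. The servers.txt path is the one used in the post.

```powershell
# Added example: Steps 1-3 assembled, plus output and a version lookup (assumptions, see lead-in).
# Requires PowerShell Remoting (WinRM) to each server listed in servers.txt.
$serverList = Get-Content 'C:\users\admin\desktop\servers.txt'

$allHits = foreach ($server in $serverList) {
    Write-Host "Scanning $server"

    Invoke-Command -ComputerName $server -ScriptBlock {
        # Step 2: make sure C:\temp exists and start with an empty result file
        if (-not (Test-Path 'C:\temp')) {
            New-Item -Path 'C:\' -Name 'Temp' -ItemType Directory | Out-Null
        }
        $outFile = "C:\temp\$env:COMPUTERNAME.csv"
        New-Item -Path $outFile -ItemType File -Force | Out-Null   # -Force truncates an existing file

        # Helper (assumption, not in the post): read the version from the jar's pom.properties.
        # Matches both Log4j 2 (org.apache.logging.log4j/log4j-core) and Log4j 1 (log4j/log4j) layouts.
        Add-Type -AssemblyName System.IO.Compression.FileSystem
        function Get-JarVersion([string]$JarPath) {
            try {
                $zip = [System.IO.Compression.ZipFile]::OpenRead($JarPath)
                try {
                    $entry = $zip.Entries |
                        Where-Object { $_.FullName -like 'META-INF/maven/*/log4j*/pom.properties' } |
                        Select-Object -First 1
                    if (-not $entry) { return 'unknown' }
                    $reader = New-Object System.IO.StreamReader($entry.Open())
                    try {
                        $line = ($reader.ReadToEnd() -split "`r?`n") |
                            Where-Object { $_ -like 'version=*' } | Select-Object -First 1
                        if ($line) { return $line.Substring('version='.Length) }
                        return 'unknown'
                    } finally { $reader.Dispose() }
                } finally { $zip.Dispose() }
            } catch { return 'unreadable' }
        }

        # Step 3: every fixed disk (DriveType = 3), searched recursively for log4j*.jar
        $hits = Get-WmiObject Win32_LogicalDisk -Filter "DriveType = 3" |
            Select-Object -ExpandProperty DeviceID |
            ForEach-Object {
                Get-ChildItem -Path ($_ + '\') -Include 'log4j*.jar' -Recurse -File -ErrorAction SilentlyContinue
            } |
            ForEach-Object {
                [pscustomobject]@{
                    ComputerName = $env:COMPUTERNAME
                    FullName     = $_.FullName
                    Version      = Get-JarVersion $_.FullName
                    LastWrite    = $_.LastWriteTime
                }
            }

        # Export-Csv cannot take a null input, so only write when something was found;
        # otherwise the empty file created above is the result.
        if ($hits) { $hits | Export-Csv -Path $outFile -NoTypeInformation }
        $hits   # also return the rows so the caller can collect them centrally
    }
}

# Central copy on the scanning machine (assumed path); PSComputerName is added by Invoke-Command
$allHits | Export-Csv -Path 'C:\temp\log4j-scan.csv' -NoTypeInformation
$allHits | Format-Table PSComputerName, Version, FullName -AutoSize
```

The Version column is what makes the output actionable: a row showing log4j-core with a 2.x version below the fixed release is the one to act on first, while "unknown" or "unreadable" rows still need a manual look. Because the search is by file name, an application that ships Log4j inside its own archive will not appear here at all, so a clean result from this script is not proof that a server is clean.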

