Log4J Vulnerability Detection Procedure (Linux/Windows)

Gonzalo Carrillo (Miami, FL), Member, Kaseya Certified, Kaseyan, Automation Exchange Administrator

MODERATOR

edited January 24 in Solutions

Version: 2.0

Description: This agent procedure helps detect if the target machine is a victim of the Log4j vulnerability.

Instructions: Please see attached PDF.

Disclaimer: Kaseya has used the Open Source LunaSec Detection Tool (https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/) to assist with the detection of the Log4J vulnerability, but due to the environmental variables and in keeping with best security practices, a clean result cannot guarantee protection from compromise. Kaseya recommends use of this script in conjunction with a layered organizational defensive strategy for most complete protection.

Comments

  • Jason vanmuyden, Member

    This is not working; it only works if you don't have the vulnerability. If vulnerable, it's not working. Please help.

  • Kyle Dumas, Member

    I am unable to get this procedure to run.

    12:12:18 pm 28-Dec-21 Log4j detect Log4j detect is being rescheduled.

    12:01:33 pm 28-Dec-21 Log4j detect Failed THEN in step 8 (Line 24)

    12:01:33 pm 28-Dec-21 Log4j detect FAILED in THEN step 8, execute script Log4j detect-0007(ID = 620632059) (Line 24)

    12:01:33 pm 28-Dec-21 Log4j detect-0007 Failed THEN in step 5 (Line 29)

    12:01:33 pm 28-Dec-21 Log4j detect-0007 FAILED in THEN step 5, execute script Write text to file(ID = 422) (Line 29)

    12:01:33 pm 28-Dec-21 Write text to file Failed THEN in step 2

    12:01:33 pm 28-Dec-21 Write text to file FAILED in processing THEN step 2, Execute DOS Command, with error Invalid Message Data, >>"c:\KaseyaTemp/log4jvul.txt" echo [90m6:00PM[0m | [33mwarn[0m | unable to access file [31merror=[0m[31m"CreateFile C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.MicrosoftSolitaireCollection_4.10.10270.0_x64__8wekyb3d8bbwe62b6a3db-7444-4854-aecc-0d9d8b945367\\Solitaire.exe: Access is denied."[0m [34mpath[0m: "C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.MicrosoftSolitaireCollection_4.10.10270.0_x64__8wekyb3d8bbwe62b6a3db-7444-4854-aecc-0d9d8b945367\\Solitaire.exe" [90m6:00PM[0m |

    12:01:33 pm 28-Dec-21 Write text to file-0001 Success ELSE

    12:01:33 pm 28-Dec-21 Write text to file-0003 Success ELSE

    12:01:33 pm 28-Dec-21 Execute Shell command - Get Results to Variable Success THEN

    12:01:33 pm 28-Dec-21 Execute Shell command - Get Results to Variable-0001 Success THEN

    12:01:33 pm 28-Dec-21 Execute Shell command - Get Results to Variable-0010 Success THEN

    12:01:31 pm 28-Dec-21 Execute Shell command - Get Results to Variable-0002 Success THEN

    12:01:31 pm 28-Dec-21 Execute Shell command - Get Results to Variable-0003 Success THEN

    12:01:31 pm 28-Dec-21 Execute Shell command - Get Results to Variable-0004 Success THEN

    12:01:31 pm 28-Dec-21 Execute Shell command - Get Results to Variable-0005 Success ELSE

    12:01:31 pm 28-Dec-21 Execute Shell command - Get Results to Variable-0005 Executing command in 64-bit shell as system: Powershell.exe -NoProfile -ExecutionPolicy Bypass -File c:\KaseyaTemp/FindLog4j.ps1 c:\KaseyaTemp\log4shell.exe >"c:\KaseyaTemp\commandresults-1277258340.txt" 2>&1

    11:59:43 am 28-Dec-21 Log4j detect-0006 Success ELSE

    11:59:43 am 28-Dec-21 Log4j detect-0005 Success ELSE

    11:59:43 am 28-Dec-21 Log4j detect-0004 Success ELSE

    11:59:43 am 28-Dec-21 Log4j detect-0003 Success THEN

    11:59:43 am 28-Dec-21 Log4j detect-0002 Success ELSE

    11:59:43 am 28-Dec-21 Log4j detect-0001 Success ELSE 
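    The failing "Write text to file" step in the log above is fed the scanner's raw console output, colour codes and all. As an added example (not part of the Kaseya procedure or the LunaSec tool, and written in Python rather than the PowerShell the procedure invokes so the logic stands alone), the block below strips the ANSI colour sequences, parses each line into time, level, message and key="value" fields, and separates files the scanner could not open from the other records; the sample lines are constructed from the warn line in the log, with the path shortened.

```python
import re

# The scanner colours its console output with SGR sequences such as ESC[90m / ESC[0m;
# in the log above they reach the 'Write text to file' step as raw bytes.
ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")
# One record per line: "<time> | <level> | <message plus key="value" fields>"
LINE_RE = re.compile(r"^(?P<time>\S+)\s*\|\s*(?P<level>[a-z]+)\s*\|\s*(?P<rest>.*)$")
# key="value" or key: "value"; values may hold escaped quotes and doubled backslashes
FIELD_RE = re.compile(r'(\w+)\s*[=:]\s*"((?:[^"\\]|\\.)*)"')

# Constructed sample modelled on the warn line in the thread (path shortened, <ESC>
# swapped for the real escape byte); the wording of the info line is illustrative only.
SAMPLE = r"""
<ESC>[90m6:00PM<ESC>[0m | <ESC>[33mwarn<ESC>[0m | unable to access file <ESC>[31merror=<ESC>[0m<ESC>[31m"CreateFile C:\\Program Files\\WindowsApps\\Deleted\\Example.exe: Access is denied."<ESC>[0m <ESC>[34mpath<ESC>[0m: "C:\\Program Files\\WindowsApps\\Deleted\\Example.exe"
<ESC>[90m6:00PM<ESC>[0m | <ESC>[32minfo<ESC>[0m | scanned 3 files
<ESC>[90m6:00PM<ESC>[0m |
""".replace("<ESC>", "\x1b")


def strip_ansi(text: str) -> str:
    """Remove colour codes so the text can be written to a plain results file."""
    return ANSI_RE.sub("", text)


def parse_line(raw: str):
    """Parse one scanner line; None for fragments that are not a full 'time | level | msg' record."""
    m = LINE_RE.match(strip_ansi(raw).strip())
    if not m:
        return None
    rest = m.group("rest")
    # Go-style quoting doubles backslashes inside values; fold them back to single ones
    fields = {k: v.replace("\\\\", "\\") for k, v in FIELD_RE.findall(rest)}
    return {"time": m.group("time"), "level": m.group("level"),
            "message": FIELD_RE.sub("", rest).strip(), "fields": fields}


def summarize(raw_output: str) -> dict:
    """Separate paths the scanner could not open (hence never checked) from other records."""
    unscanned, records, clean_lines = [], [], []
    for raw in raw_output.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # blank line, colour-only fragment, or truncated tail
        fields_txt = " ".join(f'{k}="{v}"' for k, v in rec["fields"].items())
        clean_lines.append(" | ".join([rec["time"], rec["level"],
                                       (rec["message"] + " " + fields_txt).strip()]))
        if rec["level"] == "warn" and rec["message"].startswith("unable to access file"):
            unscanned.append(rec["fields"].get("path", "<unknown>"))
        else:
            records.append(rec)
    # No findings plus a non-empty 'unscanned' list is not the same as a clean machine.
    return {"unscanned": unscanned, "records": records, "clean_lines": clean_lines}
```

    Writing `clean_lines` with ordinary file I/O instead of echoing the coloured output avoids the "Invalid Message Data" failure, and the `unscanned` list shows which paths the result says nothing about.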

  • andrey gonzalez, Member

    The Detect Log4j vulnerability Kaseya script was tested and it works OK.

    Of course, we improve it according to our needs.

  • Michael Bruce, Member

    Appreciate your efforts; however, it doesn't seem to pull back devices that I know are vulnerable (through a number of other detections).

    Qualys has made a really excellent vulnerability scanner free; maybe you could incorporate this with the procedure? I've attempted, but I just can't for the life of me get an export of the results back into a Kaseya system attribute. https://github.com/Qualys/log4jscanwin

  • Derrick, Member

    Is this working yet?

  • Gonzalo Carrillo (Miami, FL), Member, Kaseya Certified, Kaseyan, Automation Exchange Administrator

    MODERATOR

    We have updated the tool to address some of the reported failures. However, please note some limitations exist due to the use of the existing freeware.