In this guide, I’m going to show you how to create a PowerShell Scanner in PDQ Inventory that reports whether the Log4j / Log4Shell vulnerability is present on any endpoints on your network.
Full disclosure, I didn’t create this scanner and want to credit this Reddit post for posting it.
However, I know a lot of PDQ users don’t know how to use the PowerShell Scanner functionality, or aren’t confident using it, so I’m writing up a quick how-to tutorial.
Let’s get started.
How the Script Works
This script will scan the C:\ drive of every computer on your network and return every log4j jar file it finds, along with its path and file hash.
Once the scan completes, you can create a new collection or report in PDQ Inventory to view the list of affected devices. At the very least, this will help you determine whether you have any computers that are potentially vulnerable. In my case, I used this scanner to discover a pattern: one business application that is installed on most computers may be vulnerable, so now I know where I need to focus my attention.
Keep in mind that this script is for Windows computers and servers only and may not be 100% accurate, but it is a good starting point. Because it matches on file name only, a copy of Log4j bundled inside another application’s jar, or a jar that has been renamed, will not be found.
There are a lot of affected services, so be sure to check out this list of affected products and their remediation recommendations and/or fixes: https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592
Launch PDQ Inventory
First, open PDQ Inventory. On the top ribbon, click New Scanner > Powershell.
Give it a name like Log4j, select the Script radio button, and then paste this code:
# Recursively find every file named log4j*.jar on the C:\ drive.
# -Filter does the name match; -File limits results to files (it is a switch, not a pattern).
$Log4jFiles = Get-ChildItem -Path "C:\" -Filter "log4j*.jar" -File -Recurse -ErrorAction SilentlyContinue
# Emit one object per jar; PDQ Inventory stores each output object as a row in the scanner results.
foreach ($jarfile in $Log4jFiles) {
    [PSCustomObject]@{
        'Filename' = $jarfile.Name
        'Location' = $jarfile.FullName
        'Sha1Hash' = (Get-FileHash $jarfile.FullName -Algorithm SHA1).Hash
    }
}
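The following is an added example, not the script from the Reddit post above. It extends the same idea in two ways: it walks every fixed drive rather than only C:\, and it opens each jar to check for the JndiLookup class that Log4Shell depends on and to read the Implementation-Version from the manifest where one is present. It can be pasted into a PDQ PowerShell Scanner in the same way; the function name Get-Log4jJarInfo is my own.

```powershell
# Added example (not the original post's script). Requires the .NET zip classes,
# which Windows PowerShell 5.1 needs loaded explicitly.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-Log4jJarInfo {
    param([string]$JarPath)
    $hasJndi = $false
    $version = $null
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($JarPath)
        try {
            foreach ($entry in $zip.Entries) {
                # Presence of this class is what makes log4j-core 2.x exposed to JNDI lookups.
                if ($entry.FullName -eq 'org/apache/logging/log4j/core/lookup/JndiLookup.class') {
                    $hasJndi = $true
                }
                if ($entry.FullName -eq 'META-INF/MANIFEST.MF') {
                    $reader = New-Object System.IO.StreamReader($entry.Open())
                    try {
                        while (($line = $reader.ReadLine()) -ne $null) {
                            if ($line -match '^Implementation-Version:\s*(\S+)') { $version = $Matches[1] }
                        }
                    } finally { $reader.Dispose() }
                }
            }
        } finally { $zip.Dispose() }
    } catch {
        # Not a readable zip (corrupt or locked): still report name, path and hash.
    }
    [PSCustomObject]@{
        Filename      = Split-Path $JarPath -Leaf
        Location      = $JarPath
        Sha1Hash      = (Get-FileHash $JarPath -Algorithm SHA1).Hash
        Version       = $version
        HasJndiLookup = $hasJndi
    }
}

# DriveType=3 selects local fixed disks, so D:\ data drives are covered too.
$drives = Get-CimInstance Win32_LogicalDisk -Filter "DriveType=3" | Select-Object -ExpandProperty DeviceID
foreach ($drive in $drives) {
    Get-ChildItem -Path "$drive\" -Filter 'log4j*.jar' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Log4jJarInfo -JarPath $_.FullName }
}
```

A jar that reports HasJndiLookup as True with a 2.x Version below the fixed releases is the one to prioritise; a jar where the class has already been removed will show False even if the file name still looks old.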
Run the Log4j Scan Profile
There are a couple of ways you can run this. Considering this scans every file and folder on a user’s C:\ drive, you may want to run it after hours to avoid slowing your end users’ computers down.
Manual Scan
Right-click on a collection > Scan Collection > Log4j to run it manually.
Scheduled Log4j Scan
Or, you can schedule this scan to run at a certain time. Click Scan Profiles at the top > Log4j > Edit Scan Profile.
This will open a new window where you can choose the Trigger time and then target an existing collection:
Viewing PowerShell Scanner Results in PDQ
Assuming your scan has completed, the next step is to view the results of the scan.
Right-click any computer > View Computer Details. Under the PowerShell tab, click the Log4j Scanner.
Checking every single computer this way would be very time-consuming, so the next logical step is to put the computers that contain these files into a new Collection.
Right click All Computers > New > Dynamic Collection.
Give it a name like Log4j Found and select the Powershell (log4j) scan profile. Then click OK.
You should now see a list of the computers that have been found to contain files with these names.
Wrapping Up
Keep in mind that this script may not find 100% of the affected files across your environment, but it’s a good starting point if you aren’t sure where to look.
For example, after running this, I found that 90% of my detections came from a single application. So, that tells me to keep an eye out for a remediation for that app above everything else, or to check whether that program is even susceptible to the exploit.
Good luck, and hopefully this guide helps you patch as quickly as possible!