|
9 | 9 | usrUpdateDefs (bool): download the latest yara definitions from florian?
|
10 | 10 | usrMitigate (Y/N/X): ternary option to enable/disable 2.10+ mitigation (or do nothing). https://twitter.com/CyberRaiju/status/1469505680138661890
|
11 | 11 | #>
|
| 12 | +<# |
| 13 | +.SYNOPSIS |
| 14 | + Log4j Vulnerability (CVE-2021-44228) file scanner [windows] :: build 8b/seagull - ProVal Tech Fork |
| 15 | +.EXAMPLE |
| 16 | + Runs the scan tool, using Everything (https://www.voidtools.com) to search for files. Updates YARA definitions and adds the env variable LOG4J_FORMAT_MSG_NO_LOOKUPS mitigation. |
| 17 | + PS C:\> .\scanner-8b.ps1 -EverythingSearch -usrUpdateDefs $true -usrMitigate 'Y' |
| 18 | +.PARAMETER usrScanscope |
| 19 | + Sets the scope for drive scanning. -EverythingSearch overrides this setting. |
| 20 | + 1 - Home drive only |
| 21 | + 2 - All non-network drives |
| 22 | + 3 - All drives (local and network) |
| 23 | +.PARAMETER usrUpdateDefs |
| 24 | + Determines if defintion updates for YARA will be updated before scanning. |
| 25 | + $true - Definitions will be updated. |
| 26 | + $false - Definitions will not be updated. |
| 27 | +.PARAMETER usrMitigate |
| 28 | + Determines if the LOG4J_FORMAT_MSG_NO_LOOKUPS mitigation will be applied. |
| 29 | + 'Y' - Mitigation will be applied. |
| 30 | + 'N' - Mitigation will be removed. |
| 31 | + 'X' - Take no action. |
| 32 | +.PARAMETER EverythingSearch |
| 33 | + Use this switch to enable searching with Everything (https://www.voidtools.com) instead of Get-ChildItem. |
| 34 | + This will install the PSEverything module from PSGallery and temporarily install the Everything service. |
| 35 | +.NOTES |
| 36 | + Uses Florian Roth and Jai Minton's research (thank you!) |
| 37 | + RELEASED PUBLICLY for all MSPs, originally a Datto RMM ComStore Component. |
| 38 | + If you use code from this script, please credit Datto & seagull. |
| 39 | + Fork by ProVal Tech |
| 40 | + Fork Changes: |
| 41 | + - Added param block, preserving initial $env variable usage |
| 42 | + - Changed appropriate paths to point to the location of the script and not the current directory of the shell |
| 43 | + - Editing some formatting |
| 44 | + - Implemented Everything search option |
| 45 | + - Implemented Luna scan from https://github.com/lunasec-io/lunasec/tree/master/tools/log4shell |
| 46 | +#> |
12 | 47 | [CmdletBinding()]
|
13 | 48 | param (
|
14 |
| - [Parameter(Mandatory=$false)][int]$usrScanscope = $env:usrScanscope, |
| 49 | + [Parameter(Mandatory=$false)][ValidateSet(1,2,3)][int]$usrScanscope = $env:usrScanscope, |
15 | 50 | [Parameter(Mandatory=$false)][bool]$usrUpdateDefs = [System.Convert]::ToBoolean($env:usrUpdateDefs),
|
16 | 51 | [Parameter(Mandatory=$false)][ValidateSet('Y','N','X')][char]$usrMitigate = $env:usrMitigate,
|
17 | 52 | [Parameter(Mandatory=$false)][switch]$EverythingSearch
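Review bot: the tightened declaration on new line 49, `[Parameter(Mandatory=$false)][ValidateSet(1,2,3)][int]$usrScanscope = $env:usrScanscope`, does not actually constrain the environment-variable path: PowerShell applies validation attributes to arguments bound explicitly, not to a parameter's default value, so when `usrScanscope` is unset `[int]$null` evaluates to 0 and the script runs with a scan scope outside the documented 1-3 set. Either fall back to a documented value when the variable is empty, or re-check in the body, e.g. `if ($usrScanscope -notin 1..3) { throw "usrScanscope must be 1, 2 or 3" }`. Two documentation points in the new help block: `.EXAMPLE` (lines 15-17) should start with the command line `PS C:\> .\scanner-8b.ps1 -EverythingSearch -usrUpdateDefs $true -usrMitigate 'Y'` and put the description after it, because Get-Help renders the first line of an example as the code; and line 24 reads "Determines if defintion updates for YARA will be updated", which has a typo and a redundancy and should read "Determines whether the YARA definitions are updated before scanning."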
|
|