├── package
│   ├── Windows
│   │   ├── yara64.exe
│   │   ├── msvcr100.dll
│   │   ├── scan.bat
│   │   ├── log4j.yar
│   │   ├── README.md
│   │   └── COPYING.txt
│   └── Linux
│       ├── scan.sh
│       ├── README.md
│       └── log4j.yar
├── log4j.yar
└── README.md

/package/Windows/yara64.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/bi-zone/Log4j_Detector/HEAD/package/Windows/yara64.exe
--------------------------------------------------------------------------------

/package/Windows/msvcr100.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/bi-zone/Log4j_Detector/HEAD/package/Windows/msvcr100.dll
--------------------------------------------------------------------------------

/package/Windows/scan.bat:
--------------------------------------------------------------------------------
@ECHO OFF
ECHO Start working
REM Start from empty result files so output of a previous run is not mixed in
TYPE NUL > scan_errors.txt
TYPE NUL > scan_results.txt
REM tasklist CSV rows look like "java.exe","1234",...: token 2 is the quoted PID,
REM %%~F strips the quotes. Only image names containing "java" are selected
REM (java.exe, javaw.exe); a JVM hosted by a differently named service wrapper is not scanned.
FOR /F "tokens=2 delims=," %%F in ('tasklist /NH /FO CSV ^| findstr /I java') DO (
    ECHO Found Java process with PID=%%~F
    ECHO Start scan of %%~F
    REM Scan the process memory; yara prints "<rule> <PID>" for every match
    yara64.exe log4j.yar %%~F >> scan_results.txt 2>> scan_errors.txt
    ECHO Complete scan of %%~F
)
REM %%~zR is the file size in bytes: an empty results file means no process matched
FOR %%R in (scan_results.txt) DO IF %%~zR LSS 1 ECHO Nothing found >> scan_results.txt
ECHO End working
--------------------------------------------------------------------------------

/package/Linux/scan.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Reading another user's process memory requires root, so run this as root.

command -v yara > /dev/null 2> /dev/null
if [ $? -eq 0 ]; then
    echo 'Start scan'

    ps aux > scan_processes.txt   # process snapshot, useful when triaging a reported PID later
    > scan_results.txt

    # "ps -eo pid,comm" prints "  PID COMMAND"; keep the lines whose command name
    # contains "java", drop the leading blanks, take the PID and hand it to yara.
    ps -eo pid,comm | grep -i java | grep -Eo '[0-9].*' | cut -d ' ' -f 1 | xargs -I '{}' yara log4j.yar '{}' >> scan_results.txt 2> scan_errors.txt
    if [ ! -s scan_results.txt ]; then
        echo 'Nothing found' >> scan_results.txt
    fi

    echo 'Stop scan'
else
    echo 'yara not found, please install yara:'
    echo '  apt-get install yara'
    echo 'or'
    echo '  yum install yara'
    exit 1
fi
--------------------------------------------------------------------------------

/package/Linux/README.md:
--------------------------------------------------------------------------------
# Log4j detection script

This is a ready-to-use script to detect Log4j in Java processes on Linux systems.

It only checks for the presence of Log4j; whether the version found is a vulnerable one is for you to verify.

You will need to install YARA (https://github.com/VirusTotal/yara) before using this script. YARA reads the memory of other processes, so run the script as root; otherwise processes owned by other users cannot be opened, and the errors end up in scan_errors.txt.

## How to scan?

1. Copy all files in this folder to the target computer.
2. Run scan.sh
3. Check scan_results.txt. If Log4j was found, this file contains the PID of each process that uses Log4j. Otherwise, it contains "Nothing found".

For example, if scan_results.txt contains the line
``log4j_memory 12162``
then the process with PID 12162 is a Java process that uses the Log4j library.

Only processes whose command name contains "java" are scanned. A JVM started under another name (an application server wrapper, for instance) has to be scanned by hand with ``yara log4j.yar <PID>``.
--------------------------------------------------------------------------------

/log4j.yar:
--------------------------------------------------------------------------------
rule log4j_memory
{
    meta:
        author = "BI.ZONE"
        version = "0.12"
        description = "Process memory signatures for Log4j"
        license = "Just do whatever you want"

    strings:
        // $s_*: package and resource path fragments of Log4j 1.x and 2.x as they
        // appear in loaded class names and paths ("wide" = UTF-16LE, for Windows paths)
        $s_1 = "\\log4j\\core\\" wide
        $s_2 = "\\apache\\logging\\log4j\\" wide
        $s_3 = "/apache/logging/log4j/" ascii
        $s_4 = "/log4j/core/config/" ascii
        $s_5 = "org.apache.logging.log4j." ascii
        $s_6 = "org.apache.log4j" ascii
        $s_7 = "org/apache/log4j/" ascii
        $s_8 = "log4j:message" ascii

        // $a_*: messages and MBean names from the Log4j code itself, which only a
        // loaded library (not a mere mention of its name) brings into memory
        $a_1 = "Log4j appears to be running in a Servlet environment" ascii
        $a_2 = "this tool is superseded by the annotation processor included in log4j-core" ascii
        $a_3 = "Error parsing Log4j schema" ascii
        $a_4 = "org.apache.logging.log4j2:type=%s,component=Loggers,name=%s,subtype=RingBuffer" ascii
        $a_5 = "log4j:ERROR" ascii
        $a_6 = "log4j error:" ascii
        $a_7 = "$log4j$spi$ErrorHandler" ascii

        // Guard: a process that holds the text of this rule in memory (the scanner itself) is not reported
        $this_rule = "we_dont_want_to_detect_this_rule_in_memory" ascii

    condition:
        2 of ($s_*) and 1 of ($a_*) and (not $this_rule)
}
--------------------------------------------------------------------------------

/package/Linux/log4j.yar:
--------------------------------------------------------------------------------
(identical copy of /log4j.yar above)
--------------------------------------------------------------------------------

/package/Windows/log4j.yar:
--------------------------------------------------------------------------------
(identical copy of /log4j.yar above)
--------------------------------------------------------------------------------

/package/Windows/README.md:
--------------------------------------------------------------------------------
# Log4j detection script

This is a ready-to-use script to detect Log4j in Java processes on Windows systems.

It only checks for the presence of Log4j; whether the version found is a vulnerable one is for you to verify.

This package contains the YARA (https://github.com/VirusTotal/yara) executable built for Win64, the msvcr100.dll library it needs, and the rule file (log4j.yar). YARA reads the memory of other processes, so run the script from an elevated (Administrator) command prompt; otherwise processes of other users and services cannot be opened, and the errors end up in scan_errors.txt.

## How to scan?

1. Copy all files in this folder to the target computer.
2. Run scan.bat
3. Check scan_results.txt. If Log4j was found, this file contains the PID of each process that uses Log4j. Otherwise, it contains "Nothing found".

For example, if scan_results.txt contains the line
``log4j_memory 12162``
then the process with PID 12162 is a Java process that uses the Log4j library.

You can then use the command
``wmic path win32_process get processid,commandline /format:csv | findstr 12162``
to get the command line of this Java process, to find which application uses the library and whether it already has the ``formatMsgNoLookups`` property set (see the Mitigations section of the top-level README).

Only processes whose image name contains "java" are scanned (java.exe, javaw.exe). A JVM hosted by a differently named service executable has to be scanned by hand with ``yara64.exe log4j.yar <PID>``.
--------------------------------------------------------------------------------

/package/Windows/COPYING.txt:
--------------------------------------------------------------------------------
Copyright (c) 2007-2016. The YARA Authors. All Rights Reserved.

Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Log4j Detection

You can use this YARA rule to detect the presence of Log4j and then determine whether it is vulnerable to Log4Shell (CVE-2021-44228) or not. If it is, you can use the mitigations listed below to handle the situation.
In the package folder you can find a ready-made package which includes the YARA executable, the rule file (log4j.yar), and cmd\bash scripts for running it on Windows and Linux systems.

## Scanning for Log4Shell

Log4Shell is a serious remote code execution (RCE) vulnerability in the Log4j logging library, which is widely used in Java applications. Because it is often difficult to check whether a specific application uses a potentially vulnerable version of this library, we provide this YARA rule to help with that task. With it, you can scan the running processes on your systems for the presence of Log4j.

## Usage instructions

Use the provided YARA rule to scan running Java processes. If the rule detects Log4j, its output looks like:

```
log4j_memory 12162
```

where 12162 is the process identifier (PID) of the process in which Log4j has been found.

YARA reads the memory of other processes, so run the commands below as root on Linux or from an elevated (Administrator) prompt on Windows; a process that cannot be opened is reported as an error, not as "not found". Both commands select processes by the name "java", so a JVM running under another executable name must be scanned by hand with its PID.

### Windows
You can use the following commands to scan Windows hosts:

```
tasklist /FO CSV > scan_processes.txt
FOR /F "tokens=2 delims=," %%F in ('tasklist /NH /FO CSV ^| findstr /I java') DO yara64.exe log4j.yar %%~F >> scan_results.txt
```

Inside a .bat file the loop variable is written ``%%F`` and ``%%~F`` as above; when typing the command at an interactive prompt, use ``%F`` and ``%~F`` instead.

### Linux
First, make sure that the YARA package is installed on the system. Then you can use the following command to scan Linux hosts:

```
ps -eo pid,comm | grep -i java | grep -Eo '[0-9].*' | cut -d ' ' -f 1 | xargs -I '{}' yara log4j.yar '{}' > scan_results.txt
```

## Mitigations

For Log4j version 2.10 or greater, this vulnerability can be mitigated by setting the ``log4j2.formatMsgNoLookups`` system property, or by setting the environment variable ``LOG4J_FORMAT_MSG_NO_LOOKUPS``, to true (an application restart is required).

Versions 2.0-beta9 to 2.10.0 can be mitigated by removing the JndiLookup class from the classpath: ``zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class``

Both mitigations are stop-gaps. The ``formatMsgNoLookups`` setting was later found not to cover every configuration (CVE-2021-45046), so upgrade ``log4j-core`` to a fixed release as soon as possible; the rule above only tells you where Log4j is loaded, not which version it is.

--------------------------------------------------------------------------------
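The READMEs leave the version check to the reader, and the Mitigations section names two different fixes depending on the version range. The script below, added here as an example and not part of the BI.ZONE Log4j_Detector package, takes a PID from scan_results.txt on a Linux host, finds the log4j jars that JVM has on its command line or holds open, reads the version from the jar file name, checks whether JndiLookup.class is still inside the jar, and reports which mitigation from the README applies. The file name convention (log4j-core-<version>.jar, log4j-<version>.jar for 1.x), the /proc layout and the need for root are assumptions; the version table follows the README and adds the backport releases 2.12.2+ (Java 7) and 2.3.1+ (Java 6), which also fix CVE-2021-44228.

```shell
#!/bin/sh
# log4j_triage.sh - added example, not part of the BI.ZONE Log4j_Detector package.
# Usage: sh log4j_triage.sh <PID>   (the PID printed by yara, e.g. 12162)
# Linux only: /proc/<pid>/cmdline, environ and fd are readable as root or as the target's user.
# Assumed jar naming: log4j-core-<version>.jar (2.x) or log4j-<version>.jar (1.x).

# "2.14.1" -> 2014001, "2.10" -> 2010000, "2.0-beta9" -> 2000000 (suffix dropped),
# so versions can be compared with the shell's integer tests.
version_key() {
    v="${1%%-*}"
    major="${v%%.*}"; rest="${v#*.}"
    [ "$rest" = "$v" ] && rest=0
    minor="${rest%%.*}"; patch="${rest#*.}"
    [ "$patch" = "$rest" ] && patch=0
    printf '%d%03d%03d\n' "$major" "$minor" "$patch"
}

# /opt/app/lib/log4j-core-2.14.1.jar -> 2.14.1 ; log4j-1.2.17.jar -> 1.2.17
version_from_name() {
    base=$(basename "$1" .jar)
    base="${base#log4j-core-}"
    echo "${base#log4j-}"
}

# Which mitigation from the README applies (echoes one token):
#   not-log4j2          1.x: a different code base, not affected by CVE-2021-44228
#   remove-JndiLookup   2.0-beta9 .. 2.9.x: delete JndiLookup.class from the jar
#   formatMsgNoLookups  2.10.0 .. 2.14.1: the property / env var exists (upgrading is still the real fix)
#   fixed-44228         2.15.0+, plus the 2.12.2+ (Java 7) and 2.3.1+ (Java 6) backports
mitigation_for_version() {
    key=$(version_key "$1")
    if   [ "$key" -lt 2000000 ]; then echo not-log4j2
    elif [ "$key" -ge 2015000 ]; then echo fixed-44228
    elif [ "$key" -ge 2012002 ] && [ "$key" -lt 2013000 ]; then echo fixed-44228
    elif [ "$key" -ge 2003001 ] && [ "$key" -lt 2004000 ]; then echo fixed-44228
    elif [ "$key" -ge 2010000 ]; then echo formatMsgNoLookups
    else echo remove-JndiLookup
    fi
}

# True when the JVM arguments / environment on stdin (one entry per line) already
# carry the property or variable from the README's first mitigation.
nolookups_in_args() {
    grep -qE '(^|[^[:alnum:]])(-Dlog4j2\.formatMsgNoLookups|LOG4J_FORMAT_MSG_NO_LOOKUPS)=true($|[^[:alnum:]])'
}

nolookups_applied() {
    { tr '\000' '\n' < "/proc/$1/cmdline"; tr '\000' '\n' < "/proc/$1/environ"; } 2>/dev/null | nolookups_in_args
}

# log4j jars on the class path (-cp a.jar:b.jar) or among the files the JVM holds open.
# Fat jars (log4j nested inside the application jar) and unpacked class directories
# are not found this way and must be inspected by hand.
find_log4j_jars() {
    {
        tr '\000' '\n' < "/proc/$1/cmdline" | tr ':' '\n'
        for fd in /proc/"$1"/fd/*; do readlink "$fd"; done
    } 2>/dev/null | grep -E '(^|/)log4j(-core)?-[0-9][^/]*\.jar$' | sort -u
}

# Version from the file name, plus a direct look for the class the JNDI lookup lives in.
inspect_jar() {
    ver=$(version_from_name "$1")
    if ! command -v unzip >/dev/null 2>&1; then
        jndi="unknown (unzip not installed)"
    elif unzip -l "$1" 2>/dev/null | grep -q 'org/apache/logging/log4j/core/lookup/JndiLookup.class'; then
        jndi=present
    else
        jndi=absent
    fi
    printf '%s\n  version=%s JndiLookup.class=%s action=%s\n' "$1" "$ver" "$jndi" "$(mitigation_for_version "$ver")"
}

if [ -n "${1:-}" ]; then
    if nolookups_applied "$1"; then
        echo "PID $1: formatMsgNoLookups is already set for this JVM"
    fi
    jars=$(find_log4j_jars "$1")
    if [ -z "$jars" ]; then
        echo "PID $1: no log4j jar on the command line or among open files; inspect the application manually"
    else
        echo "$jars" | while IFS= read -r jar; do inspect_jar "$jar"; done
    fi
fi
```

A reported action of formatMsgNoLookups with JndiLookup.class still present and no property set is the combination that needs attention first; remove-JndiLookup on a jar where the class is already absent means the second mitigation from the README has been applied. The script reads the version from the jar name only, so a renamed or repackaged jar has to be checked with ``unzip -p <jar> META-INF/MANIFEST.MF``.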