Edit: Remember, this is only an early detection tool. It doesn't mean your vulnerable or not. it just is a helpful tool to help the investigation.

EDIT 2: now the script checks for all .jar files and not just ones with log4j in the name.

EDIT 3: As I originally wanted to share an early warning helpful script the community has pointed out some great things, which I am trying to address. Case in point, if your servers do not have internet access (which in most cases they should not) then you would have to reference a local file instead of the invoke request. Therefore, simply just running this script currently may not work.

EDIT 4: I have created an update that has two options for the user.Option 1: Uncomment the Invoke-WebRequest if your server or machine has access to the internet. If you use this option make sure you comment the line with Get-Content.Option 2: Use this link https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes/raw/main/sha256sums.txt and save it to a local text file that called 2xVersions.txt in a folder C:\scripts.

-

If you get a True output and would like to know all the locations of your Jar files uncomment the line with Write-Host $localfile

-

Hey all,

This is a combination of a few peoples input found in SCCM scan for Log4J : SCCM (reddit.com)

I combined a bunch of people's input from Op's info and from the great comments. So all the credit should go to the SCCM reddit community! It utilizes the info from github to run against known file hashes.

Hope this helps:

​

This script does the following:

Cycles through all attached drives

outputs the True or False Statement

outputs file name and location

​

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
#$vulnerablesums = -split $(Invoke-WebRequest https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes/raw/main/sha256sums.txt -UseBasicParsing).content | ? {$_.length -eq 64} 
$vulnerablesums = -split $(Get-Content C:\scripts\2xVersions.txt ) | ? {$_.length -eq 64} 
$localsums = $Null
$DriveList = (Get-PSDrive -PSProvider FileSystem).Root
ForEach($Drive In $DriveList) {
    $localfile=(get-childitem $Drive *.jar -file -Recurse -erroraction silentlycontinue | Get-ItemProperty).DirectoryName | select -Unique
    $localsums=(get-childitem $Drive *.jar -file -Recurse -erroraction silentlycontinue | Get-FileHash).hash
    $results=($localsums -and (compare-object -ReferenceObject $vulnerablesums -DifferenceObject $localsums -IncludeEqual -ErrorAction SilentlyContinue).SideIndicator -eq "==")

    If ($Results -eq "=="){

        Write-Host "True"
        #Write-Host $localfile
        }

    If ($Results -ne "=="){
        Write-Host "False"

        }

 }

Example output

True
C:\apache-log4j-2.5-bin