Edit findl4jvulnerabilities

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @nixuno

.gitignore

@@ -0,0 +1,7 @@
+*.txt
+*.log
+*.csv
+log4shell.exe
+Everything/*
+Everything.zip
+.vscode/*

EverythingConfig.ini

@@ -0,0 +1,4 @@
+[Everything]
+auto_include_removable_refs_volumes=1
+auto_include_removable_volumes=1
+hide_empty_search_results=1

README.md

@@ -1,6 +1,15 @@
 # Log4Shell Enumeration, Mitigation and Attack Detection Tool
-### Build 8b, 13th December 2021
-_By Datto, For the MSP Community_
+_Based on Build 8b By Datto_
+
+## Fork Edits
+- Added param block, preserving initial `$env` variable usage
+- Changed appropriate paths to point to the location of the script and not the current directory of the shell
+- Editing some formatting
+- Implemented Everything search option
+- Implemented Luna scan from https://github.com/lunasec-io/lunasec/tree/master/tools/log4shell
+- Overhauled logging system
+- Added Robocopy option before using Get-ChildItem
+- Implemented PowerShell upgrade
 
 ## Summary
 This is a PowerShell-based script that can be run on a Windows system (it has been neither written for, nor tested with, other platforms) to:
@@ -9,7 +18,7 @@ This is a PowerShell-based script that can be run on a Windows system (it has be
         * _This is not conclusive and should be used for reference only_
 * Using the YARA tool and [Florian Roth's definitions](https://github.com/Neo23x0/signature-base/blob/master/yara/expl_log4j_cve_2021_44228.yar), check all JAR, LOG and TXT files on the system for indicators of Log4Shell attacks
 
-The script was originally developed as a Component for the [Datto RMM software](www.datto.com/rmm); however, as part of Datto's ongoing commitment to the MSP, it has been released for free for the Community.
+The script was originally developed as a Component for the [Datto RMM software](www.datto.com/rmm); however, as part of Datto's ongoing commitment to the MSP, it has been released for free for the Community and heavily modified by ProVal Tech.
 
 ## Usage
 
@@ -19,8 +28,8 @@ Three environment variables _(ie: $env:variableName)_ must be furnished, either
     * Value of 2: Scan all fixed and removable drives
     * Value of 3: Scan all drives, including Network drives _(Slowest scan time -- may take several hours)_
 * usrUpdateDefs
-    * Value of `true`: Download the latest YARA definitions from Florian Roth to scan files against
-    * Value of `false`: Use definitions attached
+    * Value of `$True`: Download the latest YARA definitions from Florian Roth to scan files against
+    * Value of `$False`: Use definitions attached
 * usrMitigate
     * Value of Y: Inoculate system by setting `LOG4J_FORMAT_MSG_NO_LOOKUPS` environment variable to `TRUE`
     * Value of N: De-inoculate system by setting `LOG4J_FORMAT_MSG_NO_LOOKUPS` environment variable to `FALSE` (Use with caution!)
@@ -30,8 +39,10 @@ Three environment variables _(ie: $env:variableName)_ must be furnished, either
 
 * [Yara](https://github.com/VirusTotal/yara) 4.1.3-1755 (32- & 64-bit) & COPYING document
 * Florian Roth's YARA definitions for Log4Shell as of 13th December 2021
-
+* [Luna](https://github.com/lunasec-io/lunasec/tree/master/tools/log4shell)
 ## Credits
 This script was written by seagull for Datto RMM and the wider MSP Community. It may be freely copied, edited and redistributed provided credits to Datto, seagull & a link to this GitHub repo remain in the comments.  
 YARA is a tool by the VirusTotal project. The definitions used here were created by Florian Roth.  
 www.datto.com/rmm
+
+Forked and modified by [ProVal Tech](https://www.provaltech.com)

expl_log4j_cve_2021_44228.yar

@@ -0,0 +1,175 @@
+
+rule EXPL_Log4j_CallBackDomain_IOCs_Dec21_1 {
+   meta:
+      description = "Detects IOCs found in Log4Shell incidents that indicate exploitation attempts of CVE-2021-44228"
+      author = "Florian Roth"
+      reference = "https://gist.github.com/superducktoes/9b742f7b44c71b4a0d19790228ce85d8"
+      date = "2021-12-12"
+      score = 60
+   strings:
+      $xr1  = /\b(ldap|rmi):\/\/([a-z0-9\.]{1,16}\.bingsearchlib\.com|[a-z0-9\.]{1,40}\.interact\.sh|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):[0-9]{2,5}\/([aZ]|ua|Exploit|callback|[0-9]{10}|http443useragent|http80useragent)\b/
+   condition:
+      1 of them
+}
+
+rule EXPL_JNDI_Exploit_Patterns_Dec21_1 {
+   meta:
+      description = "Detects JNDI Exploit Kit patterns in files"
+      author = "Florian Roth"
+      reference = "https://github.com/pimps/JNDI-Exploit-Kit"
+      date = "2021-12-12"
+      score = 60
+   strings:
+      $ = "/Basic/Command/Base64/"
+      $ = "/Basic/ReverseShell/"
+      $ = "/Basic/TomcatMemshell"
+      $ = "/Basic/JettyMemshell"
+      $ = "/Basic/WeblogicMemshell"
+      $ = "/Basic/JBossMemshell"
+      $ = "/Basic/WebsphereMemshell"
+      $ = "/Basic/SpringMemshell"
+      $ = "/Deserialization/URLDNS/"
+      $ = "/Deserialization/CommonsCollections1/Dnslog/"
+      $ = "/Deserialization/CommonsCollections2/Command/Base64/"
+      $ = "/Deserialization/CommonsBeanutils1/ReverseShell/"
+      $ = "/Deserialization/Jre8u20/TomcatMemshell"
+      $ = "/TomcatBypass/Dnslog/"
+      $ = "/TomcatBypass/Command/"
+      $ = "/TomcatBypass/ReverseShell/"
+      $ = "/TomcatBypass/TomcatMemshell"
+      $ = "/TomcatBypass/SpringMemshell"
+      $ = "/GroovyBypass/Command/"
+      $ = "/WebsphereBypass/Upload/"
+   condition:
+      1 of them
+}
+
+rule EXPL_Log4j_CVE_2021_44228_JAVA_Exception_Dec21_1 {
+   meta:
+      description = "Detects exceptions found in server logs that indicate an exploitation attempt of CVE-2021-44228"
+      author = "Florian Roth"
+      reference = "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b"
+      date = "2021-12-12"
+      score = 60
+   strings:
+      $xa1 = "header with value of BadAttributeValueException: "
+
+      $sa1 = ".log4j.core.net.JndiManager.lookup(JndiManager"
+      $sa2 = "Error looking up JNDI resource"
+   condition:
+      $xa1 or all of ($sa*)
+}
+
+rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft {
+   meta:
+      description = "Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228"
+      author = "Florian Roth"
+      reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
+      date = "2021-12-10"
+      modified = "2021-12-12"
+      score = 60
+   strings:
+      $ = "${jndi:ldap:/"
+      $ = "${jndi:rmi:/"
+      $ = "${jndi:ldaps:/"
+      $ = "${jndi:dns:/"
+      $ = "${jndi:iiop:/"
+      $ = "${jndi:http:/"
+      $ = "${jndi:nis:/"
+      $ = "${jndi:nds:/"
+      $ = "${jndi:corba:/"
+   condition:
+      1 of them
+}
+
+rule EXPL_Log4j_CVE_2021_44228_Dec21_OBFUSC {
+   meta:
+      description = "Detects obfuscated indicators in server logs that indicate an exploitation attempt of CVE-2021-44228"
+      author = "Florian Roth"
+      reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
+      date = "2021-12-12"
+      score = 60
+   strings:
+      $x1 = "$%7Bjndi:"
+      $x2 = "%2524%257Bjndi"
+      $x3 = "%2F%252524%25257Bjndi%3A"
+      $x4 = "${jndi:${lower:"
+      $x5 = "${::-j}${"
+      $x6 = "${${env:BARFOO:-j}"
+      $x7 = "${::-l}${::-d}${::-a}${::-p}"
+      $x8 = "${base64:JHtqbmRp"
+   condition:
+      1 of them
+}
+
+rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
+   meta:
+      description = "Detects indicators in server logs that indicate the exploitation of CVE-2021-44228"
+      author = "Florian Roth"
+      reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
+      date = "2021-12-10"
+      modified = "2021-12-12"
+      score = 80
+   strings:
+      $x1 = /\$\{jndi:(ldap|ldaps|rmi|dns|iiop|http|nis|nds|corba):\/[\/]?[a-z-\.0-9]{3,120}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}/
+      $fp1r = /(ldap|rmi|ldaps|dns):\/[\/]?(127\.0\.0\.1|192\.168\.|172\.[1-3][0-9]\.|10\.)/
+   condition:
+      $x1 and not 1 of ($fp*)
+}
+
+rule SUSP_Base64_Encoded_Exploit_Indicators_Dec21 {
+   meta:
+      description = "Detects base64 encoded strings found in payloads of exploits against log4j CVE-2021-44228"
+      author = "Florian Roth"
+      reference = "https://twitter.com/Reelix/status/1469327487243071493"
+      date = "2021-12-10"
+      score = 70
+   strings:
+      /* curl -s  */
+      $sa1 = "Y3VybCAtcy"
+      $sa2 = "N1cmwgLXMg"
+      $sa3 = "jdXJsIC1zI"
+      /* |wget -q -O-  */
+      $sb1 = "fHdnZXQgLXEgLU8tI"
+      $sb2 = "x3Z2V0IC1xIC1PLS"
+      $sb3 = "8d2dldCAtcSAtTy0g"
+   condition:
+      1 of ($sa*) and 1 of ($sb*)
+}
+
+rule SUSP_JDNIExploit_Indicators_Dec21 {
+   meta:
+      description = "Detects indicators of JDNI usage in log files and other payloads"
+      author = "Florian Roth"
+      reference = "https://github.com/flypig5211/JNDIExploit"
+      date = "2021-12-10"
+      modified = "2021-12-12"
+      score = 70
+   strings:
+      $xr1 = /(ldap|ldaps|rmi|dns|iiop|http|nis|nds|corba):\/\/[a-zA-Z0-9\.]{7,80}:[0-9]{2,5}\/(Basic\/Command\/Base64|Basic\/ReverseShell|Basic\/TomcatMemshell|Basic\/JBossMemshell|Basic\/WebsphereMemshell|Basic\/SpringMemshell|Basic\/Command|Deserialization\/CommonsCollectionsK|Deserialization\/CommonsBeanutils|Deserialization\/Jre8u20\/TomcatMemshell|Deserialization\/CVE_2020_2555\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass)\//
+   condition:
+      filesize < 100MB and $xr1
+}
+
+rule SUSP_EXPL_OBFUSC_Dec21_1{
+   meta:
+      description = "Detects obfuscation methods used to evade detection in log4j exploitation attempt of CVE-2021-44228"
+      author = "Florian Roth"
+      reference = "https://twitter.com/testanull/status/1469549425521348609"
+      date = "2021-12-11"
+      score = 60
+   strings:
+      /* ${lower:X} - single character match */
+      $ = { 24 7B 6C 6F 77 65 72 3A ?? 7D }
+      /* ${upper:X} - single character match */
+      $ = { 24 7B 75 70 70 65 72 3A ?? 7D }
+      /* URL encoded lower - obfuscation in URL */
+      $ = "$%7blower:"
+      $ = "$%7bupper:"
+      $ = "%24%7bjndi:"
+      $ = "$%7Blower:"
+      $ = "$%7Bupper:"
+      $ = "%24%7Bjndi:"
+   condition:
+      1 of them
+}