
MS17-010 - Wannacry Malware Remote Monitor



This remote monitor runs some PowerShell 2.0 compatible code to detect if a rollup has been installed that includes the patch for the MS17-010 vulnerability.

If you have problems, please review the Troubleshooting Information in Post #3 below. Includes information on handling incorrect results.

 

The monitor created by this code is state based, and will report Success/Failure/Warning. There are three expected monitor results:

1 - A patch will be discovered that includes the March Rollup, and the machine will be reported as "Secured" with each KBID it found that was considered a valid patch resulting in Monitor Success State.

2 - Patching History was discovered, but no patches matching the criteria will be found. The output will be "Vulnerable", resulting in Monitor Failed State. Incomplete Results will be reported to identify systems where this monitor may be ineffective.

3 - The patching history will fail to obtain any data or the script will crash. If no history is detected, the monitor output will be "WARNING", resulting in Monitor WARNING State.

 

The KBID list is retrieved from a template property. This can be edited easily and the monitor will use the new KBLIST automatically.

To update the Template Property if it is missing any KBIDs:

 

 

To find the monitor and edit the group after importing:

 

 

Installation / Configuration

To import: Save and extract the .SQL file to your computer. The .PS1 is only for reference and is not used by the monitor. You do not need to do anything with it.

In Control Center: Tools->Import->SQL File - Browse to the saved file and import.

Or paste the code into SQLYog. (Warnings are expected, there should be no errors)

The remote monitor will be created as a Group Monitor on your "All Agents" group, with the Search Filter set to "No Agents". This will allow you to safely import the monitor and make any adjustments you like to the timing and alert settings before deploying to computers.

To activate the monitor, change the Search group to an appropriate value: (Possibly "Computer Types\Windows Computers")

Updating

The code is update friendly. Just import any new version again and it will make adjustments but should not change most of the monitor settings if you have changed them. You do not need to remove old monitor versions first. If you are a new user, just use the V7 solution. The older version files are included for reference but their use is not recommended or necessary.

IF you have modified the KBID list in the template, the import will not overwrite your changes. - To reset your list to the current defaults, change the template property value to '1' and then re-run the sql import.

 

LAST UPDATED - 20170519 @ 13:00:00UTC - Version 7.22

 

 

CHANGELOG

V7.22 - Reissued with more KB Updates. No other changes. Updated Regex is now:

401221[2-8]|4012598|4012606|4013198|4013429|401521[79]|4015219|4015221|4015438|401554[69]|401555[02]|401663[567]|4019215|401926[345]|401947[23]

V7.22 - Added another KBID to the known list. Replaced "-join ' '" with "|Out-String" to allow POSH 1.0 systems to report an error instead of crashing. Added monitor reset statement to SQL import. When updating, any monitors in known invalid states will be removed and re-created to ensure the reported results match the monitor's true state. Adjusted the Batch file to allow use as either a PowerShell or a Batch script. It can be run directly as a .ps1 just by renaming, no edits needed.

V7.21 - Corrected % encoding that generates an error on .Net 4.5 systems. - Monitor would report a "WARNING" status with the result "And Error Occurred Running the Program". Packaged PowerShell as a Batch File with 1-line ready syntax for easy testing.

V7.2 - Additional KBIDs added to known list. Included handling for Windows 10.0.15063 (Creators Update). Thank you to @ctaylor, @mrjoshua, others for reporting detection issues and suggested updates.

V7.1 - Corrected PS2.0 bug that prevented the display of discovered patches, but did not affect the results. Thank you to @mikejudd for reporting and helping to troubleshoot.

V7 - Complete rewrite. Parses the Windows Update history to track install/removal so that if an update is removed it will not be counted. Builds a list of KBIDs from Windows Update History and Get-Hotfix output. Output has been cleaned up to eliminate confusing "Success" messages and help identify collection issues that might cause a system to be reported Vulnerable when it is not. Collects a log of steps to provide details of what was discovered and errors encountered when debug output is enabled. This new monitor will not replace the old one. You can deploy them side by side and remove the old one when you are comfortable with the results.

 

V6.4 - Added Split() to the $wuKBLIST assignment to break the output into multiple lines. Reverted back to "%7C" instead of "|" to help out LT10.5 users. Thank you to @klaymore, @mcmcdtx, and others for feedback/troubleshooting that helped clear a few more errors.

V6.3 - Not published - Added try {} catch{} around WindowsUpdate History and Get-Hotfix steps to suppress error output.

V6.2 - Not published - Added -noprofile to powershell parameters to prevent loading of a profile script.

V6.1 - Expanded "sls" to Select-String, "gc" to Get-Content. Some agents didn't like the short aliases.

V6 - Fixes to get the Windows Updates History and Get-HotFixID command output to behave the same for PS2-PS5. This should help with the machines that had detection broken starting with the V5 changes. Added some output if the template property for the KBID's isn't found. Thank You to @armen, @johnsalle and others again for helping solve the PS2 vs. PS5 behaviors that were hurting the monitor's detection accuracy. Switched out "%7C" for "|" for readability.

 

V5 - Now using combined Windows Updates History + Get-HotfixID. Special thanks to @johnsalle and others for helping identify and troubleshoot machines that weren't detecting correctly to improve the results for all.

 

V4.1 - No changes, but I unwrapped the PS code and added a new .ps1 to the zip bundle. For anyone having questions/problems with the powershell, the .ps1 should be easier to troubleshoot from.

V4 - More Cowbell. Modified the Update Config command to only send to agents that DON'T have an Update Config command pending. Added unused variable "$MVer=4" to the beginning of the powershell section so that you can tell if your monitor updated without trying to do a before/after comparison of the entire command line. Modified the Interval to 900 seconds (15 minutes) to help people that didn't want to wait 6 hours to verify if a system needs updates.

 

V3 - Replaced the "CALL sp" function with an alternative to ensure ALL remote agents get the "Update Config" command queued. The prior method may have missed some or all agents.

 

V2 - The KBID list has been expanded from V1, some regex errors corrected, solution tested on XP.

Added alternate Update checking method "Get-Hotfix" to try and find patch information for systems where Windows Update history is blank.

The KBID list is a regex string stored in a template property (Under Template ID 1). If you just need to update the KBID list for ones that are missed, just change the template property value in your system. If you want alternate KBID lists (maybe broken out by OS version, etc.) you can create a template for each group and set the template property with your custom KBID list. I won't explain template properties, but since this solution uses them, there are ways to take advantage of that and extend the solution for your own situation.

 

V1 - Original Posting


MS17-010-VulnerabilityRemoteMonitor.zip


Hijacking my own first reply to add more notes:

 

If you want to be updated when this topic is updated, you can subscribe to the topic WITHOUT having to post to it. (If everyone posted just to subscribe, we would all have update emails telling us that the topic was updated... by people wanting updates. Not so helpful.)



FAQ

 

Should I be able to copy and paste the remote monitor into CMD prompt and run it manually? I get a bunch of errors if I do?

- NO. The remote monitor syntax is only designed for use as a remote monitor, operating from within the LabTech agent. The agent will replace %7C with |, %25 with %, and {%^tp:kbid_ms17_010^%} with the KB LIST Regex. To test the commands outside of LabTech, you must perform these replacements manually. A standalone .ps1 script is now included that is suitable for standalone use.

 

How long does it take to create the monitors? How long until changes take effect?

It is an internal LabTech process that:

1) Detects agents in the group without the monitor and generates the command to install the monitor.

2) Detects differences between the deployed monitor and the group monitor configuration, and issues the remove/install commands to agents.

On my system I normally see changes applied within 1-5 minutes. However, I have heard of other systems taking much longer. If the monitor is not deploying or updating for excessive periods (1 or more hours), after verifying the Search filter is not excluding the machines you should contact LabTech Support.

 

How long until it updates the results? How can I speed it up?

You can shorten the interval that the monitor repeats in, but it is not advisable to drop it below 5 minutes. *IF* your system can remove and rebuild monitors quickly, switching the search group to NO Agents, allowing the monitor count to reach 0, and then switching back to the correct search group will remove and re-install the monitor for all agents. They will immediately attempt to run the monitor and update its results. If you do not wait for the monitor to be removed from all agents before re-deploying, it can mess up the monitor on the agents, so do not cycle this too rapidly.

 

Troubleshooting Info/Known Issues:

When attempting to TEST the monitor, Labtech chokes on the "%" in {%^tp:kbid_ms17_010^%}. If you TEST the monitor, you must alter the command to read {%25^tp:kbid_ms17_010^%25}.

LabTech 10.5 users are reporting an error such as: ERR Conversion from string " XXX " to type 'Integer' is not valid.

Remote Monitors including the character "|" cause the error. Replace all instances of "|" with "%7C".

 

Monitor Result - WARNING. This indicates that neither Secured nor Vulnerable was found in the output. This means that no update history could be discovered through any means, or that the command crashed.

 

Monitor Result - EXE is missing - This will be reported if LabTech cannot find the path to the executable command. If powershell.exe is not in the path specified by the monitor or access is denied, this would be reported. More generally it suggests the monitor did not correctly install for some reason on that one agent. Monitor results are not always refreshed by LabTech when the monitor state has not changed. To reset a monitor for a single agent:

1 - Open the Agent Monitor Window. Click the "Override" button.

2 - Select the configuration tab. Change the interval to 60 seconds.

Change the command to: cmd.exe

Change the parameters to: /c echo Secured - MANUAL OVERRIDE

3 - Press Save to commit the changes. Wait until the monitor is reporting a Successful status.

4 - Open the Agent Monitor Window. Uncheck the "Override" button. Press Save. The monitor will be deleted and recreated automatically, and if there is an error the output should be correct.

 

Error Messages or unexpected output in the Monitor Results:

Monitor Output - Template Properties not found means the REGEX for the KBIDs was not resolvable, and will not be tested. This means many machines will be incorrectly identified as "Vulnerable". To troubleshoot (in order of likelihood to resolve):

1 - The agent needs the "Resend Config" command sent to learn the template property.

2 - The agent needs a restart.

3 - The agent does not have Template #1 (Default) applied to it. Solution - Determine what template(s) the agent has assigned and add the template property kbid_ms17_010 with the KBID regex from Template 1 to one that will apply to the agent.

 

Monitor Output - "Error retrieving Windows Update History". If there are errors communicating with the Windows Update service because it is disabled or damaged, or if Windows Update has no history this error will be reported. Verify the Windows Update Service can be started successfully. Check the Windows Update history by attempting to access the history in the Control Panel. An example of a system that this error would be reported on might report "Windows Updates have never been performed on this computer".

 

Monitor Output - "Error retrieving Get-Hotfix results". This error appears to be caused by broken WMI, either the service is disabled or components are damaged. Can be confirmed by running the Get-Hotfix command manually.

 

A monitor can report Success even with errors reported. In this example manual testing confirmed the error was being thrown but get-hotfix was still finding a match, so after the error text (which is not visible in the truncated output shown here) was the Secured - KBxxxx output that the monitor wants... If the monitor is green, it *IS* getting "Secured" back from the test.

The newest monitor revision suppresses error output when the detection was successful. Now only failed detections will report if errors were encountered while gathering update information.

 

 

Error Reported: "File C:\Windows\system32\config\systemprofile\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 cannot be loaded because the execution of scripts is disabled on this system."

Resolved with the -noprofile parameter before the -command parameter to PowerShell to prevent profile script loading.



Darren,

 

Thanks for this good work although a quick question if i may.

We have quite a number of machines on our systems and I was wondering which string in the SQL I need to change to insert it as a monitor in a customer group, as I couldn't find an 'all agents' referenced in it. I am pretty new to the LabTech stuff so apologies if the answer is glaringly obvious.

 

EDIT

 

For those that need to know I checked the SQL file and matched up the group ID (5) and swapped it for my new group ID.


Disregard this, it looks like it is flagging any recent cumulative update as a success.

 

I am still troubleshooting the issue, but it appears that the -and at

else {$xx = $xx|Where-Object {$_ -match 'KB({%^tp:kbid_ms17_010^%})' -or ( $_ -match '^((2017-0[3-9]|2017-1[0-2]|201[89]-[0-9]{2})|(Ma|A|Ju|[sOND][^ ]+ber).* 2017 |[a-z]{3,10} 201[89] )' -and $_ -match '(Security .*Rollup|Cumulative Update) for Windows')};

should be a -or reading

else {$xx = $xx|Where-Object {$_ -match 'KB({%^tp:kbid_ms17_010^%})' -or ( $_ -match '^((2017-0[3-9]|2017-1[0-2]|201[89]-[0-9]{2})|(Ma|A|Ju|[sOND][^ ]+ber).* 2017 |[a-z]{3,10} 201[89] )' -or $_ -match '(Security .*Rollup|Cumulative Update) for Windows')};

Is there any way to find this information out from the patch manager in 11? I'm curious whether I'm just not using it correctly or if the information simply isn't in there.

 

Not easily - you still have to sort through things. But easier than random queries.

see below from LT support:

 

The current media identified threat under MS17-010 has been fixed by Microsoft in the Monthly rollups in March and is included in the Monthly Rollups of May 9th.

Since these are Rollups, you will no longer see the March release as system viable.

For devices that have performed a recent Resend Hotfix the need for the patch will be seen.

In other words, if the patch to fix the exploit is not showing, then it is not needed based on that system’s configuration.

Standard patching concepts and rules apply.

The May Rollups that will include the March issues that Microsoft released are:

KB4019264 For Windows 7SP1 / Windows 2008R2 SP1

KB4019215 For Windows 8.1 / Windows 2012 R2 Standard

KB4019216 For Windows 2012 Standard

KB4019472 For Windows 10(1607) / Windows 2016

KB4012598 For out of date OS - Windows XP/Vista/8/2003

KB4013198 For out of date Windows 10(1511)

What needs to be done: Approve patches as normal, have your managed agents set to a patch schedule and allow them to update.

To check in Patch Manager if the above patches are installed, and allow you to manually deploy them do the following:

• Open your Patch Manager

• Click on “Patches” the puzzle piece in the upper left.

• Once the panel is loaded, select Global for all your clients.

• In the Upper Pane search field (far right of display) key in the KB numbers without the “KB” and separate by a space 4019264 4019215 4019216 4019472 4012598 4013198

• The upper pane will now display the aggregated list of the patches in your system.

• On each patch, select one at a time.

• In the lower pane will be a list of systems that see that patch as viable and the current Patch State.

• Filter the lower pane by the word attempted

• This will show only the systems where the patches are viable and not installed.

• You can now highlight those systems and use the Install Patch on Device control (Down arrow) to push an install to those systems that are online.

• Standard reboot window assigned to agent will apply (So will only reboot if still inside reboot window based on your settings)

• Further monitoring of the patch jobs can be seen using Dataviews>Patching>Patch History; this way you can manually work with systems that have environmental errors.


That's definitely better than the random queries. I had better luck with the remote monitor, however. Through the UI, I was able to tell if the May patches were missing, but because I *just* approved the May rollups recently, it was hard to tell whether a system had March/April installed (so already fixed) and just not May.

 

Confusing for sure, but I did manage to get everything sorted out.


I've got this set up but it is detecting around 50% of machines as not having the patch installed even though they have. If I run the .ps1 script it works fine:

 

PS C:\> .\MS17-010-VulnerabilityRemoteMonitor.ps1

WU Patch History Available - Selecting History of patches installed, limited to operations

"InProgress, Succeeded and SucceededWithErrors"

Limiting final results to only include the Title

Filtering $results from above, containing either only Update Titles, or HotfixIDs

Secured - Detected Updates: KB4012212 KB4019264 KB4015549 KB4012215

 

If I run the code from the monitor it fails (same machine obviously):

 

C:\Users\12345>%windir%\System32\WindowsPowerShell\v1.0\powershell.exe -command "& {$MVer=5; $ProgressPreference = 'SilentlyContinue';$Session=New-Object -ComObject 'Microsoft.Update.Session';$Searcher=$Session.CreateUpdateSearcher();$FormatEnumerationLimit=-1;$historyCount=$Searcher.GetTotalHistoryCount(); if ($historyCount -gt 0) {$wuKBLIST=$($Searcher.QueryHistory(0, $historyCount)|Select-Object Title, Date, Operation, Resultcode|Where-Object {$_.Operation -like 1 -and $_.Resultcode -match '[123]'}| Select-object Title)}; $ghfKBLIST=$(Get-Hotfix|Where-object {$_.hotfixid -match 'KB\d{6,7}'}| Select-object Hotfixid); If ($wuKBLIST -eq $null -and $ghfKBLIST -eq $null) {'WARNING - No updates returned'} else {if ('{%^tp:kbid_ms17_010^%}' -match 'kbid_ms17_010') {'Template Property kbid_ms17_010 not detected, some valid updates may not be matched.'}; $finalKBLIST = $wuKBLIST.Title + $ghfKBLIST.HotfixID |Where-Object {$_ -match 'KB({%^tp:kbid_ms17_010^%})' -or ( $_ -match '^((2017-0[3-9]|2017-1[0-2]|201[89]-[0-9]{2})|(Ma|A|Ju|[sOND][^ ]+ber).* 2017 |[a-z]{3,10} 201[89] )' -and $_ -match '(Security .*Rollup|Cumulative Update) for Windows')}; If ($finalKBLIST -eq $null) {'Vulnerable'} else {'Secured - Detected Updates: ' + ($finalKBLIST | Select-String 'KB\d{6,7}' -AllMatches | ForEach-Object {$_.matches} | ForEach-Object {$_.Value} ) -join ','}}}"

Template Property kbid_ms17_010 not detected, some valid updates may not be matched.

Vulnerable

 

It works fine on other machines, it still comes up with the template property kbid_ms17_010 warning on the machines where it is working OK. I have checked my default template and the variable is shown in there so not sure why it is coming up with that, I've run Update Config on the machines.

 

I'm also having a similar problem with the dataview that has been posted in the LTNinja thread; it is showing the same machine as unpatched even though it has KB4012212 installed. Not sure if the two are related. Again, that shows around 50% of my machines as being patched but loads as missing even though I know that they have the relevant hotfixes installed.

 

Any ideas?

 

Thanks

 

Ollie

Disregard this, it looks like it is flagging any recent cumulative update as a success.

 

I am still troubleshooting the issue, but it appears that the -and at

else {$xx = $xx|Where-Object {$_ -match 'KB({%^tp:kbid_ms17_010^%})' -or ( $_ -match '^((2017-0[3-9]|2017-1[0-2]|201[89]-[0-9]{2})|(Ma|A|Ju|[sOND][^ ]+ber).* 2017 |[a-z]{3,10} 201[89] )' -and $_ -match '(Security .*Rollup|Cumulative Update) for Windows')};

should be a -or reading

else {$xx = $xx|Where-Object {$_ -match 'KB({%^tp:kbid_ms17_010^%})' -or ( $_ -match '^((2017-0[3-9]|2017-1[0-2]|201[89]-[0-9]{2})|(Ma|A|Ju|[sOND][^ ]+ber).* 2017 |[a-z]{3,10} 201[89] )' -or $_ -match '(Security .*Rollup|Cumulative Update) for Windows')};

 

The -and is intended and correct. The detection logic is based on two methods, and straight KB# match of known KB's, and a name based matching that requires that the name indicate it is a cumulative/rollup update -AND has a recognizable date that can be parsed to verify it is from March or beyond. Using -OR would allow anything from any date with the words Security Rollup or Cumulative Update to be considered a suitable update, and that would definitely be incorrect.

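To make the -and versus -or point concrete, here is an added example (my own code, not the monitor's or Darren's) that replays constructed Windows Update history rows the way the V7 notes describe (a removal cancels an earlier install) and then applies the monitor's three regexes. Only $KbRegex comes from the page (the V7.22 list); New-HistoryRow, the -UseOr switch and the KB8888888/KB9999999 placeholders are assumptions of this example.

```powershell
# Added example, not the monitor's own code: replays constructed Windows Update history
# rows the way V7 describes (removals cancel installs) and applies the monitor's three
# regexes. $KbRegex is the V7.22 list from the changelog; everything else is assumed.
$KbRegex     = '401221[2-8]|4012598|4012606|4013198|4013429|401521[79]|4015219|4015221|4015438|401554[69]|401555[02]|401663[567]|4019215|401926[345]|401947[23]'
$DateRegex   = '^((2017-0[3-9]|2017-1[0-2]|201[89]-[0-9]{2})|(Ma|A|Ju|[sOND][^ ]+ber).* 2017 |[a-z]{3,10} 201[89] )'
$RollupRegex = '(Security .*Rollup|Cumulative Update) for Windows'

function New-HistoryRow([string]$Title, [int]$Operation, [int]$ResultCode) {
    # Constructed stand-in for a Searcher.QueryHistory() row. Operation: 1 = install,
    # 2 = uninstall. ResultCode 1-3 (InProgress/Succeeded/SucceededWithErrors) count.
    New-Object PSObject -Property @{ Title = $Title; Operation = $Operation; ResultCode = $ResultCode }
}

function Get-NetInstalledTitles([object[]]$Rows) {
    # Rows are assumed oldest to newest; a successful uninstall drops the title again.
    $installed = @{}
    foreach ($r in $Rows) {
        if ($r.ResultCode -notmatch '^[123]$') { continue }
        if ($r.Operation -eq 1) { $installed[$r.Title] = $true }
        elseif ($r.Operation -eq 2) { $installed.Remove($r.Title) }
    }
    return @($installed.Keys)
}

function Test-Ms17010([string[]]$Titles, [string[]]$HotfixIds, [switch]$UseOr) {
    # Titles come from update history, HotfixIds from Get-Hotfix; -UseOr is only here
    # to show the effect of the change suggested above (the monitor itself uses -and).
    $candidates = @($Titles) + @($HotfixIds)
    if ($candidates.Count -eq 0) { return 'WARNING - No updates returned' }
    $matched = @($candidates | Where-Object {
        $byKb = $_ -match ('KB(' + $KbRegex + ')')
        if ($UseOr) { $byName = ($_ -match $DateRegex) -or  ($_ -match $RollupRegex) }
        else        { $byName = ($_ -match $DateRegex) -and ($_ -match $RollupRegex) }
        $byKb -or $byName
    })
    if ($matched.Count -eq 0) { return 'Vulnerable' }
    $kbs = $matched | Select-String 'KB\d{6,7}' -AllMatches |
           ForEach-Object { $_.Matches } | ForEach-Object { $_.Value }
    return 'Secured - Detected Updates: ' + (@($kbs) -join ' ')
}

# Constructed scenario: the March rollup was installed and later removed, the May rollup
# failed to install, and only a pre-March cumulative update remains. KB8888888 and
# KB9999999 are placeholders, not real KB numbers.
$history = @(
    (New-HistoryRow 'Security Monthly Quality Rollup for Windows 7 (KB4012215)' 1 2),
    (New-HistoryRow 'Security Monthly Quality Rollup for Windows 7 (KB4012215)' 2 2),
    (New-HistoryRow '2017-05 Security Monthly Quality Rollup for Windows 7 (KB4019264)' 1 4),
    (New-HistoryRow '2016-11 Cumulative Update for Windows 10 (KB8888888)' 1 2)
)
$net = Get-NetInstalledTitles $history
Test-Ms17010 -Titles $net -HotfixIds @()          # monitor logic (-and)
Test-Ms17010 -Titles $net -HotfixIds @() -UseOr   # the proposed -or, for comparison
# A 2017 rollup whose KB is not in the list yet is still caught by the name-based path,
# and a known KB from Get-Hotfix alone is also enough:
Test-Ms17010 -Titles @('2017-06 Security Monthly Quality Rollup for Windows 7 (KB9999999)') -HotfixIds @()
Test-Ms17010 -Titles @() -HotfixIds @('KB4012212')
```

With the monitor's -and, the leftover 2016 title is reported Vulnerable because its date fails the year check; with -UseOr the same title comes back Secured on the word "Cumulative" alone, which is exactly the false positive Darren describes.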

So are the Win 10 1511 hotfixes missing from the included list?

 

May 9, 2017—KB4019473 (OS Build 10586.916)

April 11, 2017—KB4015219 (OS Build 10586.873)

March 22, 2017—KB4016636 (OS Build 10586.842)

March 14, 2017—KB4013198 (OS Build 10586.839) this one is in the list actually


Great work and the monitor is greatly appreciated! I have two agents that show as failed that are running W10 1703, so I know both have the required updates. The only thing that is different about these two agents is that they use W10 Enterprise. I'm cool with it in my case and no one else has mentioned it. Contact me if you need more details.
