VerifyEternalBlue.ps1
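<#
.SYNOPSIS
Check if remote computers are patched against EternalBlue.
.DESCRIPTION
EternalBlue is used as a propagation mechanism.
Patching the system does not mean that it is protected against the encryption routine.
However, it means that the system is protected against the "wormness" of recent WannaCry's variant.

A host is reported as "patched" when one of the MS17-010 KBs (or one of the later
cumulative updates listed below) appears in its Get-HotFix output. A host whose hotfix
list could not be retrieved (RPC/WMI failure, access denied, ...) is logged as an error
and NOT counted as vulnerable, so that a query failure is not mistaken for a missing patch.
.PARAMETER InputFile
Path of the file containing hostnames (one per line, blank lines ignored) to be checked for EternalBlue patch
.PARAMETER GetCredential
Prompt once for credentials and use them for every remote Get-HotFix call.
.INPUTS
None. InputFile is a mandatory parameter; the script does not read pipeline input.
.OUTPUTS
Log file created in $Env:TEMP
.NOTES
Version: 0.1
Author: Cassius Puodzius
Creation Date: 14/05/2017
Purpose/Change: Initial script development
.EXAMPLE
.\VerifyEternalBlue.ps1 -InputFile .\hosts.txt
.EXAMPLE
.\VerifyEternalBlue.ps1 -InputFile .\hosts.txt -GetCredential
#>
Param (
  [Parameter(Mandatory=$True)][string]$InputFile,
  [Parameter(Mandatory=$False)][switch]$GetCredential)

#---------------------------------------------------------[Initializations]--------------------------------------------------------

# Set Error Action to Silently Continue for the dot-sourced logging library; the remote
# queries below use -ErrorAction Stop and Try/Catch so their failures are never hidden.
$ErrorActionPreference = "SilentlyContinue"

# Get credential (if required so). A cancelled prompt returns $null, which would make
# every Get-HotFix call fail and every host be reported as "could not query".
If ($GetCredential) {
  $Credential = Get-Credential
  If (-not $Credential) {
    Write-Host "No credential supplied; aborting."
    Exit 1
  }
}

# Get current Timestamp.
# 'HH' (24-hour) instead of 'hh' (12-hour): with 'hh', runs at 01:00 and 13:00 produced
# the same log file name.
$Timestamp = Get-Date -Format yyyyMMddHHmmss

#Dot Source required Function Libraries
. .\Logging_Functions.ps1

#----------------------------------------------------------[Declarations]----------------------------------------------------------

# Microsoft Security Bulletin MS17-010
# ref: https://technet.microsoft.com/library/security/MS17-010
#
# An ArrayList is used because entries are appended further down. The original
# script built a plain array and then wrote `KBList.Add(...)` (no `$`), which
# is neither a variable reference nor a method an object[] supports, so the
# cumulative-update KBs were never actually added.
$KBList = [System.Collections.ArrayList]@(
  "KB4012212",
  "KB4012213",
  "KB4012214",
  "KB4012215",
  "KB4012216",
  "KB4012217",
  "KB4012598",
  "KB4012606",
  "KB4013198",
  "KB4013429"
)

# Windows 10 and Windows Server 2016 updates are cumulative.
# The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates.
# Cumulative KBs for Windows 10 and Windows Server 2016:
#
# From KB4012606
# ref: http://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=6a38fe85-98ba-4ce2-b4eb-aed947d5c203
# As of May 17, 2017:
#
# 2017-05 Cumulative Update for Windows 10 for x86-based Systems (KB4019474)
# Cumulative Update for Windows 10 (KB4015221)
# Cumulative Update for Windows 10 (KB4016637)
#
$KBList.AddRange(@("KB4019474", "KB4015221", "KB4016637"))

# From KB4013198
# ref: http://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=6d9f75f7-d998-4188-a935-7603f4e51a4d
# As of May 17, 2017:
#
# Cumulative Update for Windows 10 Version 1511 (KB4015219)
# Cumulative Update for Windows 10 Version 1511 (KB4016636)
# Cumulative Update for Windows 10 Version 1511 (KB4019473)
#
$KBList.AddRange(@("KB4015219", "KB4016636", "KB4019473"))

# From KB4013429
# ref: http://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=724ee219-b949-4d44-9e02-e464c6062ae4
# As of May 17, 2017:
#
# 2017-05 Cumulative Update for Windows 10 Version 1607 for x86-based Systems (KB4019472)
# Cumulative Update for Windows 10 Version 1607 (KB4015217)
# Cumulative Update for Windows 10 Version 1607 (KB4015438)
# Cumulative Update for Windows 10 Version 1607 (KB4016635)
#
$KBList.AddRange(@("KB4019472", "KB4015217", "KB4015438", "KB4016635"))

# From: WannaCrypt Ransomware Customer Guidance: https://static.spiceworks.com/attachments/post/0017/5996/CustomerReady_WannaCrypt_Guidance.pdf
# TODO: Get short list of KBs needed to check for EternalBlue patch
#
$KBList.AddRange(@("KB4015549", "KB4015550", "KB4015551", "KB4019215", "KB4019216", "KB4019264"))

#Script Version
$sScriptVersion = "0.1"
$sScriptName = "VerifyEternalBlue"

#Log File Info
$sLogPath = $Env:TEMP
$sLogName = "$($sScriptName)_$($Timestamp).log"
$sLogFile = Join-Path -Path $sLogPath -ChildPath $sLogName

#-----------------------------------------------------------[Execution]------------------------------------------------------------

Log-Start -LogPath $sLogPath -LogName $sLogName -ScriptVersion $sScriptVersion

# With $ErrorActionPreference = SilentlyContinue, Get-Content on a missing file returns
# nothing and the script would "succeed" without checking a single host. Fail loudly.
If (-not (Test-Path -LiteralPath $InputFile -PathType Leaf)) {
  $LogMessage = "Input file '$InputFile' not found"
  Write-Host $LogMessage
  Log-Error -LogPath $sLogFile -ErrorDesc $LogMessage -ExitGracefully $True
  Exit 1
}
# Skip blank/whitespace-only lines so they are not passed to Test-Connection as hostnames.
$Hostnames = @(Get-Content -LiteralPath $InputFile | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne "" })

#TODO: Implement Get-ADComputers -Computers

# Per-verdict counters for the end-of-run summary.
$CountPatched = 0
$CountVulnerable = 0
$CountUnknown = 0

ForEach ($Hostname in $Hostnames) {
  Write-Host "Checking connection to $Hostname..."
  # NOTE: a host that blocks ICMP but accepts WMI is skipped here as "unreachable";
  # that is the original behaviour and is kept so results stay comparable.
  If (-not (Test-Connection -ComputerName $Hostname -Count 1 -Quiet)) {
    $LogMessage = "$Hostname is unreachable"
    Write-Host $LogMessage
    Log-Error -LogPath $sLogFile -ErrorDesc $LogMessage -ExitGracefully $False
    $CountUnknown++
    Continue
  }

  Write-Host "`tGetting HotFix list..."
  # -ErrorAction Stop + Try/Catch: a failed remote query (access denied, RPC unavailable)
  # must be reported as such. Previously the error was silenced, $HotFixList was empty
  # and the host was logged as "vulnerable".
  Try {
    If ($GetCredential) {
      $HotFixList = @(Get-HotFix -ComputerName $Hostname -Credential $Credential -ErrorAction Stop)
    }
    Else {
      $HotFixList = @(Get-HotFix -ComputerName $Hostname -ErrorAction Stop)
    }
  }
  Catch {
    $LogMessage = "`tCould not retrieve hotfix list from $Hostname : $($_.Exception.Message)"
    Write-Host $LogMessage
    Log-Error -LogPath $sLogFile -ErrorDesc $LogMessage -ExitGracefully $False
    $CountUnknown++
    Continue
  }
  If ($HotFixList.Count -eq 0) {
    # No error, but nothing to compare against; make that visible in the log.
    $LogMessage = "`tWarning: $Hostname returned no hotfix entries; treated as unpatched"
    Write-Host $LogMessage
    Log-Write -LogPath $sLogFile -LineValue $LogMessage
  }

  # Compare the HotFixID property explicitly rather than relying on how the returned
  # object converts to a string. The matching KB is kept in its own variable and the
  # labelled Break leaves both loops at once; the original broke only the inner loop,
  # so on the next entry $KB was reset to the first list element and the wrong KB was
  # written to the log.
  $Patched = $False
  $MatchedKB = $null
  :HotFixScan ForEach ($Entry in $HotFixList) {
    ForEach ($KB in $KBList) {
      If ($Entry.HotFixID -Like "*$KB*") {
        $Patched = $True
        $MatchedKB = $KB
        Break HotFixScan
      }
    }
  }

  If ($Patched) {
    $LogMessage = "`tComputer $Hostname is patched against EternalBlue ($MatchedKB)"
    Write-Host $LogMessage
    Log-Write -LogPath $sLogFile -LineValue $LogMessage
    $CountPatched++
  }
  Else {
    $LogMessage = "`tComputer $Hostname is vulnerable to EternalBlue"
    Write-Host $LogMessage
    Log-Write -LogPath $sLogFile -LineValue $LogMessage
    $CountVulnerable++
  }
}

$LogMessage = "Summary: $CountPatched patched, $CountVulnerable vulnerable, $CountUnknown unreachable/not queried (of $($Hostnames.Count) hosts)"
Write-Host $LogMessage
Log-Write -LogPath $sLogFile -LineValue $LogMessage

Log-Finish -LogPath $sLogFile
# The original referenced $Logfile, a variable that is never assigned; the log path is $sLogFile.
Write-Host "Logfile created at $sLogFile"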