
LTNinja - Patch SMBv1 - MS17-010 - KB4013389 - Wannacry Ransomware

Hey everyone,

With the crazy zero-day ransomware WannaCry evil-ness, I scripted out the downloads of pre-reqs by OS. As always, I and LTNinja are not responsible for any issues caused directly\indirectly by this script or the updates it deploys. Enjoy! (I hope it can save you time and get your client environments secured before it's too late!)

Windows 7, Windows 8, Windows 10 (all three major builds - different updates for each), Server 2008, Server 2008R2, Server 2012, Server 2012R2, and Server 2016. (Added Win XP SP3, Vista, and Server 2003)

Please let me know if you run into any challenges or find issues with the script so that we can improve it for the entire community.

Here is V11 - it adds some corrections from Darren White and includes a tasklist check that verifies WUSA is no longer running. It can occasionally run endlessly with no impact to endpoint except no patching. Keep in mind, I have barely tested this one yet.

Please test this automation before rolling it out to everything that needs it.

I have a brute forced reboot method, a prompt version, and a no-reboot option. (Test each, report issues)

Multiple reboots may occur. (6 updates for Win 7 and Server 2008 R2)

Positive regards,

Joshua

http://www.LTNinja.com

Joshua.Preston@LTNinja.com

LTNinja - Patch SMBv1 - KB4013389 v7 Brute Force.zip

LTNinja - Patch SMBv1 - MS17-010 - KB4013389 - V10 User Prompt.zip

LTNinja - Patch SMBv1 - v11.zip


Here's some scripts to disable the propagation vector (SMBv1), which you should be disabling as SOP anyway per https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

Disabling SMBv1 limits the vector. Enabling it lets you trudge along until you can update the software or piece of trash integration that still requires SMBv1 - which should be nothing in a properly managed modern network =D

SMBv1 Disable and Enable.zip


I have another update to it. I am reducing the timers because they are a little excessive :) Can lead to long script run-times.

-Joshua


Compliments of Martyn from the LabTech Geek Slack (And the guy who runs this forum)

Enjoy :)

SELECT * FROM computers WHERE computerid IN (SELECT DISTINCT c.`computerID`
FROM computers c
JOIN hotfix h USING (computerid)
JOIN hotfixdata hd ON h.HotFixID = hd.HotFixID
JOIN agentcomputerdata acd USING (computerid)
WHERE hd.kbID IN ('4012598','4012216','4012213','4012217','4012214','4012215','4012212','4013429','4012606','4013198','4019472','4015217','4016635','4015438','4013429', '4019264','4019263','4015552','4015546','4015549','4012218','4012215')
AND h.Installed = 0)

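Added example (not part of the original posts or of the LTNinja script): the query above returns only agents that have a hotfix row with Installed = 0 for one of the listed KBs, so an agent with no inventory row for any of them never appears. The variant below classifies every computer instead; it uses only tables and columns that appear in this thread and assumes hotfix.Installed is 1 or 0 for each computer/hotfix pair.

```sql
-- Added example: per-agent MS17-010 status, including agents the
-- "Installed = 0" query cannot see because they have no matching hotfix rows.
-- Assumption: hotfix holds one row per (computerid, HotFixID), Installed = 1 or 0.
-- The KB list is the one from this thread with its duplicate entries removed.
SELECT
    c.computerid,
    c.name AS agent_name,
    c.os   AS agent_os,
    COALESCE(SUM(k.Installed = 1), 0) AS listed_kbs_installed,
    COALESCE(SUM(k.Installed = 0), 0) AS listed_kbs_missing,
    CASE
        WHEN COUNT(k.HotFixID) = 0     THEN 'No listed KB in inventory'
        WHEN SUM(k.Installed = 1) > 0  THEN 'At least one listed KB installed'
        ELSE 'Listed KB offered, none installed'
    END AS ms17_010_status
FROM computers c
LEFT JOIN (
    -- Only hotfix rows that belong to the MS17-010 KB list
    SELECT h.computerid, h.HotFixID, h.Installed
    FROM hotfix h
    JOIN hotfixdata hd ON h.HotFixID = hd.HotFixID
    WHERE hd.kbID IN ('4012598','4012216','4012213','4012217','4012214',
                      '4012215','4012212','4013429','4012606','4013198',
                      '4019472','4015217','4016635','4015438','4019264',
                      '4019263','4015552','4015546','4015549','4012218')
) k ON k.computerid = c.computerid
GROUP BY c.computerid, c.name, c.os
-- Sorts 'No listed KB...' first, then 'Listed KB offered...', then 'At least one...'
ORDER BY ms17_010_status DESC, c.name;
```

Treat the first two statuses as a work queue to verify on the endpoint rather than as proof of exposure: an agent may be covered by a later cumulative update that is not in the list, or may simply not have reported patch inventory yet.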

I am going to update the script to include the rollups. I also plan to release a version of the script that includes outdated WUA updates. Kind of a hybrid script since many businesses are okay with reboots today. (Take care of more than just one problem)

-Joshua


I would like to turn this sql query into a Search or Dataview. Is there a way to import this into LT somehow? Great query!


V6 is now up - drinkxon, if no one gets something up to help with this (a monitor\dataview\search etc.), I will get it after I get a little sleep. (I have been going at WannaCry since yesterday and have yet to sleep)


Here's some queries that will help create an appropriate dataview.

Run this if you got an earlier revision from this post:

DELETE FROM dataviews WHERE NAME='MS17-010 Status';

To actually (re)create the dataview, run this:

INSERT INTO
  `dataviews` (`Name`, `FieldList`, `ColumnList`, `HiddenList`, `SQLBody`, `IDColumn`, `SQLWhere`, `FolderID`, `ClientLink`, `ComputerLink`, `SortField`, `GroupField`, `SortOrder`, `FilterControl`, `FormatControl`, `LocationLink`, `IconControl`, `SystemPermission`, `UserClassName`, `GUID`, `SystemPermissionHigh`) 
VALUES
  (
     'MS17-010 Status',
     'Contacts.ContactID as `ContactID`, CONCAT(Contacts.FirstName;;\' \';;Contacts.LastName) as `Contact`, Contacts.Email as `Contact Email`, Contacts.Phone as `Contact Phone`, Contacts.Cell as `Contact Cell`, Contacts.Address1 as `Contact Address1`, Contacts.Address2 as `Contact Address2`, Contacts.City as `Contact City`, Contacts.State as `Contact State`, Contacts.Zip as `Contact Zipcode`, Contacts.Fax as `Contact Fax`, Contacts.Pager as `Contact Pager`, Contacts.MSN as `Contact MSN`, Contacts.AIM as `Contact AIM`, Contacts.ICQ as `Contact ICQ`, Contacts.NetBiosName as `Contact Netbios`, Computers.Version as `Agent OS Version`, Computers.ServiceVersion as `Agent Version`, computers.Comment as `Agent Comment`, Computers.LastContact as `Agent Last Contact Date`, Computers.LastInventory as `Agent Last Inventory Date`, Computers.CPUUsage as `Agent CPU Usage`, Computers.TotalMemory as `Agent Memory Total`, Computers.MemoryAvail as `Agent Memory Avail`, Computers.RouterAddress as `Agent Router Address`, Computers.Uptime as `Agent Uptime`, Computers.DataIn as `Agent Bytes IN`, Computers.DataOut as `Agent Bytes Out`, Computers.MAC as `Agent MAC`, Computers.DateAdded as `Agent Install Date`, Computers.BiosName as `Agent Mainboard`, Computers.BiosVer as `Agent Serial Number`, Computers.BiosFlash as `Agent Bios`, Computers.Name as `Agent Name`, Convert(IF(INSTR(Computers.Username;;\';;\')>0;;LEFT(Computers.Username;;Instr(Computers.UserName;;\';;\')-1);;Computers.Username) using utf8) as `Agent User`, Computers.OS as `Agent Operating System`, Computers.Domain as `Agent Windows Domain`, Computers.BiosMFG as `Agent Manufacturer`, Computers.LocalAddress as `Agent IP Address`, Computers.AssetTag as `Agent Asset Tag`, Computers.AssetDate as `Agent Asset Date`, Locations.LocationID as `LocationID`, CONCAT(Clients.Name;;\'/\';;Locations.Name) as `Client Location`, Locations.Name as `Location Name`, Locations.Address as `Location Address`, Locations.Address2 as `Location Address2`, Locations.City as `Location City`, Locations.State as `Location State`, Locations.Zip as `Location Zipcode`, Locations.Phone as `Location Phone`, Locations.Fax as `Location Fax`, Locations.Country as `Location Country`, Locations.Router as `Location Router`, Locations.RouterPort as `Location Router Port`, Clients.ClientID as `ClientID`, Clients.Name as `Client Name`, Clients.Address1 as `Client Address`, Clients.City as `Client City`, Clients.State as `Client State`, Clients.Zip as `Client Zipcode`, Clients.Address2 as `Client Address2`, CONVERT(IF(Clients.SupportMins>0;;Clients.SupportMins;;IF(Clients.SupportMins=0;;\'None\';;\'Unlimited\')) using UTF8) as `Client SupportMins`, Clients.Phone as `Clients Phone`, Clients.Fax as `Clients Fax`, Clients.Country as `Clients Country`, IF((SELECT IFNULL(`Value`;;0) FROM patchmanagersettings WHERE `Name`=\'IsUsingNewPatching\' LIMIT 1)=1;;IF(hotfix.Success=1;;\'Automate\';;IF(hotfix.Installed=1;;\'N/A\';;\'Not Installed\'));;IF(Hotfix.Pushed=1;;\'Automate\';;IF(Hotfix.Installed=1;;\'N/A\';;\'Missing\'))) as `Hotfix Install Method`, hotfix.InstallDate as `Hotfix Install Date`, IF((SELECT IFNULL(`Value`;;0) FROM patchmanagersettings WHERE `Name`=\'IsUsingNewPatching\' LIMIT 1)=1;;ELT(hotfix.Approved+1;;\'Not Set\';;\'Ignore\';;\'Approve\';;\'Remove\';;\'Deny\');;ELT(hotfix.Approved+2;;\'Remove\';;\'Not Set\';;\'Approve\';;\'Ignore\';;\'Deny\')) as `Hotfix Approved`, IF(Hotfix.Installed=1;;\'Installed\';;\'Missing\') as `Hotfix Installed`, HotFixData.Title as `Hotfix Title`, HotFixData.DownloadURL as `Hotfix Download URL`, CONCAT(\'KB\';;HotFixData.KBID) as `Hotfix KB Article`, HotFixData.Description as `Hotfix Description`, HotFixData.SupportURL as `Hotfix Support URL`, HotFixData.Severity as `Hotfix Severity`, HotFixData.CategoryName as `Hotfix Category`, HotFixData.PatchType as `Hotfix Patch Type`, HotFixData.Uninstall as `Hotfix Uninstallable`, HotFixData.Date_Added as `Hotfix Date Added`',
     'Agent Name,Hotfix KB Article,Hotfix Category,Hotfix Title,Hotfix Installed',
     '',
     'FROM (((((hotfix JOIN hotfixdata ON hotfix.hotfixid=hotfixdata.hotfixid) LEFT JOIN computers ON hotfix.computerid=computers.computerid) LEFT JOIN locations ON computers.locationid=locations.locationid) LEFT JOIN clients ON computers.clientid=clients.clientid) LEFT JOIN contacts ON computers.contactid=contacts.contactid)',
     'hotfix.hotfixid',
     'hotfixdata.kbID IN (\'4012598\',\'4012216\',\'4012213\',\'4012217\',\'4012214\',\'4012215\',\'4012212\',\'4013429\',\'4012606\',\'4013198\',\'4019472\',\'4015217\',\'4016635\',\'4015438\',\'4013429\', \'4019264\',\'4019263\',\'4015552\',\'4015546\',\'4015549\',\'4012218\',\'4012215\')',
     (SELECT folderid FROM dataviewfolders WHERE NAME='Patching' LIMIT 1),
     'Computers.clientid', 'computers.computerid', 'Hotfix KB Article', '', '0', '',
     'Agent CPU Usage,A,,,2,,0,,%,3,90,1,FF0000,,1|Agent Memory Total,A,,,1,,0,,mb|Agent Memory Avail,A,,,1,,0,,mb|Agent Uptime,A,,,1,,0,, mins|Agent MAC,A,,,2,,0,,|Hotfix Approved,A,,,2,,0,,|Hotfix Installed,A,,,2,,0,,,1,Missing,1,,,1|Hotfix Severity,A,,,2,,0,,|Hotfix Category,A,,,2,,0,,|',
     'computers.locationid', '107|', '0', '', '91724e6e-a647-4aa6-8600-4435f1da6535', '0'
  )
;


@Meta - I got an error on this.

1 queries executed, 0 success, 1 errors, 0 warnings

Query: Insert Into Dataviews set name='MS17-010 Status',columnlist='Agent Name,Hotfix KB Article,Hotfix Category,Hotfix Title,Hotfix In...

Error Code: 1064
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ')' at line 1

Execution Time : 0 sec
Transfer Time : 0 sec
Total Time : 0 sec

Here's a SQL query that will create a "MS17-010 Status" dataview in the Patching folder.


Oh and um if it so happens after reloading your system cache that the dataview ends up NOT in the patching folder, but rather at the root of the dataviews folder tree, run this query and then reload your system cache:

UPDATE dataviews SET folderid=(SELECT folderid FROM dataviewfolders WHERE name='Patching' LIMIT 1) WHERE name='MS17-010 Status';


Thanks for the update.

Question - Have you seen this in your findings? I've got a bunch of blank spaces on Client and Agent name.

Untitled.png
