Having had this vulnerability flagged to us, we needed to figure out a way to run the detection tool against our estate. This is tricky because the tool is pretty much stand-alone; it can’t natively write to a centralised file or anything, so each PC generates its own isolated log file.

Having determined it’s quite hard to write the log files to a centralised store, I went old skool & set up a group policy that runs this batch file:

md C:\Support
md C:\Support\Scripts
copy \\domain.fqdn\netlogon\INTEL-SA-00086\INTEL-SA-00086.ps1 C:\Support\Scripts
%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\Support\Scripts\INTEL-SA-00086.ps1

I’ve got this group policy attached to a WMI filter that negates Server OSs but it’s not necessary- servers can be just as vulnerable, but we did those manually and I’m reluctant to have junk copied automatically to all the servers without intervention.

Anyway, this creates a couple of folders at the root of C:\, copies a PowerShell script and runs it. The script is:

$result = Test-Path C:\Support\Intel\INTEL-SA-00086\$env:ComputerName.log

If($result -eq $false)
New-Item -Path "C:\" -Name "Support" -ItemType "directory" -ErrorAction SilentlyContinue
New-Item -Path "C:\Support" -Name "Intel" -ItemType "directory" -ErrorAction SilentlyContinue

Copy-Item -Path \\domain.fqdn\netlogon\INTEL-SA-00086 -Destination C:\Support\Intel -recurse -ErrorAction SilentlyContinue

Set-Location C:\Support\Intel\INTEL-SA-00086\DiscoveryTool

.\Intel-SA-00086-console.exe > C:\Support\Intel\INTEL-SA-00086\$env:ComputerName.log

$logFile = Get-Content C:\Support\Intel\INTEL-SA-00086\$env:ComputerName.log

$analysis = $logFile | Select-String "Based"

#Define hub transport server
$smtp_server = "smtp.server"

#Define email sender and recipient
$sender = "INTEL-SA-00086@primary.mail.domain"
$recipient = "user_1@primary.mail.domain","optional_user_2@primary.mail.domain"

#Define email subject and body
$msg_subject = "Analysis result of the SA-00086 detection tool on $env:ComputerName"
$msg_body_text = "Analysis result for $env:ComputerName is: $analysis`n`nThe script that generated this email is C:\Support\Intel\INTEL-SA-00086\INTEL-SA-00086.ps1"

#Send it
Send-MailMessage -to $recipient -from $sender -subject $msg_subject -body $msg_body_text -smtpserver $smtp_server -attachments C:\Support\Intel\INTEL-SA-00086\$env:ComputerName.log

And I’ve just noticed that the script uses PowerShell to create the same 2 folders the .cmd file creates. Oops. Anyway, the PS script:
* Initially checks to see if the log file it creates already exists;
* If it does, the script stops to avoid repeatedly sending the same data;
* It then creates a folder structure & copies the SA-00086 tool from a central location (netlogon is always handy) into this structure;
* It runs the tool & sends the output to a log file in the folder structure created above;
* It uses PowerShell to extract the contents of the log file, and identifies the string containing the analysis (vulnerable/ not vulnerable/ unsure);
* It puts this string into the body of the email & attaches the log file for completeness, then sends the email;
* The script uses $env:ComputerName throughout so each logfile is identified by the unique PC name;

That’s it- any collation of the data has to be done manually but you should end up with a vulnerability report from every device on your network, just once (hopefully).

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s