Having had this vulnerability flagged to us, we needed to figure out a way to run the detection tool against our estate. This is tricky because the tool is pretty much stand-alone; it can’t natively write to a centralised file or anything, so each PC generates its own isolated log file.
Having determined it’s quite hard to write the log files to a centralised store, I went old skool & set up a group policy that runs this batch file:
copy \\domain.fqdn\netlogon\INTEL-SA-00086\INTEL-SA-00086.ps1 C:\Support\Scripts
%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\Support\Scripts\INTEL-SA-00086.ps1
I’ve got this group policy attached to a WMI filter that negates Server OSs but it’s not necessary- servers can be just as vulnerable, but we did those manually and I’m reluctant to have junk copied automatically to all the servers without intervention.
Anyway, this creates a couple of folders at the root of C:\, copies a PowerShell script and runs it. The script is:
$result = Test-Path C:\Support\Intel\INTEL-SA-00086\$env:ComputerName.log
If($result -eq $false)
New-Item -Path "C:\" -Name "Support" -ItemType "directory" -ErrorAction SilentlyContinue
New-Item -Path "C:\Support" -Name "Intel" -ItemType "directory" -ErrorAction SilentlyContinue
Copy-Item -Path \\domain.fqdn\netlogon\INTEL-SA-00086 -Destination C:\Support\Intel -recurse -ErrorAction SilentlyContinue
.\Intel-SA-00086-console.exe > C:\Support\Intel\INTEL-SA-00086\$env:ComputerName.log
$logFile = Get-Content C:\Support\Intel\INTEL-SA-00086\$env:ComputerName.log
$analysis = $logFile | Select-String "Based"
#Define hub transport server
$smtp_server = "smtp.server"
#Define email sender and recipient
$sender = "INTEL-SAemail@example.com"
$recipient = "firstname.lastname@example.org","email@example.com"
#Define email subject and body
$msg_subject = "Analysis result of the SA-00086 detection tool on $env:ComputerName"
$msg_body_text = "Analysis result for $env:ComputerName is: $analysis`n`nThe script that generated this email is C:\Support\Intel\INTEL-SA-00086\INTEL-SA-00086.ps1"
Send-MailMessage -to $recipient -from $sender -subject $msg_subject -body $msg_body_text -smtpserver $smtp_server -attachments C:\Support\Intel\INTEL-SA-00086\$env:ComputerName.log
And I’ve just noticed that the script uses PowerShell to create the same 2 folders the .cmd file creates. Oops. Anyway, the PS script:
* Initially checks to see if the log file it creates already exists;
* If it does, the script stops to avoid repeatedly sending the same data;
* It then creates a folder structure & copies the SA-00086 tool from a central location (netlogon is always handy) into this structure;
* It runs the tool & sends the output to a log file in the folder structure created above;
* It uses PowerShell to extract the contents of the log file, and identifies the string containing the analysis (vulnerable/ not vulnerable/ unsure);
* It puts this string into the body of the email & attaches the log file for completeness, then sends the email;
* The script uses $env:ComputerName throughout so each logfile is identified by the unique PC name;
That’s it- any collation of the data has to be done manually but you should end up with a vulnerability report from every device on your network, just once (hopefully).