Ryan2065 / Log4ShellDetection

MIT License

Enhancement for SCCM #3

Open funk0id opened 2 years ago

funk0id commented 2 years ago

This is incredibly useful, but I'm struggling to configure a config baseline in SCCM using the registry switch of the script.

The script creates the key Log4ShellDetection, but it does so whether something is found or not, and when found the subkeys are pretty random per machine from what I can see based on the files found across devices.

I don't seem to be able to find a way to check whether any subkeys exist under Log4ShellDetection without knowing what those specific subkey names would be, so could a general "vulnerable" flag key be added directly under Log4ShellDetection if any vulnerable files are discovered?

That can then be used to flag vulnerability on a device under an SCCM configuration baseline and the subkeys reviewed manually to determine the specifics?

Edit - Although this would still be really nice, I've worked around it by running the script as an application, and I've set a configuration baseline script to then look for values under the subkey. To get the details you can then use CMPivot, which isn't ideal but better than nothing!

MaartenPauchet commented 2 years ago

Hi Funk0id,

You have to use a different set of parameters. I use a (slightly modified) version of this script for a CI in SCCM and it works fine. You should specify $OUTPUTTYPE = "CountVulnerable".

That will bring the feedback of the script back to just a number: the # of vulnerable files found on the device. You can then configure your CI and have the return value be an INTEGER. So the compliance check should then be that the return value should be = 0. If that is not the case you can have the remediation run if you want, but at least this will show properly in the reporting.

Make sure to also set the following parameter defaults:

- TATOOREGISTRY = $true
- OUTPUTALL = $false (that will stop you from also seeing jar files reported that are not vulnerable)
- TRANSCRIPT = $false (personal choice)
- SKIPNETWORKDRIVES = $true (so mapped network drives are not scanned, as that will take even longer)

Hope that helps.

MaartenPauchet commented 2 years ago

Also note the difference in the registry output I made for my usage:

```powershell
If($VulnerableFiles.count -gt 0) {
    foreach($vFile in $OutputSet){
        # One subkey per finding, named by a millisecond time stamp (colons replaced with dots)
        $TimeStamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss.fff"
        $TimeStampKey = $TimeStamp -replace ":","."
        $null = $Log4ShellDetectionKey.CreateSubKey($TimeStampKey)
        # Previous hash-named subkey, kept for reference
        #$null = $Log4ShellDetectionKey.CreateSubKey($vFile.FileHash)

        $tempSubKey = $Log4ShellDetectionKey.OpenSubKey($TimeStampKey, $true)
        #$tempSubKey = $Log4ShellDetectionKey.OpenSubKey($vFile.FileHash, $true)
        $Log4ShellDetectionKey.SetValue("FilePath", "")
        Set-Log4ShellRegistryValue -Key $tempSubKey -Name "FilePath" -Value $vFile.FilePath
        Set-Log4ShellRegistryValue -Key $tempSubKey -Name "Vulnerable" -Value $vFile.Vulnerable
        Set-Log4ShellRegistryValue -Key $tempSubKey -Name "EmbeddedJarVulnerable" -Value $vFile.EmbeddedJarVulnerable
        Set-Log4ShellRegistryValue -Key $tempSubKey -Name "DetectedClass" -Value ($vFile.DetectedClass -join ",")
        Set-Log4ShellRegistryValue -Key $tempSubKey -Name "DetectedVersion" -Value ($vFile.DetectedVersion -join ",")
        Set-Log4ShellRegistryValue -Key $tempSubKey -Name "CVE" -Value ($vFile.CVE -join ",")
        Set-Log4ShellRegistryValue -Key $tempSubKey -Name "FileHash" -Value $vFile.FileHash
        Set-Log4ShellRegistryValue -Key $tempSubKey -Name "ParentJarPath" -Value $vFile.ParentJarPath
        Set-Log4ShellRegistryValue -Key $tempSubKey -Name "DetectedDateTime" -Value $TimeStamp
    }
} else {
    # Nothing found: write a marker subkey so inventory can tell "clean" from "never scanned"
    $TimeStamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    $null = $Log4ShellDetectionKey.CreateSubKey("NotVulnerable")
    #$tempSubKey = $Log4ShellDetectionKey.OpenSubKey($TimeStamp, $true)
    $tempSubKey = $Log4ShellDetectionKey.OpenSubKey("NotVulnerable", $true)
    $Log4ShellDetectionKey.SetValue("FilePath", "")
    Set-Log4ShellRegistryValue -Key $tempSubKey -Name "Vulnerable" -Value "False"
    Set-Log4ShellRegistryValue -Key $tempSubKey -Name "DetectedDateTime" -Value $TimeStamp
}
```

I changed the name of the key from the hash to a date-time because I noticed that if you have the same jar file in two different locations on the disk (so the hash is the same) you only get one entry in the registry, and only the jar that was last detected is reported there, overwriting the identical jar previously found in another location.

I also added an extra "else" to write something like "NotVulnerable" to the registry when a device has no vulnerable files.

This way I can scoop up these keys into my SCCM HW inventory and also have a "DetectedDateTime" stamp for non-vulnerable machines, so I know when they last scanned. That is better than not having them in the report and not knowing whether they are not vulnerable or just have not scanned yet at all ...
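As an added example that is not part of this thread or the Log4ShellDetection project, the following SCCM configuration item discovery script addresses funk0id's original question (checking for findings without knowing the subkey names) and works against the registry layout MaartenPauchet describes above (per-finding subkeys plus a "NotVulnerable" marker). The hive path `HKLM:\SOFTWARE\Log4ShellDetection` is an assumption, since the thread does not state where the script tattoos; adjust it to match your deployment.

```powershell
# Added example (not the project's own code): SCCM CI discovery script that
# counts vulnerable findings tattooed to the registry by the scan.
# Assumption: the tattoo key is HKLM:\SOFTWARE\Log4ShellDetection.
$BasePath = 'HKLM:\SOFTWARE\Log4ShellDetection'

function Get-Log4ShellVulnerableCount {
    param([string]$Path = $BasePath)

    # No key at all means the scan never ran here. Return -1 so a rule of
    # "Equals 0" treats "not scanned" as non-compliant rather than clean.
    if (-not (Test-Path -Path $Path)) { return -1 }

    $count = 0
    # Subkey names differ per device (file hash or time stamp), so enumerate
    # whatever is there instead of hard-coding names; skip the marker key.
    foreach ($subKey in Get-ChildItem -Path $Path) {
        if ($subKey.PSChildName -eq 'NotVulnerable') { continue }
        $values = Get-ItemProperty -Path $subKey.PSPath

        # The scan may store the flags as strings or numbers; accept both forms.
        $vulnerable    = "$($values.Vulnerable)" -in @('True', '1')
        $embeddedVuln  = "$($values.EmbeddedJarVulnerable)" -in @('True', '1')
        if ($vulnerable -or $embeddedVuln) { $count++ }
    }
    return $count
}

# SCCM takes the script's output as the discovery value. Configure the CI
# setting with data type Integer and a compliance rule of "Equals 0".
Get-Log4ShellVulnerableCount
```

Per-finding details (FilePath, CVE, DetectedVersion) stay in the subkeys for manual review or CMPivot, as the thread suggests.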