Test-WannaCryVulnerability.ps1

<#PSScriptInfo
 
.Version
    2.0
.Guid
    477aa3f4-0434-4925-9c92-7323066cceb7
.Author
    Thomas J. Malkewitz @dotps1
.Tags
    WannaCry, SMB1, Malware
.ProjectUri
    https://github.com/dotps1/PSFunctions
.ReleaseNotes
    Per Lee Holmes (@lee_holmes) there is still a needed patch for Windows 10 1602 and prior. Added Operating System Version to returned object.
 
#>


<#
 
.Synopsis
    Tests for WannaCry vulnerabilities.
.Description
    Test for applicable patches to prevent the WannaCry malware. Tests for SMB1 protocol and component.
.Inputs
    System.String
    Microsoft.Management.Infrastructure.CimSession
.Outputs
    System.Management.Automation.PSCustomObject
.Parameter ComputerName
    System.String
    ComputerName to test.
.Parameter Credential
    System.Management.Automation.PSCredential
    Credential to test with.
.Parameter CimSession
    Microsoft.Management.Infrastructure.CimSession
    CimSession to test.
.Example
    PS C:\> Test-WannaCryVulnerability
 
    PSComputerName : myrig
    OperatingSystemCaption : Microsoft Windows 7 Professional
    OperatingSystemVersion : 6.1.7601
    Vulnerable : False
    AppliedHotFixIds : KB4012212|KB4015546|KB4015549
    SMB1FeatureEnabled : False
    SMB1ProtocolEnabled : False
.Example
    PS C:\> Get-ADComputer -Identity workstation | Test-WannaCryVulnerability
 
    PSComputerName : workstation
    OperatingSystemCaption : Microsoft Windows 7 Professional
    OperatingSystemVersion : 6.1.7601
    Vulnerable : True
    AppliedHotFixIds :
    SMB1FeatureEnabled : False
    SMB1ProtocolEnabled : True
.Notes
    Not applicable to windows 10.
.Link
    https://www.redsocks.eu/news/ransomware-wannacry/
.Link
    https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
.Link
    https://dotps1.github.io
.Link
    https://www.powershellgallery.com/packages/New-ADUserName
.Link
    https://grposh.github.io
 
#>



[CmdletBinding(
    DefaultParameterSetName = "ByComputerName"
)]
[OutputType(
    [PSCustomObject]
)]

param (
    [Parameter(
        ParameterSetName = "ByComputerName",
        ValueFromPipeline = $true,
        ValueFromPipelineByPropertyName = $true
    )]
    [ValidateScript({
        if (Test-Connection -ComputerName $_ -Count 1 -Quiet) {
            return $true
        } else {
            throw "Failed to contact '$_'."
        }
    })]
    [Alias(
        "ComputerName"    
    )]
    [String[]]
    $Name = $env:COMPUTERNAME,

    [Parameter(
        ParameterSetName = "ByComputerName"
    )]
    [System.Management.Automation.PSCredential]
    $Credential = [PSCredential]::Empty,

    [Parameter(
        ParameterSetName = "ByCimSession",
        ValueFromPipeline = $true,
        ValueFromPipelineByPropertyName = $true
    )]
    [Microsoft.Management.Infrastructure.CimSession[]]
    $CimSession
)

begin {
    $hotFixIDs = @(
        "KB3205409", 
        "KB3210720", 
        "KB3210721", 
        "KB3212646", 
        "KB3213986", 
        "KB4012212", 
        "KB4012213", 
        "KB4012214", 
        "KB4012215", 
        "KB4012216", 
        "KB4012217", 
        "KB4012218", 
        "KB4012220", 
        "KB4012598", 
        "KB4012606", 
        "KB4013198", 
        "KB4013389", 
        "KB4013429", 
        "KB4015217", 
        "KB4015438", 
        "KB4015546", 
        "KB4015547", 
        "KB4015548", 
        "KB4015549"
    )
}

process {
    switch ($PSCmdlet.ParameterSetName) {
        "ByComputerName" { 
            foreach ($nameValue in $Name) {
                try {
                    Write-Progress -Activity "Testing '$nameValue' for WannaCry vulnerabilities using WMI" -CurrentOperation "Retrieve operating system information" -PercentComplete 20
                    $osInformation = Get-WmiObject -ComputerName $nameValue -Class Win32_OperatingSystem -Property Caption, Version -Credential $Credential -ErrorAction Stop
                } catch {
                    Write-Error -Message "Failed to query WMI on '$nameValue'." -RecommendedAction "Verify WMI access is not being blocked by the firewall."
                    continue
                }

                if ([Version]$osInformation.Version -ge [Version]"10.0.15063") {
                    Write-Warning -Message "$($osInformation.Caption) $($osInformation.Version) is not vulnerable to the WannaCry Exploit."
                    continue
                }

                # HotFixes
                Write-Progress -Activity "Testing '$nameValue' for WannaCry vulnerabilities using WMI" -CurrentOperation "Inventory hotfix information" -PercentComplete 40
                $appliedHotFixIds = (Get-WmiObject -ComputerName $nameValue -Class Win32_QuickFixEngineering -Credential $Credential).Where({
                    $_.HotFixID -in $hotFixIDs
                }).HotFixID

                #SMB1 Feature
                Write-Progress -Activity "Testing '$nameValue' for WannaCry vulnerabilities using WMI" -CurrentOperation "Retrieve SMB1 feature installation status" -PercentComplete 60
                $smb1Feature = Get-WmiObject -ComputerName $nameValue -Class Win32_OptionalFeature -Property InstallState -Filter "Name = 'SMB1Protocol'" -Credential $Credential |
                    Select-Object -ExpandProperty InstallState

                if ($optionalFeature -eq 1) {
                    $smb1FeatureEnabled = $true
                } else {
                    $smb1FeatureEnabled = $false
                }

                #SMB1 Protocol
                Write-Progress -Activity "Testing '$nameValue' for WannaCry vulnerabilities using WMI" -CurrentOperation "Retrieve SMB1 protocol status" -PercentComplete 80
                $smb1Protocol = Invoke-WmiMethod -ComputerName $nameValue -Class StdRegProv -Name GetDwordValue -ArgumentList @( [uint32]2147483650, "SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "SMB1" ) -Credential $Credential |
                    Select-Object -ExpandProperty uValue

                if ($smb1Protocol -eq 0) {
                    $smb1ProtocolEnabled = $false
                } else {
                    $smb1ProtocolEnabled = $true
                }
                
                # Vulnerable?
                Write-Progress -Activity "Testing '$nameValue' for WannaCry vulnerabilities using WMI" -CurrentOperation "Determine vulnerability status" -PercentComplete 100
                if ($appliedHotFixIds.Count -gt 0 -and -not $smb1FeatureEnabled -and -not $smb1ProtocolEnabled) {
                    $vulnerable = $false
                } else {
                    $vulnerable = $true
                }

                $output = [PSCustomObject]@{
                    PSComputerName = $nameValue
                    OperatingSystemCaption = $osInformation.Caption
                    OperatingSystemVersion = $osInformation.Version
                    Vulnerable = $vulnerable
                    AppliedHotFixIds = $appliedHotFixIds -join "|"
                    SMB1FeatureEnabled = $smb1FeatureEnabled
                    SMB1ProtocolEnabled = $smb1ProtocolEnabled
                }

                Write-Output -InputObject $output
            }
        }
        
        "ByCimSession" {
            foreach ($cimSessionValue in $CimSession) {
                Write-Progress -Activity "Testing '$nameValue' for WannaCry vulnerabilities using CIM" -CurrentOperation "Retrieve operating system caption" -PercentComplete 20
                $osInformation = Get-CimInstance -CimSession $cimSessionValue -ClassName Win32_OperatingSystem -Property Caption, Version

                if ([Version]$osInformation.Version -ge [Version]"10.0.15063") {
                    Write-Error -Message "$($osInformation.Caption) $($osInformation.Version) is not vulnerable to the WannaCry Exploit."
                    continue
                }

                # HotFixes
                Write-Progress -Activity "Testing '$nameValue' for WannaCry vulnerabilities using CIM" -CurrentOperation "Inventory hotfix information" -PercentComplete 40
                $appliedHotFixIds = (Get-CimInstance -CimSession $CimSession -ClassName Win32_QuickFixEngineering).Where({
                    $_.HotFixID -in $hotFixIDs
                }).HotFixID


                #SMB1 Feature
                Write-Progress -Activity "Testing '$nameValue' for WannaCry vulnerabilities using CIM" -CurrentOperation "Retrieve SMB1 feature installation status" -PercentComplete 60
                $smb1Feature = Get-CimInstance -CimSession $cimSessionValue -ClassName Win32_OptionalFeature -Property InstallState -Filter "Name = 'SMB1Protocol'" |
                    Select-Object -ExpandProperty InstallState

                if ($optionalFeature -eq 1) {
                    $smb1FeatureEnabled = $true
                } else {
                    $smb1FeatureEnabled = $false
                }

                # SMB1 Protocol
                Write-Progress -Activity "Testing '$nameValue' for WannaCry vulnerabilities using CIM" -CurrentOperation "Retrieve SMB1 protocol status" -PercentComplete 80
                $smb1Protocol = Invoke-CimMethod -CimSession $cimSessionValue -ClassName StdRegProv -MethodName GetDwordValue -Arguments @{ hDefKey = [uint32]2147483650; sSubKeyName = "SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"; sValueName = "SMB1" } |
                    Select-Object -ExpandProperty uValue

                if ($smb1Protocol -eq 0) {
                    $smb1ProtocolEnabled = $false
                } else {
                    $smb1ProtocolEnabled = $true
                }

                # Vulnerable?
                Write-Progress -Activity "Testing '$nameValue' for WannaCry vulnerabilities using CIM" -CurrentOperation "Determine vulnerability status" -PercentComplete 100
                if ($appliedHotFixIds.Count -gt 0 -and -not $smb1FeatureEnabled -and -not $smb1ProtocolEnabled) {
                    $vulnerable = $false
                }

                $output = [PSCustomObject]@{
                    PSComputerName = $cimSessionValue.ComputerName
                    OperatingSystemCaption = $osInformation.Caption
                    OperatingSystemVersion = $osInformation.Version
                    Vulnerable = $vulnerable
                    AppliedHotFixIds = $appliedHotFixIds -join "|"
                    SMB1FeatureEnabled = $smb1FeatureEnabled
                    SMB1ProtocolEnabled = $smb1ProtocolEnabled
                }

                Write-Output -InputObject $output
            }
        }
    }
}