AnalyticsCmdlets.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
<#
.SYNOPSIS
 This cmdlet checks if the tenant has signs of having a network configuration problem preventing
    the proper local validation of publisher certificates.
     
    It will offer to automatically set affected detections to "Reviewed" status, and add a helpful comment.
#>

function Invoke-CylanceIssuerSignatureMissingWizard()
{
    $rulesInstigating = @(
        "Unsigned Application Network Beaconing",
        "Oversized Image File",
        "Cylance Security Masquerader",
        "Internet Browser With Suspicious Parent"
    )
    $rulesTarget = @(
        "Cylance Security Masquerader",
        "Process Without Common Executable Extension",
        "Intentional File Name Confusion",
        "Internet Browser Launched Unsigned Process",
        "Office Launched Unsigned Process",
        "Suspicious OS Process Owner",
        "Suspicious OS Process Image Path"
    )

    $allrules = $rulesTarget + $rulesInstigating

    $a = (Get-CylanceCachedDetections -Detailed |
        Select-CylanceDetection -Rule $rulesInstigating |
        Where-Object { ($_ | Get-CylanceArtifact -Source "Instigating Process Image File").FileSignature.SignatureStatus -eq "IssuerSignatureMissing" })

    $b = (Get-CylanceCachedDetections -Detailed |
        Select-CylanceDetection -Rule $rulesTarget |
        Where-Object { ($_ | Get-CylanceArtifact -Source "Target Process Image File").FileSignature.SignatureStatus -eq "IssuerSignatureMissing" })

    Write-Host "Detections with problem in instigating process: $($a.count)"
    Write-Host "Detections with problem in target process: $($b.count)"
    $c = Get-CylanceCachedDetections | Select-CylanceDetection -Rule $allrules
    Write-Host "Total detections examined: $($c.Count)"
    $t = Get-CylanceCachedDetections
    Write-Host "Total detections in tenant: $($t.Count)"
    $percentage = ($a.Count + $b.Count) / $t.Count
    Write-Host ("Percentage affected: {0:p}" -f $percentage)

    Set-Variable -Name DetectionsTypeA -Scope Global -Value $a
    Set-Variable -Name DetectionsTypeB -Scope Global -Value $b

    if ($percentage -gt 5) {
        Write-Host "More than 5% affected devices - this typically means the tenant is affected."
    } else {
        Write-Host "Less than 5% affected devices - this can mean the tenant is partially affected, e.g. only for certain sites or clients, or that agents are roaming a lot to networks where they do have the necessary access to cache the required certificates."
    }

    Write-Host "Based on these results, do you want to automatically mark affected detections as 'Reviewed' (Y/N)?"

    $answer = $host.UI.ReadLine()

    if ($answer -like "Y*") {

        if ($DetectionsTypeA -ne $null) {
            Write-Host "Fixing type 'Instigating Process Image File' type detections."
            $DetectionsTypeA | Update-CylanceDetection -Status Reviewed -Comment "This is a detection likely to be caused by missing WinHTTP network configuration when WinHTTP/CryptoAPI is unable to validate a publisher certificate. The publisher certificate may be valid, but the local system could not validate the signature's authenticity as a result."
        }
        if ($DetectionsTypeB -ne $null) {
            Write-Host "Fixing type 'Target Process Image File' type detections."
            $DetectionsTypeB | Update-CylanceDetection -Status Reviewed -Comment "This is a detection likely to be caused by missing WinHTTP network configuration when WinHTTP/CryptoAPI is unable to validate a publisher certificate. The publisher certificate may be valid, but the local system could not validate the signature's authenticity as a result."
        }
    }
}