In case you’ve been under a rock: There’s a wee problem with ransomware, fueled by the public release of a handful of high quality access (exploit) and persistence (backdoor) utilities. Most recently, these have manifested in the form of the WannaCry and Petya epidemics. While good intelligence on Petya infection vectors and lateral movement techniques are in a state of flux, WannaCry and other attacks leveraging these offensive capabilities are better understood.
Some of the more damaging attacks are leveraging ETERNALBLUE, which exploits a vulnerability in the Microsoft Windows SMBv1 protocol implementation. A patch is available for the vulnerability, but there are clearly a significant number of unpatched systems in the wild.
Many of our customers operate in sectors such as healthcare delivery, pharmaceuticals, and manufacturing—sectors where legacy systems, geographically distributed systems, and growth through acquisition abound. In these industries and many others, systems management and security orchestration aren’t to the same level of operational maturity that we see in finance and technology. In any enterprise that faces these challenges, making changes may be possible, but is neither easy nor fast.
In the wake of WannaCry and other recent events, we were asked how the Carbon Black (Cb) Response platform could be leveraged to help mitigate the SMBv1 vulnerability in particular. We have a small arsenal of EDR-based automation and orchestration utilities on the shelf, many leveraging Cb Response’s Live Response functionality.
In this case, the task at hand is simple:
- Identify exposure by checking for the presence and/or value of the registry key governing SMBv1: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters (Source)
- Optionally disable SMBv1 by creating the key if necessary and setting the value to 0.
Of course, there’s a bit more to it than that. Live Response is extremely powerful—there’s very little that can’t be done using its REST API. However, it was never built for speed. So we added in some basic cross-platform threading, as well as an ability to target specific hosts based on hostname, IP or sensor group.
The only prerequisite for this is a working cbapi-python installation. Usage is simple. To survey for systems with SMBv1 enabled:
And to disable SMBv1:
Without further adieu, you can find the utility and basic documentation here. Updates and related utilities will likely be announced via Twitter: @kwm or @redcanary.