WannaCry Ransomware attack - please install MS17-010

Thanks for the reply. Oh! I am not aware of it. May I know how this payment works?

Anyway, I managed to create relevance. Here is the one; hope it might help someone.

(exists descriptions of records whose (event id of it = 2 AND description of it contains "KB4012215 was successfully changed to the Installed state") of event log "Setup")
or (exists descriptions of records whose (event id of it = 2 AND description of it contains "KB4012212 was successfully changed to the Installed state") of event log "Setup")
or (exists descriptions of records whose (event id of it = 2 AND description of it contains "KB4012214 was successfully changed to the Installed state") of event log "Setup")
or (exists descriptions of records whose (event id of it = 2 AND description of it contains "KB4012217 was successfully changed to the Installed state") of event log "Setup")
or (exists descriptions of records whose (event id of it = 2 AND description of it contains "KB4012213 was successfully changed to the Installed state") of event log "Setup")
or (exists descriptions of records whose (event id of it = 2 AND description of it contains "KB4012216 was successfully changed to the Installed state") of event log "Setup")

@Sreehari
You can hire the BigFix Product Professional Services (PPS) team through the regional contacts over here: http://ibm.biz/PPSBigFix

If anyone has been compromised by this worm, there is some hope. It’s happened faster than I expected, but it looks like the encryption has already been broken due to a flaw in the code. Don’t reboot your compromised host, and go read

Security researchers have a fix for victims of the ‘WannaCry’ ransomware

The decryptor source code is at https://github.com/gentilkiwi/wanakiwi/releases

Caveat: none of mine were compromised and I’ve not reviewed this utility.

I wanted to share a couple other analyses I have been using in trying to look for indicators of compromise:

(exists running application "tasksche.exe") or (exists running application "mssecsvc.exe")

Based on my research, one of these processes should run when the ransomware is trying to encrypt the disk.

exists files whose ((name of it as lowercase = "tasksche.exe")) of (folder it; descendant folders of folder it) of ("c:\programdata"; "") whose (exists folder it)

This is looking for that exe which is reported to live in a random generated child folder of c:\programdata. This doesn’t run often, as it is a recursive check of child folders and could take some time and resources. Basically if this returns True, we are treating it as a possibly compromised system.

exists files whose ((name of it as lowercase = "mssecsvc.exe" or name of it as lowercase = "tasksche.exe")) of (folder it) of ("c:\windows"; "") whose (exists folder it)

Checks for other locations of the offending executables. Basically if this returns True, we are treating it as a possibly compromised system.


Please note the following fixlets have been released providing an alternative method to patching that will help defend systems against the WannaCry malware:

From: autonotify@us.ibm.com
To: bigfix-announcements@bigmail.bigfix.com
Date: 05/24/2017 05:04 AM
Subject: [BigFix-Announcements] BES Auto Notification: New Fixlets Published in Fixlet Site: 'Patches for Windows'
Sent by: "BigFix-Announcements" <bigfix-announcements-bounces@bigmail.bigfix.com>

--------------------------------------------------------------------------------

Fixlet Site - 'Patches for Windows'
Current Version: 2764 Published: Wed, 24 May 2017 02:18:56  GMT

New Fixlets:
============

***************************************************************
Title: 2696547: Disable SMBv1 in Windows and Windows Server - Enable Workaround (Disable SMB v1) - Windows 7 / Windows 8 / Windows Vista / Windows Server 2008 / Windows Server 2008 R2 / Windows Server 2012 - KB2696547
Severity: Unspecified
Fixlet ID: 269654701
Fixlet Link: https://support.microsoft.com/kb/2696547

Fixlet Description: This fixlet will disable SMBv1 on Windows and Windows Servers, providing the alternative method for customers who can not apply MS17-010 patch. This security update MS17-010 resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server. Note: Affected computers may report back as 'Pending Restart' once the update has run successfully, but will not report back their final status until the computer has been restarted.

Important Note: There are known issues associated with the installation of this update. Machine with SMBv1 disabled will not be able to access files and folders on Windows Server 2003, which can only negotiate SMBv1. For more information please review The Deprecation of SMBv1.

***************************************************************
Title: 2696547: Disable SMBv1 in Windows and Windows Server - Disable Workaround (Disable SMB v1) - Windows 7 / Windows 8 / Windows Vista / Windows Server 2008 / Windows Server 2008 R2 / Windows Server 2012 - KB2696547
Severity: Unspecified
Fixlet ID: 269654703
Fixlet Link: https://support.microsoft.com/kb/2696547

Fixlet Description: This fixlet will install SMBv1 on Windows and Windows Servers, providing the method for customers who have removed SMBv1 to restore the SMBv1 service. Disabling SMBv1 on Windows and Windows Servers provides the alternative method for customers who can not apply MS17-010 patch. This security update MS17-010 resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server. Note: Affected computers may report back as 'Pending Restart' once the update has run successfully, but will not report back their final status until the computer has been restarted.

Important Note: There are known issues associated with the disabling of SMB v1. Machine with SMBv1 disabled will not be able to access files and folders on Windows Server 2003, which can only negotiate SMBv1. For more information please review The Deprecation of SMBv1.

***************************************************************
Title: 2696547: Disable SMBv1 in Windows and Windows Server - Enable Workaround (Remove SMB v1 completely) - Windows 8.1 / Windows 10 / Windows Server 2012 R2 / Windows Server 2016 - KB2696547
Severity: Unspecified
Fixlet ID: 269654705
Fixlet Link: https://support.microsoft.com/kb/2696547

Fixlet Description: This fixlet will remove SMBv1 on Windows and Windows Servers, providing the alternative method for customers who can not apply MS17-010 patch. This security update MS17-010 resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server. Note: Affected computers may report back as 'Pending Restart' once the update has run successfully, but will not report back their final status until the computer has been restarted.

Important Note: There are known issues associated with the installation of this update. Machine with SMBv1 removed will not be able to access files and folders on Windows Server 2003, which can only negotiate SMBv1. For more information please review The Deprecation of SMBv1.

***************************************************************
Title: 2696547: Disable SMBv1 in Windows and Windows Server - Disable Workaround (Remove SMB v1 completely) - Windows 8.1 / Windows 10 / Windows Server 2012 R2 / Windows Server 2016 - KB2696547
Severity: Unspecified
Fixlet ID: 269654707
Fixlet Link: https://support.microsoft.com/kb/2696547

Fixlet Description: This fixlet will install SMBv1 on Windows and Windows Servers, providing the method for customers who have removed SMBv1 to restore the SMBv1 service. Removing SMBv1 on SMB servers provides the alternative method for customers who can not apply MS17-010 patch. This security update MS17-010 resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server. Note: Affected computers may report back as 'Pending Restart' once the update has run successfully, but will not report back their final status until the computer has been restarted.

Important Note: There are known issues associated with the removing of SMB v1. Machine with SMBv1 removed will not be able to access files and folders on Windows Server 2003, which can only negotiate SMBv1. For more information please review The Deprecation of SMBv1.


Any votes for this RFE?

Additional content to detect Windows vulnerabilities (which can be mitigated through patching)
https://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=105294

So it sounds like there are a few ways to handle this. One analysis mentioned at WannaCry Vulnerability: Custom Analysis created to detect for Vulnerability referenced in MS17-010, and then this thread uses the following code:

if not exists keys whose( exists ( (name of it), ("KB4012212";"KB4012215";"KB4015549";"KB4019264";"KB4012213";"KB4012216";"KB4015550";"KB4019215";"KB4012606";"KB4015221";"KB4019474";"KB4013198";"KB4015219";"KB4019473";"KB4015438";"KB4015217";"KB4019472") ) whose(item 0 of it contains item 1 of it) ) of keys ("Windows\CurrentVersion\Uninstall";"Windows\CurrentVersion\Component Based Servicing\Packages";"WindowsNT\CurrentVersion\Hotfix") of keys "HKLM\SOFTWARE\Microsoft" of (x32 registries;x64 registries) then "Not Patched" else "Patched"

(Modified a bit for our environment.) Lastly, there's this method: WannaCry Relevancy (duplicate). Do all of these methods work, and if so, is there a preferred way of doing this?
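Added example (not part of any post in this thread): the two patch checks quoted above, the Setup event-log match and the registry key-name match, run side by side in Python over constructed hosts to show where their KB lists make them disagree. The KB lists are copied from the thread; the host data, the `pkg`/`ev` helpers and the key-name format are constructed for illustration.

```python
import re

# KB lists copied from the two relevance expressions quoted in this thread.
EVENTLOG_KBS = {"KB4012212", "KB4012213", "KB4012214",
                "KB4012215", "KB4012216", "KB4012217"}
REGISTRY_KBS = {"KB4012212", "KB4012215", "KB4015549", "KB4019264", "KB4012213",
                "KB4012216", "KB4015550", "KB4019215", "KB4012606", "KB4015221",
                "KB4019474", "KB4013198", "KB4015219", "KB4019473", "KB4015438",
                "KB4015217", "KB4019472"}
INSTALLED = re.compile(r"(KB\d+) was successfully changed to the Installed state")

def patched_by_eventlog(records):
    """records: (event_id, description) pairs read from the Setup event log."""
    for event_id, description in records:
        match = INSTALLED.search(description)
        if event_id == 2 and match and match.group(1) in EVENTLOG_KBS:
            return True
    return False

def patched_by_registry(key_names):
    """key_names: subkey names under the Uninstall / Packages / Hotfix keys."""
    return any(kb in name for name in key_names for kb in REGISTRY_KBS)

def compare(host):
    return (patched_by_eventlog(host["setup_log"]),
            patched_by_registry(host["reg_keys"]))

def pkg(kb):  # constructed key name in the style of a servicing package entry
    return f"Package_for_{kb}~31bf3856ad364e35~amd64~~6.1.1.0"

def ev(kb):   # constructed Setup-log record, event id 2
    return (2, f"Package {kb} was successfully changed to the Installed state.")

# Constructed sample hosts (not real inventory data).
HOSTS = {
    "both-agree":    {"setup_log": [ev("KB4012215")], "reg_keys": [pkg("KB4012215")]},
    "log-cleared":   {"setup_log": [],                "reg_keys": [pkg("KB4012212")]},
    "registry-only": {"setup_log": [ev("KB4019264")], "reg_keys": [pkg("KB4019264")]},
    "eventlog-only": {"setup_log": [ev("KB4012217")], "reg_keys": [pkg("KB4012217")]},
    "unpatched":     {"setup_log": [ev("KB3000000")], "reg_keys": [pkg("KB3000000")]},
}

def report():
    return {name: compare(host) for name, host in HOSTS.items()}

if __name__ == "__main__":
    for name, (by_log, by_reg) in report().items():
        print(f"{name:14} eventlog={by_log!s:5} registry={by_reg}")
```

The "registry-only" and "eventlog-only" hosts carry a KB that appears in just one of the two lists, and "log-cleared" has no Setup records left, so the checks return different answers for the same machine.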