How to build a vulnerability scanner with PowerShell
If an urgent security issue isn’t patched, you can use a PowerShell vulnerability scanner to detect these threats in your Windows Server infrastructure to speed up mitigation efforts.
One of the most difficult tasks for any company is to identify vulnerabilities in applications and operating systems. This can be particularly difficult with emerging threats that cannot be easily remedied, such as B. the Log4Shell vulnerability. If time is of the essence, a custom PowerShell script can help with these scenarios.
PowerShell’s capabilities as a configuration tool are well known, but it also works well to identify potential vulnerabilities in systems like Windows Server. As a native Windows tool, PowerShell can access core operating system functions and .NET classes to query and identify security threats. You can load a .NET DLL into PowerShell to call functions or types within the component. For example, you can load the System.Net.dll file to resolve names to IP addresses.
$url = www.domain.com $ip = [System.Net.dll]::Resolve($name).AddressList $ip | Select-Object -ExpandProperty IPAddressToString
Combining the core features of PowerShell with extensions such as .NET components, downloaded scripts or installable add-ons makes it the ideal tool.
Why is a PowerShell vulnerability scanner useful?
With vulnerability scanning, you use a structured approach to identify, analyze, and report security issues within the network. A scan can mimic how malicious actors try to access your environment, whether it’s a server or another device. The results can often reveal the path a malicious actor might take and the data they might steal, which can aid IT and security teams in ongoing hardening efforts.
PowerShell’s flexibility through its scripting language is one of its strengths. It is much easier to change a script than to wait for an antivirus application update or a new vulnerability definition to be released. As a native tool, PowerShell can access the lowest layers of the Windows operating system and access much of the data required for a full scan.
How to use PowerShell to find a list of vulnerabilities
Using PowerShell to get current common vulnerabilities and exposures (CVEs) and to scan servers and clients is a straightforward and robust approach.
To identify vulnerabilities, you need to get a list of the latest CVEs. The Microsoft Security Response Center provides a website called the Security Update Guide, which is used to find details about these security update or mitigation CVEs. Microsoft also provides a PowerShell module to retrieve this information.
To use PowerShell to get the CVEs, install the MSRCSecurityUpdates module.
Install-Module -Name MSRCSecurityUpdates -Force Import-Module MSRCSecurityUpdates
After the module has loaded, you can request CVEs for a specific month.
$file = "C:\Training\March2022.html" $month="2022-Mar" $download = Get-MsrcCvrfDocument -ID $month -Verbose | Get-MsrcSecurityBulletinHtml -Verbose $download | Out-File $file
The downloaded file contains the CVE ID, description, severity rating, impact of the vulnerability and the affected software. You extract mitigations and workarounds by using filters within the query with 0 for workarounds or 1 for mitigations.
$month="2022-Mar" $document = Get-MsrcCvrfDocument -ID $month $document.Vulnerability.Remediations | Where Type -EQ 0 $document.Vulnerability.Remediations | Where Type -EQ 1
PowerShell can iterate over the values as part of the scanning task. You need to customize the commands if you want to get a list of affected systems.
$month="2022-Mar" $document = Get-MsrcCvrfDocument -ID $month Get-MsrcCvrfAffectedSoftware ` -Vulnerability $document.Vulnerability ` -ProductTree $document.ProductTree
To identify the security updates in which a specific CVE occurs, the query needs to be modified to go one step further.
$cve = "CVE-2022-24526" Get-MsrcSecurityUpdate -Vulnerability $cve
After downloading the list of current CVEs, affected systems, and associated updates, we can use the output to iterate over the Windows Server systems.
How to use PowerShell to scan files for vulnerabilities
In recent years, more attacks have used vulnerabilities in specific applications or files, such as B. the Apache Log4j vulnerability, commonly known as Log4Shell. Many applications use the Log4j logging framework to track activity in software applications or online services. When reports of a zero-day vulnerability in Log4j were published, quick action was required to find vulnerable systems and protect against intrusion attempts and ransomware attacks.
The following steps explain how to create a Log4j PowerShell scanner, which many administrators did before security tools were updated and patches were available. Since it was not a Windows-based threat, finding and neutralizing the vulnerable Java library required a more inventive solution. If a similar situation arises in the future, administrators can create their own vulnerability scanner in PowerShell.
To fix and mitigate Log4Shell, scan for specific file types and then assign one of the following CVEs:
Depending on the identified version of the target file, we can then assign the CVE. The vulnerability is to identify specific file formats, versions and the vulnerable JndiLookup class.
The first step is to connect to the machine’s operating system and iterate through the drives and files, looking for file types such as .jar and .war files, which are Java archives and zipped file types.
$extensions = @('*.JAR', '*.WAR')
$disks = (Get-WmiObject `
-Class Win32_LogicalDisk `
-Filter "DriveType="3"").DeviceID
foreach ($disk in $disks) {
$disk = "$disk\"
$files = Get-ChildItem $disk `
-Recurse -ErrorVariable DriveError `
-Include $extensions `
-ErrorAction SilentlyContinue
}
After a match is found, each file must be examined further to find the log4j class. Add a second loop in the foreach loop for the retrieved files and pass each identified file to a scan function.
foreach ($disk in $disks) {
$disk = "$disk\"
$files = Get-ChildItem $disk `
-Recurse -ErrorVariable DriveError `
-Include $extensions `
-ErrorAction SilentlyContinue
foreach ($file in $files) {
$scanned += [pscustomobject](Check-File $file)
}
}
Check each file for JndiLookup.class, pom.properties and log4j names nested in the retrieved file type archives or the root folders. There are many PowerShell examples online of techniques to search the identified files for specific names and properties, e.g. B. the Log4jSherlock scanner.
The scan function should look for the class and match it against the CVE. If files meet the criteria, you should use another PowerShell function to remove them, or at least flag them for manual remediation.
As you can see, PowerShell is an excellent tool for scanning Windows server and client systems for specific files, folders and even vulnerabilities.