Capture result code by PS or at end?
We have a vendor supplied program (exe) that we deployed to scan for a vulnerability in their firmware and interestingly we have found it returns a result code of 0 if none, 500 if vuln, and 502 if patched. I am looking for a way to use these codes for an easier way to know what needs to be patched. I don't want to chain a job off them or anything; in fact, I'd be happy writing that result code into the registry since we use a custom subkey for storing other data we use with deployments. Anyone have any idea on how to do this?
Comments
I wrote a blog about doing that with the Intel SA-00086 Detection Tool a few years ago: https://www.pdq.com/blog/intel-sa-00086/
However, that tool tattooed the registry itself, and that was before the PowerShell Scanner. You can capture exit codes in PowerShell like this:
I figured that out when I helped write the PowerShell example for GRC's InSpectre. I can't post the link because this forum doesn't like it for some reason.
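As an added example (not the poster's script and not Intel's or PDQ's code), here is one way to run the vendor scanner, capture its exit code, decode the 0/500/502 values described in the question, and tattoo the result into a custom registry subkey. The scanner path and the registry subkey are placeholders.

```powershell
# Added example: capture a vendor scanner's exit code and record it in the registry.
# Assumptions: $ScannerPath and $RegistryKey are placeholders; replace them with your own.
$ScannerPath = 'C:\Tools\VendorScanner.exe'             # placeholder, not a real tool path
$RegistryKey = 'HKLM:\SOFTWARE\ExampleOrg\Deployments'  # placeholder custom subkey

# Exit codes as described in the question: 0 = not vulnerable, 500 = vulnerable, 502 = patched
$StatusByExitCode = @{
    0   = 'NotVulnerable'
    500 = 'Vulnerable'
    502 = 'Patched'
}

# -Wait -PassThru returns the process object, so .ExitCode is reliable even if the
# scanner is a console app; with '& $ScannerPath' you would read $LASTEXITCODE instead.
$proc = Start-Process -FilePath $ScannerPath -Wait -PassThru -NoNewWindow -ErrorAction Stop
$exitCode = $proc.ExitCode

# Anything outside the documented codes is recorded as-is rather than silently mapped
$status = if ($StatusByExitCode.ContainsKey($exitCode)) {
    $StatusByExitCode[$exitCode]
} else {
    "Unknown($exitCode)"
}

# Create the subkey if it does not exist, then write the raw code, the decoded status
# and a timestamp so the values can be reported on from the deployment inventory
if (-not (Test-Path $RegistryKey)) {
    New-Item -Path $RegistryKey -Force | Out-Null
}
Set-ItemProperty -Path $RegistryKey -Name 'VulnScanExitCode' -Value $exitCode -Type DWord
Set-ItemProperty -Path $RegistryKey -Name 'VulnScanStatus'   -Value $status   -Type String
Set-ItemProperty -Path $RegistryKey -Name 'VulnScanTime'     -Value (Get-Date -Format 'o') -Type String

# The result now lives in the registry; exit 0 so the deployment step itself reports success
exit 0
```

Run it elevated, since writing under HKLM requires administrative rights.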
HA. Ok well this is for Intel's SA-00075 so... yeah Intel :) Same deal, they tattoo the registry but it's very convoluted how to tell if it's vulnerable or not. Wonder why it's not liking the link. Guess there is no way to PM either?
The fun part after detection is there's like 20 different versions of patches depending on the model. Some are shareable, some are not.
Let's try this:
Cool that worked. Trying out your 86 stuff as well since I think that's on my list. Wish we would just dump these ancient machines.
Woo, that worked! :D
I built a table in my blog for SA-00086. I think I got it from the PDF they included with the tool, but that was 4 years ago, so my memory's a little fuzzy. I sent PDQ an email letting them know the table is currently mangled, so hopefully it will be readable within a few days.
Ah I noticed that looked a bit off. Thanks for your help. I have been wondering if you worked for PDQ or not since you're right on most of the answers here and in the live webinars. I guess that answers my question.
Actually, I don't work for PDQ anymore.
So the scanner from that blog post fails. You have a -d 0 switch in the scanner switches line which does not seem to be a valid switch from the output. Removing it produces results but I'm not sure if that breaks anything else. I am a bit concerned about them since it says hey we are not supporting this ME version in the scanner though... I am wondering if maybe you had an older version of the scanner that was supporting the old ME versions and that switch.
The more I poke around the more I feel fairly confident this is a new version of the tool. After running it and checking the registry, I found that the subkey the results are stored in has changed from
SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool\System Status\System Risk
To
SOFTWARE\Intel\CSME Version Detection Tool\System Status
Which kind of sucks since the page linking to it on Intel's site still says it's for Intel® Management Engine (Intel® ME 6.x/7.x/8.x/9.x/10.x/11.x)
Oh yeah, I forgot that they changed the tool a while ago. It looks like it runs fine without any switches now.
The new registry path is:
I believe it still writes stuff like the ME version to the registry even if your ME is not supported, but I don't currently have an old system to test with. However, since they're unsupported, they won't be patched for any vulnerabilities discovered after their EOL date.
Yeah the bane of companies trying to eke every little penny out of systems and run them into the ground. :D Still, this was a ton of help, and it was very helpful to see how you did some things, which is going to make me adjust how I do a few things. Still only had about 3-4 months with PDQ so far.