WannaCry

This article explains how to create a custom scan template that you can use to scan your network exclusively for vulnerabilities associated with the WannaCry ransomware.

Create a custom scan template to check for MS17-010

The easiest way to create a Custom template is by making a copy of an existing template.

Administration -> Templates -> Click: Manage Templates -> Copy: Full audit enhanced logging without Web Spider

IMPORTANT

Name your copy of the Scan Template

Click: Vulnerability Checks -> Click: By Individual Check -> Add Check -> Enter: MS17-010 (As of 5/15/17 there are 192 individual checks).

Be sure to remove all checks from the "By Category" and "By Check Type" sections to ensure that only the individual checks are loaded for the scan(s).

If you want to create a Dynamic Asset Group (DAG) for assets vulnerable to this attack:

Create a new DAG with the following filters:

  • 'CVE ID' 'is' CVE-2017-0143
  • 'CVE ID' 'is' CVE-2017-0144
  • 'CVE ID' 'is' CVE-2017-0145
  • 'CVE ID' 'is' CVE-2017-0146
  • 'CVE ID' 'is' CVE-2017-0147
  • 'CVE ID' 'is' CVE-2017-0148

Change "Match (all) of the specified filters." to "Match (any) of the specified filters."

Hit SEARCH.

You can also create a SQL report to list ANY asset affected by ANY of the 6 CVEs:

sql
1
SELECT da.ip_address AS "IP Address", da.host_name AS "Host Name", dv.title AS "Title", dv.description AS "Description", dv.severity AS "Severity"
2
FROM dim_vulnerability dv
3
JOIN dim_asset_vulnerability_solution das USING(vulnerability_id)
4
JOIN dim_asset da USING(asset_id)
5
WHERE title ILIKE '%2017-0143%' OR title ILIKE '%2017-0144%' OR title ILIKE '%2017-0145%' OR title ILIKE '%2017-0146%' OR title ILIKE '%2017-0147%' OR title ILIKE '%2017-0148%'

Please keep in mind that it will list every instance of any of the CVEs in question.

There are currently 32 checks for each CVE, there are 6 CVEs; a total of 192 checks. However, an asset should not list more than one check for each CVE which should result at most 6 instances per asset. You can create a SQL query to check for only the count or unique instances that way the report contains less rows.