Report on MS17-010 with Qualys Vulnerability Management

Document created by Leif Kremkow Employee on May 12, 2017Last modified by Leif Kremkow Employee on May 17, 2017
Version 3Show Document
  • View in full screen mode

Produce reports against "Microsoft SMB Server Remote Code Execution Vulnerability and Shadow Brokers" (MS17-010) (Qualys ID 91345) (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148, CVE-2017-0147) (BugTraq 96703 , 96704 , 96705 , 96707 , 96709 , 96706 ) with Qualys Vulnerability Management, Asset View, and Threat Protect.

 

See The Shadow Brokers Release Zero Day Exploit Tools for background information on the purpose of these reports.

 

Alternatively, consider using Qualys AssetView Dashboards For WannaCry and Shadow Brokers Configuration How-To.

 

Using Asset Search in Vulnerability Management (6 clicks):

  • go to "Assets" > "Asset Search"
  • select "All" as the Asset Groups to check against
  • in the "QID" selection criteria enter "91345"

  • click "Search"

Careful: this will want to open a new browser window; if you see nothing happening, check if you are blocking pop-ups.

This would produce a report such as this:

 

Using a custom search in Asset View (3 clicks)

  • go to "Assets" > "Assets"
  • in the "Search …" field enter "vulnerabilities.vulnerability.qid:91345" (note: you can also just type "qid" and select the auto-completed text and then add the QID 91345)

Take this opportunity to create a widget in your Asset View dashboard to track progress over time and see if things are getting worse or better:

  • click on "create widget"
  • give the widget a title, such as "Machines at Risk"
  • enable "Collect trend data"
  • click "Add to dashboard"

 

Custom Vulnerability Management Report (many clicks)

go to "Reports" > "Search Lists"

click "New" and create a new "Static List…"

give it a title, e.g. "MS17-010 only"

go to the "QIDs" section, click "Manual" and enter "91345"

  • click "OK", then "Save"
  • now go over to "Reports" > "Templates"
  • click "New", select "Scan Template…"
  • give the report a Title, such as "MS17-010 only"
  • go to the "Findings" section and select the "All" Asset Group

  • go to the "Display" section and select "Sort by Vulnerability"
  • disable "Text Summary" and enable "Vulnerability Details"

  • go to the "Filter" section, select "Custom" for "Selective Vulnerability Reporting"
  • using "Add Lists" select the Search List previously created, named "MS17-010 only" in our example

  • click "Save" on for the Report Template
  • in the list of available templates, select the new created "MS17-010 only" template
  • use the drop down menu to "Run" a report from the template

  • give the new report a title, such as "MS17-010 only"
  • select "HTML only" as the "Report Format" for easy online viewing of the report
  • then "Run" the report

Once the data is processed, you should get a report similar to this:

 

(Edited to add information about AssetView)

4 people found this helpful

Attachments

    Outcomes