Vulnerability hunting in Intune

  • Published 4 Oct 2024
  • To hunt vulnerabilities in apps, you want to keep the apps updated.
    First, you must know what apps/software you have (inventory), so we start there by exporting all software to a CSV file that we open in Excel.
    From the spreadsheet we pick a few applications (Mozilla Firefox, Git, GIMP) that it shows as outdated and that need an update to reduce vulnerabilities.
    We create Proactive Remediation scripts (Detection and Remediation), update our clients and verify that the update succeeded.
    We also created a template (you find it further down in this description) so you can update the software you need; as long as the software has a Winget ID you can use this script.
    As a bonus, we also look at the log files of Proactive Remediation scripts and where they are stored when deployed to devices.
    This video goes through a lot of useful real-world cases, so be sure to watch it all.
    Links:
    M365 Inventory: config.office....
    Scripts:

    Git Proactive Remediation DETECTION Script

    # Software Detection Script to see if Git needs an update
    # Author: John Bryntze
    # Date: 2nd March 2023

    # Variables
    $JBNAppID = "Git.Git"
    $JBNAppFriendlyName = "Git"

    # Help System to find winget.exe
    Set-Location -Path ("$env:ProgramW6432\WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe")

    # Check locally installed software version
    $JBNLocalInstalledSoftware = .\winget.exe list -e --id $JBNAppID --accept-source-agreements

    # If not installed exit here...
    if($JBNLocalInstalledSoftware[-1] -eq 'No installed package found matching input criteria.')
    {
        # The app is NOT installed...
        exit 0
    }

    # The header row of 'winget list' only contains an 'Available' column when a newer version exists
    $JBNAvailable = (-split $JBNLocalInstalledSoftware[-3])[-2]

    # Check if needs update
    if ($JBNAvailable -eq 'Available')
    {
        write-host $JBNAppFriendlyName "is installed but not the latest version, needs an update"
        exit 1
    }
    if ($JBNAvailable -eq 'Version')
    {
        write-host $JBNAppFriendlyName "is installed and is the latest version"
        exit 0
    }
    if (!$JBNAvailable)
    {
        write-host $JBNAppFriendlyName "is not installed"
        exit 0
    }

    Git Proactive Remediation REMEDIATION Script

    # Software Remediation Script to update the software
    # Author: John Bryntze
    # Date: 2nd March 2023

    # Variables
    $JBNAppID = "Git.Git"

    # Help System to find winget.exe
    Set-Location -Path ("$env:ProgramW6432\WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe")

    # Run an upgrade of the software
    .\winget.exe upgrade -e --id $JBNAppID --silent --accept-package-agreements --accept-source-agreements
    For GIMP and Mozilla Firefox use the script above but change the AppID variable to:
    Mozilla Firefox: "Mozilla.Firefox"
    GIMP: "GIMP.GIMP"
    The log file for these scripts can be found here:
    C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\AgentExecutor.log
    Proactive Remediation scripts are executed locally on the devices from this location:
    C:\Windows\IMECache\HealthScripts
    Under that folder each script gets its own subfolder named with a unique id, and you find the script files inside each subfolder.
    If you master this, you will bring a lot of value to your organization or customers.
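    The detection and remediation template above handles one Winget ID per script pair. As an added example (not the video's own template), the script below covers several IDs in one file: deploy it twice in the Remediation package, once unchanged as the detection script and once with $Remediate set to $true as the remediation script. The three IDs are the ones from the video; the winget.exe lookup mirrors the video's path but picks the newest App Installer package folder instead of relying on a single wildcard match.

```powershell
# Added example, not the video's template: one script for several Winget IDs.
# Deploy as detection with $Remediate = $false, as remediation with $true.
$Remediate = $false
$AppIds = @('Git.Git', 'Mozilla.Firefox', 'GIMP.GIMP')

# Resolve winget.exe from the App Installer package folder, as the video does;
# the per-user winget alias is not on PATH when the script runs as SYSTEM.
# Several package versions can coexist, so take the lexically newest folder.
$Winget = Get-ChildItem "$env:ProgramW6432\WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe\winget.exe" -ErrorAction SilentlyContinue |
    Sort-Object FullName -Descending | Select-Object -First 1
if (-not $Winget) { Write-Host 'winget.exe not found'; exit 1 }

function Get-WingetState {
    param([string]$Id)
    # 'winget list' prints a header, a dashed line and the package row, or a
    # not-found message. @() forces an array even when only one line comes back.
    $out = @(& $Winget.FullName list -e --id $Id --accept-source-agreements)
    if ($out[-1] -match 'No installed package found') { return 'NotInstalled' }
    if ($out.Count -lt 3) { return 'Unknown' }
    # The header contains an 'Available' column only when an update exists.
    if ((-split $out[-3])[-2] -eq 'Available') { return 'Outdated' }
    return 'Current'
}

$outdated = @()
foreach ($id in $AppIds) {
    $state = Get-WingetState -Id $id
    Write-Host "$id : $state"
    if ($state -eq 'Outdated') { $outdated += $id }
}

if ($outdated.Count -eq 0) {
    Write-Host 'All listed apps are current or not installed'
    exit 0
}

if (-not $Remediate) {
    # Detection: exit 1 triggers remediation; the last line shows in the report.
    Write-Host "Needs update: $($outdated -join ', ')"
    exit 1
}

# Remediation: upgrade only what detection found, then report the result.
$failed = @()
foreach ($id in $outdated) {
    & $Winget.FullName upgrade -e --id $id --silent --accept-package-agreements --accept-source-agreements | Out-Null
    if ($LASTEXITCODE -ne 0) { $failed += $id }
}
if ($failed.Count -gt 0) { Write-Host "Upgrade failed: $($failed -join ', ')"; exit 1 }
Write-Host "Upgraded: $($outdated -join ', ')"
exit 0
```

    The per-app lines still appear in AgentExecutor.log, so a failed upgrade for one ID can be traced there without changing the script.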

COMMENTS • 53

  • @pinkisingh3237
    @pinkisingh3237 11 days ago +1

    Amazing video with such great explanation ❤really helpful. Thankyou so much

    • @IntuneVitaDoctrina
      @IntuneVitaDoctrina 10 days ago

      Hey thank you so much for taking time to comment, I LOVE comments like this, thanks!

  • @kellywise8737
    @kellywise8737 1 year ago +3

    Ran across your channel last night while trying to install an app with some configuration files in Intune. I have watched a lot of Intune videos over the years and really appreciate your delivery and explanations. Great resource!

    • @IntuneVitaDoctrina
      @IntuneVitaDoctrina 1 year ago

      Thanks a lot Kelly, love hearing feedback like this, gives me more energy to do more videos which is coming :) thanks!

  • @nones6656
    @nones6656 1 year ago +2

    At last! a channel straight to the point!

    • @IntuneVitaDoctrina
      @IntuneVitaDoctrina 1 year ago

      Thanks a lot! more videos are coming, at least one per month, recently I have released at least two Intune videos, see if I can keep up with that, but at least one per month :D

  • @XwolfBane18
    @XwolfBane18 1 year ago +3

    Hi John another well detailed video with tons of useful information to use at work . Also I really like how you have given credit to your viewer on setting the winget path so the script looks easier to understand. Patiently waiting for another upload 😅

    • @IntuneVitaDoctrina
      @IntuneVitaDoctrina 1 year ago +1

      thanks a lot, yeah it is great with comment feedback and tips and sometimes I learn from them also :) I forgot to mention a great language fix a comment provided, it will be in another video :)

  • @Rideables
    @Rideables 1 year ago +1

    Great quality video and I very much appreciate your desire to make every key point easy to understand.

    • @IntuneVitaDoctrina
      @IntuneVitaDoctrina 1 year ago +1

      Thanks a lot, will try to continue down that path

    • @Rideables
      @Rideables 1 year ago +1

      @@IntuneVitaDoctrina I had a question though - I've searched through auto-generated transcript but didn't find mention of the license.
      When I've tried to follow this guide I found that this remediation piece is not present in Reports but has seemingly been moved to "Devices" -> "Remediations" and "Create Script Package" is grayed out with a note "Use of remediations requires Windows license verification to be enabled.".
      I'm probing out Intune and only had "Enterprise Mobility + Security E3" but seems like according to docs to be able to use remediation I need at least M365 E3 or better E5 - would you confirm that?

    • @IntuneVitaDoctrina
      @IntuneVitaDoctrina 1 year ago +1

      Thanks for this information, I know that Remediation has moved to under Devices which I think is nice, I should update the video with that, but maybe I just put it in the description instead.
      I didn't know about the license, and yes an E5 works for sure, but E3 should also work, I searched and found this information interesting, check this and you should be able to get it not greyed out
      www.reddit.com/r/Intune/comments/12338dt/help_proactive_remediation_now_requires_licensing/

  • @Pilami_
    @Pilami_ 1 year ago

    Just found your videos, much appreciated!!

  • @texddiaz
    @texddiaz 1 year ago +1

    Excellent as always, good job, thanks for sharing! :)

    • @IntuneVitaDoctrina
      @IntuneVitaDoctrina 1 year ago

      Hey thank you so much Texy for all comments, love to read and see them, thanks!

  • @sachinsehrawat9866
    @sachinsehrawat9866 1 year ago +1

    Hi John,
    It was a really nice video and you explained the PowerShell script very well line by line.
    Keep up the good work ❤

    • @IntuneVitaDoctrina
      @IntuneVitaDoctrina 1 year ago +2

      Thanks a lot for this nice comment, it motivates me to continue, thanks!

  • @lynetteberg4807
    @lynetteberg4807 1 year ago +1

    Good stuff !!! Love your videos.

  • @gertbleus7276
    @gertbleus7276 1 year ago +1

    Very interesting. Thank you.

    • @IntuneVitaDoctrina
      @IntuneVitaDoctrina 1 year ago

      Thanks a lot Gert, these are things I do at my work: look for what software is an old version (and therefore vulnerable) and then create Remediation Scripts and update. Let's say that approach is popular with the security teams in companies and you can be a hero by implementing this :) just be sure to take before and after stats so you can show your manager or whoever that "Before we had these versions... and look, 1 week later we have the latest version of the software", it is pretty sweet :)

    • @gertbleus7276
      @gertbleus7276 1 year ago +1

      @@IntuneVitaDoctrina Much appreciated! By the way, congrats on reaching more than 1000 subs! Well earned!

  • @olegproscurchin8200
    @olegproscurchin8200 1 year ago +1

    Amazing info, the only thing I would probably do, just add a parameter -AppID and not worry about modifying those scripts. 😉

    • @IntuneVitaDoctrina
      @IntuneVitaDoctrina 1 year ago

      Thanks Oleg, you can add the --all switch to update all, you get less visibility in reporting but for home systems I think that is a great thing to run also. Thanks, good idea!

    • @olegproscurchin8200
      @olegproscurchin8200 1 year ago

      @@IntuneVitaDoctrina ohh... never mind I see now that Proactive Remediation doesn't allow you to run scripts with parameters, so we need a separate script for each app. This is not good. Hope they will add it in the future :(

  • @it-flex8410
    @it-flex8410 1 year ago +1

    In Swedish it's only "Program" or "Program (x86)" 😉

    • @IntuneVitaDoctrina
      @IntuneVitaDoctrina 1 year ago +1

      Indeed, pretty nice to not have to take care of any spaces when it comes to 64-bit programs :)
      I hope Windows does like macOS and forbid 32-bit software, and maybe rename "program files" to just "apps" or alike.
      Even the C: is a bit legacy, before we had floppy disk on A: and B: etc....

  • @KitLai-d4d
    @KitLai-d4d 2 months ago +1

    Hi John,
    Great video as always! Really enjoy all your video contents.
    I have a question regards to this method using PR + Winget to auto update software. I tried your script which works fine on Notepad++. However, I noticed if Notepad ++ was running, it will still update but the version doesn’t get updated correctly. My question is, do you have a solution in Remediation script to say ‘check if Notepad++ is running and if so, prompt for a popup box for user to close, before triggering the Winget to update to the latest? Or even wait until Notepad++ is closed before updating but don’t allow user to open Notepad++ yet in case it’s updating’. ? Thanks!

    • @IntuneVitaDoctrina
      @IntuneVitaDoctrina 2 months ago +1

      Thanks, and interesting, I didn't know that happened on Notepad++ but it makes sense.
      A product like PSAppDeployToolkit would fix it, but that requires more files, so a Remediation Script couldn't use it, would need to be a Win32 app, and we don't want that.
      I could easily write a checker to check if Notepad++ is started like you mentioned, and if it is, exit with 0, and let it rerun every 6 hours or alike and hopefully catch it when it is not started.
      # Script to check if Notepad++ processes are running
      # Get the list of Notepad++ processes
      $notepadPlusPlusProcesses = Get-Process -Name "notepad++" -ErrorAction SilentlyContinue
      # Check if any Notepad++ processes are found
      if ($notepadPlusPlusProcesses) {
          Write-Output "Notepad++ is running."
      } else {
          Write-Output "Notepad++ is not running."
      }
      For me it is never a problem if Notepad++ shuts down while using it as it autosaves, so the script could kill all the processes, not so user friendly, but could have the script run at 4am in the morning or alike when no one should be using it.

    • @KitLai-d4d
      @KitLai-d4d 2 months ago +1

      @@IntuneVitaDoctrina
      Thanks John for the quick reply and suggestion. Will try that detection suggestion you mentioned.
      You’re right, one method was to use PS Deployments Toolkit for the user interaction. Do you know if it’s possible to call Win32 apps from remediation script?
      I also tried your Winget package method to install Notepad++ (as an example), which will always install the latest version if deploy to a machine, which is brilliant!
      My only issue is how I can update it monthly and with less work. The Winget package install whatever the latest version at today’s date. Is there a way to make it auto run again in a month, which the script always check current latest version?
      Unfortunately, the 4am kill Notepad++ wont work as most machine will be off here. 😊
      Thanks again John.

    • @IntuneVitaDoctrina
      @IntuneVitaDoctrina 2 months ago

      You could call a Win32 app with MS Graph, but wow that be a lot of code and API secrets etc.
      You are right about the script will run once and take the latest and then never again, which makes Remediation Script perfect for this. You can go around this by doing a normal script but instead of calling winget, the script creates a Schedule Task that runs when you need and that one is calling Winget and update Notepad++

    • @KitLai-d4d
      @KitLai-d4d 2 months ago +1

      @@IntuneVitaDoctrina
      Would you be able to do a video to show us how to achieve this?
      It will be good to learn more about MS Graph as your video contents is easily to understand. 😊
      So with the remediation script, the script creates a schedule task. Within the schedule task then call the Winget script to install Notepad++? Do I add the command or do I call existing script?
      Never tried this method but worth a test and try (plus learning). I remember you had a video on schedule task so hopefully I can pick up the basic from there.
      If I can use PSDeployment toolkit that would be good. Haha
      Thanks again John

    • @IntuneVitaDoctrina
      @IntuneVitaDoctrina 2 months ago

      Thanks, good ideas for a lot of videos, I wanted to do a longer series about MS Graph, so powerful, so that will come but not sure when. To do a PowerShell script that (without remediation) creates a scheduled task that runs winget to update certain software could be a really good video idea, as I know not everyone has a license for Remediation Scripts.
      I have a few videos showing PS App Deployment Toolkit, but would like to do a series about that also.
      Scripts could download PS App Toolkit and do stuff, hmmm a bit messy, or deploy PS Deployment AppToolkit to all devices with a Win32 app in advance and then have the script use it... hmmm not sure if that is a good idea.
      For you now quickly, keep a normal PS script (not remediation) and create a scheduled task that runs winget.exe to update Notepad++ at certain intervals, and cancel if the process is started, can run it daily, if winget finds no update it does nothing anyway
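The scheduled-task approach suggested in the reply above, as an added example that is not the video's or the commenter's code: a plain Intune PowerShell script (not a Remediation) that writes a small updater to disk and registers a daily task running it as SYSTEM; the updater skips the upgrade while the app is in use so it is retried the next day. The Winget ID 'Notepad++.Notepad++', the 22:00 schedule, the task name and the file path are assumed values.

```powershell
# Added example (not from the video or the comment thread).
# Assumed values: the Winget ID, schedule, task name and script location.
$ScriptDir  = "$env:ProgramData\WingetUpdater"
$ScriptPath = Join-Path $ScriptDir 'Update-NotepadPlusPlus.ps1'
$TaskName   = 'Winget Update Notepad++'

New-Item -ItemType Directory -Path $ScriptDir -Force | Out-Null

# The updater the task runs; a single-quoted here-string keeps the $ signs literal.
$Updater = @'
$AppId       = 'Notepad++.Notepad++'
$ProcessName = 'notepad++'
# Do nothing while the app is running; the task simply runs again tomorrow.
if (Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) { exit 0 }
# Resolve winget.exe from the App Installer package (needed when running as SYSTEM).
$Winget = Get-ChildItem "$env:ProgramW6432\WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe\winget.exe" -ErrorAction SilentlyContinue |
    Sort-Object FullName -Descending | Select-Object -First 1
if (-not $Winget) { exit 1 }
# winget does nothing when no newer version exists, so a daily run is cheap.
& $Winget.FullName upgrade -e --id $AppId --silent --accept-package-agreements --accept-source-agreements
exit $LASTEXITCODE
'@
Set-Content -Path $ScriptPath -Value $Updater -Encoding UTF8

# Daily at 22:00 as SYSTEM; StartWhenAvailable catches machines that were off at that time.
$Action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
$Trigger   = New-ScheduledTaskTrigger -Daily -At '22:00'
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$Settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -AllowStartIfOnBatteries

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings -Force | Out-Null
```

Because the updater lives under ProgramData and runs as SYSTEM, keep the folder writable only by administrators so a standard user cannot swap the script the task executes.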

  • @olegproscurchin8200
    @olegproscurchin8200 1 year ago +1

    All this is very interesting, but what we can do in our case when first we don’t allow unapproved files to execute (exe, msi…), basically we need to drop it first into an approved location for Carbon Black to approve that hash and second we block the download to most of those sources 🥴

    • @IntuneVitaDoctrina
      @IntuneVitaDoctrina 1 year ago +2

      Hi Oleg,
      Thanks a lot for your post, good questions!
      I ran Carbon Black (CB Defense Sensor I think it is called) for many years, at the time it was horrible on macOS so had to change, on Windows it ran well.
      CB Defense Sensor you can configure so that if anything is running as SYSTEM it lowers the risk factor, which I think is a pretty good idea. If a hacker has reached SYSTEM your biggest problem isn't that the hacker tries to run winget.exe and update or install software from the winget.exe repository, so to allow CB Defense to run winget.exe seems like no risk.
      You can also exclude execution out of C:\Windows\IMECache\HealthScripts sub directories, then you bypass the hashes for all, have to be a bit creative, should be many ways to configure CB Defense to allow this to run, if not open a ticket with them, winget.exe is the future (else change security suite to CrowdStrike, works perfect there)
      You mention it blocks downloads, is that through a proxy server or another software (or is it also CB Defense)? yeah that is tougher to go around, you will have to test the winget upgrade/install URL, take it and send it to your network team and ask them to allow URLs such as:
      download.visualstudio.microsoft.com/download/
      github.com/notepad-plus-plus/notepad-plus-plus/releases/download
      doesn't look too scary to me, I think any security/network team would allow those URLs without too many problems and you just need to do it once and you are good.

  • @olegproscurchin8200
    @olegproscurchin8200 1 year ago +1

    Hello sir, any way we can control the remediation time? Example: I want to run it at 10:00 PM.

    • @IntuneVitaDoctrina
      @IntuneVitaDoctrina 1 year ago +1

      You want it to run 22:00 every day? Then a Scheduled Task would be great, I have a video about creating one there, and instead of running SFC /Scannow run the winget.exe command instead

  • @alberto4249
    @alberto4249 1 year ago +1

    Great Work ! Do you know if the setup is working also for the Zoom app ?
    I am trying to update it through the remediation process but until now i have 0 remediations ( all of them are with "without issues" and are old versions)

    • @IntuneVitaDoctrina
      @IntuneVitaDoctrina 1 year ago

      Hi Alberto,
      Thanks a lot for your comment
      I don't know why Zoom doesn't like winget, they support it but they are often one or two versions behind on winget.
      If you have 2-3 or more versions old then YES it should help to remediate.
      I use winget.exe for so much software, git, GIMP, 7-Zip, VLC, Microsoft Visual Studio, SQL Management, Google Chrome, Firefox and a lot lot more, but Zoom and certain Adobe products I don't, Adobe has Remote Update.... Zoom I package as Win32.
      I have asked Zoom to update Winget repository more regular, not got any response yet

  • @Mikey-qe1hy
    @Mikey-qe1hy 1 year ago +1

    Does this mean you allow users to install/update apps via winget?? As I'm using CIS/NCSC policies and this locks it down.

    • @IntuneVitaDoctrina
      @IntuneVitaDoctrina 1 year ago +1

      I have the default settings so winget.exe is allowed to run = yes.
      My users aren't local admins by default so if they would (they would never do it) run winget.exe it would fail due to no permission to install.
      Since Intune runs the Proactive Remediation script for the user, it runs under the SYSTEM account and has permission.
      I keep full control what gets updated, and I get reports on those that fails.
      Not sure if that answered your question, but yes users could technically run it manually outside Intune but it wouldn't work.

    • @RichardGailey
      @RichardGailey 1 year ago

      @@IntuneVitaDoctrina Unless the app installs to %appdata% in which case no admin is needed to install for them. Anaconda and Chrome for example both install to %appdata% and get around the need for admin approval; unless you have locked that down in your estate.

  • @nicosimoni2558
    @nicosimoni2558 1 year ago

    Thanks for the video! I do have one question after testing: when the app gets updated with winget, it doesn't match the detection rule of my app anymore (especially MSI apps since the product code changes, Win32 apps I can get around by setting the version number as "equal or superior to") so in the end, Intune will force the reinstall of the original version deployed. Any way to work around this? Thank you!

    • @IntuneVitaDoctrina
      @IntuneVitaDoctrina 1 year ago

      Thanks Nico, and you have an excellent question.
      I have changed all my Win32 apps' detection methods from the previous MSI to always look for file version and set it to the one I package or greater (exactly as you described)
      I do your workaround as standard now, stopped using MSI code and other.
      I do detection PowerShell scripts also that look at the winget version and compare, but only for Win32 apps that install with winget.exe
      So nothing new in this post that you didn't already know, but I think you are on a great path, continue and stop using MSI codes for detection rules,

    • @nicosimoni2558
      @nicosimoni2558 1 year ago

      @@IntuneVitaDoctrina Thanks for the quick response and the quality videos!