Using XDR for Discovering Unsupported Software

Many cyber security insurance companies have been rejecting claims for costs and damages associated with breaches. Cyber policies can carry either an "unsupported software" exclusion or a condition in some form or fashion. This makes it an increasingly important topic around cyber insurance. This read is NOT insurance advice on your policy and you should always discuss your policy with the under writer.

Unsupported Software Lifecycle

  • End mainstream support
    • No guarantee bugs are fixed unless they pose a security risk
    • Limited to no help or support
  • End extended support
    • No bugs or security risks are fixed
  • End support on specific platforms 
    • Software will no longer run on a specific OS
      • EX: Intercept-X on Windows XP

So let's review options available in XDR to augment discoveries of vulnerable software.

Goals

  • Check your systems for software compliance
  • Discover potentially vulnerable software
  • Improve your software lifecycle 

Prerequisites 

  • Windows 10 
  • Sophos Intercept-X with XDR
  • Powershell Knowledge
    • I recommend this free web book if not

Check Software Version Using PowerShell

For this exercise, we will need to identify the the up to date or supported version of the software we're looking for. To do this we're going to run a simple power shell command that will provide us with the 'Display Name' and 'Display Version.' We'll need that Display name and version later when we use XDR's Live Discover feature to compare the Display name and version on the rest of our devices.

On a system that has the FULLY supported or patched software version applied, perform the following:

  1. Click on the start menu
  2. Type "powershell" and you will see the following options:

  • If you select "Run as Administrator," then you will see the PowerShell terminal:

  • If you select "Run ISE as Administrator," then you will see the PowerShell ISE console:

ISE is the Powershell Integrated Scripting Environment and recommended for beginners to see the code syntax and modify the input. 

In either scenario, you will need to run PowerShell as Administrator.

Powershell Code

Consider the following Powershell command to gain visibility into the version details:

Replace "username" with your own
To search for your specific software, replace "TeamViewer" between the * *

Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | where{$_.displayName -LIKE "*softwareName*"} | Select-Object displayName, displayVersion, Publisher, InstallDate | Format-Table -AutoSize > C:\Users\Username\Desktop\ProgramVersion.txt

To contextualize what results you should see, consider below:

So now we have a program name and version to compare against in our Live Discover search.

Using Live Discover to Compare 

If this is your first time using Live Discover, consider the following recommended read for Getting Started.

Following the query from our Live Discover & Response Forum, we can see that  assembled a short and sweet query for us to leverage as shared here

Create a Custom Query

Let's start by...

  1. Log into Sophos Central as an admin or equivalent role permissions for Live Discover
  2. Go to the Threat Analysis Center
  3. Click Live Discover

  1. Enable Designer Mode
  2. Select Create new query

  1. Name your query
  2. Define its category
  3. Give it a description to remember its purpose
  4. Leave it as a "Live Endpoint" and select "Windows" from the drop down
  5. Click the chevron to show the variable editor
  6. Add a variable named "Name"
  7. Add a variable named "Version"
  8. Paste the code from the LD&R forum page here

NOTE: Variables are case sensitive

Use Your PowerShell Results

Extracting the details from the Powershell statement, we can find that the DisplayName is 'TeamViewer' and the DisplayVersion is '15.20.6'. So to take the information and make it useful for our query.

Powershell Live Discover
DisplayName Name
DisplayVersion Version

We can see when we enter in the required variables to run the query, we're left with results of machines with TeamViewer installed and a human readable statement on the status of the version.


Where your RED box is your full SQL statement and the BLUE box and lines indicate the variables you are searching for.

Now that your code and variables are set, you can choose to select all of your machines or select individual machines that you want to compare against. I am going to do this on just the two machines selected. Click "Update Selected Devices list" once satisfied and then select "Run Query" in the bottom right corner.

Interpret Your Results

As you can see, in this small discovery across (2) machines, it only returned one result and to indicate a satisfactory version requirement. If your program is not installed, the endpoint will not return a result.

Stay tuned for more XDR content and guides coming soon!

Stay safe & stay secure,

-jk



fixed missing "}" in code
[edited by: Jeramy_Kopacko at 9:52 PM (GMT -7) on 23 Aug 2021]