Approved

over 4 years ago

For a more robust vulnerability scanner we want to find a better search capability that would return a JSON structure so we can parse out useful information from the CVE

Vulnerability Scanner in a query

This query will perform a very basic vulnerability scan. What is does is generate a list of all installed applications on the device and collect their publisher, name and version information. We exclude things from the list that do not have version numbers (These tend to be patches/hotfixes from microsoft). Now that we have that list we craft a curl statement to check the CVE site on the internet with the appropriate search criteria. The curl request will return HTML and we need to check that HTML to see if it has any results in it. We use a key word match for an indicator that only shows on the HTML page if a result was found. If we have a match we then show the result information with the URL that the admin can use to get more information on the identified vulnerability.

WARNING this is not a 'real' vulnerability scanner in that it is only checking for applications, it uses a very crude method to identify the application and matching CVE's ect.

I thought it would be a nice toy for folks that do not have professional vulnerability scanners as it is better than nothing...

Only works on Windows and Windows Server. Likely has FP and FN challanges

Have FUN

WITH program_list AS ( 
   SELECT
      REPLACE(REPLACE(REPLACE(name,',',' '),'+',' '),'.',' ') name,  -- STRIP out some characters not normally found in product names to improve chances of finding it in the CSV DB
      version,
      REPLACE(REPLACE(REPLACE(publisher,',',' '),'+',' '),'.',' ') publisher
   FROM programs 
   WHERE version > ''
   )
/******************************************************************************************************\
| We will search for the Publisher, Product Name and version and use some wild cards '%'' after we     | 
| create a simple one word name for the publisher and product. The expectation is that these three     | 
| pices of information should be relativly unique, but we can still get FPs                            |
\******************************************************************************************************/
SELECT 
   publisher, 
   CAST(name AS TEXT) || ' ' || version Application, 
   url 'Identified CVE List' 
FROM program_list 
   JOIN curl ON 
      url = 'https://www.cvedetails.com/version-search.php?vendor=' 
         || replace(program_list.publisher, ltrim(program_list.publisher, replace(program_list.publisher, ' ', '')), '') 
         || '%&product=' 
         || replace(program_list.name, ltrim(program_list.name, replace(program_list.name, ' ', '')), '') 
         || '%&version=' 
         || program_list.version
WHERE result 
   LIKE '%Details for%';

Karl_Ackerman

Jerome Chant 1 month ago in reply to AzRoN

Hi All, we have been using this code and been working really well so thank you so much!

Although it's now not finding any CVE at all (when we know there should be)

Has anyone else had the same issue with this?
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
Sven Schüler1 over 1 year ago in reply to LHerzog

I have the same behaviour. Have you been able to solve it? Is there anything else that needs to be taken in the script?
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
AzRoN over 3 years ago
I'd like to look into using a different service for the vuln scanner in a query. I've been looking at NIST and their National Vuln Database and their API doesn't require authentication and it returns JSON based results! A quick change up of the code above allows us to get a great set of information back that we can parse out into more fields within a Live Query.

In this case I am limiting the scope to lookup to an specific application with or without a verson. Keen to get this to search based off an iterated list from installed applications detected on the endpoint and then return more results as my JSON parsing is to the first entry.
```
-- Variables $$Unmanaged App$$ as STRING

WITH program_list AS ( 
   SELECT
      publisher,
      REPLACE(REPLACE(REPLACE(name,',',' '),'+',' '),'.',' ') name,
      version
   FROM programs 
   WHERE name LIKE '%$$Unmanaged App$$%'
      )

SELECT 
   publisher, 
   CAST(name AS TEXT) Application,
   json_extract(curl.result,'$.result.CVE_Items[0].cve.CVE_data_meta.ID') CVE_ID,
   url 'NIST Vuln Info'
   
FROM program_list 
   JOIN curl ON 
      url = 'https://services.nvd.nist.gov/rest/json/cves/1.0?keyword=' 
         || replace(program_list.name, ltrim(program_list.name, replace(program_list.name, ' ', '')), '') 
         || '+' 
         || program_list.version
```
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
LHerzog over 3 years ago

How do I see if it actually worked? Completed without data. Does it mean no vulnerabilities found or does it mean, it did'nt run as expected?

Selected the 3 oldest machines here hoping to find some unpatched stuff.

0 Complete, data sent

3 Complete, no data sent

0 Complete, errors

0 Not responded yet
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
pfeffex over 3 years ago

Hi Karl, great script. Is very very helpful in my case. Cheers!
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel

Uncategorized

Anomalies

ATT&CK

Cloud Optix

Compliance

Data Lake

Device

Email

Events

Files

Live Response

Network

Other queries

Processes

Query Tips

Registry

Threat Hunting

User

Vulnerability Scanner in a query