SMBGhost Vulnerability Audit

Find Windows Devices Vulnerable to SMBGhost

Microsoft released a new update for Windows to fix a critical vulnerability (CVE-2020-0796). SMBGhost as it is called could allow an attacker to execute arbitrary code on the target SMB Server or SMB Client. 

Fortunately, with the audit below, you can get an overview of your environment and whether the Windows machines have been updated with the newly released patch. Additionally, by adding the registry key below to your scanning, you can also identify which machines have SMBv2/v3 enabled or not. Do note that this key might not exist yet if SMBv2/v3 has never been enabled. You can find more info on our blog.

To check if SMBv2/v3 is enabled on your assets, you will have to add the following registry key and value name to your custom registry scanning configuration.
Rootkey: HKEY_LOCAL_MACHINE
Regpath: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Regvalue: SMB2

SMBv3 vulnerability audit

SMBGhost Vulnerability Query

Select Top 1000000 tsysOS.Image As icon,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblassets.Version,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  tblAssets.IPAddress,
  Case tblAssets.AssetID
    When SubQuery2.AssetID Then 'Up to date'
    Else 'Out of date'
  End As [Patch status],
  SubQuery1.Regkey,
    Case
    When SubQuery1.Valuename Is Not Null And SubQuery1.Valuename <>
    '' Then 'Yes' Else 'No' End As RegistryKeyFound,
Case when SubQuery1.Value = 1 then 'Yes' else 'No' end as [SMBv2/v3 enabled],
    Case
    When TsysLastscan.Lasttime < GetDate() -
    1 Then
    'Last registry scan more than 24 hours ago! Scanned registry information may not be up-to-date. Try rescanning this machine.' 
End As Comment,
  tblAssets.Firstseen,
  tblAssets.Lastseen,
  tblAssets.Lasttried,
  TsysLastscan.Lasttime As LastRegistryScan,
  SubQuery1.Lastchanged,
  	Case
    When tblAssets.AssetID = SubQuery2.AssetID Then '#d4f4be'
	When SubQuery1.Value = 1 then '#ffd34f'
    Else '#ffadad'
  End As backgroundcolor
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Inner Join TsysLastscan On tblAssets.AssetID = TsysLastscan.AssetID
  Inner Join TsysWaittime On TsysWaittime.CFGCode = TsysLastscan.CFGcode
  Left Join (Select Top 1000000 tblRegistry.AssetID,
    tblRegistry.Regkey,
    tblRegistry.Valuename,
    tblRegistry.Value,
    tblRegistry.Lastchanged
  From tblRegistry
  Where tblRegistry.Regkey Like '%SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' And
    tblRegistry.Valuename = 'SMB2') SubQuery1 On SubQuery1.AssetID =
    tblAssets.AssetID
Left Join (Select Top 1000000 tblQuickFixEngineering.AssetID
      From tblQuickFixEngineering
        Inner Join tblQuickFixEngineeringUni On tblQuickFixEngineeringUni.QFEID
          = tblQuickFixEngineering.QFEID
      Where tblQuickFixEngineeringUni.HotFixID In ('KB4551762')) As
  SubQuery2 On tblAssets.AssetID = SubQuery2.AssetID
Where tblAssetCustom.State = 1 And TsysWaittime.CFGname = 'registry' And tblassets.version IN ('1903','1909')
Order By tblAssets.Domain,
  tblAssets.AssetName

Audit and Take Action in 3 Easy Steps

Download-Install-Lansweeper

1. Download & Install Lansweeper

Save-and-Run-the-Report

3. Run the Audit & Take Action

Download Lansweeper to Run this Audit

Harness the Power of Reporting