WannaCry MS17-010 Audit

Find All Computers Vulnerable to 'WannaCry' ('WannaCrypt', 'WCRY')

This cyber-attack has affected over 230 000 computers in more than 150 countries. Microsoft has released a number of updates to mitigate the MS17-010 vulnerability which the ransomware program targets with doing an SMB exploit. Lansweeper can be used to find machines that do not have the hotfixes installed to mitigate the SMB vulnerability. Find more info about this exploit in our Wannacry blog post.

WannaCry MS17-010 Query

Select Top 1000000 Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As
tblState.Statename As State,
tsysOS.OSname As OS,
Case When tblErrors.ErrorText Is Not Null Or
tblErrors.ErrorText != '' Then 'Scanning Error: ' +
tsysasseterrortypes.ErrorMsg Else '' End As ScanningErrors,
Case When tblAssets.Lastseen Is Null Then 'Unknown' Else 'Vulnerable'
End As IsVulnerable,
Case When tsysOS.OSname = 'Win XP' Or tsysOS.OSname = 'Win 2003' Or
tsysOS.OSname = 'Win 2003 R2' Or tsysOS.OSname = 'Win 8' Then 'KB4012598'
When tsysOS.OSname = 'Win Vista' Or
tsysOS.OSname = 'Win 2008' Then 'KB4012598 / KB4018466'
When tsysOS.OSname = 'Win 7' Or tsysOS.OSname = 'Win 7 RC' Or
tsysOS.OSname =
'Win 2008 R2' Then
'KB4012212 / KB4012215 / KB4015549 / KB4019264 / KB4019265 / KB4022719 / 
KB4022168 / KB4025341 / KB4025340 / KB4034664 / KB4034670'
When tsysOS.OSname =
'Win 2012' Then
'KB4012214 / KB4012217 / KB4015551 / KB4019216 / KB4019218 / KB4022724 / 
KB4022721 / KB4025331 / KB4025332 / KB4034665 / KB4034659'
When tsysOS.OSname = 'Win 8.1' Or
tsysOS.OSname =
'Win 2012 R2' Then
'KB4012213 / KB4012216 / KB4015550 / KB4019215 / KB4019217 / KB4022726 / 
KB4022720 / KB4025336 / KB4025335 / KB4034681 / KB4034663'
When tblOperatingsystem.Version Like '%10240%' Then
'KB4012606 / KB4015221 / KB4019474'
When tblOperatingsystem.Version Like '%10586%' Then
'KB4013198 / KB4015219 / KB4019473 / KB4022714 / KB4032693 / KB4025344 / KB4034660'
When tblOperatingsystem.Version Like '%14393%' Or
tsysOS.OSname =
'Win 2016' Then 'KB4015438 / KB4015217 / KB4019472 / KB4023680 / KB4022715 / 
KB4022723 / KB4025339 / KB4025334 / KB4034658'
When tsysOS.OScode Like '10.0%' And tsysOS.OScode Not In (Select Top 1000000
tsysOS.OScode From tsysOS
tsysOS.OScode Like '10.0%') Then
'KB4012606 / KB4015221 / KB4019474 / KB4015438 / KB4015217 / KB4019472 / 
KB4023680 / KB4022715 / KB4022723 / KB4025339 / KB4025334 / KB4034658' Else Null 
End As [Install one of these updates],
Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
GetDate())) + ' days ago' As WindowsUpdateInfoLastScanned,
When Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
GetDate())) >
3 Then
'Windows update information may not be up to date. We recommend rescanning this machine.' Else '' 
End As Comment
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tblOperatingsystem On tblOperatingsystem.AssetID =
Left Join tsysIPLocations On tblAssets.IPNumeric >= tsysIPLocations.StartIP
And tblAssets.IPNumeric <= tsysIPLocations.EndIP
Inner Join tblState On tblState.State = tblAssetCustom.State
Left Join (Select Distinct Top 1000000 tblAssets.AssetID As ID,
TsysLastscan.Lasttime As QuickFixLastScanned
From TsysWaittime
Inner Join TsysLastscan On TsysWaittime.CFGCode = TsysLastscan.CFGcode
Inner Join tblAssets On tblAssets.AssetID = TsysLastscan.AssetID
Where TsysWaittime.CFGname = 'QUICKFIX') As QuickFixLastScanned
On tblAssets.AssetID = QuickFixLastScanned.ID
Left Join (Select Distinct Top 1000000 tblAssets.AssetID As ID,
Max(tblErrors.Teller) As ErrorID
From tblErrors
Inner Join tblAssets On tblAssets.AssetID = tblErrors.AssetID
Group By tblAssets.AssetID) As ScanningError On tblAssets.AssetID =
Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
tblAssets.AssetID Not In (Select Top 1000000 tblQuickFixEngineering.AssetID
From tblQuickFixEngineering Inner Join tblQuickFixEngineeringUni
On tblQuickFixEngineeringUni.QFEID = tblQuickFixEngineering.QFEID
Where tblQuickFixEngineeringUni.HotFixID In ('KB4012216', 'KB4012215',
'KB4012217', 'KB4012212', 'KB4012213', 'KB4012598', 'KB4012214',
'KB4012606', 'KB4013198', 'KB4015551', 'KB4019216', 'KB4015550',
'KB4019215', 'KB4013429', 'KB4019472', 'KB4015217', 'KB4015438',
'KB4016635', 'KB4019264', 'KB4015549', 'KB4015221', 'KB4019474',
'KB4015219', 'KB4019473', 'KB4018466', 'KB4019217', 'KB4019265',
'KB4019218', 'KB4022719', 'KB4022724', 'KB4022726', 'KB4023680',
'KB4022715', 'KB4022714', 'KB4022720', 'KB4032693', 'KB4022723',
'KB4022168', 'KB4022721', 'KB4025336', 'KB4025344', 'KB4025339',
'KB4025341', 'KB4025331', 'KB4025335', 'KB4025334', 'KB4025340',
'KB4025332', 'KB4034681', 'KB4034660', 'KB4034658', 'KB4034664',
'KB4034665', 'KB4034663', 'KB4034670', 'KB4034659')) And tsysOS.OSname != 'Win 2000 S' And
tsysAssetTypes.AssetTypename Like 'Windows%' And
tsysOS.OScode Not Like '10.0.15%' And tsysOS.OScode Not Like '10.0.16%'
Order By tblAssets.Domain,

Audit and Take Action in 3 Easy Steps

1. Download & Install Lansweeper

3. Run the Audit & Take Action

Download Lansweeper to Run this Audit