@Colby-PDQ
Created December 4, 2019 22:26
Collections, a Scan Profile, Reports, and a Package for this blog post: https://www.pdq.com/blog/intel-sa-00086/
<?xml version="1.0" encoding="utf-8"?>
<AdminArsenal.Export Code="PDQInventory" Name="PDQ Inventory" Version="14.1.0.0" MinimumVersion="4.0">
<!--
  PDQ Inventory collection export for Intel SA-00086.
  One parent dynamic collection ("Intel SA-00086", Id 1504) holds three child dynamic collections
  that classify computers by the "System Risk" registry value left behind by Intel's INTEL-SA-00086
  Discovery Tool (under SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool):
    1505  Vulnerable      System Risk equals "This system is vulnerable."
    1506  Not Vulnerable  scanned, and the tool wrote any other value, or the CPU is not GenuineIntel
    1507  Not Scanned     never scanned, or a physical Intel host with no tool results in inventory
  Membership is only as current as the last inventory scan that collected that registry value
  (the companion "Intel SA-00086" scan profile in this gist collects it).
-->
<Collection>
<!-- Parent collection. Its only filter is Computer.Name "Contains" with no Value element, which
     presumably matches every computer; the real classification happens in the children below. -->
<ReportDefinition name="Definition">
<RootFilter name="Filter">
<Comparison>All</Comparison>
<Filters type="list">
<ValueFilter>
<Table>Computer</Table>
<Column>Name</Column>
<Comparison>Contains</Comparison>
</ValueFilter>
</Filters>
</RootFilter>
<ReportDefinitionTypeName>BasicReportDefinition</ReportDefinitionTypeName>
<Columns type="list">
<Column>
<Column>ComputerId</Column>
<Summary></Summary>
<Table>Computer</Table>
<Title></Title>
</Column>
</Columns>
</ReportDefinition>
<IsDrilldown value="false" />
<Created>2017-11-22T10:13:18.0000000-07:00</Created>
<Description>https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&amp;languageid=en-fr</Description>
<Error></Error>
<Id value="1504" />
<ImportedPath>Intel SA-00086</ImportedPath>
<Modified>2017-11-22T15:10:23.0000000-07:00</Modified>
<Name>Intel SA-00086</Name>
<ParentId value="null" />
<Path>Intel SA-00086</Path>
<TypeName>DynamicCollection</TypeName>
<Type>DynamicCollection</Type>
<Children type="list">
<Collection>
<!-- "Vulnerable" (Id 1505). All three Registry filters must hold (presumably on the same registry
     row): PathName contains the Discovery Tool key, Name is "System Risk", and Value is exactly
     "This system is vulnerable.". A host on which the tool never ran, or whose registry has not been
     scanned since it ran, cannot appear here; see the "Not Scanned" sibling for those. -->
<ReportDefinition name="Definition">
<RootFilter name="Filter">
<Comparison>All</Comparison>
<Filters type="list">
<ValueFilter>
<Table>Registry</Table>
<Column>PathName</Column>
<Comparison>Contains</Comparison>
<Value>SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool</Value>
</ValueFilter>
<ValueFilter>
<Table>Registry</Table>
<Column>Name</Column>
<Comparison>Equals</Comparison>
<Value>System Risk</Value>
</ValueFilter>
<ValueFilter>
<Table>Registry</Table>
<Column>Value</Column>
<Comparison>Equals</Comparison>
<Value>This system is vulnerable.</Value>
</ValueFilter>
</Filters>
</RootFilter>
<ReportDefinitionTypeName>BasicReportDefinition</ReportDefinitionTypeName>
<Columns type="list">
<Column>
<Column>ComputerId</Column>
<Summary></Summary>
<Table>Computer</Table>
<Title></Title>
</Column>
</Columns>
</ReportDefinition>
<IsDrilldown value="false" />
<Created>2017-11-22T10:13:41.0000000-07:00</Created>
<Description>Computers that the detection tool has determined are vulnerable.</Description>
<Error></Error>
<Id value="1505" />
<ImportedPath>Intel SA-00086\Intel SA-00086 - Vulnerable</ImportedPath>
<Modified>2017-11-22T15:13:47.0000000-07:00</Modified>
<Name>Intel SA-00086 - Vulnerable</Name>
<ParentId value="1504" />
<Path>Intel SA-00086\Intel SA-00086 - Vulnerable</Path>
<TypeName>DynamicCollection</TypeName>
<Type>DynamicCollection</Type>
<Children type="list" />
</Collection>
<Collection>
<!-- "Not Vulnerable" (Id 1506). The computer has been scanned (NeverScanned is not true) AND either
       (a) the Discovery Tool's "System Risk" value is present but is NOT exactly
           "This system is vulnerable.", or
       (b) NotAll CPU rows have Manufacturer = GenuineIntel (a non-Intel CPU is present; what NotAll
           yields for a computer with no CPU rows is not visible from this export).
     NOTE(review): branch (a) treats every non-matching System Risk string as a pass. If the tool can
     write an error or "unknown" status, such hosts would be reported here as not vulnerable; confirm
     the tool's possible status strings before using this collection for compliance reporting. -->
<ReportDefinition name="Definition">
<RootFilter name="Filter">
<Comparison>All</Comparison>
<Filters type="list">
<GroupFilter>
<Comparison>All</Comparison>
<Filters type="list">
<ValueFilter>
<Table>Computer</Table>
<Column>NeverScanned</Column>
<Comparison>!IsTrue</Comparison>
</ValueFilter>
</Filters>
</GroupFilter>
<GroupFilter>
<Comparison>Any</Comparison>
<Filters type="list">
<GroupFilter>
<Comparison>All</Comparison>
<Filters type="list">
<ValueFilter>
<Table>Registry</Table>
<Column>PathName</Column>
<Comparison>Contains</Comparison>
<Value>SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool</Value>
</ValueFilter>
<ValueFilter>
<Table>Registry</Table>
<Column>Name</Column>
<Comparison>Equals</Comparison>
<Value>System Risk</Value>
</ValueFilter>
<ValueFilter>
<Table>Registry</Table>
<Column>Value</Column>
<Comparison>!Equals</Comparison>
<Value>This system is vulnerable.</Value>
</ValueFilter>
</Filters>
</GroupFilter>
<GroupFilter>
<Comparison>NotAll</Comparison>
<Filters type="list">
<ValueFilter>
<Table>CPU</Table>
<Column>Manufacturer</Column>
<Comparison>Equals</Comparison>
<Value>GenuineIntel</Value>
</ValueFilter>
</Filters>
</GroupFilter>
</Filters>
</GroupFilter>
</Filters>
</RootFilter>
<ReportDefinitionTypeName>BasicReportDefinition</ReportDefinitionTypeName>
<Columns type="list">
<Column>
<Column>ComputerId</Column>
<Summary></Summary>
<Table>Computer</Table>
<Title></Title>
</Column>
</Columns>
</ReportDefinition>
<IsDrilldown value="false" />
<Created>2017-11-22T10:14:56.0000000-07:00</Created>
<Description>Computers that have passed the detection tool's test or do not have an Intel CPU.</Description>
<Error></Error>
<Id value="1506" />
<ImportedPath>Intel SA-00086\Intel SA-00086 - Not Vulnerable</ImportedPath>
<Modified>2017-11-27T13:19:00.0000000-07:00</Modified>
<Name>Intel SA-00086 - Not Vulnerable</Name>
<ParentId value="1504" />
<Path>Intel SA-00086\Intel SA-00086 - Not Vulnerable</Path>
<TypeName>DynamicCollection</TypeName>
<Type>DynamicCollection</Type>
<Children type="list" />
</Collection>
<Collection>
<!-- "Not Scanned" (Id 1507). NeverScanned is true, OR all of the following hold:
       the Computer.Model is none of the four virtual machine strings listed below,
       no Registry row has a PathName containing the Discovery Tool key (NotAll over one filter),
       CPU Manufacturer = GenuineIntel.
     The four Model strings mirror the list in the "Check for virtual machines" PowerShell step of
     the companion Deploy package in this gist; the two lists have to be kept in sync by hand. -->
<ReportDefinition name="Definition">
<RootFilter name="Filter">
<Comparison>Any</Comparison>
<Filters type="list">
<GroupFilter>
<Comparison>All</Comparison>
<Filters type="list">
<ValueFilter>
<Table>Computer</Table>
<Column>NeverScanned</Column>
<Comparison>IsTrue</Comparison>
</ValueFilter>
</Filters>
</GroupFilter>
<GroupFilter>
<Comparison>All</Comparison>
<Filters type="list">
<GroupFilter>
<Comparison>NotAny</Comparison>
<Filters type="list">
<ValueFilter>
<Table>Computer</Table>
<Column>Model</Column>
<Comparison>Equals</Comparison>
<Value>HVM domU</Value>
</ValueFilter>
<ValueFilter>
<Table>Computer</Table>
<Column>Model</Column>
<Comparison>Equals</Comparison>
<Value>Virtual Machine</Value>
</ValueFilter>
<ValueFilter>
<Table>Computer</Table>
<Column>Model</Column>
<Comparison>Equals</Comparison>
<Value>VirtualBox</Value>
</ValueFilter>
<ValueFilter>
<Table>Computer</Table>
<Column>Model</Column>
<Comparison>Equals</Comparison>
<Value>VMware Virtual Platform</Value>
</ValueFilter>
</Filters>
</GroupFilter>
<GroupFilter>
<Comparison>NotAll</Comparison>
<Filters type="list">
<ValueFilter>
<Table>Registry</Table>
<Column>PathName</Column>
<Comparison>Contains</Comparison>
<Value>SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool</Value>
</ValueFilter>
</Filters>
</GroupFilter>
<GroupFilter>
<Comparison>All</Comparison>
<Filters type="list">
<ValueFilter>
<Table>CPU</Table>
<Column>Manufacturer</Column>
<Comparison>Equals</Comparison>
<Value>GenuineIntel</Value>
</ValueFilter>
</Filters>
</GroupFilter>
</Filters>
</GroupFilter>
</Filters>
</RootFilter>
<ReportDefinitionTypeName>BasicReportDefinition</ReportDefinitionTypeName>
<Columns type="list">
<Column>
<Column>ComputerId</Column>
<Summary></Summary>
<Table>Computer</Table>
<Title></Title>
</Column>
</Columns>
</ReportDefinition>
<IsDrilldown value="false" />
<Created>2017-11-22T10:23:54.0000000-07:00</Created>
<Description>Computers that are potentially vulnerable and have not been scanned.</Description>
<Error></Error>
<Id value="1507" />
<ImportedPath>Intel SA-00086\Intel SA-00086 - Not Scanned</ImportedPath>
<Modified>2017-11-27T13:33:39.0000000-07:00</Modified>
<Name>Intel SA-00086 - Not Scanned</Name>
<ParentId value="1504" />
<Path>Intel SA-00086\Intel SA-00086 - Not Scanned</Path>
<TypeName>DynamicCollection</TypeName>
<Type>DynamicCollection</Type>
<Children type="list" />
</Collection>
</Children>
</Collection>
</AdminArsenal.Export>
<?xml version="1.0" encoding="utf-8"?>
<AdminArsenal.Export Code="PDQDeploy" Name="PDQ Deploy" Version="14.2.0.0" MinimumVersion="9.0">
<!--
  PDQ Deploy package "Intel SA-00086 Detection". Two steps run on each target, in order:
    1. PowerShell step: abort with exit code 20 when the target reports a known virtual machine model.
    2. Install step: run Intel-SA-00086-console.exe -d 0 from the repository.
  ScanAfterDeployment is true with InventoryScanProfileId 7, so the registry values the tool writes
  are collected right after the run. ScanProfileId 7 is the "Intel SA-00086" scan profile exported
  in this gist; presumably that id is reassigned on import, so re-check the package's scan profile
  setting after importing both files.
-->
<Package>
<CurrentLibraryPackageVersionId value="null" />
<PackageDefinition name="Definition">
<CopyMode>Default</CopyMode>
<DelayedApprovalTimeSpan>7.00:00:00</DelayedApprovalTimeSpan>
<DownloadApprovalMode>Manual</DownloadApprovalMode>
<InventoryScanProfileId value="7" />
<IsDownloadApprovalModeInherited value="true" />
<ScanAfterDeployment value="true" />
<Steps type="list">
<PowerShellStep>
<!-- Reads Win32_ComputerSystem.Model and compares it with -eq (case-insensitive) against four VM
     model strings; on a match it writes an error and exits 20. SuccessCodes is 0 and ErrorMode is
     StopDeploymentFail, so the detection tool is never run on a virtual machine.
     The same four strings appear in the "Not Scanned" collection of the companion Inventory export. -->
<CustomCommandLine></CustomCommandLine>
<Files></Files>
<Script>$VirtualMachineModels = @(
"VMware Virtual Platform", # VMware
"Virtual Machine", # Microsoft Hyper-V
"HVM domU", # Xen
"VirtualBox" # VirtualBox
)
$ComputerModel = ( Get-WmiObject Win32_ComputerSystem ).Model
Write-Output "Model: $ComputerModel"
Foreach ( $VirtualMachineModel in $VirtualMachineModels ) {
if ( $ComputerModel -eq $VirtualMachineModel ) {
Write-Error "This target is a virtual machine, aborting."
Exit 20
}
}</Script>
<SuccessCodes>0</SuccessCodes>
<RunAs value="null" />
<Conditions type="list">
<PackageStepCondition>
<Architecture>Both</Architecture>
<Version>All</Version>
<TypeName>OperatingSystem</TypeName>
</PackageStepCondition>
<PackageStepCondition>
<IsUserLoggedOn>AlwaysRun</IsUserLoggedOn>
<TypeName>LoggedOnUser</TypeName>
</PackageStepCondition>
</Conditions>
<ErrorMode>StopDeploymentFail</ErrorMode>
<Title>Check for virtual machines</Title>
<TypeName>PowerShell</TypeName>
<IsEnabled value="true" />
<IsPostStep value="false" />
<IsPreStep value="false" />
</PowerShellStep>
<InstallStep>
<!-- Runs the console build of Intel's detection tool from $(Repository) with the parameters "-d 0"
     (their meaning is not documented in this export). IncludeDirectory is true, so the DiscoveryTool
     folder is presumably copied to the target along with the exe.
     SuccessCodes accepts 100, 101, 1641, 3010 and 2359302 in addition to 0; per the package
     Description, 100 was added to work around a Deploy 15.3 bug.
     NOTE(review): which tool outcomes those exit codes represent is not visible here; confirm against
     Intel's tool documentation that treating 100/101 as success does not hide a failed detection,
     since a "successful" deployment here is what triggers the follow-up inventory scan. -->
<CustomCommandLine></CustomCommandLine>
<FileName>$(Repository)\Intel\SA00086_Windows\DiscoveryTool\Intel-SA-00086-console.exe</FileName>
<Files></Files>
<IncludeDirectory value="true" />
<LeaveInstallFile value="false" />
<MsiOperation>Install</MsiOperation>
<MsiQuiet value="true" />
<MsiRestart>Never</MsiRestart>
<Parameters>-d 0</Parameters>
<SuccessCodes>0,100,101,1641,3010,2359302</SuccessCodes>
<RunAs value="null" />
<Conditions type="list">
<PackageStepCondition>
<Architecture>Both</Architecture>
<Version>All</Version>
<TypeName>OperatingSystem</TypeName>
</PackageStepCondition>
<PackageStepCondition>
<IsUserLoggedOn>AlwaysRun</IsUserLoggedOn>
<TypeName>LoggedOnUser</TypeName>
</PackageStepCondition>
</Conditions>
<ErrorMode>StopDeploymentFail</ErrorMode>
<Title>Run the detection tool</Title>
<TypeName>Install</TypeName>
<IsEnabled value="true" />
<IsPostStep value="false" />
<IsPreStep value="false" />
</InstallStep>
</Steps>
<Timeout value="60" />
<UseCustomTimeout value="false" />
<RunAs value="null" />
</PackageDefinition>
<Description>https://downloadcenter.intel.com/download/27150
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&amp;languageid=en-fr
Due to a bug in Deploy 15.3 I had to include 100 as a Success code.</Description>
<NewLibraryPackageVersionId value="null" />
<Version>1</Version>
<IsAutoDownload value="false" />
<FolderId value="15" />
<LibraryPackageVersionId value="null" />
<Name>Intel SA-00086 Detection</Name>
<Path>Intel SA 00086\Intel SA-00086 Detection</Path>
<PackageDisplaySettings name="DisplaySettings">
<DisplayType>Normal</DisplayType>
<IconKey>Icon-Package</IconKey>
<SortOrder value="17" />
</PackageDisplaySettings>
</Package>
</AdminArsenal.Export>
<?xml version="1.0" encoding="utf-8"?>
<AdminArsenal.Export Code="PDQInventory" Name="PDQ Inventory" Version="14.1.0.0" MinimumVersion="3.1">
<!--
  PDQ Inventory report folder "Intel SA-00086" (Reports\Intel SA-00086) holding three reports that read
  the registry values written by Intel's INTEL-SA-00086 Discovery Tool:
    All Scanned Computers               basic report: computer name and the "System Risk" value
    All Scanned Computers + ME Version  SQL report: one row per computer with System Risk and ME Version
    Vulnerable                          basic report: computers whose System Risk is the vulnerable string
  All three depend on those values having been collected by an inventory scan (see the companion
  "Intel SA-00086" scan profile in this gist).
-->
<ReportFolder>
<Name>Intel SA-00086</Name>
<ParentId value="1" />
<Path>Reports\Intel SA-00086</Path>
<Children type="list" />
<Reports type="list">
<Report>
<!-- "All Scanned Computers": every Registry row under the Discovery Tool key whose Name is
     "System Risk", shown as Computer.Name plus the row's Value (column titled "System Risk").
     Any status the tool wrote is listed, not just the vulnerable one. -->
<ReportDefinition name="Definition">
<RootFilter name="Filter">
<Comparison>All</Comparison>
<Filters type="list">
<ValueFilter>
<Table>Registry</Table>
<Column>PathName</Column>
<Comparison>Contains</Comparison>
<Value>SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool</Value>
</ValueFilter>
<ValueFilter>
<Table>Registry</Table>
<Column>Name</Column>
<Comparison>Equals</Comparison>
<Value>System Risk</Value>
</ValueFilter>
</Filters>
</RootFilter>
<ReportDefinitionTypeName>BasicReportDefinition</ReportDefinitionTypeName>
<Columns type="list">
<Column>
<Column>Name</Column>
<Summary></Summary>
<Table>Computer</Table>
<Title></Title>
</Column>
<Column>
<Column>Value</Column>
<Summary></Summary>
<Table>Registry</Table>
<Title>System Risk</Title>
</Column>
</Columns>
</ReportDefinition>
<Created>2017-11-21T16:10:01.0000000-07:00</Created>
<Description></Description>
<IsNew value="false" />
<Modified>2017-11-22T15:15:29.0000000-07:00</Modified>
<Name>Intel SA 00086 - All Scanned Computers</Name>
<Path>Reports\Intel SA-00086\Intel SA 00086 - All Scanned Computers</Path>
<ReportFolderId value="33" />
<TypeName>BasicReport</TypeName>
<ReportType>BasicReport</ReportType>
</Report>
<Report>
<ReportDefinition name="Definition">
<!-- SQL report. Joins Computers to RegistryEntries and pivots the rows named 'System Risk' and
     'ME Version' into two columns with MAX(CASE ...), one output row per computer name. The
     <ComputerFilter> token (written escaped inside the Sql text) is presumably where PDQ substitutes
     the filter of the collection the report is run against; confirm in the product documentation.
     Unlike the two basic reports, this query does not restrict PathName to the Discovery Tool key:
     every computer that has any registry row appears (with empty columns when the tool's values are
     absent), and a value named 'System Risk' or 'ME Version' collected from some other key by another
     scanner would be picked up as well. -->
<Sql>SELECT
Computers.Name AS "Computer Name",
-- https://stackoverflow.com/a/3611606
MAX(CASE WHEN RegistryEntries.Name = 'System Risk' THEN RegistryEntries.Value END) AS "System Risk",
MAX(CASE WHEN RegistryEntries.Name = 'ME Version' THEN RegistryEntries.Value END) AS "ME Version"
FROM
Computers
INNER JOIN
RegistryEntries ON Computers.ComputerId = RegistryEntries.ComputerId
WHERE
&lt;ComputerFilter&gt;
GROUP BY Computers.Name</Sql>
<ReportDefinitionTypeName>SqlReportDefinition</ReportDefinitionTypeName>
</ReportDefinition>
<Created>2017-11-22T10:04:32.0000000-07:00</Created>
<Description></Description>
<IsNew value="false" />
<Modified>2017-11-22T15:15:43.0000000-07:00</Modified>
<Name>Intel SA 00086 - All Scanned Computers + ME Version</Name>
<Path>Reports\Intel SA-00086\Intel SA 00086 - All Scanned Computers + ME Version</Path>
<ReportFolderId value="33" />
<TypeName>SqlReport</TypeName>
<ReportType>SqlReport</ReportType>
</Report>
<Report>
<!-- "Vulnerable": same filter as the "Intel SA-00086 - Vulnerable" collection in the companion
     export (Discovery Tool key, Name "System Risk", Value exactly "This system is vulnerable."),
     but rendered as a report with the computer name as its only column. -->
<ReportDefinition name="Definition">
<RootFilter name="Filter">
<Comparison>All</Comparison>
<Filters type="list">
<ValueFilter>
<Table>Registry</Table>
<Column>PathName</Column>
<Comparison>Contains</Comparison>
<Value>SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool</Value>
</ValueFilter>
<ValueFilter>
<Table>Registry</Table>
<Column>Name</Column>
<Comparison>Equals</Comparison>
<Value>System Risk</Value>
</ValueFilter>
<ValueFilter>
<Table>Registry</Table>
<Column>Value</Column>
<Comparison>Equals</Comparison>
<Value>This system is vulnerable.</Value>
</ValueFilter>
</Filters>
</RootFilter>
<ReportDefinitionTypeName>BasicReportDefinition</ReportDefinitionTypeName>
<Columns type="list">
<Column>
<Column>Name</Column>
<Summary></Summary>
<Table>Computer</Table>
<Title></Title>
</Column>
</Columns>
</ReportDefinition>
<Created>2017-11-22T10:02:40.0000000-07:00</Created>
<Description></Description>
<IsNew value="false" />
<Modified>2017-11-22T15:20:28.0000000-07:00</Modified>
<Name>Intel SA 00086 - Vulnerable</Name>
<Path>Reports\Intel SA-00086\Intel SA 00086 - Vulnerable</Path>
<ReportFolderId value="33" />
<TypeName>BasicReport</TypeName>
<ReportType>BasicReport</ReportType>
</Report>
</Reports>
</ReportFolder>
</AdminArsenal.Export>
<?xml version="1.0" encoding="utf-8"?>
<AdminArsenal.Export Code="PDQInventory" Name="PDQ Inventory" Version="14.1.0.0" MinimumVersion="3.1">
<!--
  PDQ Inventory scan profile "Intel SA-00086" (ScanProfileId 7): a single Registry scanner that reads
  two HKEY_LOCAL_MACHINE values written by Intel's INTEL-SA-00086 Discovery Tool, System Status\System
  Risk and ME Firmware Information\ME Version. The collections and reports in this gist key on these
  values, so their results are only meaningful for computers scanned with this profile after the
  detection package has run. No schedule triggers are defined here; the companion Deploy package
  requests the scan through ScanAfterDeployment with InventoryScanProfileId 7 (presumably re-mapped
  on import, so check the link after importing).
-->
<ScanProfile>
<Scanners type="list">
<Scanner>
<!-- IncludePattern lists one registry value path per line; RowLimit caps the rows kept per computer. -->
<ExcludePattern></ExcludePattern>
<Hive>HKEY_LOCAL_MACHINE</Hive>
<IncludePattern>SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool\System Status\System Risk
SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool\ME Firmware Information\ME Version</IncludePattern>
<RowLimit value="2500" />
<TypeName>Registry</TypeName>
<SourceScannerId value="31" />
</Scanner>
</Scanners>
<ScheduleTriggerSet name="ScheduleTriggers">
<Triggers type="list" />
</ScheduleTriggerSet>
<Description></Description>
<ScanProfileId value="7" />
<Name>Intel SA-00086</Name>
</ScanProfile>
</AdminArsenal.Export>