@SadProcessor
Created May 2, 2017 23:34
Quick Cmdlet to check this Intel ME Stuff - Uses WMI - Can be run against multiple targets
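<#
.SYNOPSIS
Check for the Intel ME / AMT privilege-escalation issue (INTEL-SA-00075) via WMI.
.DESCRIPTION
Reads the Intel Management Engine Interface (MEI) driver version on each target
through WMI and compares it with the vulnerable version ranges for
INTEL-SA-00075 (Intel Active Management Technology, Intel Small Business
Technology and Intel Standard Manageability escalation of privilege,
May 1st 2017).
Returns one object per target. The Risk property is:
  $true  - driver version falls inside a vulnerable range
  $false - driver version is outside the vulnerable ranges
  $null  - version could not be determined (see the Error property)
The driver version is only an indicator: the affected component is the ME
firmware, so use Intel's detection tool (links in NOTES) for an authoritative
result and for remediation options.
Uses WMI only, so it can be run against multiple remote computers.
.PARAMETER ComputerName
Target computer(s). Defaults to the local machine. Accepts pipeline input.
.PARAMETER Creds
Prompt once for a credential and use it for every remote query.
.PARAMETER Credential
Credential to use for remote queries (no prompt). Takes precedence over -Creds.
.EXAMPLE
IntelMEStuff
Checks localhost.
.EXAMPLE
$ComputerList | IntelMEStuff -Creds | Export-Csv Result.csv
Checks every computer in $ComputerList with the prompted credential and writes
the result to a csv file.
.NOTES
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
https://downloadmirror.intel.com/26755/eng/INTEL-SA-00075%20Detection%20Guide-Rev%201.0.pdf
#>
function Test-IntelMEStuff {
    [Alias('IntelMEStuff')]
    Param(
        # Target computer(s) - optional - defaults to localhost
        [Parameter(Mandatory=$false,Position=0,ValueFromPipeline=$true)]
        [String[]]$ComputerName = $env:ComputerName,
        # Prompt for a credential to use on remote queries - optional
        [Parameter(Mandatory=$false)]
        [Switch]$Creds,
        # Credential for remote queries, supplied by the caller - optional
        [Parameter(Mandatory=$false)]
        [System.Management.Automation.PSCredential]$Credential
    )
    Begin {
        # Accumulate result objects here; emitted in End so the column order is stable.
        $Output = New-Object System.Collections.ArrayList

        # One credential for the whole run: explicit -Credential wins, -Creds prompts once.
        $CredObj = $Credential
        if ($Creds -and -not $CredObj) { $CredObj = Get-Credential }

        # True when $name refers to this machine, so WMI is queried without -ComputerName.
        # The host name is compared on its first DNS label so a FQDN of this machine also
        # counts as local. (The original tested the whole $ComputerName array instead of
        # the current target, which made every target local once any of them was.)
        function Test-IsLocalTarget {
            param([string]$name)
            if ($name -eq '.' -or $name -eq 'localhost' -or $name -eq '127.0.0.1') { return $true }
            return (($name -split '\.')[0] -eq $env:ComputerName)
        }

        # Map a dotted MEI driver version string to $true/$false/$null as documented
        # in .DESCRIPTION. Thresholds are those of the original gist (see .NOTES).
        # The four components are compared as integers: comparing the string parts
        # directly makes PowerShell do a lexicographic comparison ('10' -le 2 is true).
        function Get-MEIVersionRisk {
            param([string]$ProductVersion)
            $parts = @($ProductVersion -split '\.')
            if ($parts.Count -lt 4) { return $null }
            try { $V = [int[]]$parts } catch { return $null }
            $atRisk = $false
            switch ($V[0]) {
                6  { if ($V[1] -le 2 -and $V[2] -le 61 -and $V[3] -lt 3535) { $atRisk = $true } }
                7  { if ($V[1] -le 1 -and $V[2] -le 91 -and $V[3] -lt 3272) { $atRisk = $true } }
                8  { if ($V[1] -le 1 -and $V[2] -le 71 -and $V[3] -lt 3608) { $atRisk = $true } }
                9  {
                    if ($V[1] -le 1) { if ($V[2] -le 41 -and $V[3] -lt 3535) { $atRisk = $true } }
                    elseif ($V[1] -eq 5) { if ($V[2] -le 61 -and $V[3] -lt 3012) { $atRisk = $true } }
                }
                # Original compared -$V[3] (unary minus) in the 10.x and 11.x arms, which
                # made the revision test always true; the sign is dropped here.
                10 { if ($V[2] -le 55 -and $V[3] -lt 3000) { $atRisk = $true } }
                11 {
                    if ($V[1] -eq 0 -and $V[2] -le 25 -and $V[3] -lt 3001) { $atRisk = $true }
                    elseif ($V[1] -eq 5 -and $V[2] -le 27 -and $V[3] -lt 3264) { $atRisk = $true }
                    elseif ($V[1] -eq 6 -and $V[2] -le 27 -and $V[3] -lt 3264) { $atRisk = $true }
                }
            }
            return $atRisk
        }
    }
    Process {
        foreach ($target in $ComputerName) {
            # Reset per target so a failed query cannot inherit the previous target's result.
            $Proc = $null
            $MEI = $null
            $DriverFile = $null
            $Risk = $null
            $ErrMsg = $null

            # Common arguments for every WMI call on this target (splatted below).
            $wmiArgs = @{ ErrorAction = 'Stop' }
            if (-not (Test-IsLocalTarget $target)) {
                $wmiArgs['ComputerName'] = $target
                if ($CredObj) { $wmiArgs['Credential'] = $CredObj }
            }

            try {
                # Manufacturer is selected too: the output object reports it.
                $Proc = Get-WmiObject -Class Win32_Processor @wmiArgs |
                    Select-Object -Property Name, Manufacturer -First 1
                # NOTE(review): only the 64-bit MEI driver service name is queried, as in
                # the original; a 32-bit host may register it under another name - confirm.
                $MEI = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='MEIx64'" @wmiArgs
                if ($MEI -and $MEI.PathName) {
                    # The driver file lives on the target, so its version must be read
                    # there too (Get-Item on PathName would inspect the local disk for a
                    # remote target). CIM_DataFile.Version is the file version string;
                    # assumed to match the ProductVersion the original read - confirm.
                    # Backslashes and quotes are escaped for the WQL literal.
                    $wqlPath = $MEI.PathName.Replace('\', '\\').Replace("'", "\'")
                    $DriverFile = Get-WmiObject -Class CIM_DataFile -Filter "Name='$wqlPath'" @wmiArgs
                    if ($DriverFile) { $Risk = Get-MEIVersionRisk $DriverFile.Version }
                }
            } catch {
                # Keep going with the remaining targets, but do not hide the failure.
                $ErrMsg = $_.Exception.Message
                Write-Warning "${target}: $ErrMsg"
            }

            $DriverName = $null
            if ($MEI -and $MEI.PathName) { $DriverName = Split-Path -Leaf $MEI.PathName }

            $Props = @{
                'ComputerName' = $target
                'Manufacturer' = $Proc.Manufacturer
                'Processor'    = $Proc.Name
                'Management'   = $MEI.DisplayName
                'State'        = $MEI.State
                'Started'      = $MEI.Started
                'Driver'       = $DriverName
                'Version'      = $DriverFile.Version
                'Risk'         = $Risk
                'Error'        = $ErrMsg
            }
            [void]$Output.Add((New-Object -TypeName PSObject -Property $Props))
        }
    }
    End {
        # Emit the result objects with a fixed column order.
        $Output | Select-Object -Property ComputerName, Manufacturer, Processor, Management,
            State, Started, Driver, Version, Risk, Error
    }
}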
MrZresH commented Jan 14, 2019

Just a friendly reminder: for INTEL-SA-00075 the vulnerability is in the firmware, not in the driver.
So the solution will be to use "Intel-SA-00075-console.exe -f -p 'YourPath'" to generate an xml and then compare it :)
This file can be downloaded here: https://downloadcenter.intel.com/download/26755/INTEL-SA-00075-Detection-and-Mitigation-Tool

Best Regards
