Sunday, February 12, 2017

SCCM Inventory - Internet Explorer and Mozilla Firefox Plugins


In the previous article we covered SCCM inventory for the Google Chrome Cisco WebEx Plugin.  Knowing your security office, they have now asked you to gather the Cisco WebEx Plugins for Internet Explorer and Mozilla Firefox to get ahead.  Let's look into that.

As in the previous article, we will gather all plugins so the data is on hand for future exploits, but for now we will create a custom SQL report that singles out just the Cisco WebEx plugins.

Inventory of Internet Explorer plugins is thankfully simple in SCCM.  In the SCCM Console, go to "Administration - Overview - Client Settings" and open the properties of the "Default Client Settings".  From here go to "Hardware Inventory" and click "Set Classes...".  Now place a check in the box for "Browser Helper Object" and click OK twice to apply the settings.




Once clients check in and data is collected, you can create an SSRS report using the SQL query below.  One thing you will notice is that the Product Version oddly uses commas instead of periods between version numbers.  We use the "Replace" function in the SQL query to swap the comma separators for periods.  And of course, the "Where" clause looks specifically for Cisco WebEx.  Be careful when copying and pasting this directly into SQL; you might need to paste it into Notepad first to remove any web formatting, such as non-standard quotes or commas, from the query below.

-------------------------------------------------------------------

select distinct 
     v_R_System.Netbios_Name0, 
     v_R_System.User_Name0,
     v_GS_BROWSER_HELPER_OBJECT.Product0,
     Replace (v_GS_BROWSER_HELPER_OBJECT.ProductVersion0, ', ', '.') AS ProductVersion0,
     v_GS_BROWSER_HELPER_OBJECT.Publisher0,
     v_GS_BROWSER_HELPER_OBJECT.Description0

from  
     v_R_System 
     inner join v_GS_BROWSER_HELPER_OBJECT on v_GS_BROWSER_HELPER_OBJECT.ResourceID = v_R_System.ResourceId 

where 
     v_GS_BROWSER_HELPER_OBJECT.Publisher0 like '%Cisco%WebEx%'

Order by Netbios_Name0

-------------------------------------------------------------------


Now for the Firefox plugins, we will modify our "Configuration.MOF" file and then import two custom MOF files into Hardware Inventory.  Below is what you need to add to the bottom of your "Configuration.MOF" file.

-------------------------------------------------------------------

// Add these lines to the end of your Configuration.MOF

#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("FireFoxPlugins", NOFAIL)
[dynamic, provider("RegProv"), ClassContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\MozillaPlugins")]
Class FireFoxPlugins
{
[key] string KeyName;
[PropertyContext("Path")] String Path;
[PropertyContext("ProductName")] String ProductName;
[PropertyContext("Vendor")] String Vendor;
[PropertyContext("Description")] String Description;
[PropertyContext("Version")] String Version;
};

#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("FireFoxPlugins64", NOFAIL)
[dynamic, provider("RegProv"), ClassContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\MozillaPlugins")]
Class FireFoxPlugins64
{
[key] string KeyName;
[PropertyContext("Path")] String Path;
[PropertyContext("ProductName")] String ProductName;
[PropertyContext("Vendor")] String Vendor;
[PropertyContext("Description")] String Description;
[PropertyContext("Version")] String Version;
[PropertyContext("XPTPath")] String XPTPath;
};

//End 
-------------------------------------------------------------------

After you paste the above into your "Configuration.MOF" you will then create two new text documents labeled "FirefoxPlugins.MOF" and "FirefoxPlugins64.MOF".  Copy and paste the below code into the appropriate file.

FirefoxPlugins.MOF
-------------------------------------------------------------------

#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("FireFoxPlugins", NOFAIL)
[SMS_Report(TRUE),SMS_Group_Name("FireFoxPlugins"),SMS_Class_ID("FireFoxPlugins")]
Class FireFoxPlugins: SMS_Class_Template
{
[SMS_Report(TRUE),key] string KeyName;
[SMS_Report(TRUE)] String Path;
[SMS_Report(TRUE)] String ProductName;
[SMS_Report(TRUE)] String Vendor;
[SMS_Report(TRUE)] String Description;
[SMS_Report(TRUE)] String Version;
};

-------------------------------------------------------------------

FirefoxPlugins64.MOF
-------------------------------------------------------------------

#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("FireFoxPlugins64", NOFAIL)
[SMS_Report(TRUE),SMS_Group_Name("FireFoxPlugins64"),SMS_Class_ID("FireFoxPlugins64")]
Class FireFoxPlugins64: SMS_Class_Template
{
[SMS_Report(TRUE),key] string KeyName;
[SMS_Report(TRUE)] String Path;
[SMS_Report(TRUE)] String ProductName;
[SMS_Report(TRUE)] String Vendor;
[SMS_Report(TRUE)] String Description;
[SMS_Report(TRUE)] String Version;
[SMS_Report(TRUE)] String XPTPath;
};

-------------------------------------------------------------------


Once these two files are created, go back to the Hardware Inventory Client Settings and this time select "Import".  Import "FirefoxPlugins.MOF" and then "FirefoxPlugins64.MOF", and click OK to save the changes to the Client Settings.  As clients start reporting in and you are collecting data, you can use the SQL query below to create a custom SSRS report.  You will notice that Firefox plugins are stored in both 32-bit and 64-bit registry keys, which is why we inventory both.  The query combines the two views, since a system can have entries in both areas of the registry.  Once the two views are combined, the query looks specifically for WebEx.

Once again, be careful when copying and pasting this directly into SQL; you might need to paste it into Notepad first to remove any web formatting, such as non-standard quotes or commas, from the query below.


-------------------------------------------------------------------

Select * from (
select distinct 
     v_R_System.Netbios_Name0, 
     v_R_System.User_Name0,
     v_GS_FireFoxPlugins0.ProductName0 as ProductName,
     v_GS_FireFoxPlugins0.Vendor0 as Vendor,
     v_GS_FireFoxPlugins0.Version0 as Version,
     v_GS_FireFoxPlugins0.Description0 as Description,
     v_GS_FireFoxPlugins0.KeyName0 as Keyname
From  
     v_r_system 
     inner join v_GS_FireFoxPlugins0 on v_GS_FireFoxPlugins0.ResourceID = v_R_System.ResourceId 

Union ALL

Select distinct
     v_R_System.Netbios_Name0, 
     v_R_System.User_Name0,
     v_GS_FireFoxPlugins640.ProductName0 AS ProductName64,
     v_GS_FireFoxPlugins640.Vendor0 As Vendor64,
     v_GS_FireFoxPlugins640.Version0 AS Version64,
     v_GS_FireFoxPlugins640.Description0 AS Description64,
     v_GS_FireFoxPlugins640.KeyName0 AS Keyname64
From
     v_r_system
     inner join v_GS_FireFoxPlugins640 on v_GS_FireFoxPlugins640.ResourceID = v_R_System.ResourceId 
) As U

where 
     u.ProductName like '%webex%'

Order by Netbios_Name0

-------------------------------------------------------------------
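Before waiting on an inventory cycle, a test client can confirm that the two classes from Configuration.MOF expose what the registry actually holds. The PowerShell check below is an added example, not part of the original article; it assumes an elevated 64-bit PowerShell 3.0+ session on a client that has already received the updated Configuration.MOF.

```powershell
# Added example, not from the original article. Run elevated in 64-bit PowerShell 3.0+.
# Class names and registry paths are the ones defined in Configuration.MOF above.
$sources = @(
    @{ Class = 'FireFoxPlugins';   Key = 'HKLM:\SOFTWARE\MozillaPlugins' },
    @{ Class = 'FireFoxPlugins64'; Key = 'HKLM:\SOFTWARE\WOW6432Node\MozillaPlugins' }
)
$fields = 'Path', 'ProductName', 'Vendor', 'Description', 'Version'

$report = foreach ($s in $sources) {
    # Registry side: one subkey per registered plugin.
    $reg = @()
    if (Test-Path -Path $s.Key) {
        $reg = @(Get-ChildItem -Path $s.Key | ForEach-Object {
            $row = [ordered]@{ Class = $s.Class; KeyName = $_.PSChildName }
            foreach ($f in $fields) { $row[$f] = $_.GetValue($f) }
            [pscustomobject]$row
        })
    }

    # WMI side: what the RegProv-backed class hands to hardware inventory.
    $classFound = $true
    try {
        $wmi = @(Get-CimInstance -Namespace 'root\cimv2' -ClassName $s.Class -ErrorAction Stop)
    } catch {
        # Query failed, typically because the class does not exist on this client yet.
        $classFound = $false
        $wmi = @()
    }
    $wmiKeys = @($wmi | ForEach-Object { $_.KeyName })

    # Tag each registry entry with whether WMI returned a matching instance.
    foreach ($p in $reg) {
        $p | Add-Member -NotePropertyName ClassFound -NotePropertyValue $classFound
        $p | Add-Member -NotePropertyName InWmi -NotePropertyValue ($wmiKeys -contains $p.KeyName)
        $p
    }
}

# Everything found, then the same WebEx filter the SQL report applies.
$report | Format-Table Class, KeyName, Version, ClassFound, InWmi -AutoSize
$report | Where-Object { $_.ProductName -like '*webex*' } |
    Format-List Class, KeyName, ProductName, Vendor, Version, Path
```

A row with InWmi set to False means the plugin is registered on the machine but would not reach the SCCM report, so check that row before trusting the report's coverage.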

Now you have two custom reports, one for Internet Explorer Cisco WebEx plugins and another for Mozilla Firefox Cisco WebEx plugins.  And you're also inventorying all Mozilla Firefox and Internet Explorer plugins.  Combined with the Google Chrome plugin inventory from the previous article, you are now prepared to quickly gather the data your Security Office requests the next time there is a zero-day exploit on a browser plugin in your enterprise.
