beeprime / ICS-Petya

The purpose of this repository is to provide a collaboration space for working on Petya/NoPetya tools specific to ICS


ICS-Petya Resources

Trying to get content out quickly so this won't be pretty.

This is an attempt to collect scripts and quick go-bys for asset owners and incident responders in the Industrial Control Systems sector.

Consider all scripts to have been lightly tested in only my environment, so proceed with caution. If you find mistakes or make improvements, please contribute back as you are able.

Resources

Scripts

Create-PetyaVaxFiles.PS1 - Creates and verifies magic perfc files in c:\windows

MS17-010-createperfc.bat - Quick and dirty batch file to create magic perfc files in c:\windows

How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server - From Microsoft (contains PowerShell scripts to disable/remove)

Explanation and CAUTION: The 'magic' file is supposedly checked by PETYA in order to determine whether it should run or not. Malware developers often use checks like this to detect a malware analysis system, or to avoid infecting their own machines. This particular magic file is supposed to inoculate systems and prevent PETYA from running on them. However, there are conflicting reports on its effectiveness on different Windows platforms in different configurations, so it should not be relied on as a fix. The only true fix is to patch your systems per Microsoft's advice.
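An added example of the create-and-verify step described above. This is not Create-PetyaVaxFiles.PS1 from this repository; it assumes the file names beyond "perfc" (perfc.dat, perfc.dll) from the widely published vaccine write-up, and it must run from an elevated prompt to write into C:\Windows.

```powershell
# Added example, not the repository's own script.
# Creates the "magic" perfc vaccine files in the Windows directory as
# read-only and then verifies each one. This is NOT a substitute for
# installing the MS17-010 update (see the CAUTION above).

function New-PerfcVaccineFile {
    param([Parameter(Mandatory)] [string] $Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        # Create an empty file; -ErrorAction Stop surfaces failures such as
        # missing admin rights instead of silently continuing
        New-Item -ItemType File -Path $Path -ErrorAction Stop | Out-Null
    }
    # Mark the file read-only so it is not trivially overwritten later
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true -ErrorAction Stop
}

function Test-PerfcVaccineFile {
    param([Parameter(Mandatory)] [string] $Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    # Verified only when the file exists AND carries the ReadOnly attribute
    return (($item.Attributes -band [System.IO.FileAttributes]::ReadOnly) -ne 0)
}

$windowsDir = $env:SystemRoot          # normally C:\Windows
# Assumption: names taken from the published vaccine write-up, not this page
$names = @('perfc', 'perfc.dat', 'perfc.dll')

$allOk = $true
foreach ($name in $names) {
    $full = Join-Path $windowsDir $name
    try {
        New-PerfcVaccineFile -Path $full
    } catch {
        Write-Warning "Could not create $full : $($_.Exception.Message)"
    }
    $ok = Test-PerfcVaccineFile -Path $full
    if (-not $ok) { $allOk = $false }
    '{0,-40} {1}' -f $full, $(if ($ok) { 'OK (exists, read-only)' } else { 'MISSING or not read-only' })
}

# Non-zero exit lets a deployment tool flag hosts where the vaccine is absent
if (-not $allOk) { exit 1 }
```

Run it again after a reboot or patch cycle: the verify step alone tells you whether the files survived, which is the check you want before trusting the inoculation on a given host.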

Explanation and CAUTION: Please note that older control systems may rely on SMB1 communications, and disabling SMB1 on a live system may break communication and result in unintended consequences. Test all changes prior to deployment in control environments using a methodology that limits impacts to production systems.

All things MS17-010

MS17-010: Security update for Windows SMB Server: March 14, 2017 - Microsoft Bulletin for MS17-010

Patches That Fix the Vulnerability For MS17-010 - A consolidated list of patches and their associated KB numbers. Use these KB numbers in a search at https://www.catalog.update.microsoft.com to find offline patches.

Download-Patches.PS1 - Bulk download all MS17-010 patches (still being updated to cover more patches)

Description of the Windows Update Standalone Installer in Windows - With commandline switches for silent installs

How to verify that MS17-010 is installed - From Microsoft (contains PowerShell scripts to verify install)

Links to Tools/Utilities

NMAP

Nmap for a quick and dirty scan to look for vulnerable hosts. USE WITH EXTREME CAUTION so as not to knock devices off the network. The command below will scan a subnet of your choice for port 445 and run a check to see whether each system is vulnerable to MS17-010. This script is classified as a 'safe' check by the developer of the script, Paulino Calderon.

Example nmap command line:

    nmap -p445 --script smb-vuln-ms17-010 --max-hostgroup 3 --open X.X.X.X/X

More information on smb-vuln-ms17-010.nse from the Nmap project: https://nmap.org/nsedoc/scripts/smb-vuln-ms17-010.html

Relevant Reading - Petya

https://www.binarydefense.com/petya-ransomware-without-fluff/

General Reading (WannaCry/Petya/NotPetya/MS17-010)

https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01I

https://www.us-cert.gov/ncas/current-activity/2017/06/27/Multiple-Petya-Ransomware-Infections-Reported

General Vendor Bulletins (WannaCry/Petya/NotPetya/MS17-010)

🔒 Wonderware - Actual Bulletin

Rockwell Automation - Summary of Bulletin for WannaCry

🔒 Rockwell Automation - Actual Bulletin

Rockwell Automation - Patch Support Matrix

Also see the list of vendor resources in the ICS-CERT advisory.

License

MIT License. See the LICENSE file for details.
