
All Activity


  1. Today
  2. I encountered the same issue before and I had no option but to buy a new computer because there are already viruses in my old computer which I cannot fix.
  3. Yesterday
  4. This is what I have setup now, two remote monitors.
  5. Now that you can exclude a specific brand from the condition and/or the agent from the monitor completely to get rid of those false positives, there is one question remaining: what will you do when those fail? They won't get reported because you are ignoring the alerts. Not the best way to handle things imho.
  6. Memorializing this on behalf of @redanthrax:
  7. From the SysAdmin sub Reddit, it seems there may be an easier way to check for this update by checking if a registry key exists (and maybe check what it's set to). I myself was confused about the cumulative updates which is why I searched. More info: https://docs.microsoft.com/en-us/answers/questions/79348/netlogon-secure-channel-cve-2020-1472-clarificatio.html
  8. Thanks for this, it's exactly what we are looking to check! Just want to make sure on the "Limit to" that should be changed to "Server Roles\Server Role - Domain Controllers" or should it be checked on all servers?
  9. https://www.samba.org/samba/security/CVE-2020-1472.html "...since version 4.8 (released in March 2018), the default behaviour of Samba has been to insist on a secure netlogon channel, which is a sufficient fix against the known exploits. This default is equivalent to having 'server schannel = yes' in the smb.conf. Therefore versions 4.8 and above are not vulnerable unless they have the smb.conf lines 'server schannel = no' or 'server schannel = auto'. Samba versions 4.7 and below are vulnerable unless they have 'server schannel = yes' in the smb.conf."
  10. You're probably running the script as the default agent user which runs as localsystem. To get into the logged in user's directory you'd have to use the "console execute" or similar script commands to run as a user (it runs the program through the tray icon). Along the lines of what Wesley said, run "set" at the remote command prompt:

      %windir%\system32> set
      ALLUSERSPROFILE=C:\ProgramData
      APPDATA=C:\Windows\system32\config\systemprofile\AppData\Roaming
      ...
      LOCALAPPDATA=C:\Windows\system32\config\systemprofile\AppData\Local
      ...
      Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsApps
      ...
      PUBLIC=C:\Users\Public
      ...
      TEMP=C:\Windows\TEMP
      TMP=C:\Windows\TEMP
      ...
      USERNAME=PCNAMEHERE$
      USERPROFILE=C:\Windows\system32\config\systemprofile
  11. Here's a little routine that will create a random password, store that password with a username (specified in script global @username@) and a timestamped title in a client's passwords, then uses that set of credentials to create a local administrator account on a Windows device. It's meant to be repetitively scheduled on devices that you want to enforce the existence of the local administrator account upon. Each time the script runs, it checks the age of the stored credentials and, if over the number of days specified in script global @ClientPwMaxAgeInDays@, rolls the password specified in the client passwords. Old credentials are retained in client passwords (with timestamped titles), so the client EDF and computer EDF that is created can be used to check state of the account and cross-ref what password should be used. Will also only update the timestamp in the computer EDF after testing that the specified account has been properly set and added to local admins. Script should import to Scheduled Commands folder. Feedback welcomed! Set AutoLocalAdmin Account.xml
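Added example, not the attached Set AutoLocalAdmin Account.xml script: a stand-alone PowerShell sketch of the same enforcement loop, with the account name, maximum password age and last-rotation timestamp as assumed values standing in for the @username@ and @ClientPwMaxAgeInDays@ script globals and the computer EDF. It generates the password from the cryptographic RNG (with rejection sampling so no character is favoured), creates or updates the local account, ensures membership in the built-in Administrators group by SID, and only reports the timestamp after verifying the account is enabled and in the group. The client-password and EDF writes are left as comments because they are Automate-specific.

```powershell
# Added example; assumed stand-ins for the script globals and the computer EDF.
$Username    = 'ltadmin'   # assumed; stands in for @username@
$MaxAgeDays  = 30          # assumed; stands in for @ClientPwMaxAgeInDays@
$LastRotated = $null       # would be read from the computer EDF; $null forces a rotation

function New-RandomPassword {
    param([int]$Length = 20)
    # Cryptographic RNG rather than Get-Random; alphabet omits ambiguous characters (0/O, 1/l/I)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)   # bytes at or above this are rejected to avoid modulo bias
    $chars = New-Object System.Collections.Generic.List[char]
    $one   = New-Object byte[] 1
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($one)
        if ($one[0] -lt $limit) { $chars.Add($alphabet[$one[0] % $alphabet.Length]) }
    }
    -join $chars
}

function Set-EnforcedLocalAdmin {
    param([string]$Name, [string]$PlainPassword)
    $secure   = ConvertTo-SecureString $PlainPassword -AsPlainText -Force
    $existing = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        New-LocalUser -Name $Name -Password $secure -PasswordNeverExpires -AccountNeverExpires | Out-Null
    } else {
        Set-LocalUser -Name $Name -Password $secure -PasswordNeverExpires $true
        Enable-LocalUser -Name $Name
    }
    # Built-in Administrators is addressed by its well-known SID so this works on localized systems
    $adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'
    $userSid    = (Get-LocalUser -Name $Name).SID
    $member     = Get-LocalGroupMember -Group $adminGroup -ErrorAction SilentlyContinue |
                  Where-Object { $_.SID -eq $userSid }
    if ($null -eq $member) { Add-LocalGroupMember -Group $adminGroup -Member $Name }
}

function Test-EnforcedLocalAdmin {
    param([string]$Name)
    # True only if the account exists, is enabled and is a member of Administrators
    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $user -or -not $user.Enabled) { return $false }
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
    return [bool]($members | Where-Object { $_.SID -eq $user.SID })
}

$rotate = ($null -eq $LastRotated) -or
          ((New-TimeSpan -Start $LastRotated -End (Get-Date)).TotalDays -gt $MaxAgeDays)
if ($rotate) {
    $password = New-RandomPassword
    # Store $password with $Username and a timestamped title in the client passwords here,
    # before applying it, so a failure between the two steps still leaves a usable record.
    Set-EnforcedLocalAdmin -Name $Username -PlainPassword $password
}

if (Test-EnforcedLocalAdmin -Name $Username) {
    # Only now would the computer EDF timestamp be written; shown here as output
    "Verified $Username at $(Get-Date -Format o)"
} else {
    throw "Local admin '$Username' is not set up correctly; EDF timestamp not updated"
}
```

The ordering matters: the new password is recorded before it is applied, and the verification step gates the timestamp, which is the same state-tracking logic the post describes.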
  12. Yes. But beyond those, you should not change anything in SQL. After you import you could use the GUI to adjust some bits.. But probably not.
  13. I had to explode the SQL ( @DarrenWhite99 has so kindly shared with us) to help me better read/interpret it. Here are the fields referenced in the SQL statement and I've marked certain ones using the key described at the bottom. Help? `AgentID`, `GroupID`,⚠️ `SearchID`,⚠️ `Name`, `CheckAction`,❓ `AlertAction`,⚠️ `AlertMessage`, `ContactID`,❔ `interval`,❔ `Where`, `What`,❓ `DataOut`, `Comparor`,❓ `DataIn`, `IDField`, `AlertStyle`,❓ `ScriptID`, `datacollector`, `Category`,⚠️ `TicketCategory`,⚠️ `ScriptTarget`, `GUID`❓ ⚠️ = Check/Verify and Adjust as/if needed (I think) ❓ = Uh...??? ❔ = Might want or need to change???
  14. To answer your question: the SYSTEM context doesn't resolve usernames. To fix it, just use a hardcoded path like C:\Users\Public (or c:\programdata).
  15. To troubleshoot this you should hit the remote CommandPrompt button and then just explore the variable yourself - by typing: ECHO %username% Then in the response you can see what went wrong.
  16. Trying to figure out the correct var for a laptop script to copy a file to the all users or logged in user's %appdata% folder. Like in GPO (c:\Users\%USERNAME%\appdata\roaming\filename) this works fine for GPO but LT creates a domain name folder with the rest of the context. If you use the var %appdata\filename it will just copy to the LT share on the PC. I've tried different var% but none work; what am I missing? Thanks in advance
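Added example, not from any of the replies above, for the %USERNAME% question in this thread: it prints what the identity and USERPROFILE look like under the agent's SYSTEM context, then resolves the console user's profile folder through WMI instead of environment variables, falling back to C:\Users\Public when nobody is logged on. The UNC source path in the final comment is an assumption; the Win32_ComputerSystem.UserName and Win32_UserProfile properties are standard.

```powershell
# Added example. Under the agent these print NT AUTHORITY\SYSTEM and the systemprofile path,
# which is why %USERNAME% / %APPDATA% never point at the logged-on user's folder.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Host "Script runs as : $($identity.Name)"
Write-Host "USERPROFILE is : $env:USERPROFILE"

function Get-ConsoleUserProfile {
    # Win32_ComputerSystem.UserName is DOMAIN\user of the console session, or empty if nobody is logged on.
    # Assumes a single interactive session (no RDS host).
    $consoleUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    if ([string]::IsNullOrEmpty($consoleUser)) { return $null }

    # Translate the account to its SID and look up the profile folder that belongs to it
    $sid = ([System.Security.Principal.NTAccount]$consoleUser).Translate([System.Security.Principal.SecurityIdentifier]).Value
    $userProfile = Get-CimInstance -ClassName Win32_UserProfile -Filter "SID = '$sid'"
    if ($null -eq $userProfile) { return $null }

    [pscustomobject]@{
        User           = $consoleUser
        Sid            = $sid
        ProfilePath    = $userProfile.LocalPath
        RoamingAppData = Join-Path $userProfile.LocalPath 'AppData\Roaming'
    }
}

$target = Get-ConsoleUserProfile
if ($null -eq $target) {
    # Nobody logged on, or no profile found: use the machine-wide location suggested in the thread
    $destination = 'C:\Users\Public'
} else {
    $destination = $target.RoamingAppData
}
Write-Host "Copy destination: $destination"
# Copy-Item -Path '\\server\share\filename' -Destination $destination   # source path is an assumption
```

Resolving the profile by SID rather than by name also avoids the domain-prefixed folder names the question mentions, since LocalPath comes straight from the profile list.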
  17. Couldn't get this to proc until I changed 'AS' to 'USING'... any thoughts?
  18. Last week
  19. Thanks so much for this batch file! I have successfully used it to query and add registry values to the HKCU hive. This works great!
  20. I created a monitor:

      table: eventlogs
      field: EventID InSet (5827,5828,5829,5830,5831)
      ID field: Concat(eventlogs.`TimeGen`,': ', Replace(Replace(eventlogs.`message`,'\'', ''), '\n', '')) AS loggedEvent
      add'l condition: eventlogs.logname='system' and timegen > DATE_SUB(CURRENT_DATE(), INTERVAL 1 DAY)

      We have found zero events so far. From posts on the patchmanagement.org list, it seems that:
      - past-EOL Windows 7 is only blocked if the default security settings have been lowered
      - Installing the patch is sufficient to block the attack from Windows computers
      - The concern would be other devices (e.g. NAS joined to the domain? Old Macs maybe?)

      As for when a specific patch was installed, the Patch History tab will show that so it's presumably somewhere in the database. However that gets pruned out eventually. Windows itself tends to replace its own history for superseded patches, like when a new monthly CU installs. Or, Win10 feature updates erase Windows' own history. We have a search for missing KBs, but note it has issues such as different Win10 FUs tend to have different KB numbers, and this KB will be "missing" once the next monthly CU installs:
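Added example, not from any post in this stream: a local PowerShell check run on a domain controller that combines the two CVE-2020-1472 approaches discussed here, the registry key test from the earlier reply and the event ID 5827-5831 query this monitor implements. FullSecureChannelProtection under the Netlogon Parameters key is Microsoft's documented enforcement-mode value; the one-day window mirrors the monitor's DATE_SUB condition, and the last loop reproduces the monitor's ID field (timestamp, message with quotes and newlines stripped). It assumes it is run with administrative rights on a DC.

```powershell
# Added example. Registry value and event IDs are documented by Microsoft for CVE-2020-1472.
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$valueName = 'FullSecureChannelProtection'

function Get-NetlogonEnforcementState {
    # Absent value: behaviour follows the deployment phase of the installed update
    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet (behaviour follows the patch phase of the installed update)' }
    switch ($item.$valueName) {
        1       { 'Enforced (1)' }
        0       { 'Not enforced (0)' }
        default { "Unexpected value: $($item.$valueName)" }
    }
}

function Get-VulnerableNetlogonEvents {
    param([int]$Days = 1)
    # Same IDs and window as the Automate monitor: System log, 5827-5831, last N days
    $filter = @{
        LogName   = 'System'
        Id        = 5827, 5828, 5829, 5830, 5831
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent throws when nothing matches; treat that as an empty result
    try   { Get-WinEvent -FilterHashtable $filter -ErrorAction Stop }
    catch { @() }
}

$events = @(Get-VulnerableNetlogonEvents)

[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    Enforcement = Get-NetlogonEnforcementState
    EventCount  = $events.Count
} | Format-List

# One line per event, shaped like the monitor's loggedEvent ID field
foreach ($e in $events) {
    '{0}: {1}' -f $e.TimeCreated, ($e.Message -replace "[\r\n']", '')
}
```

Zero events with the value absent tells you nothing on its own; zero events with the value set to 1 means no device has been refused a vulnerable connection in the window, which is the state the monitor is meant to confirm.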
  21. Ahh.. The "Limit To" search ID is different for my system. Sorry, I just tossed it up quickly. It doesn't have my usual niceness of validating related IDs based on their name/GUID, etc. Maybe I'll throw an update on it that checks for that.
  22. on a few computers I am getting the error

      Rename-Computer : Object reference not set to an instance of an object.
      At line:1 char:1
      + Rename-Computer -newname 'CC-***-****UCTION' -DomainCredential (New-O ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : NotSpecified: (:) [Rename-Computer], NullReferenceException
          + FullyQualifiedErrorId : System.NullReferenceException,Microsoft.PowerShell.Commands.RenameComputerCommand

      Part of the computer name is redacted (all letters). I checked that it is at least PS v3:

      Get-Host | Select-Object Version
      Version
      -------
      5.1.18362.752
  23. UPDATE: Replying to myself so I'm not one of Those Guys who posts a question, solves it, and then never updates their original question with the solution. The crux of this issue ended up being that the services table only contains data about services that are currently on the endpoint - it frequently has records removed as services are removed from the computer in question. Our solution was to create a new table and a monitor/script to log newly installed service data into. The script will query the services table first and, if it does not find a record there, query the new table that contains (in theory) historical service data that we have collected. If the service is not in that historical table, we alert on it. Hopefully this helps people trying to solve a similar problem down the road!
  24. Thanks Dad. Just a heads up, the imported SQL came in as this to me.. Automatically creating a ticket, and limited to SQL 2005 servers...