DarrenWhite99
Administrator

Content Count: 1262
Days Won: 186
Community Reputation: 446 Excellent
DarrenWhite99 last won the day on September 24
DarrenWhite99 had the most liked content!

My Information
Location: Redding, California, US
Agent Count: 2000 - 3000 Agents
Occupation: Senior Systems Engineer

  1. I confirmed the registry check (barring intentional manipulation of the registry) is a better indicator of an appropriate patch being installed than trying to test for specific installed updates. It even flagged systems I thought were patched but on investigation found had not yet been restarted, and thus the patch was installed but not effective. I did update my monitor to not include "in progress" patches so I got the same results, but since the registry check is quick and simple and accurate, I agree it's the best way to monitor for vulnerable systems.
  2. Basically yeah, that's all that will be returned because that is all that will be written to the DB. But you may have noticed that when you test the monitor it does return more. That's why I made a script to test remote monitors and capture the full result. When the remote monitor alerts, it should trigger this script which will test the monitor again and capture the full output and attach it to the ticket (if already created). NOTE: This only works for monitors where the output can be reproduced. For instance, this cannot be used with event log monitors, SNMP Traps, a monitor that clears itself each time it is checked, etc. The script is attached to this post. GatherRemoteMonitorOutput.xml
  3. Yes. But beyond those, you should not change anything in SQL. After you import you could use the GUI to adjust some bits.. But probably not.
  4. Ahh.. The "Limit To" search ID is different for my system. Sorry, I just tossed it up quickly. It doesn't have my usual niceness of validating related IDs based on their name/GUID, etc. Maybe I'll throw an update on it that checks for that.
  5. I dusted off my old WannaCry monitor and came up with this remote monitor. It searches for known KBs installed on the system and will alert and create a ticket if known KBs are not installed. Over time additional KBs will need to be added to the list, but for now I believe it is complete. The Remote Monitor is using this command if you want to test it without importing the SQL:

     "%windir%\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command "& {$tpDebug=0;$MVer=1.0;$ProgressPreference='SilentlyContinue';IF (-not ($psversiontable.psversion -gt 1.9)) {'Error:POSH 2.0+ Required';exit};$tpvalue='4566116|4565349|4565351|4566782|4570333|4571694|457170[23]|4571719|457172[39]|4571736|4571748|4577015|45770[34]8|457705[13]|457706[269]|4577071|4574727';$Errs={}.Invoke();$Outs={}.Invoke();$KBLIST=@{};$KBResult=@();$i=0;$r=0;$h=0;$k=0;try {$WUSess=New-Object -ComObject 'Microsoft.Update.Session';$WUSearch=$WUSess.CreateUpdateSearcher();$FormatEnumerationLimit=-1;$WUHist=$WUSearch.GetTotalHistoryCount();if ($WUHist -gt 0) {$Outs.Add('Loading Windows Update History');$WUSearch.QueryHistory(0, $WUHist)|Select-Object Title,Date,Operation,Resultcode|Where-Object {$_.Operation -match '[12]' -and $_.Resultcode -match '[123]' -and $_.Date -gt '1/1/1980'}|Sort-Object Date,Title|ForEach-Object {$Title=$_.Title;$KBID=$($Title|Select-String 'KB\d{6,7}' -AllMatches|ForEach-Object{$_.matches}|ForEach-Object {$_.Value});IF($KBID) {switch($_.operation){1{$Outs.Add('Adding '+$KBID+': '+$Title);$i+=1;$KBLIST.Set_Item($KBID,$Title)};2{$Outs.Add('Removing '+$KBID);$r+=1;$KBLIST.Remove($KBID)}}}}} else {$Errs.Add('Windows Update History Unavailable')}} catch {$Errs.Add('Error retrieving Windows Update History')};try {$Outs.Add('Loading Get-Hotfix Reported Updates');Get-Hotfix|ForEach-Object {$KBID=$_.HotfixID;IF($KBID -match 'KB\d{6,7}') {$h+=1;if (-not $KBLIST.ContainsKey($KBID)) {$Outs.Add('Adding '+$KBID);$k+=1;$KBLIST.Set_Item($KBID,$KBID)} else {$Outs.Add($KBID+' already found')}}}} catch {$Errs.Add('Error retrieving Get-Hotfix results')};$Outs.Add('Filtering Updates');$KBLIST.GetEnumerator()|sort-object|Where-Object {($_.Value -match 'KB('+$tpvalue+')' -and $tpvalue.Length -gt 25)}|ForEach-Object {$Outs.Add('Successfully Matched '+$_.Name);$KBResult+=$_.Name};IF (-not $($tpvalue.Length -gt 25)) {$Errs.Add('Error - Template Property kbid_ms17_010 not found')};IF ($tpDebug -eq 1) {'Windows Update - '+$i+' installed, '+$r+' removed';'Get-Hotfix - '+$k+'/'+$h+' hotfixes added.';'Matched Updates: '+$KBResult.Count;$Outs.GetEnumerator()};IF ($KBResult) {'Secured - Detected Updates '+$($KBResult)|Out-String} else {'Vulnerable - No Matching KB Found.';$Errs.GetEnumerator()}}"

     CVE-2020-1472 Zerologon Vulnerability Monitor.sql
  6. That is correct. The Identity (Fieldname) value is what determines if a result is treated as a new alert or as an existing one.
  7. The bundle at https://www.mspgeek.com/applications/core/interface/file/attachment.php?id=8898 includes an XML named "AUTOMATIC - Perform Domain Join.xml". But that XML includes multiple scripts including the "Manual Join" one. (The Automatic join just pre-loads variables for the manual join. It's always using the "Manual Join" script to do the work.)
  8. I managed to make this into an almost 70 line script that can be triggered by a monitor, can create or find an existing ticket, verifies the admin credentials, creates the profile folder, and clears the monitor alert and updates the ticket reporting the outcome. But this is the heart of creating the profile:

     SHELL as Admin: whoami & whoami /groups | findstr "S-1-5-32-544">NUL&&ECHO SUCCESS - User is Administrator
     and store the result in %shellresult%
     IF @shellresult@ Not Contains SUCCESS THEN Jump to :UserIsNotValid
     SHELL: powershell.exe "$U='%computeruserdomain%'; $Un=$U -replace '^.*?\\',''; $Ud=$U -replace '(^\..*|^[^\\]+|\\.*)$',''; iex ([system.text.encoding]::ASCII.GetString([Convert]::FromBase64String('PCMNCi5TeW5vcHNpcw0KICAgUm91Z2ggUFMgZnVuY3Rpb25zIHRvIGNyZWF0ZSBuZXcgdXNlciBwcm9maWxlcw0KLk5PVEVTDQogICBDcmVhdGVkIGJ5OiBKb3NoIFJpY2thcmQgKEBNU19kbWluaXN0cmF0b3IpIGFuZCBUaG9tIFNjaHVtYWNoZXIgKEBkcmliZXJpZikNCiAgIERhdGU6IDI0TUFSMjAxNw0KICAgTG9jYXRpb246IGh0dHBzOi8vZ2lzdC5naXRodWIuY29tL2Nyc2huYnJuNjYvN2U4MWJmMjA0MDhjMDVkZGIyYjRmZGY0NDk4NDc3ZDgNCiAgIA0KICAgQ29udGFjdDogaHR0cHM6Ly9naXRodWIuY29tL01TQWRtaW5pc3RyYXRvcg0KCQkJTVNBZG1pbmlzdHJhdG9yLmNvbQ0KCQkJaHR0cHM6Ly9naXRodWIuY29tL2Nyc2huYnJuNjYNCgkJCXBvd2Vyc2hlbGxwb3NzZS5jb20NCiM+DQojZnVuY3Rpb24gdG8gcmVnaXN0ZXIgYSBuYXRpdmUgbWV0aG9kDQpmdW5jdGlvbiBSZWdpc3Rlci1OYXRpdmVNZXRob2QNCnsNCglbQ21kbGV0QmluZGluZygpXQ0KCVtPdXRwdXRUeXBlKFtpbnRdKV0NCglQYXJhbQ0KCSgNCgkJIyBQYXJhbTEgaGVscCBkZXNjcmlwdGlvbg0KCQlbUGFyYW1ldGVyKE1hbmRhdG9yeT0kdHJ1ZSwNCgkJCQkgICBWYWx1ZUZyb21QaXBlbGluZUJ5UHJvcGVydHlOYW1lPSR0cnVlLA0KCQkJCSAgIFBvc2l0aW9uPTApXQ0KCQlbc3RyaW5nXSRkbGwsDQogDQoJCSMgUGFyYW0yIGhlbHAgZGVzY3JpcHRpb24NCgkJW1BhcmFtZXRlcihNYW5kYXRvcnk9JHRydWUsDQoJCQkJICAgVmFsdWVGcm9tUGlwZWxpbmVCeVByb3BlcnR5TmFtZT0kdHJ1ZSwNCgkJCQkgICBQb3NpdGlvbj0xKV0NCgkJW3N0cmluZ10NCgkJJG1ldGhvZFNpZ25hdHVyZQ0KCSkNCgkkc2NyaXB0Om5hdGl2ZU1ldGhvZHMgKz0gW1BTQ3VzdG9tT2JqZWN0XUB7IERsbCA9ICRkbGw7IFNpZ25hdHVyZSA9ICRtZXRob2RTaWduYXR1cmU7IH0NCn0NCmZ1bmN0aW9uIEdldC1XaW4zMkxhc3RFcnJvcg0Kew0KCVtDbWRsZXRCaW5kaW5nKCldDQoJW091dHB1dFR5cGUoW2ludF0pXQ0KCVBhcmFtKCR0eXBlTmFtZSA9ICdMYXN0RXJyb3InKQ0KIGlmICgtbm90IChbU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5QU1R5cGVOYW1lXSR0eXBlTmFtZSkuVHlwZSkNCgl7DQoJJGxhc3RlcnJvckNvZGUgPSAkc2NyaXB0Omxhc3RlcnJvciB8IEZvckVhY2gtT2JqZWN0ew0KCQknW0RsbEltcG9ydCgia2VybmVsMzIuZGxsIiwgU2V0TGFzdEVycm9yID0gdHJ1ZSldDQoJCSBwdWJsaWMgc3RhdGljIGV4dGVybiB1aW50IEdldExhc3RFcnJvcigpOycNCgl9DQoJCUFkZC1UeXBlIEAiDQoJCXVzaW5nIFN5c3RlbTsNCgkJdXNpbmcgU3lzdGVtLlRleHQ7DQoJCXVzaW5nIFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlczsNCgkJcHVibGljIHN0YXRpYyBjbGFzcyAkdHlwZU5hbWUgew0KCQkJJGxhc3RlcnJvckNvZGUNCgkJfQ0KIkANCgl9DQp9DQojZnVuY3Rpb24gdG8gYWRkIG5hdGl2ZSBtZXRob2QNCmZ1bmN0aW9uIEFkZC1OYXRpdmVNZXRob2RzDQp7DQoJW0NtZGxldEJpbmRpbmcoKV0NCglbT3V0cHV0VHlwZShbaW50XSldDQoJUGFyYW0oJHR5cGVOYW1lID0gJ05hdGl2ZU1ldGhvZHMnKQ0KIA0KCSRuYXRpdmVNZXRob2RzQ29kZSA9ICRzY3JpcHQ6bmF0aXZlTWV0aG9kcyB8IEZvckVhY2gtT2JqZWN0IHsgIg0KCQlbRGxsSW1wb3J0KGAiJCgkXy5EbGwpYCIpXQ0KCQlwdWJsaWMgc3RhdGljIGV4dGVybiAkKCRfLlNpZ25hdHVyZSk7DQoJIiB9DQogDQoJQWRkLVR5cGUgQCINCgkJdXNpbmcgU3lzdGVtOw0KCQl1c2luZyBTeXN0ZW0uVGV4dDsNCgkJdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOw0KCQlwdWJsaWMgc3RhdGljIGNsYXNzICR0eXBlTmFtZSB7DQoJCQkkbmF0aXZlTWV0aG9kc0NvZGUNCgkJfQ0KIkANCn0NCmZ1bmN0aW9uIE5ldy1Qcm9maWxlRnJvbVNJRCB7DQogDQoJW0NtZGxldEJpbmRpbmcoKV0NCglQYXJhbQ0KCSgNCgkJIyBQYXJhbTEgaGVscCBkZXNjcmlwdGlvbg0KCQlbUGFyYW1ldGVyKE1hbmRhdG9yeT0kdHJ1ZSwNCgkJCQkgICBWYWx1ZUZyb21QaXBlbGluZUJ5UHJvcGVydHlOYW1lPSR0cnVlLA0KCQkJCSAgIFBvc2l0aW9uPTApXQ0KCQlbc3RyaW5nXSRVc2VyTmFtZSwNCgkJW3N0cmluZ10kZG9tYWluID0gJycNCgkpDQoJJG1ldGhvZG5hbWUgPSAnVXNlckVudkNQMicNCgkkc2NyaXB0Om5hdGl2ZU1ldGhvZHMgPSBAKCk7DQoJDQoJaWYgKC1ub3QgKFtTeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlBTVHlwZU5hbWVdJG1ldGhvZG5hbWUpLlR5cGUpDQoJew0KCQlSZWdpc3Rlci1OYXRpdmVNZXRob2QgInVzZXJlbnYuZGxsIiAiaW50IENyZWF0ZVByb2ZpbGUoW01hcnNoYWxBcyhVbm1hbmFnZWRUeXBlLkxQV1N0cildIHN0cmluZyBwc3pVc2VyU2lkLGANCgkJIFtNYXJzaGFsQXMoVW5tYW5hZ2VkVHlwZS5MUFdTdHIpXSBzdHJpbmcgcHN6VXNlck5hbWUsYA0KCQkgW091dF1bTWFyc2hhbEFzKFVubWFuYWdlZFR5cGUuTFBXU3RyKV0gU3RyaW5nQnVpbGRlciBwc3pQcm9maWxlUGF0aCwgdWludCBjY2hQcm9maWxlUGF0aCkiOw0KIA0KCQlBZGQtTmF0aXZlTWV0aG9kcyAtdHlwZU5hbWUgJG1ldGhvZG5hbWU7DQoJfQ0KCSRzYiA9IG5ldy1vYmplY3QgU3lzdGVtLlRleHQuU3RyaW5nQnVpbGRlcigyNjApOw0KCSRwYXRoTGVuID0gJHNiLkNhcGFjaXR5Ow0KCVdyaXRlLVZlcmJvc2UgIkNyZWF0aW5nIHVzZXIgcHJvZmlsZSBmb3IgJFVzZXJuYW1lIjsNCgkjJFNJRD0gKChnZXQtYWR1c2VyIC1pZCAkVXNlck5hbWUgLUVycm9yQWN0aW9uIFN0b3ApLnNpZC52YWx1ZSkNCiAgaWYoJGRvbWFpbikNCiAgIHsNCgkJJG9ialVzZXIgPSBOZXctT2JqZWN0IFN5c3RlbS5TZWN1cml0eS5QcmluY2lwYWwuTlRBY2NvdW50KCRkb21haW4sICRVc2VyTmFtZSkNCgkJJHN0clNJRCA9ICRvYmpVc2VyLlRyYW5zbGF0ZShbU3lzdGVtLlNlY3VyaXR5LlByaW5jaXBhbC5TZWN1cml0eUlkZW50aWZpZXJdKQ0KCQkkU0lEID0gJHN0clNJRC5WYWx1ZQ0KICAgfQ0KICAgZWxzZSANCiAgIHsNCgkgICAkb2JqVXNlciA9IE5ldy1PYmplY3QgU3lzdGVtLlNlY3VyaXR5LlByaW5jaXBhbC5OVEFjY291bnQoJFVzZXJOYW1lKQ0KCSAgICRzdHJTSUQgPSAkb2JqVXNlci5UcmFuc2xhdGUoW1N5c3RlbS5TZWN1cml0eS5QcmluY2lwYWwuU2VjdXJpdHlJZGVudGlmaWVyXSkNCgkgICAkU0lEID0gJHN0clNJRC5WYWx1ZQ0KICAgfQ0KCVdyaXRlLVZlcmJvc2UgIiRVc2VyTmFtZSBTSUQ6ICRTSUQiDQoJdHJ5DQoJew0KCSAgICRyZXN1bHQgPSBbVXNlckVudkNQMl06OkNyZWF0ZVByb2ZpbGUoJFNJRCwgJFVzZXJuYW1lLCAkc2IsICRwYXRoTGVuKSANCgkgICBpZigkcmVzdWx0IC1lcSAnLTIxNDcwMjQ3MTMnKQ0KCSAgIHsNCgkJICAgJHN0YXR1cyA9ICIkdXNlck5hbWUgYWxyZWFkeSBleGlzdHMiDQoJCSAgIHdyaXRlLXZlcmJvc2UgIiR1c2VybmFtZSBDcmVhdGlvbiBSZXN1bHQ6ICRyZXN1bHQiDQoJCX0NCgkJZWxzZWlmKCRyZXN1bHQgLWVxICctMjE0NzAyNDgwOScpDQoJCXsNCgkJCSRzdGF1cyA9ICIkdXNlcm5hbWUgTm90IEZvdW5kIg0KCQkJd3JpdGUtdmVyYm9zZSAiJHVzZXJuYW1lIGNyZWF0aW9uIHJlc3VsdDogJHJlc3VsdCINCgkJfQ0KCSAgIGVsc2VpZigkcmVzdWx0IC1lcSAwKQ0KCSAgIHsNCgkJICAgJHN0YXR1cyA9ICIkdXNlcm5hbWUgUHJvZmlsZSBoYXMgYmVlbiBjcmVhdGVkIg0KCQkgICB3cml0ZS12ZXJib3NlICIkdXNlcm5hbWUgQ3JlYXRpb24gUmVzdWx0OiAkcmVzdWx0Ig0KCSAgIH0NCgkgICBlbHNlDQoJICAgew0KCQkgICRzdGF0dXMgPSAiJFVzZXJOYW1lIHVua25vd24gcmV0dXJuIHJlc3VsdDogJHJlc3VsdCINCgkgICB9DQoJfQ0KCWNhdGNoDQoJew0KCQlXcml0ZS1FcnJvciAkXy5FeGNlcHRpb24uTWVzc2FnZTsNCgkJYnJlYWs7DQoJfQ0KCSRzdGF0dXMNCn0='))); New-ProfileFromSID -Username $Un -Domain $Ud"
     and store the result in %shellresult%

     Confirm the credentials actually work. Run powershell to create a profile for the admin user.
  9. Go learn about ActiveSetup. I have kept this bookmark for years, an excellent reference: http://sccmpackager.blogspot.com/2013/07/active-setup-what-is-active-setup.html Or even a script called by HKLM\Software\Microsoft\Windows\CurrentVersion\Run that quickly tests if the software is installed and exits, or installs. ActiveSetup is just checking every login for a registry value to tell if the task has already been performed for this user, and if not it executes it.
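As an added example (not code from the post above or from Automate), here is the Active Setup registration described there written out in PowerShell, together with a check that mirrors the comparison Windows performs at each logon. The component GUID, name, version and StubPath are placeholders chosen for this example.

```powershell
# Added example: register an Active Setup component so a command runs once per
# user at their next logon, plus a helper that reports whether it is still
# pending for the current user. All names/paths below are placeholders.

$ComponentId   = '{7F2A6C3E-1B4D-4E7A-9C0B-5D6E8F1A2B3C}'   # assumption: made-up GUID
$ComponentName = 'Example Per-User Setup'                   # assumption
$Version       = '1,0,0,0'   # Active Setup compares comma-separated numbers; bump to re-run for every user
# Assumption: the script lives under ProgramData, which standard users cannot write to.
$StubPath      = 'powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\ProgramData\Example\PerUserSetup.ps1"'

$HklmPath = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\$ComponentId"
$HkcuPath = "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\$ComponentId"

function Register-ActiveSetupComponent {
    # Needs an elevated session: the machine-wide entry lives under HKLM.
    New-Item -Path $HklmPath -Force | Out-Null
    Set-ItemProperty -Path $HklmPath -Name '(Default)'   -Value $ComponentName
    Set-ItemProperty -Path $HklmPath -Name 'StubPath'    -Value $StubPath
    Set-ItemProperty -Path $HklmPath -Name 'Version'     -Value $Version
    Set-ItemProperty -Path $HklmPath -Name 'IsInstalled' -Value 1 -Type DWord
}

function ConvertTo-ActiveSetupVersion([string]$Text) {
    # "1,0,0,0" -> [version]1.0.0.0 so the comparison matches what Windows does.
    [version]($Text -replace ',', '.')
}

function Test-ActiveSetupPending {
    # Mirrors the logon-time check: the StubPath runs when the HKCU copy of the
    # component is missing or carries a lower version than the HKLM entry.
    $machine = Get-ItemProperty -Path $HklmPath -ErrorAction SilentlyContinue
    if (-not $machine -or $machine.IsInstalled -ne 1) { return $false }
    $user = Get-ItemProperty -Path $HkcuPath -ErrorAction SilentlyContinue
    if (-not $user) { return $true }
    if (-not $machine.Version) { return $false }
    if (-not $user.Version) { return $true }
    return (ConvertTo-ActiveSetupVersion $user.Version) -lt (ConvertTo-ActiveSetupVersion $machine.Version)
}

# Usage, from an elevated session (or from the agent running as SYSTEM):
# Register-ActiveSetupComponent
# Test-ActiveSetupPending   # $true until the current user has logged on again
```

The StubPath runs in the context of whichever user is logging on, so the file it points at must sit somewhere standard users cannot modify; a StubPath in a user-writable folder lets one user plant code that every other user on the machine will execute at their next logon. Raising the Version re-runs the command for every user, which is the clean way to push a changed per-user task without deleting the HKCU entries by hand.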
  10. Pretty much you just need to get whatever you want into the result, and keep the Fieldname value stable to prevent undesired retriggering. Result can change every time so you don't need to worry about including timestamps in there.
  11. Per https://www.connectwise.com/company/trust , report by sending an email to security@connectwise.com .
  12. The script that collected those is the "Get Product Keys" script. You should make sure that you have the latest version from Solution Center, and make sure that it is running without error. I think it is normally triggered by the Onboarding Script?
  13. Just use one of the scripts. It sets a pending reboot by creating a registry entry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired and adds a scheduled task to delete the entry after a restart. So no matter which application is requesting it, you can get the Automate Agent to notice that a restart is needed.
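As an added example (not the script referred to in the post above, and not Automate's own code), here is the same technique in PowerShell: raise the Windows Update RebootRequired key so the agent reports a pending reboot, and register a one-shot SYSTEM task that clears the key and removes itself after the next startup. The task name is a placeholder.

```powershell
# Added example: flag a pending reboot the way Windows Update does, then clean
# the flag up automatically once the machine has actually restarted.

$FlagKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
$FlagReg  = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
$TaskName = 'ClearPendingRebootFlag'   # assumption: any unique task name

function Set-PendingRebootFlag {
    # Needs an elevated session: HKLM write plus task registration as SYSTEM.
    New-Item -Path $FlagKey -Force | Out-Null

    # At startup: reg.exe deletes the key, then schtasks removes this task so it
    # does not linger and later clear a legitimate flag raised by Windows Update.
    $cmdArgs   = "/c reg.exe delete `"$FlagReg`" /f & schtasks.exe /delete /tn `"$TaskName`" /f"
    $action    = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument $cmdArgs
    $trigger   = New-ScheduledTaskTrigger -AtStartup
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force | Out-Null
}

function Test-PendingReboot {
    # The key the agent reads, plus the two other standard indicators, so a
    # monitor built on this function agrees with the agent's own view.
    $cbs  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $pfro = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    return (Test-Path $FlagKey) -or (Test-Path $cbs) -or ($null -ne $pfro.PendingFileRenameOperations)
}

# Usage, from an elevated session:
# Set-PendingRebootFlag
# Test-PendingReboot   # $true until the cleanup task has run after a restart
```

The RebootRequired key is the generic Windows Update indicator, so anything else that reads it (other RMM checks, SCCM, update compliance scripts) will also treat the machine as awaiting a reboot; without the cleanup task the flag stays set forever and the agent keeps alerting, which is why the task deletes both the key and itself.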
  14. Services.Status isn't a thing. Services.State is what you would be looking for. Here are two ways to build the monitor to find computers where Umbrella_RC is NOT running (either because it is stopped or because it is not installed). The first version is the "Reverse Query" style, which can only be used for alert styles "Once Per XXX". The second version allows you to use "Send Fail after Success" alerting and incorporate logic to ensure the computer is currently online. Example as a Reverse Query: Example using Additional Conditions:
  15. I typically build a self-destruct into my remote monitor .bat files.

     @echo off
     SET SCRIPTVERSION=2
     SET "EXPECTEDVERSION="
     IF NOT "[%~1]"=="[]" SET "EXPECTEDVERSION=%~1"
     IF NOT DEFINED EXPECTEDVERSION SET "EXPECTEDVERSION=%SCRIPTVERSION%"
     REM Regular batch stuff here
     REM Regular batch stuff done.
     IF "[%EXPECTEDVERSION%]"=="[%SCRIPTVERSION%]" EXIT /B 0
     REM Safety check, only purge if we are running from the %WINDIR%\LTSvc folder.
     ECHO Purging %~nx0 version %SCRIPTVERSION% so that version %EXPECTEDVERSION% can be downloaded to %~dp0. | FINDSTR.EXE /I /C:"%WINDIR%\LTSvc" || EXIT /B 0
     REM There must be no extra lines after the next statement.
     START "Purge Script" /WAIT /B CMD.EXE /c "PING.EXE -n 1 127.0.0.1>NUL&DEL /F "%~f0""&EXIT /B 0

     So as I update the .bat, I change the SCRIPTVERSION value. Then I update the remote monitor to pass the version as the first parameter. If the first parameter is missing or matches the version already on the agent, no problem. But if the version does not match, the script deletes itself as its final step. Then the next time it runs a new copy will be downloaded.