Cyber Hygiene Basics

The following is a list of very simple cyber security things you can do to protect your digital life.

  1. Use a password manager.  I recommend LastPass as it is exceedingly useful, accessible from many devices and relatively cheap: $2/month for premium users, which includes a feature called Security Challenge that lets you evaluate the strength of your credentials.
  2. Patch, and patch often; in fact, just set Windows Update to automatic!  (Windows 7 and Vista, Windows 10)
  3. Anti-malware… Windows Defender (SCEP) comes standard on Windows 10 and you should be using it.
  4. Firewall… if it is disabled, you’ll have trouble.  Enable it and keep it running!
  5. Do not plug in USB flash/thumb drives that you do not own or whose origin you are not certain of.
  6. Same goes for unknown software.  Be sure you are aware of what you’re installing and that it comes from a solid source.
  7. Do not click on links within emails!!!!  If you want to go to some site like your bank or something, open a web browser separately and access your bank the “normal” way you’ve been trained to do.  Even if the email looks legit… never click on the links!
  8. Never trust “open” or free wifi!!!!!   Look into tethering your cell phone’s data to your laptop or tablet rather than using that “free” internet from the local internet cafe.  If you’ve been trained in network security and protecting yourself, then you can get away with the risk… but if you are not… please do not connect to free wifi!
  9. Backup, backup, and backup!  Use a good online backup service like Crashplan to keep copies of your data.  They are cheap, roughly $10/month/device, but it is well worth the cost if your laptop is stolen, destroyed or hacked.

Lastly, I want to leave you with the simplest recommendation of all… keep track of all your computers and devices!

Dynamic DNS and Cloudflare

I am extremely happy with the services from Cloudflare, and with my minions project I wanted an easy way to know where they all were. So I did my research and finally narrowed down a way to use ddclient to update Cloudflare.

Installing DDClient to function with CloudFlare on Ubuntu 14.04 LTS

1. Create a domain entry on CloudFlare.com for your FQDN… mycomputer.example.com or whatever.you.want.domain.com

2. Install Perl and the required modules…

apt-get install perl libjson-any-perl libio-socket-ssl-perl

3. Download the latest ddclient files from the official project: http://sourceforge.net/projects/ddclient/
at the time of this writing…

wget http://downloads.sourceforge.net/project/ddclient/ddclient/ddclient-3.8.2/ddclient-3.8.2.tar.gz

4. Untar ddclient files…

tar -xzf ddclient-3.8.2.tar.gz
cd ddclient-3.8.2

5. Download patch file from http://blog.peter-r.co.uk/cloudflare-ddclient-patch.html
at time of this writing…

wget http://blog.peter-r.co.uk/uploads/ddclient-3.8.0-cloudflare-22-6-2014.patch

6. Apply the patch…

patch < ddclient-3.8.0-cloudflare-22-6-2014.patch

7. Manually install…

mkdir /etc/ddclient
mkdir /var/cache/ddclient
cp ddclient /usr/sbin/
cp sample-etc_ddclient.conf /etc/ddclient/ddclient.conf
cp sample-etc_rc.d_init.d_ddclient.ubuntu /etc/init.d/ddclient

8. Edit the configuration and make it look like this (make special note of where I put the commas):

vi /etc/ddclient/ddclient.conf

daemon=300
syslog=yes
mail=root
mail-failure=root
pid=/var/run/ddclient.pid
ssl=yes

ssl=yes
protocol=cloudflare,
use=web
server=www.cloudflare.com,
zone=example.com,
login=your@email.com,
password=your-api-key-here
mycomputer.example.com,

9. Start the service…

service ddclient start

Then, to see what happened… logs are pushed into the syslog file… so tail that.

tail /var/log/syslog

10. To ensure ddclient runs at startup… do the following:

sudo update-rc.d -f ddclient remove
sudo update-rc.d ddclient defaults
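Before starting the daemon it is worth checking the file written in step 8, because the login and API key sit in it in clear text. The following is an added pre-flight check, not part of the article or of ddclient; the file paths and the sample config it writes are constructed.

```shell
#!/bin/bash
# Added example, not part of the article or of ddclient: a pre-flight check for
# the /etc/ddclient/ddclient.conf written in step 8. It confirms that the keys
# the Cloudflare host entry needs are present, that the FQDN from step 1 is the
# host line, that the sample file's placeholder API key was replaced, and that
# the file is not group/world readable (login and API key are in clear text).
# File paths and the sample config below are constructed.

# ddclient_conf_problems FILE [FQDN] -> prints one problem per line;
# returns 0 only when no problem was found
ddclient_conf_problems() {
    local conf=$1 host=$2 problems=0 key host_re mode
    if [ ! -f "$conf" ]; then
        echo "missing file: $conf"
        return 1
    fi
    # keys the article's host entry sets (each must have a non-empty value)
    for key in protocol use server zone login password; do
        if ! grep -Eq "^[[:space:]]*${key}=[^,[:space:]]" "$conf"; then
            echo "missing key: $key"
            problems=$((problems + 1))
        fi
    done
    if grep -Eq '^[[:space:]]*protocol=' "$conf" &&
       ! grep -Eq '^[[:space:]]*protocol=cloudflare' "$conf"; then
        echo "protocol is not cloudflare"
        problems=$((problems + 1))
    fi
    # the sample file's placeholder must have been replaced with a real key
    if grep -Eq '^[[:space:]]*password=your-api-key-here' "$conf"; then
        echo "password still holds the placeholder from the sample config"
        problems=$((problems + 1))
    fi
    # the host line is the FQDN on its own (the article's trailing comma is allowed)
    if [ -n "$host" ]; then
        host_re=$(printf '%s' "$host" | sed 's/\./\\./g')
        if ! grep -Eq "^[[:space:]]*${host_re},?[[:space:]]*$" "$conf"; then
            echo "host line for $host not found"
            problems=$((problems + 1))
        fi
    fi
    # clear-text credentials: owner-only permissions (GNU stat, then BSD stat)
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    case "$mode" in
        600|400) ;;
        *) echo "mode $mode: should be 600, the file holds the Cloudflare API key"
           problems=$((problems + 1)) ;;
    esac
    [ "$problems" -eq 0 ]
}

# write_sample_conf FILE -> the article's step-8 config with a made-up key
write_sample_conf() {
    cat > "$1" <<'EOF'
daemon=300
syslog=yes
mail=root
mail-failure=root
pid=/var/run/ddclient.pid
ssl=yes

protocol=cloudflare,
use=web
server=www.cloudflare.com,
zone=example.com,
login=your@email.com,
password=0123456789abcdef-constructed-placeholder
mycomputer.example.com,
EOF
}

# Stand-alone use: check_ddclient.sh /etc/ddclient/ddclient.conf mycomputer.example.com
if [ $# -gt 0 ]; then
    if ddclient_conf_problems "$1" "$2"; then echo "OK: $1"; fi
fi
```

Run it against the real file after `chmod 600 /etc/ddclient/ddclient.conf`; every line it prints is something to fix before step 9.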

It took a bit of research and troubleshooting to get this to work consistently… but hope this helps someone. Let me know if you have any questions.

Developing Content 101 – INI Files

Update: Added link to Location sensor on Tanium community website.
So you’d like to create Tanium Content for distribution to your infrastructure. Knowing what you want to do goes a long way to knowing how to do it with Tanium. For this article we’ll start with a very simple scenario: You need to create a brand new INI file that will hold physical location data about each of your endpoints. This INI file will be configured manually but you’d like the data retrieved whenever you need it.
To make this happen we’ll need a few things:
1. Two packages… one for Windows and one for Mac/Linux. Packages are not cross-platform, thus to do what we want we’ll need to create two packages. The Windows package will contain a simple VBS script that takes our incoming arguments and writes out an INI file. Mac and Linux both run shell scripts, so we can create a single shell script to do the same thing our VBS will be doing.
2. One sensor… These are indeed cross-platform, and we can embed both VBS and shell scripts for all three operating systems to read our INI file and return the results.

Development Environment
To get started, we’ll need a test box for all three environments. Most of us have a file synchronization application running like Google Drive, Microsoft’s OneDrive, Dropbox or others. This is a great place to work from since many of these apps also have cross-platform clients.
Start by creating a directory for your project as well as our content. Make it look like this:
> Location Project
>> Content
>>> Sensors
>>>> Location (https://community.tanium.com/repo/sensor/393)
>>> Packages
>>>> Set Location (Windows)
>>>> Set Location (Mac/Linux)

Package: Set Location (Windows)
Most likely you are working from a Windows workstation, so let’s start with the VB script since we can very quickly test it on this system. Here is the pseudo code for our VB script:
1. Capture our command line arguments into variables
2. If our INI file already exists, then open for writing, otherwise create it for writing.
3. Write to the INI file in the proper INI format all of our incoming arguments.
To accomplish this we’re going to need two of our highly reused functions: GetTaniumDir and GeneratePath.
These functions give us the full path of our Tanium Client directory and create any sub directories as needed.
Here is the full Set Location for Windows VB Script:

'=======================================
' Set Location
'=======================================

If WScript.Arguments.Count >= 5 Then
    ' arguments may carry %20 for spaces; turn them back into spaces
    Country = Replace(WScript.Arguments.Item(0), "%20", " ")
    State   = Replace(WScript.Arguments.Item(1), "%20", " ")
    City    = Replace(WScript.Arguments.Item(2), "%20", " ")
    Street  = Replace(WScript.Arguments.Item(3), "%20", " ")
    Number  = Replace(WScript.Arguments.Item(4), "%20", " ")

    Const ForReading = 1
    Const ForWriting = 2
    Const ForAppending = 8
    Set fso = CreateObject("Scripting.FileSystemObject")

    ' GetTaniumDir returns the client directory with a trailing backslash
    locationFilePath = GetTaniumDir("") & "Location.ini"
    If fso.FileExists(locationFilePath) Then
        WScript.Echo "Location.ini File Does Exist - Overwriting"
        Set locationFile = fso.OpenTextFile(locationFilePath, ForWriting)
    Else
        WScript.Echo "Location.ini File Does Not Exist - Creating"
        Set locationFile = fso.CreateTextFile(locationFilePath)
    End If

    locationFile.WriteLine "[Location]"
    locationFile.WriteLine "Country=" & Country
    locationFile.WriteLine "State=" & State
    locationFile.WriteLine "City=" & City
    locationFile.WriteLine "Street=" & Street
    locationFile.WriteLine "Number=" & Number
    locationFile.Close
End If

Function GetTaniumDir(strSubDir)
    ' GetTaniumDir with GeneratePath, works in x64 or x32
    ' looks for a valid Path value

    Dim objShell
    Dim keyNativePath, keyWoWPath, strPath

    Set objShell = CreateObject("WScript.Shell")

    keyNativePath = "HKLM\Software\Tanium\Tanium Client"
    keyWoWPath = "HKLM\Software\Wow6432Node\Tanium\Tanium Client"

    ' first check the Software key (valid for 32-bit machines, or 64-bit machines in 32-bit mode)
    On Error Resume Next
    strPath = objShell.RegRead(keyNativePath & "\Path")
    On Error Goto 0

    If strPath = "" Then
        ' Could not find 32-bit mode path, checking Wow6432Node
        On Error Resume Next
        strPath = objShell.RegRead(keyWoWPath & "\Path")
        On Error Goto 0
    End If

    If Not strPath = "" Then
        If strSubDir <> "" Then
            strSubDir = "\" & strSubDir
        End If

        Dim fso
        Set fso = WScript.CreateObject("Scripting.FileSystemObject")
        If fso.FolderExists(strPath) Then
            If Not fso.FolderExists(strPath & strSubDir) Then
                ' Need to loop through strSubDir and create all sub directories
                GeneratePath strPath & strSubDir, fso
            End If
            GetTaniumDir = strPath & strSubDir & "\"
        Else
            ' Specified Path doesn't exist on the filesystem
            WScript.Echo "Error: " & strPath & " does not exist on the filesystem"
            GetTaniumDir = False
        End If
    Else
        WScript.Echo "Error: Cannot find Tanium Client path in Registry"
        GetTaniumDir = False
    End If
End Function 'GetTaniumDir

Function GeneratePath(pFolderPath, fso)
    ' Recursively creates pFolderPath and any missing parent folders
    GeneratePath = False
    If Not fso.FolderExists(pFolderPath) Then
        If GeneratePath(fso.GetParentFolderName(pFolderPath), fso) Then
            GeneratePath = True
            Call fso.CreateFolder(pFolderPath)
        End If
    Else
        GeneratePath = True
    End If
End Function 'GeneratePath

Test our “Set Location” script by using the following command line:
cscript setlocation.vbs "US" "Arkansas" "Springdale" "Daniel Ave" "1234"
You should see a brand new “Location.ini” file appear within your Tanium Client directory.
(Note that this script writes to the Program Files directory, so you’ll need administrative access on your command prompt.)

Location Sensor (Windows)
Since we’re still on our Windows computer, let’s quickly develop the Windows script for reading our new Location.ini file. Just like the “Set Location” script, we’ll need a few reusable functions and a new one that will easily read our INI file: GetTaniumDir, GeneratePath, and ReadIni.
The pseudo code for this script is extremely easy!

1. Locate our INI file
2. Read each property within the INI file
3. Echo to the command prompt which gets picked up by the Tanium client during sensor execution.
The following is our Location Sensor’s VBScript:

'=======================================
' Read Location
'=======================================

Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8
Set fso = CreateObject("Scripting.FileSystemObject")
locationFilePath = GetTaniumDir("") & "Location.ini"
' build the pipe-delimited result the sensor returns, one key at a time
location = Trim(ReadIni(locationFilePath, "Location", "Country"))
location = location & "|" & Trim(ReadIni(locationFilePath, "Location", "State"))
location = location & "|" & Trim(ReadIni(locationFilePath, "Location", "City"))
location = location & "|" & Trim(ReadIni(locationFilePath, "Location", "Street"))
location = location & "|" & Trim(ReadIni(locationFilePath, "Location", "Number"))
WScript.Echo location

Function ReadIni( myFilePath, mySection, myKey )
    ' This function returns a value read from an INI file
    '
    ' Arguments:
    ' myFilePath  [string]  the (path and) file name of the INI file
    ' mySection   [string]  the section in the INI file to be searched
    ' myKey       [string]  the key whose value is to be returned
    '
    ' Returns:
    ' the [string] value for the specified key in the specified section
    '
    ' CAVEAT: Will return a space if key exists but value is blank
    '
    ' Written by Keith Lacelle
    ' Modified by Denis St-Pierre and Rob van der Woude
    Const ForReading = 1
    Const ForWriting = 2
    Const ForAppending = 8

    Dim intEqualPos
    Dim objFSO, objIniFile
    Dim strFilePath, strKey, strLeftString, strLine, strSection

    Set objFSO = CreateObject( "Scripting.FileSystemObject" )

    ReadIni = ""
    strFilePath = Trim( myFilePath )
    strSection = Trim( mySection )
    strKey = Trim( myKey )

    If objFSO.FileExists( strFilePath ) Then
        Set objIniFile = objFSO.OpenTextFile( strFilePath, ForReading, False )
        Do While objIniFile.AtEndOfStream = False
            strLine = Trim( objIniFile.ReadLine )

            ' Check if section is found in the current line
            If LCase( strLine ) = "[" & LCase( strSection ) & "]" Then
                strLine = Trim( objIniFile.ReadLine )

                ' Parse lines until the next section is reached
                Do While Left( strLine, 1 ) <> "["
                    ' Find position of equal sign in the line
                    intEqualPos = InStr( 1, strLine, "=", 1 )
                    If intEqualPos > 0 Then
                        strLeftString = Trim( Left( strLine, intEqualPos - 1 ) )
                        ' Check if item is found in the current line
                        If LCase( strLeftString ) = LCase( strKey ) Then
                            ReadIni = Trim( Mid( strLine, intEqualPos + 1 ) )
                            ' In case the item exists but value is blank
                            If ReadIni = "" Then
                                ReadIni = " "
                            End If
                            ' Abort loop when item is found
                            Exit Do
                        End If
                    End If

                    ' Abort if the end of the INI file is reached
                    If objIniFile.AtEndOfStream Then Exit Do

                    ' Continue with next line
                    strLine = Trim( objIniFile.ReadLine )
                Loop
                Exit Do
            End If
        Loop
        objIniFile.Close
    Else
        'WScript.Echo strFilePath & " doesn't exist. Exiting..."
        WScript.Quit 1
    End If
End Function

Function GetTaniumDir(strSubDir)
    ' GetTaniumDir with GeneratePath, works in x64 or x32
    ' looks for a valid Path value

    Dim objShell
    Dim keyNativePath, keyWoWPath, strPath

    Set objShell = CreateObject("WScript.Shell")

    keyNativePath = "HKLM\Software\Tanium\Tanium Client"
    keyWoWPath = "HKLM\Software\Wow6432Node\Tanium\Tanium Client"

    ' first check the Software key (valid for 32-bit machines, or 64-bit machines in 32-bit mode)
    On Error Resume Next
    strPath = objShell.RegRead(keyNativePath & "\Path")
    On Error Goto 0

    If strPath = "" Then
        ' Could not find 32-bit mode path, checking Wow6432Node
        On Error Resume Next
        strPath = objShell.RegRead(keyWoWPath & "\Path")
        On Error Goto 0
    End If

    If Not strPath = "" Then
        If strSubDir <> "" Then
            strSubDir = "\" & strSubDir
        End If

        Dim fso
        Set fso = WScript.CreateObject("Scripting.FileSystemObject")
        If fso.FolderExists(strPath) Then
            If Not fso.FolderExists(strPath & strSubDir) Then
                ' Need to loop through strSubDir and create all sub directories
                GeneratePath strPath & strSubDir, fso
            End If
            GetTaniumDir = strPath & strSubDir & "\"
        Else
            ' Specified Path doesn't exist on the filesystem
            WScript.Echo "Error: " & strPath & " does not exist on the filesystem"
            GetTaniumDir = False
        End If
    Else
        WScript.Echo "Error: Cannot find Tanium Client path in Registry"
        GetTaniumDir = False
    End If
End Function 'GetTaniumDir

Function GeneratePath(pFolderPath, fso)
    ' Recursively creates pFolderPath and any missing parent folders
    GeneratePath = False
    If Not fso.FolderExists(pFolderPath) Then
        If GeneratePath(fso.GetParentFolderName(pFolderPath), fso) Then
            GeneratePath = True
            Call fso.CreateFolder(pFolderPath)
        End If
    Else
        GeneratePath = True
    End If
End Function 'GeneratePath

Now we have our location.vbs script… so let’s test it… run the following command line:
cscript location.vbs
You should see the location information echoed to the command line, pipe (|) delimited.

Set Location (Mac/Linux)
What we’re trying to accomplish with writing and reading INI files is easily done with a shell script. We are not doing anything special, and thus a common Mac/Linux script is possible. If you are trying to “do” something else, you need to consider the various flavors of Linux like Red Hat, CentOS, Ubuntu, and so many more.
The pseudo code for our Mac/Linux shell script is identical to that of the Windows VBScript, so refer to that section for details.

Let’s switch over to our non-Windows computer for further development. Typically I prefer to work on my Mac laptop, but on occasion I’ll boot up my Ubuntu laptop to have a different experience. Here is the full script for setting the location on POSIX systems:

#!/bin/bash
#=======================================
# Set Location
#=======================================
Country=$1
State=$2
City=$3
Street=$4
Number=$5

# Packages run from Tanium Client/Downloads/Action_XXXX, so the client
# directory is two levels up. %20 in the arguments is turned back into spaces.
echo "[Location]" > '../../Location.ini'
echo "Country=$Country" | sed -e "s/%20/ /g" >> '../../Location.ini'
echo "State=$State" | sed -e "s/%20/ /g" >> '../../Location.ini'
echo "City=$City" | sed -e "s/%20/ /g" >> '../../Location.ini'
echo "Street=$Street" | sed -e "s/%20/ /g" >> '../../Location.ini'
echo "Number=$Number" | sed -e "s/%20/ /g" >> '../../Location.ini'

The working directory for packages in Tanium is within the client directory… Tanium Client/Downloads/Action_XXXX (Where XXXX is your action number). This means to write a file within the Tanium Client directory, you need to go up two as shown in the script above.
To test the above setlocation.sh script, use the following shell commands:
chmod +x setlocation.sh
./setlocation.sh "US" "Arkansas" "Springdale" "Daniel Ave" "1234"
You should find the Location.ini file two directories above where you developed this… and if you’re using the directory structure described at the beginning of this article, it’ll be within the “Content” directory.

Location Sensor (Mac/Linux)
Let’s quickly write up our location.sh script for reading the ini file. Note that the working directory for sensors is the root directory of your Tanium Client… Thus there is no need to go up two directories like we did in the package script. Here is the full location.sh script:

#!/bin/bash
#=======================================
# Read Location
#=======================================
# Sensors run from the Tanium Client root, so Location.ini is in the working directory.
if [ -f Location.ini ]; then
    Country=$(grep -w "^Country" Location.ini | cut -d= -f2)
    State=$(grep -w "^State" Location.ini | cut -d= -f2)
    City=$(grep -w "^City" Location.ini | cut -d= -f2)
    Street=$(grep -w "^Street" Location.ini | cut -d= -f2)
    Number=$(grep -w "^Number" Location.ini | cut -d= -f2)

    echo "$Country|$State|$City|$Street|$Number"
else
    echo ""
fi

To test this, copy the Location.ini file into the same directory as your script and run the following commands:
chmod +x location.sh
./location.sh
You should see the exact same output as our Windows VBScript with the location information pipe | delimited.
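The grep/cut approach above does not look at the [Location] section header and splits a value containing a second “=”, so the two sensors can disagree on an INI file that the VBScript ReadIni reads fine. The following is an added example, not part of the article: a section-aware shell reader with the same lookup semantics as ReadIni, run over a constructed Location.ini.

```shell
#!/bin/bash
# Added example, not part of the article: a section-aware INI reader that
# mirrors the VBScript ReadIni used by the Windows sensor, so both platforms
# resolve "[Location] Key" the same way. Differences from the grep/cut version:
# it honours the section header, tolerates spaces around '=', keeps an '='
# that appears inside a value, and ignores Windows CR line endings.

# read_ini FILE SECTION KEY  -> prints the trimmed value (empty if absent)
read_ini() {
    local file=$1 section=$2 key=$3
    [ -f "$file" ] || return 0
    awk -v section="$section" -v key="$key" '
        # normalise each line: drop CR, trim leading/trailing blanks
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        # a [Header] line switches the "inside wanted section" flag
        /^\[.*\]$/ { in_section = (tolower($0) == ("[" tolower(section) "]")); next }
        # key=value lines count only inside the wanted section
        in_section && index($0, "=") > 0 {
            eq = index($0, "=")
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            # first match wins, like ReadIni; comparison is case-insensitive
            if (tolower(k) == tolower(key)) { print v; exit }
        }
    ' "$file"
}

# location_string FILE -> the same pipe-delimited line the sensor returns
location_string() {
    local file=$1 k sep=""
    for k in Country State City Street Number; do
        printf '%s%s' "$sep" "$(read_ini "$file" Location "$k")"
        sep="|"
    done
    printf '\n'
}

# write_sample FILE -> a constructed Location.ini: a decoy section, odd
# spacing and a value containing '=' (where plain grep/cut would misbehave)
write_sample() {
    cat > "$1" <<'EOF'
[Other]
Country=Nowhere
[Location]
Country=US
State = Arkansas
City=Springdale
Street=Daniel Ave
Number=1234
Note=key=value with equals
EOF
}

# Stand-alone demo: writes the sample and prints the sensor line for it.
sample=$(mktemp)
write_sample "$sample"
location_string "$sample"    # US|Arkansas|Springdale|Daniel Ave|1234
rm -f "$sample"
```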

Pulling It All Together
Now that we have working and validated scripts… it is extremely easy to switch over to the Tanium Console and wrap them up in sensor and package objects for use on our entire infrastructure.

Building the Sensor:
Open your Tanium Console website and navigate to the Authoring->Sensors section. Click the “Add New Sensor” button in the top right.

We will need to define additional columns for the pipe (|) delimited values…

Next we’ll want to copy and paste our VBScript into the Windows script box, and our shell script into both the Mac and Linux script boxes.

Building the Packages:
Open your Tanium Console website and navigate to the Authoring->Packages section. Click the “Add New Package” button in the top right.
We’ll start with the “Set Location (Windows)” package. In the files section, choose the “Add Local Files” button and locate/select the “setlocation.vbs” file.

Upon launch, the console user will need to enter some parameters that are written… so click Advanced Settings and configure as follows:

Next we’ll build the “Set Location (Mac/Linux)” package… and just like before, choose the “Add Local Files” button and locate/select the “setlocation.sh” file.

And just like the windows package, we need to configure a few parameters:

Testing
That’s it. Now it’s time to do some expanded testing in your lab.

Ask the following question: Get Computer Name and Location from all machines
Your machines will all reply with no set location. Select one or more of your Windows machines and deploy the “Set Location (Windows)” package with some location information to be written.
Run the question again and you should see location information appearing for those Windows computers.

Continue testing to validate each of the scenarios you anticipate your console users will want to do.

Post your questions below and I’ll try to answer as best I can.

New Flickr Picture Browsing Site

I did it again! I went looking for a way to easily get links to the pictures I publish to Flickr for my blog articles. Sadly I couldn’t find what I wanted. So after a few hours of searching I gave up and created one of my own.

Let’s all welcome http://bypicture.com

The value I’m adding here is the ability to type in any flickr user’s name and see an infinite scrolling list of their photo stream. Click on any of the images and you’ll see all the various versions Flickr image sizes along with buttons to copy into your clipboard.

I’m using ByWord on my Mac to create blog articles… so there’s an extra button to click to get properly formatted image code for pasting directly into my article.

If you find this website useful… leave a comment. If you have other formats you’d like me to provide easy buttons for… leave a comment for that too.

Hope you guys find the site as useful as I do!

Tanium How-to SigCheck

If you’ve read my blog over the past few days, you already know that I now work for Tanium. Tanium has a self-named product that is used at many of the top Fortune 50 businesses to help them manage and get instant answers on the most common security and systems management questions they face, in mere seconds!
I thought I’d start sharing some how-to articles related to the product. I’m still learning myself so I will share as I learn. For this first article, I thought I’d start slightly after the beginning. I’m sure anyone reading this has gotten the full intro and some basic training from their assigned Technical Account Managers. And if you have any questions, the TAMs are always listening and willing to help!
Now, for this first article I want to tackle a problem that comes up all too often when distributing software that might be used by the Tanium client itself. In the example below, I will teach you how to distribute the Sysinternals tool called SigCheck. To do this you will need to produce a few pieces of content:
1. “Has SigCheck” is a sensor that checks your endpoints and determines if you have the utility already installed or not. This sensor allows you to ask the following question: Get Has SigCheck from all machines. This question needs to return a Yes or No depending on the presence of the sigcheck.exe utility.
2. “Distribute SigCheck” is a package that pulls SigCheck.zip from the Sysinternals website; it also pulls an unzip utility from our Tanium content site and, since we’re building this on the Community website, pulls distributesigcheck.vbs from the Tanium Community website.

The logical process once our content is built is as follows:
1. Ask the question “Get Has SigCheck from all machines”
2. Select the No answer and deploy an action: choose the “Distribute SigCheck” package and execute it.

“Has SigCheck” Sensor
Of course this all starts with the basic “has” sensor. To build this we’ll be writing an extremely simple sensor that will check the existence of our file within the Tools directory of our Tanium Client. This vbscript will look a little something like this:

'========================================
' Has SigCheck Utility
'========================================

' This sensor will report on the existence of the sigcheck file.

Option Explicit
Dim objFSO
Dim strTaniumToolsDir, strFile
Set objFSO = CreateObject("Scripting.FileSystemObject")

strFile = "sigcheck.exe"
' GetTaniumDir returns <Tanium Client>\Tools\Sigcheck\ (with trailing backslash)
strTaniumToolsDir = GetTaniumDir("Tools\Sigcheck")

If objFSO.FileExists(strTaniumToolsDir & strFile) Then
    WScript.Echo "Yes"
Else
    WScript.Echo "No"
End If

Function GetTaniumDir(strSubDir)
    ' GetTaniumDir with GeneratePath, works in x64 or x32
    ' looks for a valid Path value

    Dim objShell
    Dim keyNativePath, keyWoWPath, strPath

    Set objShell = CreateObject("WScript.Shell")

    keyNativePath = "HKLM\Software\Tanium\Tanium Client"
    keyWoWPath = "HKLM\Software\Wow6432Node\Tanium\Tanium Client"

    ' first check the Software key (valid for 32-bit machines, or 64-bit machines in 32-bit mode)
    On Error Resume Next
    strPath = objShell.RegRead(keyNativePath & "\Path")
    On Error Goto 0

    If strPath = "" Then
        ' Could not find 32-bit mode path, checking Wow6432Node
        On Error Resume Next
        strPath = objShell.RegRead(keyWoWPath & "\Path")
        On Error Goto 0
    End If

    If Not strPath = "" Then
        If strSubDir <> "" Then
            strSubDir = "\" & strSubDir
        End If

        Dim fso
        Set fso = WScript.CreateObject("Scripting.FileSystemObject")
        If fso.FolderExists(strPath) Then
            If Not fso.FolderExists(strPath & strSubDir) Then
                ' Need to loop through strSubDir and create all sub directories
                GeneratePath strPath & strSubDir, fso
            End If
            GetTaniumDir = strPath & strSubDir & "\"
        Else
            ' Specified Path doesn't exist on the filesystem
            WScript.Echo "Error: " & strPath & " does not exist on the filesystem"
            GetTaniumDir = False
        End If
    Else
        WScript.Echo "Error: Cannot find Tanium Client path in Registry"
        GetTaniumDir = False
    End If
End Function 'GetTaniumDir

Function GeneratePath(pFolderPath, fso)
    ' Recursively creates pFolderPath and any missing parent folders
    GeneratePath = False
    If Not fso.FolderExists(pFolderPath) Then
        If GeneratePath(fso.GetParentFolderName(pFolderPath), fso) Then
            GeneratePath = True
            Call fso.CreateFolder(pFolderPath)
        End If
    Else
        GeneratePath = True
    End If
End Function 'GeneratePath

Notice that I have copied code from existing sensors, namely the GetTaniumDir function (also requires GeneratePath and RegKeyExists) which reads the registry to determine where our client is installed. Providing an argument will append that to the end of the Tanium directory that was read. The new community will soon have the feature to add reusable code blocks like this with a simple checkbox. But until then, simply copy-paste the functions needed from other code.

“Distribute SigCheck” Package
The distribution package has multiple components that are a bit complicated when combined together. I will boil down each component and help you build this package. The Tanium Client will automatically download all files related to the package for us… they’ll all be sitting in the working directory of the command line we specify. Typically that is Tanium Client\Downloads\Action_XXXX. Knowing that, let’s look at the overall logic we’ll be using:
1. Unzip the SigCheck.zip file
2. Get the Tanium client directory using the same reusable code we added to the sensor.
3. Copy the SigCheck.exe into the Tools directory under the Tanium Client directory.
4. Agree to the Sysinternals EULA by indicating agreement within the Registry. (this is required or the SigCheck utility will hang every time waiting for user input which will never come since you’re running as SYSTEM on the endpoint).

Distributing SigCheck

Steps 1, 2, and 3: Unzip SigCheck.zip into Tools Directory
To unzip the utility we acquired from Microsoft, we’ll need to use a command line unzip utility. In the official content, we often use 7za.exe. It is an extremely small utility that we will add to our package with the following details:

Filename: 7za.exe
URI: https://community.tanium.com/files/7za.exe
SHA-256: c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
Check for Updates: Never

The following reusable code block will be used to unzip our utility zip file:

Sub Unzip(strZipFilePath, strTargetDir)
    ' Takes full file path to zip file, path to target directory
    ' will extract to target directory as a subdirectory
    ' overwriting anything in the subdirectory and showing no UI.
    Dim objShell, objFSO, strCurrentDir, strZipUtil
    Dim strTempDir, strZipFileName, strCommand, intResult

    Set objShell = WScript.CreateObject("WScript.Shell")
    Set objFSO = CreateObject("Scripting.FileSystemObject")

    ' directory this script runs from (the package's Action_XXXX download dir)
    strCurrentDir = Replace(WScript.ScriptFullName, WScript.ScriptName, "")

    If Not objFSO.FileExists(strZipFilePath) Then
        WScript.Echo "Cannot continue - " & strZipFilePath & " does not exist"
        Exit Sub
    End If

    strZipUtil = strCurrentDir & "7za.exe"

    If Not objFSO.FileExists(strZipUtil) Then
        WScript.Echo "Cannot continue - " & strZipUtil & " does not exist"
        Exit Sub
    End If

    If Not objFSO.FolderExists(strTargetDir) Then
        objFSO.CreateFolder(strTargetDir)
    End If

    strZipFileName = objFSO.GetFile(strZipFilePath).Name
    ' remove .zip from end
    If InStr(LCase(strZipFileName), ".zip") = Len(strZipFileName) - 3 Then ' ends in zip
        strZipFileName = Left(strZipFileName, Len(strZipFileName) - 4)
    End If
    strTempDir = strCurrentDir & strZipFileName
    WScript.Echo "Unzipping to " & strTempDir
    If Not objFSO.FolderExists(strTempDir) Then
        objFSO.CreateFolder strTempDir
    End If

    ' 7za: x = extract with paths, -y = assume yes on prompts, -o<dir> = output directory
    strCommand = Chr(34) & strZipUtil & Chr(34) & " x -y -o" & Chr(34) & strTempDir & Chr(34) & " " & Chr(34) & strZipFilePath & Chr(34)

    WScript.Echo "running unzip:"
    WScript.Echo "   command: " & strCommand

    ' 0 = hidden window, True = wait for 7za to finish before continuing
    objShell.Run strCommand, 0, True

    If objFSO.FolderExists(strTempDir) Then
        WScript.Echo "Copying " & strTempDir & " to " & strTargetDir
        On Error Resume Next
        intResult = objFSO.CopyFolder(strTempDir, strTargetDir, True) ' overwrite
        On Error Goto 0
        If intResult = 0 Then
            WScript.Echo "Success"
        Else
            WScript.Echo "Failure - result is " & intResult
        End If
    End If
End Sub 'Unzip

This function allows us to unzip with a single command: Unzip Source-Zip-File Destination-Folder
We’ll accomplish steps 1–3 in one fell swoop after setting up a few variables. We need the full path of our zip file as well as the destination folder to extract into. To get the current working directory where the zip file was downloaded for us, we can read the shell object’s CurrentDirectory as follows:

Set objShell = CreateObject("WScript.Shell")
strCurrentDir = objShell.CurrentDirectory
To get the destination folder, we’ll reuse the technique we learned from the sensor above to get the Tanium Client directory:
strTaniumDir = GetTaniumDir("Tools")
Now accomplishing steps 1 through 3 is as easy as:
Unzip strCurrentDir & "\SigCheck.zip", strTaniumDir

Step 4: Agree to Sysinternals EULA
Before we can execute the SigCheck utility, Sysinternals requires you to agree to their EULA. When you execute it for the first time, a popup box appears with the EULA and an Agree or Cancel button. After some research I learned the EULA agreement flag is stored in the user’s profile inside the registry (HKEY_CURRENT_USER\Software\Sysinternals\SigCheck).
Before the Tanium Client can use this utility, the SYSTEM user must agree to the EULA. This presents a problem since SYSTEM doesn’t have a UI nor are we sitting at the thousands of machines we want to run the utility on. Thus we will need to indicate agreement by adding the “EulaAccepted” registry value. We’ll do that with the following code:

Dim WshShell
Set WshShell = WScript.CreateObject("WScript.Shell")
' the package runs as SYSTEM, so HKEY_CURRENT_USER here is the SYSTEM account's hive
WshShell.RegWrite "HKEY_CURRENT_USER\Software\Sysinternals\SigCheck\EulaAccepted", "1", "REG_DWORD"
Set WshShell = Nothing

Downloads
You can download the “Has SigCheck” sensor from the Tanium Community website at: https://community.tanium.com/repo/sensor/788
I’m still building the packages feature of our Community so I’ll follow up later with the package download link.

Bonus… Distribute SigCheck Automatically
All done! To review, we built a sensor to check the existence of our SigCheck utility and built a package to distribute it to our computers. The only problem now is that we may want distribution to occur any time an endpoint comes online and doesn’t have the utility. To accomplish this we’ll need to ask our new sensor question and deploy our new package with the reissue option specified. The following is a screen shot of what this looks like:

Reissue SigCheck

New Mac Enthusiast

It’s official enough that I’m willing to announce it. I am now a Mac person. During this past summer I traded my motorcycle for a Macbook Air, a few other gadgets and some cash for savings. This Macbook Air was used off and on as a place for me to develop the bigfix.me community content and as a way to separate work projects from personal ones. This worked out well, but it still was nowhere near equivalent to my desktop computer, which was an i7 with 16gb ram and a SSD. The Macbook Air had a paltry i3, 4gb of ram and an SSD.
Since leaving IBM, I have purchased the latest Macbook Pro (late 2013) with a retina screen and fully equipped… i7, 16gb ram and a 512mb SSD. Now this is a competitive piece of hardware, and it’s portable.
I have since done everything on this new Mac, and what I can’t do here I remote into one of the dozen or so workstations and servers at my disposal. I even built the new Tanium community using PHP, jQuery, Ajax, Javascript and CSS using a very nice Mac app called Coda 2.
There is very little that I haven’t been able to do. If you haven’t tried a Mac before, I would challenge you to purchase a Macbook. Don’t forget to double-down and pay the extra to max out your configuration… you won’t be sorry!