Gavsto

Administrator
  1. Following the release today by the United States Computer Emergency Readiness Team (https://www.us-cert.gov/APTs-Targeting-IT-Service-Provider-Customers), one of the steps they recommend is to use tools to detect intrusions and identify compromised systems, and that these tools report on APT (advanced persistent threat) actors using Sogu (also called PlugX) to compromise MSP systems. NCCIC recommends that network defenders use these tools to help identify APT activity. This is where this script comes in.

    I've encapsulated the PowerShell script into an Automate script. This script uses C# code to generate a list of Sogu filenames based on the algorithm used in the Sogu implant. The script then uses PowerShell to query the system for drive information and, if selected, locates any Sogu files found on disk. If any are found, a ticket, an alert and an e-mail will be generated.

    As always I would recommend testing this script thoroughly before running it across your estate. This XML will import two scripts: one to Impact Computing\Security - Maintenance, and another to Impact Computing\Function Scripts. The latter is a Darren White script and is a function script to send results to a technician.

    If you are going to schedule this to run, I would schedule it out of hours as it has the potential to spike disk IO. This script purposely bypasses the LabTech Guarding Process so it can run longer than 5 minutes, so if the script sticks you will be left with a powershell.exe instance running until reboot. This won't cause an immediate problem, but it is worth bearing in mind. None of mine stuck during testing, and this script should work on anything with PowerShell 2 or above.

    Download is at https://gavsto.com/sogu-file-searcher-connectwise-automate-script/
  2. Gavsto

    Monitoring for Microsoft Office 2019?

    Show us what you have and we'll try and fix it.
  3. Gavsto

    Agent Status Reports

    You'll have to define agent status, it's quite broad.
  4. I have this information in a Remote monitor. I cover how to set up remote monitors here: https://gavsto.com/remote-monitor-trigger-an-alert-when-a-profile-goes-above-a-certain-size-including-setup-tips-for-remote-monitors/ But instead run this in the Executable / Arguments:

    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -command "& {(gp -path \"HKLM:\SOFTWARE\Microsoft\Internet Explorer\").svcVersion}"

    You can then filter out the data using the monitors: You can filter by Client Name in the same window, as well as export to Excel using the options dropdown in the same window.
  5. Gavsto

    Speed optimization of On-Prem Automate

    @dlong93 It is not fixed in Patch 9 annoyingly; it is slated for patch 10.
  6. Gavsto

    Automate: New Network Map???

    @dlong93 @bigdog09 I don't believe that it will be extra as it is going into the core product. I also believe that the map will be available in thick client and the new automate web app.
  7. Gavsto

    Daily SQL Script

    DELETE FROM computerroledefinitions WHERE currentlydetected=0 AND `type`=0;

    Another good one to add to this list! In certain cases it will reduce monitor noise - this detects roles that were detected and are now missing from agents. A lot of these will be false positives generated by poorly coded roles (i.e. a lot of the official ones).
  8. Gavsto

    Symantec.Cloud 22.14.2.13

    Try this one, also attached as an SQL import (SQLDefinitionSymantecCloud.sql). To force redetection on agents: Commands > Update Config, then Commands > Resend System Info.
  9. Gavsto

    Internal Monitor Help Needed

    If what you are looking to do is monitor Windows Server Backups, first import this role:

    Then create a search that searches for everything with that role (you'll need to do an Update Config and Resend System Information on the agents, or you can wait). Then create a group and attach this search as a condition of joining the group. Then create a remote monitor set as the following and attach it to the group:

    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& {$ErrorActionPreference = 'SilentlyContinue';Add-PSSnapin Windows.ServerBackup;$wbs = Get-WBSummary;$lastsuccessfulbackuptime = $wbs.LastSuccessfulBackupTime;$TimeSpan = $(Get-Date) - [DateTime]$($wbs.LastSuccessfulBackupTime);Write-Output $($TimeSpan.TotalDays)}"

    Note I've removed the UKCulture line my screenshot has, but that's what goes into Executable/Arguments. The result condition, less than 3, means how many days it has to hit before it triggers the alert. This uses the Windows Server Backup PowerShell cmdlets to work out how many days since the last successful backup. Ensure you set the alert template. See here for how to attach remote monitors to groups: https://gavsto.com/remote-monitor-trigger-an-alert-when-a-profile-goes-above-a-certain-size-including-setup-tips-for-remote-monitors/ Reply in here or come ping me on Slack @gavsto if you have any questions.
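    As an added example (not the monitor command from the post above), a longer form of the same days-since-last-backup check that returns a large sentinel number instead of blank output when no backup has ever succeeded or the Windows Server Backup cmdlets are unavailable, so a "never backed up" server still trips the monitor. It assumes the monitor alerts when the returned value is above the threshold; the MinValue behaviour of Get-WBSummary and the 9999 sentinel are assumptions, not from the post.

```powershell
# Added example, not the original post's code: days since the last successful
# Windows Server Backup, with a sentinel for "never" / "cmdlets missing".
$ErrorActionPreference = 'Stop'
try {
    # Server 2008 R2 exposes the cmdlets as a snap-in; 2012+ as a module.
    if (Get-Module -ListAvailable -Name WindowsServerBackup) {
        Import-Module WindowsServerBackup
    } else {
        Add-PSSnapin Windows.ServerBackup
    }
    $summary = Get-WBSummary
    $last = $summary.LastSuccessfulBackupTime
    # Assumption: WSB reports [DateTime]::MinValue (01/01/0001) when no backup
    # has ever succeeded; the original one-liner would then emit nothing.
    if ($null -eq $last -or $last -eq [DateTime]::MinValue) {
        Write-Output 9999   # constructed sentinel: must exceed any sane threshold
    } else {
        $days = ((Get-Date) - $last).TotalDays
        Write-Output ([math]::Round($days, 2))
    }
} catch {
    # Backup feature not installed or cmdlets failed to load: also alert-worthy,
    # so return the same sentinel rather than silence.
    Write-Output 9999
}
```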
  10. Gavsto

    Include log file content in ticket

    There are a few ways to do this, Jason. One is Script Function, Variable Set, File Contents. The method I use though: If you want the entire log, cut off everything after .log". Obviously replace the Get-Content " " with the path to your log. Using the below though, the Select-String will pull back all lines in the log that contain the word "Error" so you don't get the rest of the stuff in the log.
  11. It's a caching issue. The engineers just need to do the following in the top right hand corner of the Automate 12 Window. This should allow them to see any machine that has been added to the system recently:
  12. Do yourself a favour and use the script Function Execute Script > Powershell Bypass. You can then put the PS1 contents directly into the Automate script. Incidentally your script is probably broken because you are not invoking the parameter properly. Example: yourscript.ps1' -Param1 '192.168.1.1' -Param2 'Router'
  13. Good Morning/Afternoon Connectwise Automate Campers! It's time for the next delivery of the LabTechGeek Digest!

    Automate 12 - Patch 7

    After a rocky start with Patch 6, Patch 7 has been relatively stable with no known major issues. Be aware of potential issues with IIS though during the install - not a fault with the patch, but an issue with IIS and Microsoft's July patches. See here for more details: https://bit.ly/2Akrgoz With that in mind, this is a good stable base to upgrade to if you've been waiting for a while to upgrade. I continue to be impressed with the speed of development for the new Automate Web App, and I'm sure we'll see some good additions to it over the next few patches. Hopefully we will see the addition of a Current User/Last Logged on User column soon; it's the only thing really stopping heavy usage for a lot of the engineers at my MSP.

    Slack

    We are now over 3000 users in our Slack, and growth doesn't seem to be slowing down. Thanks to all Admins and members who contribute. If you're not already in our Slack, you can join here - https://slack.labtechgeek.com/

    We need your Feedback!

    Thank you to everyone who has already filled in the Feedback form that has been posted in Slack for a few weeks. If you haven't, then we'd really appreciate getting your feedback on our GeekCast and LabTechGeek content in general: https://goo.gl/forms/FAC0m1Gua9fToit13

    Agent response slow? Tired of waiting to interact with agents? Offline server alerts flaky? Your heartbeat may be broken

    Following a conversation in the Slack just over a month ago, I asked a number of members in Slack to check whether their heartbeat was working or not – and a good 40% of the people that checked found this wasn't working properly. When heartbeat isn't working it can significantly impact the day to day running of Automate. If you can answer yes to any of the questions in this section's title, I would advise you have a read of my article on how to identify and fix problems with heartbeat: https://bit.ly/2OhOONr

    LabTechGeek Downloads

    Are you aware of this section of the LabTechGeek Forums? https://www.labtechgeek.com/files/ This is where we have started posting Scripts, SQL Definitions, Role Definitions and more. Over the upcoming months, we are going to start adding more content in here – and you can help. We are going to start giving trusted community members the ability to post files in here. If you want to contribute, please message me on Slack (@gavsto). Some of my favourite ones in there so far:

    https://www.labtechgeek.com/files/file/17-script-backup/ - Backup your LabTech Scripts into a folder hierarchy that matches the Automate script folders. Each time a script is exported, the last updated time and user information is included, providing multiple script revisions as it is changed over time.

    https://www.labtechgeek.com/files/file/16-powershell-deployment-scripts/ - PowerShell deployment scripts for PowerShell 2, 3, 4, 5? Yes please!

    https://www.labtechgeek.com/files/file/8-bitlocker-enabled/ - Role definition to detect that BitLocker is enabled on a machine.

    See you next month (ish)! Gavsto and the LabTechGeek Admin Team
  14. Version 1.0.0

    17 downloads

    This SQL can be imported in System > General > Import > SQL File. It will add an additional role definition that detects when a Windows Server Backup is scheduled on an agent. Note - it is possible to have the Windows Server Backup role installed, but without actually using its functionality to backup. This role definition will only detect when a backup has at some point been scheduled.
  15. Gavsto

    Patch Compliance Report by Agent Type

    If you don’t have any luck sorting this I can sort it commercially. Don’t expect it would take longer than an hour or two. Look into grouping on the existing report.