NETWORK breach remediation

[Barboza]

Hello ,
I'm with a doubt can share a folder on my AD with Breach remedition and executes it by psexec? it works ?

[djacobson]

Hi Barboza, you can execute MBBR via psexec, however the MBBR folder should be in a local directory on the computer.

[markcarlo]

Hi Guys,

Good day!

 

Can you share the syntax when using psexec? 

Thank you!

 

Best Regards,

Mark

 

[djacobson]

something like this should get you a remote cmd prompt on the machine you want.

psexec \\computername cmd -h -s 

 

You will need to check the MBBR logs folder for any action failures.

Edited March 10, 2017 by djacobson

[markcarlo]

Thanks Dyllon,

I will also not get any scan result?

My plan is to do the remote scan on a regular basis and automated so I want to use task scheduler.

I used this command and i only got an error code 0.

psexec \\computername <remote_path>\mbmr scan -hyper -remove -noreboot

 

Regards,

Carlo

[djacobson]

Your scans should just show under the logs folder in .\logs\MBMR-STDOUT.XML. You can also use the –stdlog:<filepath> switch to change the logging location if you wish. With psexec, you've got to open the remote cmd first, and from that remote cmd, run the mbmr commands. Don't forget to register and update first as well.

 

Here's how I'd approach this. First make a bat file of the remediation scan you want to do. Here's mine, I'm using mbbr here but the commands and principle is the same (save for the name). I've made a full, threat and hyper scan to engage at will.

 

Here's my hyper scan...

 

Here's the commands, note that I'm turning the color option off to better be compatible with psexec's output. Put these bat's in the mbmr directories on the endpoints you with which you wish to interact, same folder as the mbmr/mbbr executable.

mbmr settings -color:off
mbmr register -key:XXXXX-XXXXX-XXXXX-XXXXX
mbmr update
mbmr scan -hyper -remove -noreboot

 

Then from your admin workstation or server, use psexec to start that bat file, my vm in this example has a simple name, "Win8".

 

[markcarlo]

Hi Dyllon,

 

Thank you for giving the details, this is very helpful.

However, is it possible to save the scan result in the admin workstation?

We plan to copy, scan, then delete the entire mbbr folder to the remote host so that no that there will be no trace on the remote workstation. 

 

Regards,

Carlo

[djacobson]

You can either change the logging output to another location within your scan script, or copy the resulting scan log out of the mbbr folder before deletion.