Jump to content

NETWORK breach remediation


Recommended Posts

  • 3 months later...

Thanks Dyllon,

I will also not get any scan result?

My plan is to do the remote scan on a regular basis and automated so I want to use task scheduler.

I used this command and i only got an error code 0.

psexec \\computername <remote_path>\mbmr scan -hyper -remove -noreboot

 

Regards,

Carlo

Link to post
Share on other sites

  • Staff

Your scans should just show under the logs folder in .\logs\MBMR-STDOUT.XML. You can also use the –stdlog:<filepath> switch to change the logging location if you wish. With psexec, you've got to open the remote cmd first, and from that remote cmd, run the mbmr commands. Don't forget to register and update first as well.

 

Here's how I'd approach this. First make a bat file of the remediation scan you want to do. Here's mine, I'm using mbbr here but the commands and principle is the same (save for the name). I've made a full, threat and hyper scan to engage at will.

58c2e81bb2d0f_clientscanbats.JPG.e3ecccd0ee498ee4180019d9612afccf.JPG

 

Here's my hyper scan...

58c2e81eee681_batcommands.JPG.3791b1e0d54a178ed3a4c6584901884a.JPG

 

Here's the commands, note that I'm turning the color option off to better be compatible with psexec's output. Put these bat's in the mbmr directories on the endpoints you with which you wish to interact, same folder as the mbmr/mbbr executable.

mbmr settings -color:off
mbmr register -key:XXXXX-XXXXX-XXXXX-XXXXX
mbmr update
mbmr scan -hyper -remove -noreboot

 

Then from your admin workstation or server, use psexec to start that bat file, my vm in this example has a simple name, "Win8".

58c2e979c3c94_startpsexec.JPG.cb121e13f31d2f7812b2be21bcb8f229.JPG

58c2ea87f2f64_hyperbat.JPG.5273444b840ed2d323f68dfb1d135517.JPG

58c2eb992ea02_coloroffregister.JPG.50c3e687398c6911b60aa04360e46923.JPG

58c2eb9c39e6c_psexechyperbatupdate.JPG.848b1ffc68af552893c96f813f49a652.JPG

58c2eb9debdaf_scaninprogress.JPG.0df083f15d409b058c749e82952ea262.JPG

 

Link to post
Share on other sites

Hi Dyllon,

 

Thank you for giving the details, this is very helpful.

However, is it possible to save the scan result in the admin workstation?

We plan to copy, scan, then delete the entire mbbr folder to the remote host so that no that there will be no trace on the remote workstation. 

 

Regards,

Carlo

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.