Udostępnij za pośrednictwem


How to detect Skyrecon software in IAG

By default, IAG is capable of detecting a wide range of software on the client side. What happen if the software I want to check is not in the list ?

I had that constraint with one of my partners, Skyrecon

Here is the methodology we used :

1) asked the partner to create a VBS that will do the checks and will display at the end the result (wscript.echo “XXX”)

2) implement this script in IAG, replace the “Wscript.echo” by “RESULTS”

=> If you are not familiar about how to extend client-side analysis in IAG, check this post :click

Here is the script that we have implemented. WARNING : this script is not supported and is supplied AS IS :

Script Sample

'**********************************************
'** authors
'** Skyrecon :fbonneville@skyrecon.com
'** Microsoft :fesnouf@microsoft.com
'** V1.5 : SUPPLIED AS IS
'**********************************************

Dim isdebug
'set this variable to true if you want to run the VBS on a workstation, will use "wscript.echo" functions
isdebug=False

'Vars for IAG
Dim StormShield_running
StormShield_running = False
Dim StormShield_installed
StormShield_installed = False
Dim StormShield_version
StormShield_version = False
If isdebug=True then
wscript.echo "IAG/StormShield detection script version 1.0"
End If
strVersion = "4.802"
strProcess = "Srservice.exe"
strProcess2 = "Framework.exe"
If isdebug=True Then
wscript.echo "Check StormShield registry keys"
End If
Const HKEY_CLASSES_ROOT = &H80000000
strComputer = "."
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
'Retrieve StormShield Working Dir From the Registry
strKeyPath = "CLSID\{57E31333-9DE9-49ad-9B65-9DAE61FBFFE3}\Agent\Service\Process0"
strValueName = "WorkingDir"
oReg.GetStringValue HKEY_CLASSES_ROOT,strKeyPath,strValueName,strWrkDir

If isdebug=true then
wscript.echo "Working directory is " &strWrkDir
End If

strKeyPath = "CLSID\{57E31333-9DE9-49ad-9B65-9DAE61FBFFE3}"

strValueName = "Version_id"

 
oReg.GetStringValue HKEY_CLASSES_ROOT,strKeyPath,strValueName,strValue

 
If strValue > 0 Then

If isdebug=true then
wscript.echo "Registry key exists (" & StrValue & ") => StormShield_installed=True, Now check version " & strVersion
End If
StormShield_installed=True
Else
If isdebug=true then
wscript.echo "Reg key is missing => StormShield_installed=false"
End If
StormShield_installed=False
End If

'Check StormShield Version
'====================

Function ReadTextFileTest
Const ForReading = 1, ForWriting = 2, ForAppending = 8
Dim fso, f, Msg
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile( strWrkDir & "\conf\version.sro", ForReading)
ReadTextFileTest = f.Read(10)
End Function

If ReadTextFileTest <> strVersion Then
If isdebug=true then
wscript.echo StrVersion & "Current version is not correct (" & StrVersion & ") => StormShield_version=False"
End If
StormShield_version=False
Else
If isdebug=true Then
wscript.echo "Current version is correct (" & StrVersion & ") => StormShield_version=True Now check " & StrProcess
End If
StormShield_version=True

End If

 
'Check If StormShield is running

'=======================

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colProcesses = objWMIService.ExecQuery _
("Select * from Win32_Process Where Name = '" & strprocess & "'")
If colProcesses.Count > 0 Then
If isdebug=True then
wscript.echo StrProcess & " is Running, Now check " & StrProcess2
End If
Set colProcesses = objWMIService.ExecQuery ("Select * from Win32_Process Where Name = '" & strprocess2 & "'")
If colProcesses.Count > 0 Then
If isdebug=True Then wscript.echo StrProcess2 & " => StormShield_running=True"
End If
StormShield_running=True
Else
If isdebug=true then
wscript.echo StrProcess2 & " => StormShield_running=False"
End If
StormShield_running=False
End If
Else

 
If isdebug=true then
wscript.echo StrProcess2 & " is not Running => StormShield_running=False"
End If
StormShield_running=False
End If
If isdebug=true then
WScript.Echo "Installed = " & StormShield_installed
WScript.Echo "Running = " & StormShield_running
WScript.Echo "Currentversion = " & StormShield_version
ELSE
Results("StormShield_installed")= StormShield_installed
Results("StormShield_running")= StormShield_running
Results("StormShield_version")= StormShield_version
END IF

‘<END OF THE SCRIPT>

Comments

As you can see at the end, we just put in remark the “wscript.echo” created by the developper of the script (skyrecon) and use the RESULTS function to send this variables/values back to IAG server.