jgstew / bigfix-content Goto Github PK

Many SysInternals tools can be downloaded directly from: https://live.sysinternals.com/

Completed:

• Create Content for SysInternals Autoruns: #10
• Create content for SysInternals sigcheck certs: #9

Candidates:

• https://docs.microsoft.com/en-us/sysinternals/downloads/rootkit-revealer
• https://docs.microsoft.com/en-us/sysinternals/downloads/pipelist
• https://docs.microsoft.com/en-us/sysinternals/downloads/psfile
• https://docs.microsoft.com/en-us/sysinternals/downloads/listdlls
• https://docs.microsoft.com/en-us/sysinternals/downloads/psloggedon
• https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview
• https://docs.microsoft.com/en-us/sysinternals/downloads/psping
• https://docs.microsoft.com/en-us/sysinternals/downloads/psshutdown
• https://docs.microsoft.com/en-us/sysinternals/downloads/movefile
• https://docs.microsoft.com/en-us/sysinternals/downloads/ntfsinfo
• https://docs.microsoft.com/en-us/sysinternals/downloads/sync
• https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
• https://docs.microsoft.com/en-us/sysinternals/downloads/regjump
  • this would be useful in demos to open directly to uninstall keys
• https://docs.microsoft.com/en-us/sysinternals/downloads/strings
  • useful to find undocumented strings in binary files
• https://docs.microsoft.com/en-us/sysinternals/downloads/zoomit
  • I might want to use this for presentations, the windows built in one is annoying.
• SigCheck but for EXEs: https://docs.microsoft.com/en-us/sysinternals/downloads/sigcheck
  • Very Slow, took 3 hours on my Windows Folder

My hope is to have something like a Visual Studio Code Extension to enable this, but also make it easier to do this in any language anywhere.

Validation / Linting:

• Is it valid Relevance?
• Is it valid ActionScript? ActionScript.schclass
• Is it valid XML?
• Does the XML conform to BES.xsd schema or related schema?

Syntax Highlighting:

• Colorize Relevance / Actionscript as you type
• Can this be done within an XML file as well???
• briangreenery/highlight.js@3b565ed

Debugging:

• Run Relevance locally using QnA binary
• Remote Debug Relevance using BigFix Fast Query Channel

References:

• https://github.com/briangreenery/BigFix-Sublime-Extensions
• https://github.com/itsmpro92/BigFix/blob/master/BF%20Relevance%20UDL.xml
• https://forum.bigfix.com/t/actionscript-code-snippets/21572
• https://forum.bigfix.com/t/language-definitions-for-notepad/32101/6
• https://github.com/briangreenery/relevance-parser-js
• briangreenery/highlight.js@3b565ed

• https://github.com/jgstew/bigfix-content/blob/master/fixlet/Test%20Fixlet%20Evaluation-Period.bes

automatically escape { in powershell, add it to a createfile command with actionscript to run it.

There are tons of existing projects out there, but not a lot of example content to use them.

Starting with these logs:

• Security
• System
• Application

Using the Security Log as an example, the current settings seem to be stored here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security

While the Group Policies that also affect this are here:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Eventlog\Security

It seems like the policies location overrules the other location, which makes sense.

Relevance:

To get the max log size setting (in MB) assuming no policy, then it should be:

(it / 1024) of (it as integer) of values "MaxSize" of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security" of registries

Getting the same but set by policy would be:

(it as integer) of values "MaxSize" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Eventlog\Security" of registries

Combined, getting only policy location first, otherwise getting regular location:

(it as integer) of value "MaxSize" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Eventlog\Security" of registries | (it / 1024) of (it as integer) of value "MaxSize" of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security" of registries | ERROR "NoValue"

Changing the setting for "archive the log when full, do not overwrite events" in the GUI sets both the AutoBackupLogFiles setting and the Retention values here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security

Related:

• https://bigfix.me/fixlet/details/24619
• https://helpcenter.netwrix.com/Configure_IT_Infrastructure/Windows_Server/WS_Event_Log_Settings.html
• https://blogs.manageengine.com/active-directory/2015/03/20/autoarchiving-security-logs-in-event-viewer.html
• https://github.com/strawgate/C3-Inventory/blob/master/Analyses/Event%20Log%20-%20Windows.bes

I'd recommend reviewing this related presentation first: https://drive.google.com/file/d/1dUqdTSuqex-c-3Iu33cnWEP6oV0vN0tm/view?usp=sharing

Make content that can be safely used to set recommended client settings that can be taken as a policy action targeted to ALL COMPUTERS. These are conservative, not setting anything that shouldn't be left in place in almost all cases, and most of the settings are only set if not already set to a different value, and only set once, so that if they are overridden later, then so be it. (command polling is an exception, the interval can be changed, but it MUST be enabled with an interval no greater than once every 6 hours)

Content ready to deploy:

• Set "_BESClient_Resource_PowerSaveEnable" once after 2 days in bigfix: https://github.com/jgstew/bigfix-content/blob/master/fixlet/clientsettings/Set%20__BESClient_Resource_PowerSaveEnable_%20to%20_1_%20after%202%20days%20-%20Universal.bes
• Set command polling to at least once every 6 hours: (if unset or set to a longer interval) https://github.com/jgstew/bigfix-content/blob/master/fixlet/clientsettings/Force%20CommandPollInterval%20to%20be%20less%20than%206%20hours%20-%20Universal%20-%20Policy.bes
• Set initial client settings if unset: https://github.com/jgstew/bigfix-content/blob/master/fixlet/clientsettings/Recommended%20Client%20Settings%20-%20Initial%20Provisioning%20Speed%20up%20-%20Long%20term%20settings.bes
• Policy action to force command polling to be enabled: https://github.com/jgstew/bigfix-content/blob/master/fixlet/clientsettings/Set%20__BESClient_Comm_CommandPollEnable_%20to%20_1_%20-%20Universal.bes

For other settings:

Windows Console Dashboard to help generate tasks to manage bigfix client settings:

• https://github.com/jgstew/bigfix-content/blob/master/dashboards/ClientSettingsManager.ojo

Other Example Fixlets to set client settings:

• https://github.com/jgstew/bigfix-content/tree/master/fixlet/clientsettings

Related:

• https://bigfix.me/fixlet/details/26657
• https://bigfix.me/fixlet/details/87
• https://bigfix.me/fixlet/details/6117
• https://bigfix.me/fixlet/details/5024
• https://github.com/jgstew/bigfix-content/tree/master/fixlet/clientsettings
• https://github.com/jgstew/bigfix-content/blob/master/dashboards/ClientSettingsManager.ojo
• https://github.com/jgstew/jgstew.github.io/tree/master/_bfsettings
• https://github.com/jgstew/jgstew.github.io/blob/master/_bfsettings/_BESClient_Resource_PowerSaveEnable.md
• https://gist.github.com/jgstew/51a99ab4b5997efa0318

Use BigFix content to more easily setup and forward SysLog data to a collector. ( NXlog, ELK, Splunk, Graylog )

Start with arbitrary data, then BigFix logs, then OS logs.

• https://bigfix.slack.com/archives/CA4N683J6/p1581108583118900
• https://nxlog.co/products/nxlog-community-edition
• https://github.com/strawgate/C3-Inventory#nxlog

Create content for sigcheck: https://twitter.com/swiftonsecurity/status/946532192460648448?s=21

sigcheck.exe -accepteula -c -nobanner -tv * -u

SigCheck will download the current Microsoft Trusted Root Store and look for any certificates not rooted by it that would be considered invalid on a default windows install. Any positive results are likely malicious or inappropriate (eDellRoot) and should be investigated.

Related:

• https://docs.microsoft.com/en-us/sysinternals/downloads/sigcheck
• https://forum.bigfix.com/t/working-to-detect-and-remove-the-edellroot-malicious-root-certificate/15089

see if during action execution you can check what the reapply behavior is set to and fail if it is too often

This matters if something like this is set to reapply every day: https://github.com/jgstew/bigfix-content/blob/master/fixlet/Compress%20and%20Upload%20System%20Logs%20-%20Windows.bes#L124

Can use the action header task to investigate: https://github.com/jgstew/bigfix-content/blob/master/fixlet/Test%20Action%20Header%20Info%20-%20Universal.bes

The dell catalog has an entry for Precision 3431 but in at least some cases, the actual model is reported as Precision Tower 3431 so then the relevance doesn't match.

This example was provided:

Q: exists values "product_name" whose(it as string as trimmed string as uppercase contains "Precision 3431" as trimmed string as uppercase) of structures "system_information" of smbios
A: False
T: 1.1000 ms
Q: ("Precision Tower 3431" as uppercase) = ((value "product_name" of structures "system_information" of smbios) as string as trimmed string as uppercase)
A: True
T: 4.000 ms

It may work to check that the model string starts with Precision and ends with 3431 but the model number MUST have a space before the numerals, because some models might be E7000 vs 7000 and the relevance needs to make sure to not think the BIOS update for model 7000 also applies to model E7000

It would be nice to have the unique set of results of (it as string as trimmed string) of values "product_name" of structures "system_information" of smbios across as many Dell / HP / Lenovo systems as possible to find these edge cases.

Turn existing content for creating MSI uninstallers with a RESTAPI/Fixlet into a Console Dashboard

• https://www.bigfix.me/relevance/details/3009843
• https://bigfix.me/fixlet/details/14143

This was brought up in the BigFix slack and I think it is a great idea to have a fixlet to set BigFix to be able to run in Windows Safe Mode.

Related:

• https://superuser.com/a/884047
• https://superuser.com/a/570827/413576

Related:

• https://unix.stackexchange.com/questions/118265/how-to-encyrpt-a-message-using-someones-ssl-smime-p7s-file

Create a simplified dashboard that creates a prefetch and nothing more.

See function CreateAction() in file: BES Support\SWDistributionSummary.js

Will also need this in the OJO at least: var isEvansOrLater = '<?relevance if (exists property "datastore inspectors") then True else False?>' == 'True'?true:false;

Look at automating the addition of Icons to content for display within the Self Service Application using REST API or Dashboard or other methods.

Can get an Icon from the content's prefetch statement on windows using: https://github.com/jgstew/tools/blob/master/CSharp/ExtractAssociatedIcon.bat

ToDo:

• Test if SSA will display a .ico format image natively: data:image/x-icon;base64,
• Test if SSA will display an SVG format image (it doesn't, need to file RFE)
• Create Powershell script to convert file to Base64
• Test Relevance to convert file to Base64
• Figure out easiest way to convert .ico format to PNG (if above doesn't work)
• Get PNG file for SSA from MacOS ICNS file
• See if the mimefield image can be added from a fixlet description to the fixlet itself
• See if the mimefield image can be added on action taken to the action itself
• Create Console Dashboard to:
  • display current Icons
  • Add Icons
  • Replace Icons

Examples:

Console Dashboard for SSA Icons:

• https://github.com/jgstew/bigfix-content/blob/master/dashboards/IconsForSSA.ojo

PNG Image MIMEField:

<MIMEField>
    <Name>action-ui-metadata</Name>
    <Value>{"version":"66.208.49227","size":46641152,"icon":"data:image/png;base64,iVB....CC"}</Value>
</MIMEField>

Fixlet with SSA Icon:

https://github.com/jgstew/bigfix-content/blob/master/fixlet/Open%20Monitor%20Manual%20-%20PG279Q%20-%20Windows.bes

Client Relevance:

• base64 encode file: (base64 encodes it) of concatenations of lines of files "setup.exe.ico"
• fixlet name & icon: (values of headers "Subject" of it, ("<img alt='icon' height='64' src='" & it as string & "'>") of values of keys "icon" of jsons of values of headers "action-ui-metadata" of it) of fixlets of sites whose("Custom Site" = type of it)
• get Mac App Icon filename: (it & ".icns") of (preceding text of last ".icns" of it | it) of strings "CFBundleIconFile" of dictionaries of files "Contents/Info.plist" of folders whose(name of it as lowercase ends with ".app") of folders "/Applications"
• Get Mac App Icon pathname: (pathname of folders "Resources" of folders "Contents" of items 0 of it & "/" & item 1 of it) of (it, (it & ".icns") of (preceding text of last ".icns" of it | it) of strings "CFBundleIconFile" of dictionaries of files "Contents/Info.plist" of it) of folders whose(name of it as lowercase ends with ".app") of folders "/Applications"
• Get Mac App Name & Icon pathname: ( preceding texts of lasts ".app" of names of it, (pathname of folders "Resources" of folders "Contents" of items 0 of it & "/" & item 1 of it) of (it, (it & ".icns") of (preceding text of last ".icns" of it | it) of strings "CFBundleIconFile" of dictionaries of files "Contents/Info.plist" of it) of it) of folders whose(name of it as lowercase ends with ".app") of folders "/Applications"
• (preceding texts of lasts ".png" of names of it, sizes of it) of files ending in ".png" of folders "/tmp/_BigFix/Icons"
• number of (concatenations of lines of it) of files ending in ".png" of folders "/tmp/_BigFix/Icons" of encodings "ISO-8859-1"
• get icon files in Mac .app bundle: files whose(name of it as lowercase ends with ".icns") of folders "Contents/Resources" of folders whose(name of it as lowercase ends with ".app") of folders "/Applications"

Session Relevance:

• number of fixlets with icons: number of mime fields "action-ui-metadata" of custom bes fixlets
• icon data from fixlets: values of keys "icon" of jsons of mime fields "action-ui-metadata" of custom bes fixlets
• icon HTML from fixlets: (links of it, ("<img alt='icon' height='64' src='" & it as string & "'>") of values of keys "icon" of jsons of mime fields "action-ui-metadata" of it) of custom bes fixlets
• get icons from analysis results: ("<img src='data:image/png;base64," & it & "'>") of unique values of (substrings separated by ";;" of concatenations of values of it) of results of bes properties "base64 of Icons"
• fixlets and tasks missing SSA Icons: (consider baselines too?) number of custom bes fixlets whose( (task flag of it OR fixlet flag of it) AND visible flag of it AND NOT exists mime fields "action-ui-metadata" of it AND exists default action of it)
  • there isn't session relevance to detect which are offers... need to file RFE for this
• ID Name of fixlets/tasks: (id of it as string & " " & name of it) of custom bes fixlets whose( (task flag of it OR fixlet flag of it) AND visible flag of it AND NOT exists mime fields "action-ui-metadata" of it AND exists default action of it)

Mac Icon File Info:

Get Magic Literal:

Q: concatenations of (characters it) of (bytes 0 of it; bytes 1 of it; bytes 2 of it; bytes 3 of it) of files "/Applications/App Store.app/Contents/Resources/AppIcon.icns"
A: icns

• https://en.wikipedia.org/wiki/Apple_Icon_Image_format
  • Primarily PNG or JPEG 2000 within the file
  • "MacOS offers the built-in iconutil command line tool to pack and unpack *.icns files."
• https://developer.apple.com/design/human-interface-guidelines/macos/icons-and-images/app-icon/
• https://github.com/sveinbjornt/osxiconutils
• https://github.com/jgstew/bigfix-content/blob/master/fixlet/Get%20PNG%20From%20ICNS%20File%20-%20MacOS.bes
• https://www.macworld.com/article/1060156/sipsicns.html

Related:

• https://forum.bigfix.com/t/self-service-app-manually-adding-meta-data/22538
• https://github.com/jgstew/tools/blob/master/CSharp/ExtractAssociatedIcon.bat
• https://css-tricks.com/lodge/svg/09-svg-data-uris/
• https://stackoverflow.com/questions/19369334/is-there-a-way-to-show-bitmap-data-in-html-image-tag
• https://www.aconvert.com/image/ico-to-png/
• https://stackoverflow.com/a/5679084/861745
• http://fa2png.io/r/icomoon-free/file-pdf/?color=007dff&margin=2&size=256
• Take ScreenShot - Windows: https://www.bigfix.me/fixlet/details/21898
• ScreenShot Analysis: https://www.bigfix.me/analysis/details/2998452
• View ScreenShot Dashboard: https://github.com/jgstew/bigfix-content/blob/master/dashboards/Screenshots.ojo
• Escape spaces in pathname: https://bigfix.me/relevance/details/3016285
• sveinbjornt/osxiconutils#5

Create bigfix content to monitor and automate the use of AWS Ephemeral Instance Storage for:

• MSSQL TempDB
• BigFix FillDB

Related:

• https://d1.awsstatic.com/whitepapers/best-practices-for-deploying-microsoft-sql-server-on-aws.pdf
• https://www.sqlservercentral.com/forums/topic/tempdb-on-amazon-ephemeral-drives
• https://www.ifm.net.nz/cookbooks/amazon-sql-tempdb/index.html

Goals:

• To automatically deploy bigfix as a part of the OSD Cloud process. (not rely solely on autopilot)
  • OSDeploy/OSDCloud#1
  • https://github.com/jgstew/tools/blob/master/powershell/install_bigfix.ps1
• To do OSCloud with no prompting
  • https://github.com/OSDeploy/OSDCloud/blob/main/Invoke-OSDCloudZTI.ps1
  • https://twitter.com/SuneThomsenDK/status/1380608006942031876?s=20
  • https://www.osdsune.com/home/blog/2021/osdcloud-zti-way
• To create a custom recovery partition with OSDCloud from ISO
  • https://win10.guru/create-a-custom-windows-10-factory-recovery-partition/
  • https://www.tenforums.com/tutorials/106215-factory-recovery-create-custom-recovery-partition.html
  • https://winbuzzer.com/2020/07/07/how-to-create-a-custom-updated-windows-10-recovery-partition-xcxwbt/

OSD Cloud uses the OSD power shell module:

• https://www.powershellgallery.com/packages/OSD
• https://github.com/OSDeploy/OSD

• https://bigfix.slack.com/archives/C03U4LJHU/p1571841268097200?thread_ts=1571783868.093600&cid=C03U4LJHU
• https://forum.bigfix.com/t/webex-chrome-extension-version/19957/14

Dell Command Update added checks to handle BitLocker being enabled when installing BIOS updates, but apparently if you generate BigFix content that installs Dell BIOS updates directly without going through Dell Command Update, then those BIOS updates will happily install with BitLocker enabled (not suspended) and put BitLocker into recovery mode. This is very bad.

Examples with the problem:

• https://bigfix.me/fixlet/details/3907 Generated with https://bigfix.me/fixlet/details/3905

Related:

• https://forum.bigfix.com/t/bios-updates-configuration-using-bigfix/24058
• https://github.com/strawgate/C3-Protect/blob/master/Analyses/Bitlocker%20-%20Audit%20-%20Windows.bes
• https://bigfix.me/fixlet/details/25505
• https://bigfix.me/relevance/details/3004824
• https://bigfix.me/analysis/details/2994763
• https://bigfix.me/analysis/details/2994743
• https://github.com/strawgate/C3-Inventory/blob/master/Analyses/TPM%20-%20Windows.bes
• https://github.com/strawgate/C3-Protect/blob/master/Fixlets/Invoke%20-%20Bitlocker%20Configuration%20Probe%20-%20Windows.bes
• https://www.bigfix.me/fixlet/details/23146?force=true

take an example system and create fixlets to configure browser settings based upon the current settings

generally make it easier to automatically configure browsers with bigfix.

https://twitter.com/panusaukko/status/1177829939950821376?s=21

autorunsc.exe -accepteula -a * -c -h -s -t -v -vt * >>"%TEMP%%COMPUTERNAME%-Autoruns4.csv"

Related:

• https://twitter.com/swiftonsecurity/status/946503303348785152?s=21
• https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns#autorunsc-usage
• Content for SigCheck: #9

Examples:

• https://github.com/CLCMacTeam/AutoPkgBESEngine/tree/master/Recipe%20Examples

Related:

• https://www.youtube.com/watch?v=w4WM6M89hmg
• https://forum.bigfix.com/t/automate-zoom-meetings-upgrade/34149/31?u=jgstew
• https://forum.bigfix.com/t/how-to-find-available-versions-without-scraping-html/34220/8?u=jgstew
• https://scriptingosx.com/2020/05/introducing-installomator/
• https://stackoverflow.com/questions/667017/how-to-check-if-a-file-has-a-digital-signature

https://helpx.adobe.com/creative-cloud/kb/cc-cleaner-tool-installation-problems.html