AR Reaction: More ideas

On this page, we'll document additional ideas for AR Reactions you might find useful or interesting to implement in your environment.  If you have not yet experimented with Reactions, you might choose to start with a couple of fully-documented examples, such as the ones below:

 AR Reaction: Delete File

 AR Reaction: Kill Process 

While Active Response supports several different scripting methods and operating systems, for the sake of simplicity this discussion centers on Windows Reactions executed as OS commands.

If you have additional ideas, thoughts, or questions, please share in the comments.

Reaction Idea: McAfee Agent Wakeup

 

A McAfee Agent Wakeup causes a managed endpoint to connect to its nearest ePO Agent Handler, download any updated policies and client tasks, and upload any pending events and system properties.  Under normal circumstances a McAfee Agent Wakeup requires a connection initiated by the ePO Agent Handler to the managed endpoint.  This is problematic for systems roaming outside the corporate network, since they may not be reachable, and it may then be hours before such a system phones home on its own.  That lag can be critical in the middle of an incident response.

Because Active Response clients maintain a persistent connection via the DXL, it's possible to send the agent a wakeup command in real time via a Reaction (executed either manually or via an AR Trigger).  Note that DXL wakeup is handled automatically by ePO 5.3 and above.

Arguments

No arguments are required for an Agent Wakeup.

Content

Use the following OS Commands to trigger the McAfee Agent to check for new policies (-c), upload any pending local events (-f), and collect and send system properties to ePO (-p).  The path shown is the default install location for McAfee Agent 5.x; adjust it if your agents are installed elsewhere:

     "C:\Program Files\McAfee\Agent\cmdagent.exe" -c

     "C:\Program Files\McAfee\Agent\cmdagent.exe" -f

     "C:\Program Files\McAfee\Agent\cmdagent.exe" -p

Reaction Idea: Copy a file to an external repository

When investigating an incident, it may be necessary to obtain a copy of a suspicious file for offline analysis.  This analysis might be performed via a sandbox technology such as McAfee ATD, or via manual techniques. Regardless, obtaining a sample of a file can be very difficult, especially if the file exists for only short periods of time.  With Active Response Reactions and a properly designed Trigger, it's possible to continuously search for suspect files, and grab copies in real time.

Arguments

This Reaction, at a minimum, requires the full name and path of the file to copy.

You may also choose to implement this in a more generic way by providing the path to the file share as an argument as well.  This would allow you to use a single AR Reaction for multiple different purposes.

Content

The specific content for this reaction depends on where you would like to receive the copy of the suspicious file.  For example, to copy to a Windows file share, use the following OS Command:

     copy "{(unknown)}" \\myfileserver\sample_share\

Where {(unknown)} is passed as an argument, and \\myfileserver\sample_share refers to your preferred file share.

Keep in mind that the command runs in the context of the Active Response client, not the logged-on user, so the share must grant write access to the endpoint's computer account (or whatever account the client runs under).  Use copy rather than move so the original stays on the host for forensics, and treat the share as a quarantine area: make it write-only for endpoints where you can, exclude it from on-access scanning so collected samples are not deleted on arrival, and prefix file names with the host name if several systems may submit the same file.

Alternately, you might choose to use FTP or some other tool to push the file to an external repository.
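The same collection step written as a script-based Reaction, as an added example that is not part of the original article.  It hashes the file before and after copying, names the copy by hash so it is not mistaken for a runnable program on the share, and appends a manifest line per sample.  The $FilePath parameter stands in for the file-path argument the Reaction passes in; the share path \\myfileserver\sample_share is an assumption taken from the command above.

```powershell
# Added example, not from the original article: a script form of the
# copy-to-share Reaction that records evidence about the sample as it collects it.
param(
    [Parameter(Mandatory = $true)][string]$FilePath,      # the Reaction's file-path argument
    [string]$ShareRoot = '\\myfileserver\sample_share'    # assumed quarantine share
)

$ErrorActionPreference = 'Stop'

# Short-lived files may be gone by the time the Reaction fires; report that
# instead of throwing, so the Reaction result says what happened.
if (-not (Test-Path -LiteralPath $FilePath -PathType Leaf)) {
    Write-Output "NOTFOUND: $FilePath"
    exit 2
}

# Hash the original before touching it, so the record describes what was on disk.
$sha256 = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash
$stamp  = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')

# One sub-folder per endpoint avoids collisions when several hosts submit samples.
$dest = Join-Path $ShareRoot $env:COMPUTERNAME
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Name the copy by hash with a neutral extension so nobody double-clicks it on the share.
$target = Join-Path $dest ("{0}_{1}.bin" -f $sha256, $stamp)

# Copy, never move: the original stays on the host for forensics.
Copy-Item -LiteralPath $FilePath -Destination $target

# Verify the copy landed intact before reporting success.
$copied = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
if ($copied -ne $sha256) {
    Write-Output "HASHMISMATCH: $FilePath"
    exit 3
}

# Append a one-line record: when, which host, hash, size, original path.
$info = Get-Item -LiteralPath $FilePath
$line = ($stamp, $env:COMPUTERNAME, $sha256, $info.Length, $FilePath) -join "`t"
Add-Content -LiteralPath (Join-Path $dest 'manifest.tsv') -Value $line

Write-Output "COLLECTED: $target"
exit 0
```

Get-FileHash needs PowerShell 4.0 or later, so this will not run on endpoints still on PowerShell 2.0.  The distinct exit codes (2 not found, 3 hash mismatch) are deliberate: a Reaction that silently "succeeds" on a missing file hides exactly the case this idea is meant to catch.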

Shutdown or Reboot System

Shutting down a potentially compromised system may be a useful last resort in containing a breach.  Rebooting may be necessary to clear out in-memory remnants of a malware infection or to complete the removal of software that has been uninstalled.  Remember that either action destroys volatile evidence (running processes, network connections, memory-resident malware), so collect what you need from the live system first.

Arguments

No arguments are required for a Shutdown or Reboot.

Content

To forcibly shut down a Windows computer:

     shutdown /s /f

To forcibly restart a Windows computer:

     shutdown /r /f

Both commands close running applications without warning (/f).  By default shutdown.exe waits 30 seconds before acting; add /t 0 if the Reaction must take effect immediately, and /c "reason" to record why, which appears in the Event ID 1074 entry the system logs for the shutdown.

Uninstall Software

In many cases you may find instances of installed software that is not permitted by your enterprise policies.  An AR Reaction can be used to invoke the uninstall command to get rid of unwanted software.

Arguments

This Reaction takes the uninstall command to execute as its argument.

Content

The content of this Reaction is very simple in its most basic form: the uninstall string passed in as the argument is executed as an OS command.

     "{{uninstallstring}}"

Uninstall strings can easily be seen by using the InstalledSoftware collector.  The quote marks are there so that the Windows command shell keeps a path containing spaces together.  That only works when the uninstall string is a bare executable path, however: if it also carries arguments (for example the MsiExec.exe /X{product-code} form that most MSI-based products register), quoting the whole string makes the shell treat the path and arguments together as one program name and the command fails.  Check the strings the collector returns for the products you intend to remove before relying on this form.

Note that this is a very powerful, but also potentially very dangerous Reaction to implement in this manner in a production environment.  As written, it allows any arbitrary OS command to be run with the privileges of the Active Response client, and if the argument is supplied by a Trigger, whoever can influence that data controls what is executed.  In practice, this should be implemented as a script with basic error and permissions checking to ensure that only authorized commands are allowed to run, for example by accepting only uninstall strings that are actually registered under the Windows Uninstall registry keys on that host.
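One way to add the checking described above, as an added example that is not code from the original article: the script accepts an uninstall string only if the endpoint's own Uninstall registry keys contain that exact string, splits the executable from its arguments so quoting does not swallow them, forces MSI removals to run silently, and reports the installer's exit code.  $UninstallString stands in for the {{uninstallstring}} argument; the registry locations are the standard Windows Uninstall keys.

```powershell
# Added example, not from the original article: a script form of the Uninstall
# Software Reaction that refuses anything not registered on the host.
param(
    [Parameter(Mandatory = $true)][string]$UninstallString   # the {{uninstallstring}} argument
)

$ErrorActionPreference = 'Stop'
$requested = $UninstallString.Trim()

# The standard per-machine Uninstall keys (64-bit and 32-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Allowlist: only strings Windows itself has registered may run.  This stops the
# Reaction from being used as a generic "run any command" primitive.
$registered = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.UninstallString } |
    ForEach-Object { $_.UninstallString.Trim() }

if ($registered -notcontains $requested) {
    Write-Output "REJECTED: not a registered uninstall string on $env:COMPUTERNAME"
    exit 2
}

# Separate the executable from its arguments.  Quoting the whole string, as the
# bare OS-command form does, would make the shell look for a program whose name
# includes the arguments.  (Unquoted paths that themselves contain spaces are
# not handled here; registered strings normally quote those.)
if ($requested -match '^"([^"]+)"\s*(.*)$') {
    $exe, $argString = $Matches[1], $Matches[2]
} else {
    $exe, $argString = $requested -split '\s+', 2
}

# MSI entries are often registered as MsiExec.exe /I{product-code}; turn that into a
# silent removal so a run in the service context does not hang waiting on a dialog.
if ($exe -match 'msiexec(\.exe)?$') {
    $argString = ($argString -replace '^/I', '/X') + ' /qn /norestart'
}

$startParams = @{ FilePath = $exe; Wait = $true; PassThru = $true; NoNewWindow = $true }
if ($argString) { $startParams.ArgumentList = $argString }
$proc = Start-Process @startParams

# msiexec returns 3010 when the removal succeeded but a reboot is pending.
if ($proc.ExitCode -in 0, 3010) {
    Write-Output "REMOVED: $requested (exit $($proc.ExitCode))"
    exit 0
}
Write-Output "FAILED: $requested (exit $($proc.ExitCode))"
exit 1
```

The host-registered check is the minimum; if a Trigger will feed this Reaction automatically, also keep a short list of product names you actually intend to remove and compare the registry entry's DisplayName against it, so that a registered but business-critical product cannot be uninstalled by a mis-tuned Trigger.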

Stop/Start a Windows Service

Stopping or restarting a service on a host can be a useful tool in circumstances when critical Windows services may have been compromised.

Arguments

Each of these Reactions requires the name of the Windows service to be passed in as an argument.  Quote the value if the name contains spaces.

Content

To stop a Windows Service:

     net stop {{servicename}}

To start a Windows Service:

     net start {{servicename}}

If other services depend on the one being stopped, net stop asks for confirmation before stopping them too.  A Reaction runs non-interactively and has no one to answer that prompt, so include /y in the command when the target may have dependents.
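The stop/start Reactions as one script that verifies the outcome rather than trusting net.exe's output, as an added example that is not code from the original article.  $ServiceName stands in for the {{servicename}} argument; $Action is an assumed second argument so a single Reaction can serve both purposes.  Stopping also sets the start type to Disabled, which is what you usually want for a service suspected of being compromised.

```powershell
# Added example, not from the original article: stop or start a Windows service
# and confirm the state change, with distinct exit codes for each failure mode.
param(
    [Parameter(Mandatory = $true)][string]$ServiceName,          # the {{servicename}} argument
    [ValidateSet('Stop', 'Start')][string]$Action = 'Stop',       # assumed second argument
    [int]$TimeoutSeconds = 30
)

$ErrorActionPreference = 'Stop'

$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "NOTFOUND: no service named '$ServiceName' on $env:COMPUTERNAME"
    exit 2
}

# Record the state we found; useful when the Reaction result is reviewed later.
Write-Output "BEFORE: $($svc.Name) is $($svc.Status)"

$wait = [TimeSpan]::FromSeconds($TimeoutSeconds)
try {
    if ($Action -eq 'Stop') {
        # -Force also stops dependent services, the case where net stop would prompt.
        Stop-Service -Name $ServiceName -Force
        $svc.WaitForStatus('Stopped', $wait)
        # Keep a suspect service from coming back at next boot or on demand.
        Set-Service -Name $ServiceName -StartupType Disabled
    } else {
        # A service left Disabled by an earlier Stop cannot be started until re-enabled.
        Set-Service -Name $ServiceName -StartupType Manual
        Start-Service -Name $ServiceName
        $svc.WaitForStatus('Running', $wait)
    }
} catch [System.ServiceProcess.TimeoutException] {
    Write-Output "TIMEOUT: $ServiceName did not reach the requested state within $TimeoutSeconds s"
    exit 3
} catch {
    Write-Output "ERROR: $($_.Exception.Message)"
    exit 4
}

# Re-read the state from the SCM instead of trusting the cmdlet's silence.
$svc.Refresh()
Write-Output "AFTER: $($svc.Name) is $($svc.Status)"
$expected = if ($Action -eq 'Stop') { 'Stopped' } else { 'Running' }
if ($svc.Status -ne $expected) { exit 1 }
exit 0
```

A service that ignores the stop request (status stuck at StopPending) surfaces here as exit code 3 after the timeout rather than as a false success, which is the point of waiting on WaitForStatus instead of returning right after Stop-Service.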

Other Reaction Ideas

  • Modify the Windows Registry.  Microsoft provides the reg.exe command to allow modification of the registry from the command line.  For details on the syntax for reg.exe, please see Microsoft Technet.
  • Restore a compromised file (e.g. hosts) to a known good state.  If a critical system file such as the local hosts name resolver is found to be corrupt or otherwise compromised, an AR Reaction can delete the bad file and replace it with a known good copy from an external repository.  Keep a copy of the bad file first; it is evidence of what the attacker was redirecting.
  • Network isolation: Various tools can be used to achieve network isolation.  The simplest method may be to leverage McAfee Host Intrusion Prevention or another local firewall to put in place a restrictive firewall rule set that blocks all unauthorized network activity.  Make sure the rule set still allows the DXL and ePO traffic the Active Response client needs, or you lose the ability to send the isolated host any further Reactions.
  • Clear browser cache and cookies:  The following command clears Internet Explorer cookies: RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2.  The trailing number selects what is cleared (2 for cookies, 8 for temporary Internet files, 255 for everything).
  • Delete backdoor account: net user {{username}} /del
  • Set McAfee Agent custom properties.  McAfee Agent custom properties allow you to define up to four custom properties on each endpoint.  These can in turn be used by ePO to sort systems into System Tree groups, assign ePO tags, policies, tasks, etc.  You can use the maconfig tool to set the properties locally; they are synchronized to ePO the next time the agent sends full properties (which the Agent Wakeup Reaction above can force).  The command to set a McAfee Agent custom property is: "C:\Program Files\McAfee\Agent\maconfig.exe" -custom -prop1 "{{propvalue}}"  where prop1 selects which custom property to set (prop1 to prop4) and {{propvalue}} represents an argument passed in to your Reaction.
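The hosts-file restore idea from the list above, as an added example that is not code from the original article.  It compares the live hosts file against a baseline hash, preserves the tampered copy as evidence, verifies the repository copy before trusting it, restores, and flushes the resolver cache.  The share path is an assumption, and the baseline hash is a placeholder you must replace with the SHA-256 of your own approved hosts file, since every environment's hosts file differs.

```powershell
# Added example, not from the original article: restore the hosts file from a
# known-good copy, keeping the tampered version for analysis.
param(
    [string]$KnownGoodPath  = '\\myfileserver\baseline\hosts',                  # assumed repository copy
    [string]$ExpectedSha256 = 'REPLACE-WITH-THE-SHA256-OF-YOUR-BASELINE-HOSTS-FILE'  # placeholder
)

$ErrorActionPreference = 'Stop'
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Nothing to do if the file already matches the approved baseline.
$current = (Get-FileHash -LiteralPath $hostsPath -Algorithm SHA256).Hash
if ($current -eq $ExpectedSha256) {
    Write-Output 'OK: hosts file matches baseline'
    exit 0
}

# Do not trust the repository copy blindly: the share is reachable from this host,
# so confirm the replacement is the approved file before writing it into System32.
$replacement = (Get-FileHash -LiteralPath $KnownGoodPath -Algorithm SHA256).Hash
if ($replacement -ne $ExpectedSha256) {
    Write-Output 'ABORT: repository copy does not match the baseline hash'
    exit 3
}

# Preserve the tampered file next to the original before overwriting it.
$stamp    = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$evidence = "$hostsPath.tampered.$stamp"
Copy-Item -LiteralPath $hostsPath -Destination $evidence

# Malware sometimes marks hosts read-only or hidden; clear attributes so the copy succeeds.
Set-ItemProperty -LiteralPath $hostsPath -Name Attributes -Value ([IO.FileAttributes]::Normal)
Copy-Item -LiteralPath $KnownGoodPath -Destination $hostsPath -Force

# Drop cached resolutions that came from the bad file.
ipconfig /flushdns | Out-Null

# Confirm the restore actually took effect.
$after = (Get-FileHash -LiteralPath $hostsPath -Algorithm SHA256).Hash
if ($after -ne $ExpectedSha256) {
    Write-Output 'FAIL: hosts file still does not match baseline after restore'
    exit 4
}
Write-Output "RESTORED: tampered copy saved as $evidence (was $current)"
exit 0
```

The evidence copy is written beside the original so it survives even if the share is unreachable; move it to the sample share with the copy-file Reaction above if you want it off the host.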
Comments

Disable backdoor user account:

OS command: Net user {{username}} /active:no

WMIC command: wmic useraccount where name='{{username}}' set disabled=true

I think a HUGELY underestimated bullet is the "Set custom McAfee Agent custom properties" response.

  1. A trigger can be created to look for an application executable. (i.e. name equals "putty.exe")
  2. A response can be performed to modify Custom Property 1-4 with a "#Putty" value.
  3. A tag criteria can be created within ePO to look for this value and automatically apply a tag.
  4. An assignment rule can be created to assign a policy/task to systems with the specific tag.

This can allow administrators to automatically apply custom policies to systems based on applications that are active. Especially for server environments (i.e. Exchange, SQL, Citrix, etc.)

How is it possible to install an MSI file through a Reaction?

I tried to write

msiexec /i "location file in nas" but it's not working! With the debug I'm getting this error: Error running cmd: This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package.

 

Version history
Revision #: 3 of 3
Last update: 02-22-2018 11:56 AM