Created on 10-13-2016 06:21 AM Edited on 06-02-2022 09:41 AM By Anonymous
Description
This article explains how to create an automated Windows service-restart script for AO (AccelOps): an Incident Notification Policy runs a Python script on the AO supervisor, and that script uses winexe to restart the failed service on the monitored Windows server.
Accelops Side:
Verify Permissions and Access:
1 - Log on to AO through SSH as the root user
2 - Run the following command, filling in the domain, user, password and the Windows server's IP: winexe -U domain/user%password //server_ip "cmd.exe"
Case successful:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
Type exit to close the remote shell, then move on to "Implementing the script" below, using the restartWinService.py script attached to this article.
Case failure:
ERROR: Failed to install service winexesvc - NT code 0x00000424
NT code 0x00000424 is Win32 error 1060, ERROR_SERVICE_DOES_NOT_EXIST: winexe could not install or open its winexesvc service on the Windows server. Follow the "Additional Information" section below before moving forward.
Implementing the script:
1 - Copy the attached restartWinService.py to the AO supervisor. The script reads the incident, parses out the target IP and the stopped service, and issues a winexe command to restart that service.
2 - Edit the script and enter the username and password it should use to restart services. The script now holds credentials, so make it readable only by the account that runs it (chmod 600 or 640, not 775).
3 - Place the Python script under /tmp/ on your AO supervisor.
4 - In the UI, go to Analytics > Incident Notification Policy.
5 - Create a new Incident Notification Policy.
6 - Select the "Edit" dialog towards the bottom of the pop-up.
7 - Under "Run Script", click Add.
8 - Since your script is under /tmp/, enter its full path in this format: /tmp/myscript_name_here.py
9 - Save your configuration.
10 - Create an authentication file under /tmp/ (to create the authentication file, see "Additional Information" below).
Now each time an incident fires for a Windows service, the script restarts that service automatically.
Additional Information:
1 - Create a script named installWinexesvc.bat and copy the following into it:
sc create winexesvc binPath= C:\WINDOWS\WINEXESVC.EXE start= auto DisplayName= winexesvc
sc description winexesvc "Remote command provider for AccelOps monitoring"
sc start winexesvc
2 - Run installWinexesvc.bat on the Windows server you are monitoring and make sure that the service has started. If sc start fails because C:\WINDOWS\WINEXESVC.EXE is not on the server yet, see Option 2 below: winexe copies the binary there the next time it connects.
(The script produces output like the following:)
C:\>sc create WinexeSvc binPath= C:\WINDOWS\WINEXESVC.EXE start= auto DisplayName= WinexeSvc
[SC] CreateService SUCCESS
C:\>sc description WinexeSvc "Remote command provider for AccelOps monitoring"
[SC] ChangeServiceConfig2 SUCCESS
C:\>sc start WinexeSvc
SERVICE_NAME: AoWinexeSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 1580
        FLAGS              :
If you receive the following error:
ERROR: Failed to install service winexesvc - NT code 0x00000424
Option 1 - Without making changes to AO
(Try Option 2 first.)
You may have to add a couple of DWORD (32-bit) values to the registry of the Windows server to make this work.
Open the registry editor on the Windows server, add the values, and reboot the server.
After the remote Windows server comes back up, test again by running the command from AO:
winexe -U <DOMAIN>/<USER>%<PASSWORD> //<IP> "cmd.exe"
If the Windows server allows the connection, you should see something similar to:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
Option 2 - ERROR: Failed to install service winexesvc - NT code 0x00000424
The winexesvc service may have been installed on Windows incorrectly.
1 - Run this script first on your Windows machine:
sc create winexesvc binPath= C:\WINDOWS\WINEXESVC.EXE start= auto DisplayName= winexesvc
sc description winexesvc "Remote command provider for AccelOps monitoring"
sc start winexesvc
NOTE: if the last line fails to start the service, ignore it for now. C:\WINDOWS\WINEXESVC.EXE is not on the server yet; winexe copies it there over the ADMIN$ share the next time it connects.
2 - In AO, run the following command:
winexe --user XXXXXXXXXXXXX --password XXXXXXXXXXX //<IP_OF_WINDOWS> 'cmd.exe'
NOTE: If the password contains shell special characters (e.g. !@#$%^&*()-_), the shell may mangle it on the command line; a password on the command line is also visible in the process list and shell history. In that case use an authentication file instead:
winexe -A /tmp/authenticationfile //<IP_OF_WINDOWS> 'cmd.exe'
3 - How to create your authentication file
cd /tmp/
touch authenticationfile
chown admin:admin authenticationfile
chmod 600 authenticationfile
vi authenticationfile
The file holds a password, so do not make it group- or world-readable (775 would leave it readable by every local user on the supervisor); mode 600, owned by the account that runs winexe (admin here), is enough.
In the file:
domain=xxxxxxxxxxxx
username=xxxxxxxxxxxxx
password=xxxxxxxxxxxx
After you save this, run the second winexe command again; it copies winexesvc.exe to the Windows server and starts the service.
You will notice a new directory in /tmp/ called /tmp/restart_log.
This log is created to keep track of the service restarts AO performs.
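Worked example covering the two pieces this article asks for: a restart script in the style of restartWinService.py (the "Implementing the script" section) and the credentials file from step 3 above. This is an added example, not the script attached to the article. It assumes, since the article does not say, that the notification policy passes the incident text to the script on standard input, that the text carries hostIpAddr=<ip> and serviceName=<name> tokens, that the log file is /tmp/restart_log/restarts.log, and that the credentials file is /tmp/authenticationfile in the winexe -A format shown above. Beyond the article it adds two checks a practitioner would want: the IP and service name taken from the incident are validated before they go into the remote cmd.exe line, so incident text cannot smuggle extra commands onto the Windows server, and the script refuses to run if the credentials file is readable by group or other.

```python
#!/usr/bin/env python3
"""Restart a Windows service over winexe when an AO incident fires.

Added example, not the KB's attached restartWinService.py. Assumed (not stated
in the KB): incident text arrives on stdin and carries 'hostIpAddr=<ip>' and
'serviceName=<name>' tokens; credentials live in /tmp/authenticationfile in
the winexe -A format; restarts are logged to /tmp/restart_log/restarts.log.
"""
import ipaddress
import os
import re
import stat
import subprocess
import sys
import tempfile
import time

AUTH_FILE = "/tmp/authenticationfile"        # path used by the KB
LOG_FILE = "/tmp/restart_log/restarts.log"   # file name under the KB's directory is assumed
WINEXE = "winexe"

IP_RE = re.compile(r"hostIpAddr=([0-9.]+)")
SERVICE_RE = re.compile(r"serviceName=([^\s,;]+)")
# Short service names only: letters, digits, dot, underscore, hyphen. Quotes, '&',
# '|', '>' and the like are rejected so text taken from an incident cannot add
# commands to the cmd.exe line built in build_command().
SAFE_SERVICE_RE = re.compile(r"^[A-Za-z0-9_.\-]{1,256}$")

# Constructed sample incident in the assumed format (not real AO output).
SAMPLE_INCIDENT = "incidentId=1234 hostIpAddr=10.0.0.25 serviceName=Spooler status=down"


def parse_incident(text):
    """Return (ip, service) from incident text; raise ValueError if missing or unsafe."""
    m_ip = IP_RE.search(text)
    m_svc = SERVICE_RE.search(text)
    if not m_ip or not m_svc:
        raise ValueError("incident text lacks hostIpAddr or serviceName")
    ip = str(ipaddress.IPv4Address(m_ip.group(1)))  # raises ValueError on a malformed address
    service = m_svc.group(1)
    if not SAFE_SERVICE_RE.match(service):
        raise ValueError("unsafe service name: %r" % service)
    return ip, service


def auth_file_is_private(st_mode):
    """True when no group or other permission bits are set (0600 passes, 0775 fails)."""
    return (stat.S_IMODE(st_mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def write_auth_file(path, domain, username, password):
    """Create the winexe -A credentials file with mode 0600 from the moment it exists."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("domain=%s\nusername=%s\npassword=%s\n" % (domain, username, password))
    return path


def build_command(ip, service, auth_file):
    """argv for winexe. A list, not a shell string, so nothing is re-parsed on the AO side.
    '&' rather than '&&' so a service that is already stopped is still started."""
    remote = "cmd.exe /c net stop %s & net start %s" % (service, service)
    return [WINEXE, "-A", auth_file, "//%s" % ip, remote]


def restart_service(incident_text, auth_file=AUTH_FILE, log_file=LOG_FILE,
                    runner=subprocess.run):
    """Validate the incident, refuse a shared-readable credentials file, run winexe, log."""
    ip, service = parse_incident(incident_text)
    if not auth_file_is_private(os.stat(auth_file).st_mode):
        raise PermissionError("%s is readable by other users; chmod 600 it" % auth_file)
    argv = build_command(ip, service, auth_file)
    result = runner(argv, capture_output=True, text=True, timeout=120)
    os.makedirs(os.path.dirname(log_file), exist_ok=True)
    with open(log_file, "a") as log:
        log.write("%s %s %s rc=%d\n" % (time.strftime("%Y-%m-%d %H:%M:%S"),
                                        ip, service, result.returncode))
    return argv, result.returncode


def dry_run(incident_text=SAMPLE_INCIDENT):
    """Exercise the whole path with a fake winexe and temporary files. Returns
    (winexe target plus remote command, return code, credentials file was private)."""
    def fake_runner(argv, **kwargs):
        return subprocess.CompletedProcess(argv, 0, "", "")
    with tempfile.TemporaryDirectory() as tmp:
        auth = write_auth_file(os.path.join(tmp, "authenticationfile"),
                               "EXAMPLE", "svc_ao", "p@ss!w0rd")   # made-up credentials
        argv, rc = restart_service(incident_text, auth,
                                   os.path.join(tmp, "restart_log", "restarts.log"),
                                   fake_runner)
        private = auth_file_is_private(os.stat(auth).st_mode)
    return argv[3:], rc, private


if __name__ == "__main__":
    sys.exit(restart_service(sys.stdin.read())[1])
```

Usage on the supervisor is the same as for the attached script: place it under /tmp/, point the policy's "Run Script" entry at it, and make sure /tmp/authenticationfile is mode 600. The remote command is run through winexe as a list of arguments, never through a local shell, and the service name is limited to a conservative character set before it is interpolated; if your environment has service names with spaces or other characters, widen SAFE_SERVICE_RE deliberately rather than removing the check.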
Copyright 2024 Fortinet, Inc. All Rights Reserved.