PsExec in-place updated task/fixlet?

Has anyone built a fixlet to find and replace the exe for PsExec with the patched release from a month or so ago?

Since PsExec seems to be almost anywhere on a system, I am not sure how to go about creating relevance that won't bury the system to find it, and then when I do, how to perform the replacement in the original location.

If there is something like this already outlined here or on the bigfix.me site, an example would be helpful

Thank you

In order to build an example, does your organization have a standard path for PsExec? Building relevance that leverages descendants of a folder can be problematic and not advisable.

Unfortunately there is no standard location, the environment I have is all server based and we run several off the shelf, vendor driven application environments.

I am able to see about 80 systems with it installed through BigFix Inventory, and the paths are everywhere from users' home folders, application folders, on C or D drives, and standalone or part of the entire extracted PsTools zip.

I am not 100% confident that inventory is reporting all of the instances.

If I assume it does and also assume I can take the overhead of a week or two with this task searching all locations, I don't know where to start to build the relevance to use the matched location in the action to support replacing the file wherever it was found.

Why don’t we start with the two paths with the highest commonality between these 80’ish managed endpoints. If you can post that info to this thread, we can workshop some example relevance content.

These are two examples that cover the various scenarios:

Path 1:
C:\Support\myServiceTools\3rdPartyTools\Sysinternals

Path 2:
C:\Program Files (x86)\Lansweeper\Actions

The Executable to be found and replaced is
psexec.exe
psexec64.exe

I have SHA1 and SHA256 hashes, and also can leverage reported version to identify if the version on disk is currently patched or not … Patched version is 2.32

Example:
version of file “C:\Program Files (x86)\Lansweeper\Actions\psexec.exe” reports “2.11.0.0”

And a patched file reports version “2.32.0.0”

This need sounds very similar to the SolarWinds detections I published to BigFix.me.

Have a look at Method 2 from the thread at DHS Emergency Directive 21-01 - Sunburst - SolarWinds thread and I think you could adapt it to search & report on the two PSExec files.
You could also build a remediation based on reading the probe file to find all the paths where psexec was found and replacing them.

2 Likes
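
A sketch of the scan-and-probe-file idea discussed in this thread, added here as an example; it is not the BigFix.me SolarWinds content and was not posted by any participant. It is plain PowerShell rather than BigFix relevance, uses the two paths, the two file names and the 2.32 patched version given above, and the probe file location is a hypothetical placeholder.

```powershell
# Added example: inventory PsExec copies under known roots and record the unpatched ones.
$Roots = @(
    'C:\Support\myServiceTools\3rdPartyTools\Sysinternals',
    'C:\Program Files (x86)\Lansweeper\Actions'
)
$Names     = @('psexec.exe', 'psexec64.exe')
$Patched   = [version]'2.32'
$ProbeFile = 'C:\Windows\Temp\psexec_probe.txt'   # hypothetical path, adjust to your environment

function Get-PsExecStatus {
    param([string[]]$Root, [string[]]$Name, [version]$MinVersion)
    foreach ($r in $Root) {
        # Skip roots that do not exist on this machine
        if (-not (Test-Path -LiteralPath $r -PathType Container)) { continue }
        Get-ChildItem -LiteralPath $r -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $Name -contains $_.Name } |      # -contains is case-insensitive
            ForEach-Object {
                $vi = $_.VersionInfo
                # Build the version from the numeric parts so "2.11" and "2.11.0.0" compare alike.
                # A file with no version resource yields 0.0.0.0 and is reported as unpatched.
                $ver = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                                                 $vi.FileBuildPart, $vi.FilePrivatePart)
                [pscustomobject]@{
                    Path    = $_.FullName
                    Version = $ver
                    Patched = -not ($ver -lt $MinVersion)
                    # Hash is included so it can be checked against the known-good values
                    SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

$found = @(Get-PsExecStatus -Root $Roots -Name $Names -MinVersion $Patched)
$found | Format-Table -AutoSize

# Probe file: one full path per line for every copy older than the patched version.
$unpatched = @($found | Where-Object { -not $_.Patched } | ForEach-Object { $_.Path })
Set-Content -LiteralPath $ProbeFile -Value $unpatched -Encoding UTF8
```

A remediation step can then read the probe file line by line and overwrite each listed path with the patched binary, verifying the SHA256 of the replacement before and after the copy.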