Kaseya Community

FireEye Detection

Is anyone else working on a script for FireEye detection with the recent SolarWinds mess? I've been trying to get a Kaseya script working that uses the scanner from Datto https://github.com/datto/fireeye-red-team-countermeasure-scanner without much success. If I run the PowerShell script manually, it executes exactly as expected. If I try to call it from Kaseya, either by command line powershell "c:\kworking\build23.ps1", or executepowershell64bit as system calling the same script, it errors out saying Visual C++ isn't installed (which it is, as the script runs fine manually).

All Replies
  • On one of the issue threads @ GitHub it says

    "I have found this error when I don't run PowerShell as admin and did not change to the directory beforehand. Change your directory to where the script is located when in PowerShell as admin and then execute the script."

    So maybe if you add this to the beginning of the build23.ps1 file?

    Set-Location c:\kworking

  • That's a good option to get some visibility.

    Well, we've been struggling with that as well. It seems the PowerShell commands Kaseya runs like to use different time-out values for the commands it runs, sometimes making it very difficult to replicate results you get from running the same thing on a command line.

    That's one reason we recently saw, but can't actually remember running into this before.

  • It may also matter to run as Admin instead of as NT Authority\System.

    Do this by executing PS as User, but precede the ExecutePS cmd with "Impersonate User or User Credentials"... and bind or "Set Credentials" under Agent > Manage Agent grid...
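
The replies above point at three differences between a manual run and an agent-driven run: working directory, elevation, and the account the script runs under. The following wrapper is an added example, not part of any reply or of the Datto scanner; it logs that context and then runs the script from its own directory. The wrapper and log file names are assumptions; `c:\kworking` and `build23.ps1` come from the thread.

```powershell
# Added diagnostic wrapper (hypothetical file name: c:\kworking\run-build23.ps1).
# Call this from the agent procedure instead of build23.ps1, then compare the
# log against one produced by a manual run.
$scriptDir = 'c:\kworking'                               # path from the thread
$target    = Join-Path $scriptDir 'build23.ps1'          # script name from the thread
$logFile   = Join-Path $scriptDir 'build23-context.log'  # assumed log name

# Who is the script running as, and is the token elevated?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

$context = [ordered]@{
    Time          = (Get-Date).ToString('s')
    User          = $identity.Name
    IsSystem      = $identity.IsSystem
    IsElevated    = $isAdmin
    Is64BitProc   = [Environment]::Is64BitProcess   # 32-bit vs 64-bit PowerShell host
    Is64BitOS     = [Environment]::Is64BitOperatingSystem
    StartDir      = (Get-Location).Path             # directory the agent started in
    PSVersion     = $PSVersionTable.PSVersion.ToString()
}

# One key=value line per item, so two logs can be diffed directly.
$context.GetEnumerator() |
    ForEach-Object { '{0}={1}' -f $_.Key, $_.Value } |
    Out-File -FilePath $logFile -Append -Encoding utf8

# Run from the script's own directory, as suggested in the first reply.
Set-Location -Path $scriptDir

try {
    # Merge every output stream so errors and warnings land in the same log.
    & $target *>&1 | Out-File -FilePath $logFile -Append -Encoding utf8
    "ExitCode=$LASTEXITCODE" | Out-File -FilePath $logFile -Append -Encoding utf8
}
catch {
    "Error=$($_.Exception.Message)" | Out-File -FilePath $logFile -Append -Encoding utf8
    exit 1
}
```

Run it once by hand and once through the agent procedure; any line that differs between the two logs is a candidate for the failure.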