Now that you've prepared the HUNT Server, the next step is to prepare the network environment by whitelisting the HUNT Survey files and configuring Active Directory.
Whitelisting the HUNT Survey
During a scan, Infocyte HUNT deploys dissolvable agents (Surveys) to network endpoints. Existing security software may flag these files as malicious, which can cause the survey to fail.
There are several binaries that should be whitelisted for execution by other security tools.
A CSV of the relevant binary hashes is available for download.
The following paths are used by Infocyte during a scan. If your tool excludes by path or filename rather than by hash, note that these are temporary directories that other processes can also write to, so keep such exclusions as narrow as your tool allows and remove them once scanning is complete:
Windows
c:\windows\temp\survey.exe
c:\windows\temp\s1.exe
c:\windows\temp\infocyte*.vbs
Note: if * notation is not supported, add the following 10 entries:
c:\windows\temp\infocyte.vbs
c:\windows\temp\infocyte1.vbs
c:\windows\temp\infocyte2.vbs
c:\windows\temp\infocyte3.vbs
c:\windows\temp\infocyte4.vbs
c:\windows\temp\infocyte5.vbs
c:\windows\temp\infocyte6.vbs
c:\windows\temp\infocyte7.vbs
c:\windows\temp\infocyte8.vbs
c:\windows\temp\infocyte9.vbs
Linux
/tmp/survey.bin
/opt/infocyte/surveys/s1.linux.sh
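As an added example that is not Infocyte's code, the following PowerShell applies the Windows paths above as Microsoft Defender Antivirus exclusions on a host where Defender is the security tool that needs to be told about the survey. It expands the wildcard into the ten explicit names for tools that cannot take it, and removes the exclusions again after the scan. The function names are this example's own; nothing about the hash CSV or other products is assumed.

```powershell
# Added example, not part of Infocyte's documentation or product.
# Builds the survey exclusion list from the paths listed above and applies it
# to Microsoft Defender Antivirus with the Defender cmdlets (Add-MpPreference /
# Remove-MpPreference, available on Windows 8.1 / Server 2012 R2 and later).

function Get-SurveyExclusionPaths {
    param([switch]$ExpandWildcard)   # set when the consuming tool cannot take '*'

    $paths = @(
        'C:\Windows\Temp\survey.exe',
        'C:\Windows\Temp\s1.exe'
    )
    if ($ExpandWildcard) {
        # The ten explicit entries the page lists for tools without wildcard support
        $paths += 'C:\Windows\Temp\infocyte.vbs'
        $paths += (1..9 | ForEach-Object { "C:\Windows\Temp\infocyte$_.vbs" })
    } else {
        $paths += 'C:\Windows\Temp\infocyte*.vbs'
    }
    return $paths
}

function Enable-SurveyExclusions {
    # Defender accepts '*' in the file-name part of an exclusion, so no expansion is needed.
    $paths = Get-SurveyExclusionPaths
    Add-MpPreference -ExclusionPath $paths
    # C:\Windows\Temp is writable by ordinary local users, so anything dropped there
    # under these names is now unscanned. Keep the exclusions only while the scan
    # runs and prefer the hash list where the tool supports it.
    return $paths
}

function Disable-SurveyExclusions {
    $paths = Get-SurveyExclusionPaths
    Remove-MpPreference -ExclusionPath $paths
    # Confirm nothing under Temp is still excluded
    $left = (Get-MpPreference).ExclusionPath | Where-Object { $_ -like 'C:\Windows\Temp\*' }
    return (@($left).Count -eq 0)
}

# Typical use around a scan (run from an elevated prompt):
Enable-SurveyExclusions | ForEach-Object { "excluded: $_" }
# ... run the HUNT scan ...
"cleanup ok: $(Disable-SurveyExclusions)"
```

Call `Get-SurveyExclusionPaths -ExpandWildcard` when feeding a product that rejects `*`; the list it returns is exactly the twelve entries above.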
Configuring Microsoft Active Directory
Infocyte requires a Microsoft Active Directory domain account with sufficient privileges to perform its authenticated scans. The following steps outline how to set up the security group and Group Policy Object (GPO) that grant those privileges. Note what they grant: members of the group become local administrators on every computer the GPO applies to, so treat the scan account as a privileged credential. These procedures apply only to domains with Windows Server 2012, 2012 R2 or 2016 domain controllers, and should be performed on the server that administers the domain's Group Policies.
Step 1: Creating Windows Security Group
Create a Windows security group called “Infocyte Scan Group”
- Log in to the domain controller for the target domain
- Open “Active Directory Users and Computers”
- Click Menu > Action > New > Group
- Name the group “Infocyte Scan Group” and ensure the “Global” and “Security” options are selected
- Create a dedicated user for Infocyte scanning operations, with a strong, unique password, and add it to the “Infocyte Scan Group” security group. Use a dedicated account rather than an existing administrator account.
Step 2: Create Group Policy Object
Create a Windows Group Policy Object (GPO) called “Infocyte Scan GPO”
- Open “Group Policy Management Console”
- Right-click on Group Policy Objects and select New
- Name the policy “Infocyte Scan GPO”
Step 3: Set policy to add “Infocyte Scan Group” group as Administrators
Now add the newly created security group “Infocyte Scan Group” to the “Infocyte Scan GPO” so that its members become local Administrators on every computer the GPO applies to
- Right-click on “Infocyte Scan GPO” and select Edit
- Expand Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
- In the left pane in Restricted Groups, right-click and select Add Group
- In the dialog box, select Browse and type “Infocyte Scan Group” and click Check Names
- Click OK twice
- Click Add under the “This group is a member of:” label (not “Members of this group:”, which would replace the existing local Administrators membership on every targeted computer)
- Add the “Administrators” group
- Click OK twice
Note: Windows XP and Server 2003 systems require the Group Policy Client Side Extensions before they can apply and enforce policy from Windows Server 2012+ domains. Ensure these are installed before the GPO is applied.
Step 4: Set Infocyte access to network hosts
Infocyte will require network access to the destination hosts for scanning operations. To facilitate this, we add the “Infocyte Scan Group” to the “Access this computer from the network” user right in the “Infocyte Scan GPO”. Defining this right in a GPO replaces the list on each targeted computer rather than adding to it, so include the principals that should keep network access (by default Administrators, Backup Operators, Users and Everyone on member computers) alongside the “Infocyte Scan Group”; otherwise other users and administrators lose the ability to connect to those computers over the network.
- Right-click on “Infocyte Scan GPO” and select Edit
- Expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignments
- Right-click on Access this computer from the network and click Properties
- Ensure the check-box Define these policy settings is checked
- Click Add User or Group
- Click Browse and enter “Infocyte Scan Group” into the text box
- Click Check Names
- Click OK
- Click OK
Step 5: Firewall configuration (Windows Vista+) via GPO
Infocyte requires the Server Message Block (SMB) and Windows Management Instrumentation (WMI) protocols to scan a target network. Firewall rules will need to be set in the “Infocyte Scan GPO” to allow this communication.
- Right-click on “Infocyte Scan GPO” and select Edit
- Expand Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules
- Right-click in the right pane and choose New Rule…
- Choose Predefined and select “File and Printer Sharing”
- Make sure that all rules are check-marked
- Click Next
- Click Finish
- Right-click in the right pane and choose New Rule…
- Choose Predefined and select “Windows Management Instrumentation (WMI)”
- Make sure that all rules are check-marked
- Click Next
- Click Finish
- Recommended step: WMI exposes a great deal about a target system and is a common remote-execution channel, so do not leave the WMI rules open to any source. Edit each WMI rule, and on its Scope tab restrict “Remote IP address” to the HUNT Server’s address, or restrict the rule to the specific security groups or users that need the protocol.
Step 6: Firewall configuration (Windows XP and 2003) via GPO
Systems running Windows XP and Server 2003 ignore the Windows Firewall with Advanced Security rules used above. The following legacy policy settings open the same inbound access for them so that Infocyte scanning operations can reach them
- Right-click on “Infocyte Scan GPO” and select Edit
- Expand Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile
- Right-click on “Windows Firewall: Allow inbound file and printer sharing exceptions” and click Edit
- Click Enabled; in “Allow unsolicited incoming messages from these IP addresses” enter the HUNT Server’s address (or * for any address)
- Click OK
- Right-click on “Windows Firewall: Allow inbound remote administration exception” and click Edit
- Click Enabled; in “Allow unsolicited incoming messages from these IP addresses” enter the HUNT Server’s address (or * for any address)
- Click OK
- Recommended step: most environments run a mix of Windows versions. Add this step to your GPO for backward compatibility so that all systems are accessible to Infocyte.
Step 7: GPO Linking
Once the GPO is created, it must be enabled and linked to the domain or organizational unit (OU) that contains the computers to be scanned
- In “Group Policy Management Console,” right-click on the target domain or organizational unit (OU) and select Link an Existing GPO…
- Select “Infocyte Scan GPO”
Where possible, link the GPO to the OUs that hold the scan targets rather than to the domain root: a link at the domain root is inherited by the Domain Controllers OU, and on a domain controller adding the group to Administrators makes it a member of the domain’s built-in Administrators group.
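The scriptable parts of Steps 1 through 7, as an added example that is not Infocyte's code. It uses the ActiveDirectory, GroupPolicy and NetSecurity modules (RSAT on a domain-joined administrative host) to create the group and account, create the GPO, write inbound SMB and WMI rules into the GPO scoped to the HUNT Server's address only (the narrower form recommended in Step 5), and link the GPO to an OU. Steps 3, 4 and 6 (Restricted Groups, the user right, and the legacy XP/2003 firewall settings) have no native cmdlet and stay in the Group Policy editor as described above. The domain contoso.com, the account name svc-infocyte, the address 10.0.0.50 and the Workstations OU are assumptions for the example, not values from the page.

```powershell
# Added example, not part of Infocyte's documentation. Run from an elevated
# PowerShell session on a domain-joined host with the RSAT Group Policy and
# AD DS tools installed. All names and addresses below are assumed values.
Import-Module ActiveDirectory, GroupPolicy, NetSecurity

$domain       = 'contoso.com'                       # assumed
$groupName    = 'Infocyte Scan Group'
$gpoName      = 'Infocyte Scan GPO'
$huntServerIp = '10.0.0.50'                         # assumed HUNT Server address
$targetOu     = 'OU=Workstations,DC=contoso,DC=com' # assumed OU holding scan targets

# Step 1: global security group and a dedicated scan account (password prompted,
# never hard-coded in the script).
New-ADGroup -Name $groupName -SamAccountName 'InfocyteScanGroup' `
    -GroupScope Global -GroupCategory Security -Path 'CN=Users,DC=contoso,DC=com'
$password = Read-Host -AsSecureString -Prompt 'Password for svc-infocyte'
New-ADUser -Name 'svc-infocyte' -SamAccountName 'svc-infocyte' `
    -UserPrincipalName "svc-infocyte@$domain" -AccountPassword $password `
    -PasswordNeverExpires $false -Enabled $true
Add-ADGroupMember -Identity $groupName -Members 'svc-infocyte'

# Step 2: the empty GPO that the remaining steps populate.
New-GPO -Name $gpoName -Comment 'Infocyte HUNT scan access (SMB/WMI)' | Out-Null

# Step 5: inbound rules written into the GPO's firewall policy. Unlike the
# predefined "File and Printer Sharing" and "WMI" groups, these accept traffic
# only from the HUNT Server. Edits are made in a GPO session and saved once.
$session = Open-NetGPO -PolicyStore "$domain\$gpoName"
New-NetFirewallRule -GPOSession $session -DisplayName 'Infocyte HUNT - SMB-In' `
    -Direction Inbound -Protocol TCP -LocalPort 445 -RemoteAddress $huntServerIp `
    -Profile Domain -Action Allow
New-NetFirewallRule -GPOSession $session -DisplayName 'Infocyte HUNT - DCOM endpoint mapper' `
    -Direction Inbound -Protocol TCP -LocalPort 135 -RemoteAddress $huntServerIp `
    -Profile Domain -Action Allow
# WMI itself answers on a dynamic RPC port; binding the rule to the winmgmt
# service keeps "RPC" from opening the whole dynamic range to other services.
New-NetFirewallRule -GPOSession $session -DisplayName 'Infocyte HUNT - WMI-In' `
    -Direction Inbound -Protocol TCP -LocalPort RPC -RemoteAddress $huntServerIp `
    -Program '%SystemRoot%\system32\svchost.exe' -Service winmgmt `
    -Profile Domain -Action Allow
Save-NetGPO -GPOSession $session

# Step 7: link the GPO to the OU holding the scan targets (not the domain root).
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes
```

After running it, open the GPO in the editor to complete Steps 3, 4 and 6, then run `gpupdate /force` on a target and check `Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName 'Infocyte HUNT*'` there to see the three rules in effect.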
Step 8: Set HUNT Server “Log on as service” local policy
Finally, if the HUNT Server is joined to the domain, we will need to configure a local policy to allow this security group to install the service and “Log on as a service.” The following procedures will need to be performed on the HUNT Server.
- Open “Local Security Policy” manager
- Expand Security Settings > Local Policies > User Rights Assignment
- Right-click on “Log on as a service” and click Properties
- Click Add User or Group
- Click Browse and enter “Infocyte Scan Group” into the text box
- Click Check Names
- Click OK
- Click OK
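A verification script to run on the HUNT Server once the GPO has applied, added here as an example that is not Infocyte's code. It checks, for one target, what Steps 3 to 8 are supposed to have produced: SMB reachable through the host firewall, WMI working with the scan credential, the scan group present in the target's local Administrators, and the “Log on as a service” right granted to the group on the HUNT Server itself. The target name WKS01, the domain NetBIOS name CONTOSO and the account svc-infocyte are assumptions for the example.

```powershell
# Added example, not part of Infocyte's documentation. Run on the HUNT Server
# from an elevated prompt (secedit needs it). Assumed names: target WKS01,
# domain CONTOSO, scan account CONTOSO\svc-infocyte.

function Test-ScanTarget {
    param(
        [string]$ComputerName,
        [pscredential]$Credential,
        [string]$ScanGroup = 'Infocyte Scan Group'
    )
    $result = [ordered]@{ Target = $ComputerName }

    # Step 5: SMB (TCP 445) reachable through the target's firewall?
    $result.SmbOpen = (Test-NetConnection -ComputerName $ComputerName -Port 445 `
        -WarningAction SilentlyContinue).TcpTestSucceeded

    # Steps 4 and 5: WMI over DCOM (TCP 135 plus a dynamic RPC port) with the
    # scan credential. Get-WmiObject uses DCOM, which is what the scan relies on.
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName `
            -Credential $Credential -ErrorAction Stop
        $result.WmiOk = $true
        $result.OS = $os.Caption
    } catch {
        $result.WmiOk = $false
        $result.OS = $_.Exception.Message
    }

    # Step 3: is the scan group a member of the target's local Administrators?
    # Win32_GroupUser links groups to members; PartComponent ends in Name="...".
    $result.ScanGroupIsAdmin = $false
    if ($result.WmiOk) {
        $members = Get-WmiObject -Class Win32_GroupUser -ComputerName $ComputerName -Credential $Credential |
            Where-Object { $_.GroupComponent -match 'Name="Administrators"$' } |
            ForEach-Object { ($_.PartComponent -split 'Name=')[-1].Trim('"') }
        $result.ScanGroupIsAdmin = $members -contains $ScanGroup
    }
    return [pscustomobject]$result
}

function Test-ServiceLogonRight {
    # Step 8: the right is stored as a SID list in the local policy, so resolve
    # the group's SID and look for it in an export of the user-rights area.
    param([string]$Domain, [string]$ScanGroup = 'Infocyte Scan Group')
    $sid = (New-Object System.Security.Principal.NTAccount($Domain, $ScanGroup)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    $inf = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return [bool]($line -and ($line -like "*$sid*"))
}

$cred = Get-Credential -UserName 'CONTOSO\svc-infocyte' -Message 'Scan account password'
Test-ScanTarget -ComputerName 'WKS01' -Credential $cred | Format-List
"Log on as a service granted on this server: $(Test-ServiceLogonRight -Domain 'CONTOSO')"
```

A target that shows `SmbOpen` true but `WmiOk` false usually means the DCOM or WMI firewall rules did not apply, or the scan group was left out of the “Access this computer from the network” list in Step 4; `ScanGroupIsAdmin` false after a successful WMI call points at the Restricted Groups setting in Step 3 or at a GPO link that does not reach that computer.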
Next Steps:
Now that you've prepared your network for Infocyte HUNT, the next step is Installing Infocyte HUNT.