Versions Compared

Old Version 8

changes.mady.by.user Ryan Seymour

Saved on

compared with

New Version 9

changes.mady.by.user Ryan Seymour

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

V4 Troubleshooting FAQ Table of Contents

Table of Contents
minLevel1
maxLevel6
outlinefalse
styletypenonelist
typeseparatorlistpipe
printabletrue

...

Checking Logs and Default Installation Paths

  • Agent Logs - work in progress

  • Patch logs - work in progress

...

Remediated Vulnerabilities Still Showing in the Portal

  1. Make sure a recent scan has been completed

  2. Use the OSQUERY to determine application details

...

Info

NOTE: If both the old and new versions are present in the osqueryi output, follow these steps to clear the data. This issue could be caused by an incomplete removal of the application. If the installation location is still present, the information will be further analyzed and reported. Since there is no installed location or source path, only the uninstall string is available. This issue could be resolved by clearing the registry information.

How To: Search Registry for Uninstall Strings

...

Scan Issues

SNMP Scan Issues

Solution 1: For Version 1 and Version 2 

...

Replace <string> with the SNMP community string for SNMP v1 or v2, <targetip> with the IP address of the target device, <securityname> with the SNMPv3 username, <auth_protocol> with the authentication protocol (e.g., MD5 or SHA), <auth_password> with the authentication password, <priv_protocol> with the privacy protocol (e.g., AES or DES), and <priv_password> with the privacy password. 

...

Windows Asset Credential Scan Issues (SMB)

You can validate the credentials from the probe agent machine by following the below steps: 

...

for e.g. \\192.168.1.1\admin$ 

...

Active Directory AD Scan Issues

Ensure correct information is added, such as:

  1. The IP address in the DC name to avoid any DNS lookup issues

  2. FQDN in the domain name and the username without a domain or ".\" 

...

NMAP Scan Issues

If the nmap is not determining any assets, follow the below steps to troubleshoot:

...

.\nmap.exe --privileged -sV -T3 --min-parallelism 100 --max-parallelism 255 -script-timeout 1500000ms --top-ports 3000 -Pn --host-timeout 1900000ms --max-hostgroup 64 --min-hostgroup 30 --max-retries 2 --max-rtt-timeout 200000ms --exclude-ports 9100-9120,515,6101,631,59100,10001,9400,9500,9999,1058,721-731,1023,2000,2501,2503,3001,6869 --script auth,vuln,discovery,safe,ssl* 192.168.1.1/24 

...

Firewall Scan - Error Connecting to Server

If you encounter a firewall scan error when connecting to the server, it may be due to communication or a bad username and password. Please verify that the firewall is communicable from the Probe agent machine via SSH or API. 

...

AD Audit Scan Issues / Alerts Not Running

Run the script below 

ActiveDirectory_AuditEnable_GPO-Policy.zip 

Modify a user/computer/security group and verify if alerts are coming correctly. 

...

Validation for Mapped Credentials

Validation of Mapped credentials can be performed from the portal itself, and the same can be viewed in the cyberutilites.log located in the "C:\Program Files (x86)\CyberCNSAgent\logs

...

  1. Select the Validate Credential scan type and click on save 

...

Verify Windows Default Application Version Issue

Use the below command

Code Block
Get-AppxPackage -AllUsers | Where-Object {$_.Name -Like "appName"} 

Sample: Get-AppxPackage -AllUsers | Where-Object {$_.Name -Like "Microsoft.Microsoft3DViewer"} 

...

Enable SMB in Remote Host for Probe to Assess OS and Application Vulnerabilities

Run the below command on the reported host and initiate a scan.

...

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f 

...

Vulnerabilities for Browser Extension Program

To determine the issue with the browser extension, the below osqueryi can be executed 

...

Code Block
SELECT name, browser_type,version,path,sha1(name||path) as unique_id FROM chrome_extensions WHERE chrome_extensions.uid IN (SELECT uid FROM users) group by unique_id. 

...

V4 API General Information

V4 API Postman Collection

ConnectSecure API.postman_collection.json 

...

Prerequisites for General Scanning and Patching

Create an exception to ConnectSecure primary executables and dependencies in the agent installation folder.

...

  • connectsecurepatch.exe 

  • cybercnsagent.exe 

  • cybercnsagent_arm 

  • cybercnsagent_darwin 

  • cybercnsagent_linux 

  • cybercnsagentmonitor.exe 

  • cyberutilities.exe 

  • firewall_configs.zip 

  • main.ps1 

  • nmap.zip 

  • osqueryi.exe 

  • osqueryi_darwin 

  • osqueryi_arm 

  • osqueryi_linux 

  • scripts.zip 

  • vcruntime140.dll 

...

TLS 1.0 Vulnerability False Positive

  1. Open PowerShell as an administrator on the reported agent machine

  2. Navigate to the Agent NMAP folder
    cd C:\Program Files (x86)\CyberCNSAgent\nmap\

  3. Run the below NMAP command
    .\nmap.exe --script ssl-enum-ciphers -p 3389 <Target_IP>

Capture that output and share it with our engineering teams.

...

403 Error with Microsoft Entra ID CSP Integration

Please make sure that the user for granting consent to the application is part of the Admin Agent Security Group and has the Azure AD legacy MFA enabled.

...

Why Default Pre/Installed Patched Applications Still Showing

To verify the Windows default application version issue, the below command can be used:

...

Sample: Get-AppxPackage -AllUsers | Where-Object {$_.Name -Like "Microsoft.Microsoft3DViewer"} 

...

Getting Password Alert/User Login Alerts with Bad Password Attempt

We do password brute force attempts with our nmap and the snmp scanning below shows the usernames that are used.

...

Info

NOTE: Any users other than the ones provided in the list above is outside the purview of ConnectSecure and are not detected or supported for alerting

...

Patched Assets Not Listed

For the Windows version related to "KB" security patch-related issues and queries? Run the below and share the output from the reported machine. 

  1. wmic qfe get HotfixID | findstr /v HotFixID 

  2. $UpdateSession = New-Object -ComObject "Microsoft.Update.Session"; $UpdateSearcher = $UpdateSession.CreateUpdateSearcher(); $Results = $UpdateSearcher.Search("IsInstalled=1"); $updates = ForEach($update in $Results.Updates) {"KB"+[String]$update.KBArticleIDs}; $updates 

  3. Also, please run the below queries in PowerShell as Administrator and share the output with us 
    -> Navigate to CyberCNSAgent folder 
    cd "C:\Program Files (x86)\CyberCNSAgent" 
    -> Run the below command 
    .\osqueryi.exe 

  4. select  CONCAT('KB',replace(split(split(title, 'KB',1),' ',0),')','')) as hotfix_id,description, datetime(date,'unixepoch') as install_date,'' as installed_by,'' as installed_on from windows_update_history where title like '%KB%' group by split(split(title, 'KB',1),' ',0); 

  5. select hotfix_id,description,installed_by,install_date,installed_on from patches group by hotfix_id; 

...

Active Directory Data Not Loading (OU, Users, Computers, GPO)

Please execute the below scripts and send the output for our team to debug:

...

Is Reboot Required?

Run the below script and verify the reboot status:

Validate_reboot_required.ps1 

...

Cyberutilities.log Errors When SMB Not Enabled

The error: "failed to connect to '192.1.0.1:445': [winerror 10060] a connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond"}
2024-08-05 15:38:07,098 INFO smbClient execute_exec 665 SMB scan completed for 192.168.163.62 with status 0 output  err CyberCNS Agent 

Note: For the above error customer must enable the SMB protocol on the remote host 

...

Enable SMB Communication with PowerShell Commands

These commands will help set SMB to True and help successfully scan an asset.

...

  • reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

...

ConnectSecure V4 Agent Update Script

This script can help with basic troubleshooting when the agent is not showing online and will ensure the CyberCNSAgent.exe is validated and running the latest version.

...

Note

You must replace and update the 'x' with your Company and Tenant ID

image-20240502-155621.png

Checking Logs

...

Agent Logs - work in progress

...

...

Error Installing vc_dist.x86.exe

Install the "VC_redist.x86.exe" manually from the cybercns agent folder and verify by initiating the scan once. The file is in "C:\Program Files (x86)\CyberCNSAgent\nmap". 

...

Error Installing npcap.exe

Install the "npcap.exe" manually by downloading it using the link below and verify by initiating the scan once. 

https://npcap.com/dist/npcap-1.79.exe 

...

Error SMB Enabled but Username or Password Invalid

Port 445(SMB):- Error in validating AD Credentials:- response error: The attempted logon is invalid. This is either due to a bad username or authentication information. Port 636(LDAPS):- LDAP Result Code 200 "Network Error": read tcp 10.0.1.154:50974->10.0.1.153:636: wsarecv: An existing connection was forcibly closed by the remote host. Port 389(LDAP):- LDAP Result Code 49 "Invalid Credentials": 80090308: LdapErr: DSID-0C09050E, comment: AcceptSecurityContext error, data 52e, v4f7c 

...

Check Agent Offline Status

How To: Check Agent Offline Status

...

Patching Zoom Application System Restart/Reboot

To de-bug check Event Viewer logs in agent machine.

...

Credential Scan failing

Please use validate SMB process

...