Tool Update: Auto-OSSEC + MSI Builder

Let’s focus on that last one for a moment. One facet of securing your infrastructure is detecting intrusion, and one of the many tools that can be used to do this is OSSEC. OSSEC is a host intrusion-detection system that relies on agents deployed to workstations and servers. After an agent is installed, it is pointed at the IP address of an OSSEC server. The server is then used to generate a key for that agent, which must be copied and pasted into the agent’s configuration dialog. In a multi-agent deployment, this quickly becomes a tedious process.

That prompted Dave Kennedy to craft a solution: auto-ossec. Using auto-ossec is simple. It consists of a server-side Python script that can be run as a daemon on a Unix-based system, and a client-side Python script (or pre-made exe) that is executed with the IP address of the server. The client registers the agent, requests an authentication key, and saves the key to the agent’s configuration.

However, this still had to be done individually on every host where the agent was installed. Now we have provided another option. By using GPO to deploy an MSI file, agents can be registered via auto-ossec across an entire Windows domain (or any subset of it).

Two files have been added to the GitHub repository for auto-ossec. The first is a .wxs file, a WiX Toolset source file containing the definitions needed to build an MSI. The second is a PowerShell script called Create-MsiForAutoOSSEC. When run, the PowerShell script prompts for the OSSEC server’s IP address and uses it to build an MSI. That MSI can then be deployed via GPO across a Windows domain. Executing the MSI runs the pre-compiled exe version of auto-ossec with the OSSEC server’s IP address as its argument. After a successful registration, the same GPO process can be used to uninstall the MSI, which removes the auto-ossec exe from the system.
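The build step described above, written out as an added illustration rather than the project’s own Create-MsiForAutoOSSEC script. It assumes the WiX v3 command-line tools (candle.exe and light.exe) are on the PATH, and that the .wxs file reads the server address from a WiX preprocessor variable named ServerIp; the file names and that variable name are assumptions, not taken from the repository.

```powershell
# Added example, not the project's script. Assumes a .wxs that references
# $(var.ServerIp), for instance in a CustomAction such as
#   <CustomAction Id="RunAutoOssec" Directory="INSTALLDIR"
#                 ExeCommand="[INSTALLDIR]auto_ossec.exe $(var.ServerIp)" />
param(
    [string]$WxsPath = ".\auto-ossec.wxs",   # assumed file name
    [string]$OutMsi  = ".\auto-ossec.msi"    # assumed output name
)

$ErrorActionPreference = "Stop"

# Prompt for the OSSEC server address. The value is baked into the MSI and
# then pushed to every host in the GPO scope, so refuse anything that is
# not a syntactically valid IPv4 address before building.
$serverIp = Read-Host "OSSEC Server IP Address"
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($serverIp, [ref]$parsed) -or
    $parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
    throw "'$serverIp' is not a valid IPv4 address."
}

# Compile: -d<name>=<value> defines a WiX preprocessor variable, so the
# address reaches the source as $(var.ServerIp).
$wixObj = [System.IO.Path]::ChangeExtension($OutMsi, ".wixobj")
& candle.exe -nologo "-dServerIp=$serverIp" -out $wixObj $WxsPath
if ($LASTEXITCODE -ne 0) { throw "candle.exe failed with exit code $LASTEXITCODE" }

# Link the object file into the MSI that the GPO will distribute.
& light.exe -nologo -out $OutMsi $wixObj
if ($LASTEXITCODE -ne 0) { throw "light.exe failed with exit code $LASTEXITCODE" }

# Record the hash of the artifact so the copy placed on the GPO share can be
# checked against what was actually built here.
$hash = (Get-FileHash -Algorithm SHA256 -Path $OutMsi).Hash
Write-Host "Built $OutMsi (SHA256 $hash) targeting OSSEC server $serverIp"
```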

Auto-OSSEC was written by Dave Kennedy – Founder and CTO at BDS.
MSI Builder functionality was added by Charles L. Yost – Security Developer at BDS.