The Cyber Hawk Level 1 scan process consists of two types of scan:
- Network Scan
- Local Scan (Push)
The first step in ensuring all the prerequisites have been met is to identify the type of network being assessed. Is it an Active Directory Domain or is it a Workgroup environment? Secondly, we need to determine whether or not the customer employs some type of Antivirus. Below is a list of prerequisites that should be met once these questions have been answered.
Network Scan prerequisites for a Domain Environment
Ensure the following Windows protocols and services can be reached on each machine joined to the domain (the local Windows Firewall must allow them, and the account used for the scan must have administrative rights on the target).
- WMI - Accounts for 95% of the data collected by the data collectors. The following article provides step by step instructions on how to create a GPO that allows access to WMI through the local Windows Firewall on machines joined to the Domain - https://support.rapidfiretools.com/hc/en-us/articles/360007604538-Configure-GPO-to-Allow-WMI-access-to-all-workstations-in-a-Domain-Environment
- Remote Registry - Used to query the Windows registry remotely on each machine joined to the network. The following KB article provides step by step instructions on how to set the Remote Registry service to start automatically - https://support.rapidfiretools.com/hc/en-us/articles/360007560757-Configuring-GPO-to-set-Remote-Registry-Service-to-Automatic
- ICMP - Is used to identify active endpoints on the network during the Network Scan. The data collector pings every address in the IP range specified in the Cyber Hawk's scan settings and only scans the addresses that respond, so a machine that drops ICMP echo requests is silently skipped rather than scanned.
- SNMP - Is used to scan network devices (i.e. routers, switches, printers, etc.).
Local Scan prerequisites for a Domain Environment
It is good to know how the automated local scan process works in order to understand how the prerequisites are used.
During the Local Scan Push process the Cyber Hawk will attempt to create a folder called NetworkDetective-NDA1-XXXX in the Admin$ share of each machine, where XXXX represents the appliance ID. Once the directory has been created it will copy over a self-extracting executable called NetworkDetectiveDatacollectorBins.exe. Next, it will launch the executable, which will extract all of the Cyber Hawk data collector executables into that folder.
Once the data collectors have been extracted it will launch the data collector executable to perform the scan. When the scan completes it will copy the scan file back to the Cyber Hawk server. After all the local scans have completed, the Cyber Hawk will merge the local scan data into the Network Scan database and save it to its repository, where it can then be processed by the alerting engine.
Note that this sequence (write an executable to Admin$, then start it remotely through WMI) is the same pattern that lateral-movement tooling uses, so Antivirus and EDR products frequently block or quarantine it. That is the reason for the Antivirus exceptions described further down, and it is also worth telling the customer's SOC the appliance ID and scan schedule so the activity is not mistaken for an intrusion.
- WMI - Is used to launch the data collectors on the remote machines.
- Admin$ (C:\Windows) - Is the location on the remote machines where the Cyber Hawk will create its working directory \NetworkDetective-NDA1-XXXX, where XXXX is the appliance ID.
Note: This is a temporary folder. Once the local scan completes the directory is removed leaving no footprints.
- .NET Framework - Used by the data collectors. The local scan data collector cannot run if .NET Framework 3.5 or later is not enabled on the target machine.
- Local Account Token Filter Policy - This only matters when the scan runs under a local (non-domain) account, which is the normal case on Workgroup machines. By default, UAC remote restrictions give any local administrator other than the built-in Administrator a filtered, non-elevated token when it connects remotely, so the Admin$ copy and the WMI launch fail with access denied. Domain accounts are not subject to this filtering. To allow any local admin to perform remote administrative tasks, run the following command from an elevated command prompt on each machine. Be aware that this setting also makes every local admin account usable for remote administration (and therefore for lateral movement if local admin passwords are shared between machines), so pair it with unique local admin passwords or use a dedicated domain account for the scan where one is available.
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
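The checks above can be run against the whole scan range before the first scan instead of discovering failures one machine at a time. The script below is an added example written for this article; it is not RapidFire Tools' code and it does not alter anything on the targets. It assumes Windows PowerShell 5.1 on a domain-joined admin machine, and the hostnames in $Targets are constructed placeholders to be replaced with the machines in the appliance's scan range. If -Credential is omitted, the current session's account is used, so run it as the account the appliance will scan with.

```powershell
# Added example (not RapidFire Tools' code): pre-flight check of the Cyber Hawk
# Level 1 prerequisites on a list of hosts. Read-only; nothing is changed.
[CmdletBinding()]
param(
    [string[]]$Targets = @('WS01', 'WS02'),   # constructed sample hostnames
    [pscredential]$Credential                 # optional: the account the scan will use
)

function Test-CyberHawkPrereqs {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [pscredential]$Credential
    )

    # Common arguments for the WMI (DCOM) calls below; Get-WmiObject uses DCOM
    # rather than WinRM, which matches how the data collectors reach the host.
    $wmi = @{ ComputerName = $ComputerName; ErrorAction = 'Stop' }
    if ($Credential) { $wmi.Credential = $Credential }

    $r = [ordered]@{ Host = $ComputerName }

    # ICMP: the Network Scan only touches addresses that answer a ping.
    $r.ICMP = Test-Connection -ComputerName $ComputerName -Count 1 -Quiet

    # WMI: most of the collected data and the local-scan launcher depend on it.
    try { $null = Get-WmiObject -Class Win32_OperatingSystem @wmi; $r.WMI = $true }
    catch { $r.WMI = $false }

    # Remote Registry: report StartMode/State so Disabled or Stopped stands out.
    try {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='RemoteRegistry'" @wmi
        $r.RemoteRegistry = '{0}/{1}' -f $svc.StartMode, $svc.State
    } catch { $r.RemoteRegistry = 'unreachable' }

    # Admin$: the push creates its working folder here, so the share must exist.
    try {
        $share = Get-WmiObject -Class Win32_Share -Filter "Name='ADMIN`$'" @wmi
        $r.AdminShare = [bool]$share
    } catch { $r.AdminShare = $false }

    # .NET 3.5 or later and LocalAccountTokenFilterPolicy, read through the
    # Remote Registry service (this call also proves that service is reachable).
    # OpenRemoteBaseKey always uses the current session's credentials.
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $v35  = $hklm.OpenSubKey('SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5')
        $v4   = $hklm.OpenSubKey('SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full')
        $r.DotNet = [bool](($v35 -and $v35.GetValue('Install') -eq 1) -or ($v4 -and $v4.GetValue('Release')))

        $pol = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System')
        $val = if ($pol) { $pol.GetValue('LocalAccountTokenFilterPolicy') } else { $null }
        # Only relevant when the scan account is a local admin other than the built-in Administrator.
        $r.TokenFilterPolicy = if ($null -eq $val) { 'default (filtered)' } else { $val }
        $hklm.Close()
    } catch {
        $r.DotNet = 'unknown'
        $r.TokenFilterPolicy = 'unknown'
    }

    [pscustomobject]$r
}

$results = foreach ($t in $Targets) { Test-CyberHawkPrereqs -ComputerName $t -Credential $Credential }
$results | Format-Table -AutoSize

# Hosts that fail a hard requirement; these are the ones the GPO and AV follow-up applies to.
$results | Where-Object { -not ($_.ICMP -and $_.WMI -and $_.AdminShare -and $_.DotNet -eq $true) }
```

A host that shows ICMP true but WMI false is almost always a Windows Firewall problem (apply the WMI GPO linked above); RemoteRegistry reported as Disabled/Stopped is fixed by the Remote Registry GPO; TokenFilterPolicy showing "default (filtered)" is only a problem if the scan uses a local account.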
NOTE: The prerequisites noted above affect Windows settings ONLY. They do not take Antivirus into consideration, therefore there may be cases where the following exceptions need to be added to the AV solution employed by the client.
Whitelisting Cyber Hawk executables in Antivirus programs.
Some Antivirus programs require the executable name, the executable path, or both in order to whitelist executables. Below is a list of the executables used by the Cyber Hawk as well as the path that needs to be whitelisted on each machine prior to the scan being performed. Keep in mind that a folder exclusion under C:\Windows means anything written to that path runs unscanned, so scope the exclusion to the listed executables where the AV product allows it and remove it when the scans are retired.
Executables used by the Cyber Hawk:
Path to executables
C:\Windows\NetworkDetective-NDA1-XXXX where XXXX is the appliance ID associated with that site in the Cyber Hawk portal and/or the Network Detective application.