CyberCNS Global Deployment V4 Agent

Morning,

I’m not sure how many use CyberCNS who are aware of their recent change from V3 to V4, but it seems like the PowerShell variables for the lightweight agent install script have changed and some of the parameters required from the V3 script in the Global Deployment seem to be missing from the V4 install script. I’m unsure if this is going to require the Global Software deployment to be updated, but for example the Client Secret is missing from the V4 script when it’s required for the ImmyBot deployment and listed in V3. In the replies I’ll attach example scripts from test companies to showcase the differences.

V3:

V4:

Jumping on this to hopefully increase visibility. We will certainly need the ConnectSecure v4 deployment package as well going forward.

Same for us as well.

I’m working on this.
When you create the download link for the agent through ConnectSecure, it will expire in 24 hours.

I couldn’t find the API endpoint in the ConnectSecure documentation for generating the download link. However, by scraping it, I managed to find the endpoint.
In case you need it, here is the endpoint:
https://configuration.myconnectsecure.com/api/v4/configuration/agentlink?ostype=windows

Installation: Connect Secure Setup Install Script

# $ArgumentList = @(
#     "-c $CompanyID",
#     "-a $ClientID",
#     "-i $InstallationType"
# )


$Arguments = "-c $CompanyID -e $ClientID -i $InstallationType"

$Process = Start-Process -Wait $InstallerFile -ArgumentList $Arguments -Passthru
Write-Host "ExitCode: $($Process.ExitCode)"

Uninstallation: Connect Secure Uninstallation Script

cd "C:\PROGRA~2"
sc stop ConnectSecureAgentMonitor
timeout /T 5 > nul
sc delete ConnectSecureAgentMonitor
timeout /T 5 > nul
sc stop CyberCNSAgent
timeout /T 5 > nul
sc delete CyberCNSAgent
ping 127.0.0.1 -n 6 > nul
taskkill /IM osqueryi.exe /F
taskkill /IM nmap.exe /F
taskkill /IM cyberutilities.exe /F
taskkill /IM cybercnsagent.exe /F
CyberCNSAgent\cybercnsagent.exe --internalAssetArgument uninstallservice
rmdir CyberCNSAgent /s /q

Configuration Task : Connect Secure Configuration Task

param(
[Parameter(Position=0,Mandatory=$True,HelpMessage=@'
 -c, --companyId string              CompanyID
'@)]
[String]$CompanyID,
[Parameter(Position=1,Mandatory=$True,HelpMessage=@'
 -e, --tenantId string                TenantID
'@)]
[String]$ClientID,
[Parameter(Position=2,Mandatory=$False,HelpMessage=@'
-i, --installAgent                   Install Agent
      --internalAssetArgument string   For Agent Internal Usage
'@)]
[ValidateSet('Probe','Lightweight')]
[String]$InstallationType='Lightweight'
)

Dynamic Versions: ConnectSecure Agent Dynamic Versions

Get-DynamicVersionsFromUrl `
    -URL 'https://configuration.myconnectsecure.com/api/v4/configuration/agentlink?ostype=windows' `
    -VersionsURLPattern '(?<Uri>https://.*.cloudflarestorage.com/connectsecure-use/agents/(?<Version>[\d\.]+)/windows/(?<FileName>cybercnsagent.exe)[^""]*)'

@Anthony_Birone has been working with an Immy partner who has access to CyberCNS poking at it as ideally we would be making a new software and obtain the CompanyID ClientID etc from the API which would then be able to be used as a cross tenant deployment, however it appears CyberCNS isn’t allowing this with their new portal yet…

@RodrigoM did you do anything different with version detection or did the regex for the existing global software match with their new version?
Do you know if this would require an uninstall/install to update or does installing over the existing old agent with the new one work?

Hi @Gav
Yes, I made a new way to find out the version using Regex for the latest update, and I can confirm that it now correctly identifies the newest version from the URL link.
Currently, I’m developing a download script that will identify the latest version from the API and then download it for the deployment process.

@Gav This week was my first experience with ConnectSecure, so I don’t have any information about the previous version. I’m confident that the following command will remove ConnectSecureV4:

cd "C:\PROGRA~2"
sc stop ConnectSecureAgentMonitor
timeout /T 5 > nul
sc delete ConnectSecureAgentMonitor
timeout /T 5 > nul
sc stop CyberCNSAgent
timeout /T 5 > nul
sc delete CyberCNSAgent
ping 127.0.0.1 -n 6 > nul
taskkill /IM osqueryi.exe /F
taskkill /IM nmap.exe /F
taskkill /IM cyberutilities.exe /F
taskkill /IM cybercnsagent.exe /F
CyberCNSAgent\cybercnsagent.exe -r
rmdir CyberCNSAgent /s /q

Thanks for sharing your findings @RodrigoM!

Apologies, I was trying to confirm how you were doing version detection for if the software was installed like this:

Does the new agent match the same way for detection here or did you do something different? (I’ve not seen any new agent installed yet myself to know how it displays in add/remove programs.)

I’m not familiar with CyberCNS. I got assigned a task to set up an agent for ConnectSecureV4. Here’s what I did:

For dynamic versions (to download and use the latest version for deployment):

Get-DynamicVersionsFromUrl `
    -URL 'https://configuration.myconnectsecure.com/api/v4/configuration/agentlink?ostype=windows' `
    -VersionsURLPattern '(?<Uri>https://.*.cloudflarestorage.com/connectsecure-use/agents/(?<Version>[\d\.]+)/windows/(?<FileName>cybercnsagent.exe)[^""]*)'```

Another Immy partner asked us to build a dynamic integration with CyberCNS V4. We attempted to do so but were told by CyberCNS that the V4 API was not ready for production. They informed us that they were not allowing anyone to create V4 API keys.

I believe you can continue using the V3 deployment, as the agent is supposed to upgrade to V4.

V4 API has now been released

V4 MSI is working

Installation Script

$Arguments = @"
/c msiexec /i "$InstallerFile" /qn /norestart /l*v "$InstallerLogFile" WRAPPED_ARGUMENTS="-c $CompanyID -e $ClientID -i"
"@
Write-Host "Running: $Arguments"
$Process = Start-Process -Wait cmd -ArgumentList $Arguments -Passthru
Write-Host "ExitCode: $($Process.ExitCode)"

if ($Process.ExitCode -ne 0) {
    Get-Content $InstallerLogFile -ErrorAction SilentlyContinue
}