Remotely installing MMA Agent for Sentinel

So, there was a mission to install the (Microsoft Monitoring Agent) MMA agent on lots of servers and configure them for Sentinel service, so here the mission goes like this, you mission might be different, however I required the MMA agent and a proxy string to set those servers to use a log collector, outlined like this:

  1. Install MMA agent linked to workspace ID and workspace key
  2. Configure the MMA agent to use a proxy (in this instance that proxy was the Sentinel collector servers)
MMA Agent Share and Path

Right so first we need the MMA setup files which will be hosted a server that uses an SMB share, in this instance the file is called "MMASetup-AMD64.exe"

Once you have the file location for this executable you will make a note of the file path which for this example is, and ignore the name, but what a wicked name for threat actors there, almost like opening the door to some ass kicking there πŸ˜‰

Note : Remember if you have a space in your file path you will need to enclose it in "quotes"

MMA Agent Share : \\smb-shares.bear.local\MMA$
MMA Agent Share Path : \\smb-shares.bear.local\MMA$\MMASetup-AMD64.exe

How to : If MMA is not installed at the moment (if installed already see below)

Right, now the desire to visit all the servers in the domain and manually install an agent, then set a proxy string was not really very motivating, so lets get some "psexec" magic done here and we will cover the "PowerShell" magic later on, however psexec in this instance has some magical switches over PowerShell.

MMA Agent Settings

These values are generated by a random hex-generator so they are not actual values for a real workspace in Azure, you can generate you own Hex values here

Workspace ID: ce6541b6-31b9-0319-a4c4-ac28b7b71fee
Workspace Key: n#}!}Z#QLi.U}H5CDC+MwCPgomP6m_i.TVW,Utq)?pWpDebLJ%U

You will need these settings for the next bit.....

Remotely install MMA

This command will copy the file to the target server, then run that file automatically for you with the "unattended" values and run it with low CPU usage:

psexec.exe -c -h -low \\<target_server> \\<smb-share-path> /Q:A /R:N /C:"setup.exe /qn ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_ID=<workspace_ID> OPINSIGHTS_WORKSPACE_KEY=<workspace-key> AcceptEndUserLicenseAgreement=1"

All the stuff you need to change is in BOLD its a case of adding the value you have already got before, so that command looks like this:

psexec.exe -c -h -low \\mmatest.bears.local \\smb-shares.bear.local\MMA$\MMASetup-AMD64.exe /Q:A /R:N /C:"setup.exe /qn ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_ID=ce6541b6-31b9-0319-a4c4-ac28b7b71fee OPINSIGHTS_WORKSPACE_KEY=n#}!}Z#QLi.U}H5CDC+MwCPgomP6m_i.TVW,Utq)?pWpDebLJ%U AcceptEndUserLicenseAgreement=1"

How to : If MMA or OMS is installed at the moment

If MMA or OMS is installed already then you need to update the configuration to complete this use the code below, update the values in bold to match your environment:

[CmdletBinding()]
param (
    [string]$RemoteServer="OMSAgent"
    )
[string]$LocalFile = "<MMA Agent EXE/MSI location>"
[string]$WorkspaceId = "<workspace-id>"
[string]$WorkspaceKey = "<worksapce-key>"

#Create a PSSession to the RemoteServer
$Session = New-PSSession -ComputerName $RemoteServer

#Check for the existence of C:\Windows\temp\MMASetup first and if it doesn't exist then create it
$Path = Test-Path -Path "\\$RemoteServer\c$\windows\temp\mmasetup"
    if ( $Path -eq $false ) { Invoke-Command -Session $Session -ScriptBlock { New-Item -ItemType Directory -Path c:\Windows\temp\mmasetup } }

#Copy the OMS agent ( momagent.msi ) from where we are executing the script to the target server
[string]$LocalFile = "C:\Temp\momagent.exe"
Copy-Item -Path $LocalFile -Destination "\\$RemoteServer\c$\windows\temp\MMASetup\momagent.exe"

#Install the Microsoft Monitoring Agent on the target server
$ScriptBlockContent =
    {
    Start-Process -FilePath "$env:systemroot\system32\msiexec.exe" -ArgumentList "/i","c:\windows\temp\mmasetup\momagent.exe","/qn","/l*v",
    "C:\windows\temp\mmasetup\MMAAgentInstall.log","NOAPM=1","AcceptEndUserLicenseAgreement=1" -Wait -NoNewWindow
    }
Invoke-Command -Session $Session -ScriptBlock $ScriptBlockContent
Start-Sleep -Seconds 60

#Configure the Microsoft Monitoring Agent with the Log Analytics workspace information
Invoke-Command -Session $Session -ScriptBlock {    
    $Mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
    $AddWorkspace = $Mma.AddCloudWorkspace($Using:WorkspaceId, $Using:WorkspaceKey)
    $AddWorkspace
    $ReloadConfig = $Mma.ReloadConfiguration()
    $ReloadConfig
    }
To run this, navigate to folder the script file is in and run:

./MMA.ps1 -RemoteServer <server name>

Remote set "proxy" string

This may not be required for your unique environment, so if its not ignore this section from this guide, however its covered here for people who do need it.

That will look like this, again amend the values in bold for your environment:

psexec.exe -low \\<target_server> reg add HKLM\SYSTEM\CurrentControlSet\Services\HealthService\Parameters /v "Http Connection Proxy Url" /t REG_SZ /d "<proxy-server><proxy-port>"

This means for my environment the command would look like this:

psexec.exe -low \\mmatest.bears.local reg add HKLM\SYSTEM\CurrentControlSet\Services\HealthService\Parameters /v "Http Connection Proxy Url" /t REG_SZ /d "logcollector.bears.local:6700"

Confirm it worked

You will know this was worked when you get data from that server to your log collector, however if you would like to visually check a server, then login and head to the control panel (not the settings) and find the "Microsoft Monitoring Agent" in there, like this:



Open this up and navigate to the OMS tab then check the status contains a green tick to confirm its connected.



However if your looks like this, then you cannot talk Azure and probably need a proxy to get data to the data collector, in this case run the proxy section of this guide.



Previous Post Next Post

Ω†Ω…ΩˆΨ°Ψ¬ Ψ§Ω„Ψ§ΨͺΨ΅Ψ§Ω„