Install ThreatLocker Agent Scripted action broken?

Is the Scripted action to install ThreatLocker working for anyone? It seems to me ThreatLocker might have added an authentication requirement that is causing it to fail. I get the Failed to get GroupId result. I tried piecing together the Invoke-RestMethod piece, and running it in Powershell, and I got this error: 

401 - Unauthorized: Access is denied due to invalid credentials.

Weirdly, if I put in a new $ThreatLockerOrgName, the organization was added in the ThreatLocker portal. I just wasn't getting the response needed to build $GroupId. 

I think I have a workaround though. I'm going to download the generic stub installer and run it with parameters to set the instance, company, and key. 


Comments (3 comments)

Nick Wagner

Hi Peter. Thanks for bringing up. It looks like ThreatLocker has changed their api somewhat, and we're working on an update to the script that should get it working again.

Peter Yasuda
(Edited)

Hi Nick, 

In case it helps, here's what worked for me. There are 2 items I have hard coded that you'll want to fix: the instance, which is X for us (not really), and the rmm, which is Kaseya for us. You probably don't need the x86 installer; this was adapted from something run on physical machines. 
 
 
# description: Install the ThreatLocker agent. Rewritten based on the Kaseya VSA procedure.
# execution mode: Individual
 
<#
Notes:
This script borrows heavily from the Kaseya VSA procedure. 
These Secure Variables must be set (Secure Variables have a 20 character maximum):
  1. ThreatLockerUniqueId = The unique identifier GUID assigned 
  2. ThreatLockerOrgId = The organization identifier, listed under the Organization Name in the ThreatLocker portal
The ThreatLocker Instance, X, is hard coded, as is the rmm, kaseya.
#>
 
# Configure powershell logging
$SaveVerbosePreference = $VerbosePreference
$VerbosePreference = 'continue'
$VMTime = Get-Date
$LogTime = $VMTime.ToUniversalTime()
mkdir "$env:windir\Temp\NerdioManagerLogs\ScriptedActions\ThreatLockerInstall_sa" -Force | Out-Null
Start-Transcript -Path "$env:windir\Temp\NerdioManagerLogs\ScriptedActions\ThreatLockerInstall_sa\ps_log.txt" -Append -IncludeInvocationHeader
Write-Host "################# New Script Run #################"
Write-Host "Current time (UTC-0): $LogTime"
 
##### Required Variables #####
 
$ThreatLockerUniqueId = $SecureVars.ThreatLockerUniqueId
$ThreatLockerOrgId = $SecureVars.ThreatLockerOrgId
 
##### Script Logic #####
 
# Secure Variables check
if (($null -eq $ThreatLockerOrgId) -or ($null -eq $ThreatLockerUniqueId)) {
    Write-Host "ERROR: The secure variables ThreatLockerOrgId and/or ThreatLockerUniqueId are not provided"
    Exit 13
}
 
# Download x64 or x86 stub installer
if ([Environment]::Is64BitOperatingSystem) {
    $InstallerName = "threatlockerstubx64.exe"
    Write-Host "Download x64 stub installer"
}
else {
    $InstallerName = "threatlockerstubx86.exe"
    Write-Host "Download x86 stub installer"
}
# $DownloadURL was never assigned in the posted script. The location below is the stub
# installer path used by ThreatLocker's published deployment scripts (assumption; verify it for your instance).
$DownloadURL = "https://api.threatlocker.com/installers/$InstallerName"
$InstallerPath = Join-Path $Env:TMP $InstallerName
Invoke-WebRequest -Uri $DownloadURL -OutFile $InstallerPath
Write-Host "Stub installer downloaded to $InstallerPath"
 
# Install ThreatLocker
Write-Host "Installing ThreatLocker"
Start-Process $InstallerPath "Instance=`"X`" company=`"$ThreatLockerOrgId`" key=`"$ThreatLockerUniqueId`" rmm=`"kaseya`"" -Wait
 
# Wait 20 seconds, then check whether the ThreatLockerService service is running
Start-Sleep -Seconds 20
if ((Get-Service ThreatLockerService | Select-Object -ExpandProperty Status) -ne "Running") {
    Write-Host "ThreatLockerService service NOT running"
}
else {
    Write-Host "ThreatLockerService service is running"
}
 
# Delete the stub installer
Remove-Item $InstallerPath
Write-Host "Deleted $InstallerPath"
 
# End Logging
Stop-Transcript
$VerbosePreference = $SaveVerbosePreference
Nick Wagner

Thanks, Peter. I've updated the script to support an optional ThreatLockerInstance variable, which defaults to 'g' as the most common instance that most customers will be on. Also improved the output in case of errors.


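The two changes Nick describes (an optional ThreatLockerInstance Secure Variable that defaults to 'g', and clearer output on failure) are the pieces most people reading this thread will want to reproduce. The script below is an added example, not the Nerdio Scripted Action, the Kaseya VSA procedure, or ThreatLocker's own code. It assumes the Scripted Action runtime exposes $SecureVars, that the stub installer URL pattern matches ThreatLocker's published deployment scripts, and that the string "ThreatLocker" appears in the subject of the certificate the installer is signed with; the exit codes above 13 and the helper function names are made up for this example.

```powershell
# Added example (not Nerdio's, Kaseya's or ThreatLocker's code): a hardened variant of the install step.
# Assumptions: $SecureVars is supplied by the Scripted Action runtime; ThreatLockerInstance is an
# optional Secure Variable; the installer URL pattern is taken from ThreatLocker's public deployment
# scripts (verify for your tenant); "ThreatLocker" is assumed to appear in the signer subject.

function Get-ThreatLockerInstallArgs {
    param(
        [Parameter(Mandatory)] [string] $OrgId,
        [Parameter(Mandatory)] [string] $UniqueId,
        [string] $Instance = 'g',      # default instance, as in the updated Scripted Action
        [string] $Rmm = 'kaseya'       # value used in the post above; change to suit your RMM
    )
    # Each value is quoted so that spaces in the company name survive the command line
    return "Instance=`"$Instance`" company=`"$OrgId`" key=`"$UniqueId`" rmm=`"$Rmm`""
}

function Test-InstallerSignature {
    param([Parameter(Mandatory)] [string] $Path, [string] $ExpectedPublisher = 'ThreatLocker')
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Host "ERROR: installer signature status is $($sig.Status)"
        return $false
    }
    # Publisher match is an assumption for this example; pin to the exact subject you observe in production
    if ($sig.SignerCertificate.Subject -notmatch $ExpectedPublisher) {
        Write-Host "ERROR: installer signed by unexpected publisher: $($sig.SignerCertificate.Subject)"
        return $false
    }
    return $true
}

# --- main flow ---
foreach ($name in 'ThreatLockerOrgId', 'ThreatLockerUniqueId') {
    if ([string]::IsNullOrWhiteSpace($SecureVars.$name)) {
        Write-Host "ERROR: Secure Variable $name is not set"
        Exit 13
    }
}
$OrgId    = $SecureVars.ThreatLockerOrgId
$UniqueId = $SecureVars.ThreatLockerUniqueId
# Optional instance variable; fall back to 'g' when it is absent or blank
$Instance = if ([string]::IsNullOrWhiteSpace($SecureVars.ThreatLockerInstance)) { 'g' } else { $SecureVars.ThreatLockerInstance }

$arch = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
$InstallerName = "threatlockerstub$arch.exe"
$InstallerPath = Join-Path $env:TEMP $InstallerName
$DownloadURL   = "https://api.threatlocker.com/installers/$InstallerName"   # assumed pattern

try {
    Invoke-WebRequest -Uri $DownloadURL -OutFile $InstallerPath -ErrorAction Stop
}
catch {
    Write-Host "ERROR: download of $DownloadURL failed: $($_.Exception.Message)"
    Exit 14
}

# Do not execute a freshly downloaded binary as SYSTEM without checking who signed it
if (-not (Test-InstallerSignature -Path $InstallerPath)) {
    Remove-Item $InstallerPath -Force -ErrorAction SilentlyContinue
    Exit 15
}

$proc = Start-Process -FilePath $InstallerPath `
    -ArgumentList (Get-ThreatLockerInstallArgs -OrgId $OrgId -UniqueId $UniqueId -Instance $Instance) `
    -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    Write-Host "ERROR: stub installer exited with code $($proc.ExitCode)"
    Exit 16
}

# Poll for the service instead of one fixed sleep; -ErrorAction SilentlyContinue avoids a
# terminating error if the service has not been registered yet
$svc = $null
for ($i = 0; $i -lt 12 -and -not $svc; $i++) {
    Start-Sleep -Seconds 5
    $svc = Get-Service -Name ThreatLockerService -ErrorAction SilentlyContinue |
           Where-Object { $_.Status -eq 'Running' }
}
Remove-Item $InstallerPath -Force -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Host "ERROR: ThreatLockerService is not running after install"
    Exit 17
}
Write-Host "ThreatLockerService is running (instance '$Instance')"
```

The signature check is the one addition worth keeping even if you drop everything else: the script runs as SYSTEM on every host it is pushed to, so a tampered or mis-served download would otherwise be executed with full privileges. The distinct exit codes make the Scripted Action log tell you which stage failed (missing variables, download, signature, installer, or service start) without reading the transcript.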