
Wake-on-LAN with Tanium

Ops teams perpetually exist between a rock (Users) and a hard place (InfoSec). Workstations require ongoing deployments to receive new configurations, software, and updates, but doing so too aggressively causes an uproar. To avoid this, Ops teams tend to deploy in the evenings to systems that are online. Unfortunately, many users have a tendency to turn off their systems, and you may have reason to wake them up. Luckily, one needn’t rage to wake up these machines; some simple scripts will get the job done.

I recently had the opportunity to discuss the content with Ashley McGlone on the Go Tanium Tech Talks show. Check it out ^_^

Theory of Use

The content in this post is intended to address three potential needs of Ops teams:

  1. Focused Broadcast: All targeted peers send Magic Packets to a given MAC address if that MAC address is in their ARP cache.
  2. Subnet-Directed Broadcast: All targeted members of a given subnet send Magic Packets to all entries in their respective ARP caches.
  3. Global Broadcast: All targeted endpoints send Magic Packets to all entries in their respective ARP caches.

The Tanium platform does not yet offer a native solution for waking systems up. The platform does, however, use a client peering architecture that makes this functionality very attainable.

The Solution(s)

The linear peer chain that is the foundational element of Tanium client communications gives us a unique opportunity when paired with the Get-NetNeighbor cmdlet (ARP cache) and a community-sourced script for creating and distributing magic packets with PowerShell.

Send-Packet Script

The Send-Packet function was sourced from here and adapted by Ammaar Limbada based on content originally written by Matthijs ten Seldam. This script takes a given MAC address and uses PowerShell and .NET to construct and send a magic packet. The controller script dot-sources this content both for clarity and to ensure ease of attribution.

Controller Script – wakeController.ps1

The controller script is what the Tanium Package will selectively invoke on endpoints to achieve Wake-on-LAN.

Tanium Sensor – Find Net Neighbor

The critical elements of the Find Net Neighbor sensor are as follows. Please refer to the reference image to see the full-resolution details.

  • Name: Find Net Neighbor
  • Description: Validate whether or not an endpoint has had network connectivity with a given MAC address and return true or false.
  • Parameter
    • Key: MAC_Address
    • Label: MAC Address (Link Layer Address)
    • Options: Provide Help Text
      • ex. FF:FF:FF:FF:FF:FF
    • Validation Expressions:
      • ([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})
      • Please enter a valid MAC Address
  • Script
  • Reference Image: Tanium Sensor – Find Net Neighbor
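The three pieces described above (the magic-packet sender, the wakeController logic, and the Find Net Neighbor sensor check) as one added PowerShell illustration. This is not the post's Send-Packet, wakeController.ps1 or sensor script; the function names are my own, and it assumes colon- or dash-separated MACs and the NetTCPIP module for Get-NetNeighbor.

```powershell
# Added illustration; not the post's Send-Packet, wakeController.ps1 or sensor scripts.
# Needs the NetTCPIP module (Get-NetNeighbor), i.e. Windows 8 / Server 2012 or later.
function Send-MagicPacket {
    # Magic packet = 6 x 0xFF followed by the target MAC repeated 16 times (102 bytes),
    # sent to the IPv4 limited-broadcast address on UDP/9.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$')]  # colon/dash forms only
        [string]$MacAddress,
        [int]$Port = 9
    )
    $hex = $MacAddress -replace '[:-]', ''
    $macBytes = for ($i = 0; $i -lt 12; $i += 2) { [Convert]::ToByte($hex.Substring($i, 2), 16) }
    $packet = [byte[]](@(0xFF) * 6 + @($macBytes) * 16)
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.EnableBroadcast = $true
        $udp.Connect([System.Net.IPAddress]::Broadcast, $Port)
        [void]$udp.Send($packet, $packet.Length)
    } finally { $udp.Dispose() }
}

function Get-CachedNeighborMac {
    # Unique MACs in the local ARP cache; Permanent (broadcast/multicast) entries are excluded
    # by the -State filter, incomplete entries by the all-zero check.
    Get-NetNeighbor -AddressFamily IPv4 -State Reachable, Stale, Delay, Probe |
        Where-Object { $_.LinkLayerAddress -and $_.LinkLayerAddress -ne '00-00-00-00-00-00' } |
        ForEach-Object { ($_.LinkLayerAddress -replace ':', '-').ToUpper() } |
        Sort-Object -Unique
}

function Test-NetNeighbor {
    # Find Net Neighbor sensor logic: True if this endpoint's ARP cache holds the given MAC.
    param([Parameter(Mandatory)][string]$MacAddress)
    $wanted = ($MacAddress -replace ':', '-').ToUpper()
    [bool](Get-CachedNeighborMac | Where-Object { $_ -eq $wanted })
}

function Invoke-WakeController {
    # wakeController logic: the package default FF:FF:FF:FF:FF:FF wakes every cached neighbour
    # (subnet-directed / global modes); any other MAC is a focused wake, sent only when cached.
    param([string]$TargetMAC = 'FF:FF:FF:FF:FF:FF')
    $targets = if ($TargetMAC -match '^FF([:-]FF){5}$') { Get-CachedNeighborMac }
               elseif (Test-NetNeighbor -MacAddress $TargetMAC) { @($TargetMAC) }
               else { @() }
    foreach ($mac in $targets) { Send-MagicPacket -MacAddress $mac }
    @($targets).Count   # number of magic packets sent
}
```

Run `Invoke-WakeController -TargetMAC 00-25-22-A2-5D-24` on a peer for a focused wake, or with no argument for the broadcast modes; a return value of 0 means nothing matched the ARP cache.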

Tanium Package – Tanium Wake-on-LAN

  • Package Name: Tanium Wake-on-LAN
  • Display Name: Tanium Wake-on-LAN
  • Command: cmd /c powershell.exe -ExecutionPolicy Bypass -File ".\wakeController.ps1" -TargetMAC $1
  • Files
  • Parameter $1
    • Label: TargetMAC
    • Options
      • Provide Default Value
        • FF:FF:FF:FF:FF:FF
      • Provide Max Chars
        • 17
      • Validate Expressions
        • ([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})
        • Please provide a valid MAC address.
  • Reference Image: Tanium Package – Tanium Wake-on-LAN

Usage

There are three ways to utilize this content once it is all assembled within Tanium.

Focused Broadcast

A Focused Broadcast requires a MAC address. This data can be found for a given endpoint within Asset and may also be available as a cached result depending on your environment. You may also be able to refer to your CMDB for this information.

If the MAC Address Sensor is registered, you can use the following question to get the information:

Get MAC Address from all machines with computer name matches SomeOfflineEndpoint

Let’s say that the MAC address for the previous example was 00-25-22-A2-5D-24. We then need to ask the following question:

Get Online from all machines with ( Is Windows equals True and Find Net Neighbor[00-25-22-A2-5D-24] equals True )

Select the True column and click Deploy Action. In the Action Deployment screen, select the Tanium Wake-on-LAN package, enter [YourTargetMACAddress] into the TargetMAC parameter, select any other options you believe relevant, and then Preview / Deploy Action.

Subnet-Directed Broadcast

This option largely mirrors the Focused Broadcast but does not require a specific MAC address. You will instead target by subnet. An example question that can provide a list of your client subnets is shown below:

Get Tanium Client Subnet from all machines with ( ( Tanium Back Peer Address equals NoAddress_NoAddress and all Tanium Peer Address not equals NoAddress_NoAddress and Windows OS Type contains workstation ) or ( Tanium Peer Address equals NoAddress_NoAddress and all Tanium Back Peer Address not equals NoAddress_NoAddress and Windows OS Type contains workstation ) or Is Virtual contains no )

Note: I specifically use the Tanium Peer Address / Tanium Back Peer Address logic to exclude devices with no peers because sending this content to Isolated / VPN subnets serves no purpose and needlessly consumes bandwidth.

Select the column(s) of the subnet(s) whose clients you wish to wake and click Deploy Action. Select the Tanium Wake-on-LAN package in the Action Deployment screen, leave the default TargetMAC parameter in place, select any other options you believe relevant, and then Preview / Deploy Action.

Global Broadcast

This option is similar to the Subnet-Directed Broadcast, except that you will target all physical workstations.

Get Online from all machines with ( ( Tanium Back Peer Address equals NoAddress_NoAddress and ( all Tanium Peer Address not equals NoAddress_NoAddress and Windows OS Type contains workstation ) ) or ( ( Tanium Peer Address equals NoAddress_NoAddress and ( all Tanium Back Peer Address not equals NoAddress_NoAddress and Windows OS Type contains workstation ) ) or Is Virtual contains no ) )

Select the True column and click Deploy Action. Select the Tanium Wake-on-LAN package in the Action Deployment screen, leave the default TargetMAC parameter in place, select any other options (Consider Distribute Over Time) you believe relevant, and then Preview / Deploy Action.

It probably goes without saying, but one should proceed cautiously with a Global Broadcast. Using Distribute Over Time with the Tanium Wake-on-LAN package is advisable if you suspect that some locations have a lot of sleeping systems.

Disclaimer: Any code made available on this site is free to use at your own discretion, but it is provided without any explicit or implied guarantees of support, reliability, or functionality. I accept no responsibility in the event that the code, in its original form or any derivative versions thereafter, malfunctions or causes problems. Anything from this site that you decide to work with should be tested thoroughly in development environments in collaboration with your Technical Account Manager (TAM) until such time that you, the responsible party, decide that you are satisfied with its outcomes.
