DataSecurity Plus shuwtdown script

DataSecurity Plus shuwtdown script

I'm trying to use the shutdown script for the ransomware event (slightly modified from sample) but i'm unable to get the computer and user causing the alert.

i've setup the alert to launch this script

C:\scripts\triggerShutdown.bat %user_name% %server_name% (i know the parameters are'nt the correct one but i'm trying everything...)

the script look like this:

@echo off
c:
cd \scripts
date /t >> alert.log
time /t >> alert.log
echo %1 %2 %3 %4 %5 %6 %7 %8 %9  >> alert.log

REM net use \\%1 <password> /USER:<username>

REM c:\pstools\pskill -nobanner -t \\%1 %2 >> >> alert.log
REM shutdown.exe /s /m \\%1 /t 0 >> >> alert.log

and in my log i've this

Wed 02/05/2020 
01:26 PM
%user_name% %server_name%

instead of the real user name and server name

and in the application log  (C:\Program Files (x86)\ManageEngine\DataSecurity Plus\logs\ReportLog_2020-02-05.txt) i've this

[13:26:05:178]|[02-05-2020]|[ReportLogger]|[INFO]|[126]: Executing command C:\scripts\triggerShutdown.cmd %user_name% %server_name% |
[13:26:05:178]|[02-05-2020]|[ReportLogger]|[INFO]|[126]: Sending alert mail to XXX
[13:26:05:178]|[02-05-2020]|[ReportLogger]|[INFO]|[126]: Executing command C:\scripts\triggerShutdown.cmd %user_name% %server_name% |
[13:26:05:178]|[02-05-2020]|[ReportLogger]|[INFO]|[126]: Sending alert mail to XXX
[13:26:05:178]|[02-05-2020]|[ReportLogger]|[INFO]|[126]: Executing command C:\scripts\triggerShutdown.cmd %user_name% %server_name% |
[13:26:05:194]|[02-05-2020]|[ReportLogger]|[INFO]|[126]: Sending alert mail to XXX
[13:26:05:194]|[02-05-2020]|[ReportLogger]|[INFO]|[126]: Executing command C:\scripts\triggerShutdown.cmd %user_name% %server_name% |

so it seem that the product do not pass the parameters as i expext  from what i've read from online help

    Executables and Batch Scripts -

    Format: filename [parameter1] [parameter 2] [parameter n]

    Example 1: C:\users\test.bat

    Example 2: C:\users\demo.bat %user_name% %server_name%

    Example 3: C:\users\example.exe

     
  1. List of all parameters which can be used:

    • %user_name% will be replaced with the name of the user who generated the alert.

    • %server_name% will be replaced with the name of the server where the alert was generated.

    • %user_sid% will be replaced with the SID of the user who generated the alert.

    • %local_path% will be replaced with the location of the file for which the event was generated.

    • %process_name% will be replaced with the name of the process that generated the event.

    • %old_share_path% will be replaced with the old location of the file for which the event was generated.

    • %new_share_path% will be replaced with the new location of the file for which the event was generated.

    • %client_ip% will be replaced with the ip of the client host.

    • %client_host% will be replaced with the name of the client host. 

at this point i'm really stumped...