
Chapter 5

Although you can already use PSExec, you can also leverage your endpoint security tools (EDR agents) to enhance your incident response procedures.

CarbonBlack

Tools

CarbonBlack

CarbonBlack provides Live Response capabilities.

Prerequisites

Install Carbon Black Python API

pip install cbapi

More information can be found on CarbonBlack API Documentation.

Configure the authentication profile(s)

You will need your Live Response API Token.

See CarbonBlack's API Credentials documentation to learn how to initialize the credentials file credentials.psc.

Utility

The target machine needs to have the Live Response feature enabled. This is reported by the LIVE_RESPONSE_ENABLED flag among the sensor's state flags.

The comae-carbonblack.py utility is available on our GitHub.

Step 1. List LR-enabled machines

PS comae-cli\python\tools> .\comae-carbonblack.py --list
  comae-carbonblack.py
  Comae Utility for CarbonBlack Live Response.
  Copyright (C) 2020, Comae Technologies DMCC <https://www.comae.com>
  All rights reserved.

[+] Devices with Live Response enabled (LR):

 ID        OS        Version              Hostname                                 IP Address
 --        --        -------              --------                                 -----------
  3336266 WINDOWS   Windows Server 2016 x64 DESKTOP-1234567                       XXX.XXX.XXX.XXX
  3090072 WINDOWS   Windows 10 x64       DESKTOP-1234567                          XXX.XXX.XXX.XXX
  3238121 WINDOWS   Windows 10 x64       DESKTOP-1234567                          XXX.XXX.XXX.XXX
  2044290 WINDOWS   Windows 10 x64       DESKTOP-1234567                          XXX.XXX.XXX.XXX
  3078944 WINDOWS   Windows 8.1 x64      DESKTOP-1234567                          XXX.XXX.XXX.XXX
  3141986 LINUX     Amazon Linux 2.0     aws-comae-2                              XXX.XXX.XXX.XXX
  2950646 WINDOWS   Windows 10 x64       DESKTOP-1234567                          XXX.XXX.XXX.XXX
  3263873 WINDOWS   Server 2012 R2 x64   SERVER-1234567                           XXX.XXX.XXX.XXX
  3099573 WINDOWS   Windows 10 x64       DESKTOP-1234567                          XXX.XXX.XXX.XXX
  2643397 WINDOWS   Windows 10 x64       DESKTOP-1234567                          XXX.XXX.XXX.XXX
  3090072 WINDOWS   Windows 10 x64       DESKTOP-ABCDEF                           YYY.YYY.YYY.YYY
  1161629 WINDOWS   Windows 7 x64 SP: 1  DESKTOP-1234567                          XXX.XXX.XXX.XXX
  2689956 WINDOWS   Windows 10 x64       DESKTOP-1234567                          XXX.XXX.XXX.XXX
  1155127 WINDOWS   Windows 7 x86 SP: 1  DESKTOP-1234567                          XXX.XXX.XXX.XXX
   607519 WINDOWS   Windows 7 x64 SP: 1  DESKTOP-1234567                          XXX.XXX.XXX.XXX
  3078750 WINDOWS   Windows 10 x86       DESKTOP-1234567                          XXX.XXX.XXX.XXX
  3238357 MAC       MAC OS X 10.15.1     192.168.1.4                              XXX.XXX.XXX.XXX
  (...)

Step 2. Action!

In this second step, we will choose one of the machines listed above and run the Comae utilities on it: DumpIt captures memory as a Microsoft crash dump, and the Comae PowerShell API sends the memory image to Comae Cloud for analysis.

You will need to pass 4 parameters to the script.

  • The device Id. (--device-id)
  • Your Comae Id. (--comae-client-id)
  • Your Comae Secret. (--comae-client-secret)
  • The full path to your Comae Toolkit local copy. (--comae-dir)

You can obtain your Comae Credentials from the Settings panel in the Comae Dashboard.

PS comae-cli\python\tools> .\comae-carbonblack.py --device-id 3090072 --comae-client-id <ComaeId> --comae-client-secret <ComaeSecret> --comae-dir C:\Users\msuiche\Downloads\Comae-Toolkit-3.0.20200224.1
  comae-carbonblack.py
  Comae Utility for CarbonBlack Live Response.
  Copyright (C) 2020, Comae Technologies DMCC <https://www.comae.com>
  All rights reserved.

[+] Selecting Device Id: 3090072

ID        OS        Version              Hostname                                 IP Address
 --        --        -------              --------                                 -----------
  3090072 WINDOWS   Windows 10 x64       DESKTOP-ABCDEF                           YYY.YYY.YYY.YYY

[+] Comae Directory: C:\Users\msuiche\Downloads\Comae-Toolkit-3.0.20200224.1

   Directory: C:\Comae\

 Length    Name
 ------    ----
        0 .
        0 ..
    18749 Comae.ps1
     1173 ComaeRespond.ps1
   625480 DumpIt.exe
        0 f63effa0-d13f-4792-ad06-817fb0297fdd

Memory image (DESKTOP-ABCDEF) successfully sent to Comae Cloud!
PS comae-cli\python\tools>
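The two steps above, as an added Python example (not the comae-carbonblack.py utility itself): Step 1 filters device records on the LIVE_RESPONSE_ENABLED sensor flag and renders the same table as --list; Step 2 stages DumpIt.exe, Comae.ps1 and ComaeRespond.ps1 through a Live Response session and launches the responder script. The device records are constructed, the session interface (put_file, create_process) is assumed and modelled on a cbapi LR session, and the ComaeRespond.ps1 parameter names are assumed; FakeSession stands in for a real session so the block runs offline.

```python
import ntpath  # join remote Windows paths correctly even when run from Linux

# Constructed sample of device records as the CarbonBlack PSC device API
# returns them (trimmed to the fields the listing needs).
SAMPLE_DEVICES = [
    {"deviceId": 3090072, "deviceType": "WINDOWS", "osVersion": "Windows 10 x64",
     "name": "DESKTOP-ABCDEF", "lastInternalIpAddress": "YYY.YYY.YYY.YYY",
     "sensorStates": ["LIVE_RESPONSE_ENABLED", "LIVE_RESPONSE_NOT_RUNNING"]},
    {"deviceId": 3141986, "deviceType": "LINUX", "osVersion": "Amazon Linux 2.0",
     "name": "aws-comae-2", "lastInternalIpAddress": "XXX.XXX.XXX.XXX",
     "sensorStates": ["LIVE_RESPONSE_ENABLED"]},
    {"deviceId": 1161629, "deviceType": "WINDOWS", "osVersion": "Windows 7 x64 SP: 1",
     "name": "DESKTOP-1234567", "lastInternalIpAddress": "XXX.XXX.XXX.XXX",
     "sensorStates": ["LIVE_RESPONSE_NOT_ENABLED"]},
]

def lr_enabled(devices):
    """Step 1: keep only sensors that report the LIVE_RESPONSE_ENABLED flag."""
    return [d for d in devices if "LIVE_RESPONSE_ENABLED" in d.get("sensorStates", [])]

def render_table(devices):
    """Format the selection like the utility's --list output."""
    fmt = "%9s %-9s %-20s %-40s %s"
    rows = [fmt % ("ID", "OS", "Version", "Hostname", "IP Address")]
    rows += [fmt % (d["deviceId"], d["deviceType"], d["osVersion"],
                    d["name"], d["lastInternalIpAddress"]) for d in devices]
    return "\n".join(rows)

def capture_memory(session, comae_dir, client_id, client_secret, remote_dir="C:\\Comae"):
    """Step 2: stage DumpIt and the PowerShell module on the endpoint, then run
    the responder script, which dumps memory and uploads it to Comae Cloud.
    `session` is any object exposing put_file(local, remote) and
    create_process(cmd) (assumed interface, modelled on a cbapi LR session)."""
    for name in ("DumpIt.exe", "Comae.ps1", "ComaeRespond.ps1"):
        session.put_file(ntpath.join(comae_dir, name), ntpath.join(remote_dir, name))
    # The -ClientId / -ClientSecret parameter names are assumed for this example.
    cmd = ('powershell.exe -ExecutionPolicy Bypass -File "%s" -ClientId "%s" -ClientSecret "%s"'
           % (ntpath.join(remote_dir, "ComaeRespond.ps1"), client_id, client_secret))
    return session.create_process(cmd)

class FakeSession:
    """Offline stand-in for a Live Response session: records what was issued."""
    def __init__(self):
        self.calls = []
    def put_file(self, local, remote):
        self.calls.append(("put_file", local, remote))
    def create_process(self, cmd):
        self.calls.append(("create_process", cmd))
        return "Memory image successfully sent to Comae Cloud!"
```

With a real cbapi session (device.lr_session()) the same capture_memory call issues the file transfers and the process launch against the selected device.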

CrowdStrike

Tools

CrowdStrike Falcon (RTR)

You can deploy DumpIt with CrowdStrike Falcon (Real Time Response) quite easily.

For more information on RTR, you can refer to the slides of Jim Miller.

Step 1. Prepare copies of Comae Toolkit in your CrowdStrike Cloud.

Make sure that your copy of DumpIt, Comae-Toolkit.zip and/or your related response scripts are stored in the CrowdStrike Cloud. This way you can deploy them even when an endpoint is isolated (via the Network Containment feature).

You must use the file names and script names exactly as they are stored in the CrowdStrike Cloud.

Step 2. Create your RTR working directory.

C:\> mkdir "C:\RTR"
C:\> cd "C:\RTR"
C:\RTR>

Step 3. Run DumpIt directly (Option 1)

put "DumpIt-x64.exe"
runscript -Raw=```.\DumpIt-x64.exe /QUIET /COMPRESS /OUTPUT C:\RTR\FullDump.dmp 2>&1 | Out-File C:\RTR\DumpIt.log```
rm -force "C:\RTR\DumpIt-x64.exe"

Step 3. Leverage the PowerShell module (Option 2)

put Comae-Toolkit.zip
Expand-Archive -path "Comae-Toolkit.zip" -destinationpath "C:\RTR\Comae-Toolkit"
cd C:\RTR\Comae-Toolkit\x64\
Import-Module .\Comae.ps1

And you can now leverage your favorite Comae commands and even leverage Comae API for your memory analysis.

Since the maximum file size for collection with the CrowdStrike RTR command get is 4 GB, we recommend using the PowerShell module and the New-ComaeSnapshot command instead of a full memory dump. New-ComaeSnapshot creates an archive containing all the metadata extracted from memory, which stays well under that limit. Processing memory locally on the endpoint also lets you scale memory analysis better.

New-ComaeSnapshot -Directory "C:\RTR\Artifacts"
ls C:\RTR\Artifacts
get C:\RTR\Artifacts\<filename>.json.zip