Search:

CrowdStrike

Tools

CrowdStrike Falcon (RTR)

You can deploy DumpIt with CrowdStrike Falcon (Real Time Response) quite easily.

For more information on RTR, you can refer to the slides of Jim Miller.

Step 1. Prepare copies of Comae Toolkit in your CrowdStrike Cloud.

Make sure that your copy of DumpIt, Comae-Toolkit.zip and/or your related response scripts are stored in the CrowdStrike Cloud. This way you can deploy them even when an endpoint is isolated (via Network Containment feature).

You have to use the file names and script names used in the CrowdStrike Cloud.

Step 2. Create your RTR working directory.

C:\> mkdir "C:\RTR"
C:\> cd "C:\RTR"
C:\RTR>

Step 3. Run DumpIt directly (Option 1)

put "DumpIt-x64.exe"
runscript -Raw=```.\DumpIt-x64.exe /QUIET /COMPRESS /OUTPUT C:\RTR\FullDump.dmp 2>&1 | Out-File C:\RTR\DumpIt.log```
rm -force "C:\RTR\DumpIt-x64.exe"

Step 3. Leverage the PowerShell module (Option 2)

put Comae-Toolkit.zip
Expand-Archive -path "Comae-Toolkit.zip" -destinationpath "C:\RTR\Comae-Toolkit"
cd C:\RTR\Comae-Toolkit\x64\
Import-Module .\Comae.ps1

And you can now leverage your favorite Comae commands and even leverage Comae API for your memory analysis.

Since the maximum file size for collection with the CrowdStrike RTR command get is 4GBs, we recommend to use the PowerShell module and the PowerShell command New-ComaeSnapshot which will create an archive instead of a full memory dump with all the metadata extracted from memory. Locally processing memory allows you to scale memory analysis better.

New-ComaeSnapshot -Directory "C:\RTR\Artifacts"
ls C:\RTR\Artifacts
get C:\RTR\Artifacts\<filename>.json.zip