Collect DFIR Artifacts Using PsExec and the Cyber Triage Collector
Summary
TL;DR: This session demonstrates the use of Cyber Triage's network-based collection feature, which uses the Sysinternals PsExec tool to remotely launch the Cyber Triage Collector on a target system. The process requires no manual interaction with the remote host, but it does require file sharing on the target, admin credentials for the target, and network communication in both directions between the Cyber Triage platform and the target. It is commonly used by internal IR teams for endpoint investigations and can be automated from a SIEM or Security Orchestration, Automation and Response (SOAR) platform through the Cyber Triage REST API. Setup involves downloading PsExec, configuring it in Cyber Triage's options panel, and making sure the necessary ports are open in the firewall. The demonstration shows how to initiate a collection, customize it, and view data in real time as it streams back for immediate analysis.
Takeaways
- 🔧 The session demonstrates a network-based collection pushed out from the Cyber Triage application to the endpoint using PsExec.
- 💻 The Cyber Triage Collector is launched on the target system, gathers data, and sends it back to the Cyber Triage application.
- 🛠️ PsExec is a tool from Microsoft, part of the Sysinternals suite, used to execute processes on remote systems.
- 🔑 Admin credentials for the target system and file sharing enabled on it are required.
- 🌐 Network communication must exist between the Cyber Triage platform and the target system, in both directions.
- 👥 This approach is commonly used by internal IR teams to gather more information about an endpoint that has triggered an alert.
- 🔄 Collection can be triggered automatically by a SIEM that calls Cyber Triage's REST API, which is most relevant in server environments.
- 📝 Setting up PsExec involves downloading it from Microsoft and configuring it within Cyber Triage's options panel.
- 🚀 Cyber Triage uses port 443 by default for receiving the data stream, so that port should be open in the firewall; it is only listened on while a collection is running.
- 📊 The collection can be customized to collect file hashes instead of file content, reducing network traffic and speeding up the process.
- 📈 Collection progress is visible in the host dashboard, and once complete, investigators can dive into the host for immediate analysis.
Q & A
What is the primary function of Cyber Triage in this session?
- Cyber Triage is used to collect forensic data from a target system over the network using the PsExec tool. The collected data is then sent back to the Cyber Triage application for analysis.
What is PsExec and why is it necessary for Cyber Triage?
- PsExec is a tool from Microsoft's Sysinternals suite that allows remote execution of processes on target systems. Cyber Triage uses it to remotely launch the forensic data collector on the target system.
What are the key requirements to run Cyber Triage with PsExec?
- The key requirements are file sharing enabled on the target system, administrative credentials for the target system, and network communication between the Cyber Triage platform and the target system.
In which environments is the PsExec-based approach commonly used?
- This approach is most commonly used by Security Operations Centers (SOC) and internal Incident Response (IR) teams. It is also used by consultants, though less frequently, and in automated environments through Security Information and Event Management (SIEM) systems.
How can SIEM systems integrate with Cyber Triage for automatic data collection?
- A SIEM can trigger automatic data collection by calling the Cyber Triage REST API when an alert of a certain severity is detected. This allows remote forensic data collection without manual intervention.
What is the default port used by Cyber Triage for receiving data from the target system?
- Cyber Triage uses port 443 by default to receive the incoming data stream from the target system. This can be changed in the options if necessary.
When is the Cyber Triage platform listening on the designated port?
- The Cyber Triage platform only listens on the designated port (e.g., port 443) after a data collection has been initiated.
What types of data can be customized during the collection process?
- Users can customize the collection to reduce the amount of traffic, for example by collecting only file hashes (e.g., MD5s) rather than the actual file content.
What happens once the data starts streaming back to Cyber Triage?
- Once the data starts streaming back to Cyber Triage, it is processed in real time, and investigators can begin analyzing the results immediately as they come in.
Can investigators wait until all data is ingested before starting the analysis?
- Yes. Investigators can either start their investigation immediately as the data comes in or wait until all the data has been fully ingested and processed.
Outlines
🔍 Network-Based Collection with Cyber Triage
This section explains how to use Cyber Triage's network-based collection, which is deployed to an endpoint using PsExec. The process is automated and requires no interaction with the remote system. It needs PsExec available on the Cyber Triage system, file sharing enabled on the target system, administrative credentials for the target, and network communication between the Cyber Triage platform and the target system. The approach is commonly used by internal IR teams to get additional information on an endpoint that has triggered an alert, by consultants with client permission, and automatically in server environments through a SIEM or Security Orchestration, Automation and Response (SOAR) platform calling the Cyber Triage REST API. Setup involves downloading PsExec from Microsoft and configuring it within Cyber Triage's settings. Cyber Triage listens on port 443 for the incoming data stream, so that port should be open in the firewall; it is only listened on while a collection is in progress. The demonstration shows how to add a new host and configure the collection, opting for a minimal collection of hashes to reduce network traffic and speed up the process.
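The prerequisites listed above (PsExec present and its EULA accepted, file sharing reachable on the target, admin rights on the target, and the collector port open and listening) can be verified before a collection is kicked off. The following PowerShell preflight script is an added example written for this page; it is not Cyber Triage's or Sysinternals' own code. The target host name and the PsExec path are constructed placeholders, the `EulaAccepted` registry value is the one PsExec writes when its license agreement is accepted, and the script assumes it runs on the Cyber Triage analysis machine.

```powershell
# Preflight checks for a PsExec-based Cyber Triage Collector push.
# Added example, not Cyber Triage's own code. Run on the Cyber Triage analysis host.
param(
    [string]$TargetHost    = 'WS-EXAMPLE-01',        # constructed placeholder
    [string]$PsExecPath    = 'C:\Tools\PsExec.exe',  # assumed download location
    [int]   $CollectorPort = 443                     # Cyber Triage default per the session
)

$checks = [ordered]@{}

# 1. PsExec binary present where Cyber Triage's options panel will be pointed at it.
$checks['PsExecPresent'] = Test-Path -LiteralPath $PsExecPath

# 2. Sysinternals EULA accepted for the current user; otherwise PsExec stops at the
#    license prompt, which the session notes must be ticked during setup.
$eula = Get-ItemProperty -Path 'HKCU:\Software\Sysinternals\PsExec' `
                         -Name EulaAccepted -ErrorAction SilentlyContinue
$checks['EulaAccepted'] = ($eula.EulaAccepted -eq 1)

# 3. File sharing (SMB, TCP 445) reachable on the target: PsExec needs it to
#    copy and start its service.
$smb = Test-NetConnection -ComputerName $TargetHost -Port 445 -WarningAction SilentlyContinue
$checks['SmbReachable'] = $smb.TcpTestSucceeded

# 4. Admin share accessible with the current credentials, which implies the
#    admin rights the session says are required on the target.
$checks['AdminShareAccessible'] = Test-Path -LiteralPath "\\$TargetHost\ADMIN`$"

# 5. Local firewall allows inbound TCP on the collector port.
$allowRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow `
                                  -ErrorAction SilentlyContinue |
              Get-NetFirewallPortFilter |
              Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$CollectorPort" }
$checks['FirewallAllowsPort'] = [bool]$allowRules

# 6. Listener state on the collector port. Cyber Triage only listens once a
#    collection has started, so $false here before kicking one off is expected;
#    re-run this check after starting the collection.
$listener = Get-NetTCPConnection -LocalPort $CollectorPort -State Listen -ErrorAction SilentlyContinue
$checks['ListenerOnPort'] = [bool]$listener

[pscustomobject]$checks | Format-List
```

Run it as the account whose credentials will be entered in the Add Host dialog, since checks 3 and 4 depend on that account's access to the target. A general PsExec behaviour worth knowing on the defensive side, not covered in the session: PsExec installs a temporary service on the target to run the collector, so the collection itself leaves a service-installation trail in the target's System event log that the SOC should expect to see and not treat as hostile lateral movement.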
📊 Real-Time Data Processing in Cyber Triage
This section describes the real-time processing Cyber Triage performs once data starts streaming back from the endpoint. As the data is processed, it becomes available for immediate investigation. Users can either start analyzing results as they come in or wait until the entire data set has been ingested, at which point the ingestion status is marked complete and a full investigation can begin. This allows a swift response to security alerts and early action on what the endpoint data shows.
Keywords
💡Cyber Triage
💡PsExec
💡Endpoint
💡Admin credentials
💡File sharing
💡MD5
💡SOC (Security Operations Center)
💡SIEM (Security Information and Event Management)
💡REST API
💡Firewall
Highlights
A network-based collection is pushed out from the Cyber Triage application to the endpoint using PsExec.
The Cyber Triage Collector is launched on the target system, and results are fed back over the network to the Cyber Triage application.
No manual interaction with the remote system is required; everything is done from the Cyber Triage analysis platform.
Key requirements are file sharing enabled on the target system, admin credentials, and network communication between the Cyber Triage platform and the target system.
PsExec is part of Microsoft's Sysinternals suite and is what launches the Cyber Triage Collector.
PsExec-based collection is most commonly used by a SOC (Security Operations Center) responding to endpoint alerts or by internal incident response teams.
Cyber Triage collection can also be triggered by a SIEM (Security Information and Event Management) system through the REST API.
A SIEM can automatically initiate a remote collection on alert, giving investigators quick access to relevant data.
PsExec is downloaded directly from Microsoft, and its configuration is managed within the Cyber Triage options panel.
Cyber Triage uses port 443 by default to receive the data stream from the endpoint, but it only listens on that port once a collection has started.
The data stream is processed in real time, allowing investigators to begin analyzing results immediately.
For network-based collection, the user enters the domain, host name, username, and credentials.
Users can customize their collection settings, for example collecting MD5 hashes without transferring file content to minimize network traffic.
Collection progress is shown in the host dashboard as data is streamed back and processed.
Once processing is complete, the user can begin or continue the investigation, depending on their preference.
Transcripts
Hi there. In this session we're going to be taking a look at using a network-based Cyber Triage collection that is actually pushed out from the Cyber Triage application to the endpoint using PsExec. The way this works is pretty straightforward: PsExec is used to launch the Cyber Triage Collector onto the target system, the Cyber Triage Collector is launched and run on that target system, and then the results are fed back over the network back to the Cyber Triage application. So to use this or run this we do need to have PsExec available on the system. PsExec is just a tool from Microsoft, part of the Sysinternals toolkit; I'm sure most of you are very familiar with it. The beauty of this is it requires no manual interaction with that remote system; everything is done from the Cyber Triage analysis platform. The only requirements are that you have file sharing enabled on the remote system, or on the target system, you need admin credentials for that remote system, and also obviously you need network communication from your Cyber Triage platform out to that target system and then back again.

There are a few different environments where we see this PsExec approach being used. Probably the most common is within a SOC, internal IR team type situation, where an endpoint has triggered an alert and you want to get more information about it. Same sort of thing for consultants, a little less common probably, depending on how willing your client may be to give you admin credentials to the network, but exactly the same sort of approach. And then finally we see it happening automatically with a SIEM, where the client will configure the SIEM to actually leverage Cyber Triage's REST API. This is more likely to be used in a server type environment, so team environment, and then the SIEM gets an alert of a particular severity that then calls the Cyber Triage REST API and triggers off that remote collection. So the investigator comes in, they've got the SIEM alert and they've got that collection that's been kicked off, so they can start diving in and getting the details straight away.

In terms of setting up, it's pretty straightforward. You need to have PsExec on the system; that's just a straightforward download from Microsoft. You then go into your Cyber Triage options panel and configure it within the settings here. If it hasn't been configured, the first time you go to run it you'll actually be prompted to go in and configure it, and we'll actually see me doing that in the demonstration. Cyber Triage uses port 443 by default to receive that incoming stream from the endpoint; you can change it in options if you need to. Just note that also you obviously need to have the firewall open on that port. Significantly, the port is only going to be open, Cyber Triage is only going to be listening on that port, when there is actually a collection that has been started.

Let's dive into a demonstration. To get things started, click on the Add New Host button and then go to the Network PsExec button. From there, if you haven't got PsExec already configured, you'll be prompted to go through and find it and set it up, and you also need to check the end user license agreement. Once that's done, go back and select that Add Host using Network PsExec. Enter the domain name, the host name, and then username and credentials. Next we have the chance to customize our collection if we so desire. In this instance we are going for a fairly minimal collection and collecting hashes, not actual file content, just to reduce the volume of traffic over the network and speed things up a little bit. We are going to check all the MD5s for malware. Kick it off; you'll see the progress showing in the status, and then once that's complete you're ready to dive on into the investigation.

What you'll see now is once the data starts streaming back in, you'll automatically launch into that host dashboard and then be able to see progress as it continues. As the data is getting streamed back to Cyber Triage, it then starts getting processed, which means you can actually go in and start looking at those results as they're coming in. That information will be available as soon as it has been processed. You can either kick off your investigation straight away or, if you prefer, wait until everything has been ingested. You can then see the status is all marked as complete and then you kick off with your investigation.