Collect DFIR Artifacts Using PsExec and the Cyber Triage Collector

Cyber Triage

5 Aug 202405:41

Summary

TLDRThis session demonstrates the use of Cyber Triage's network-based collection feature, utilizing PowerShell's PSExec tool to remotely launch the Cyber Triage Collector on a target system. The process requires no manual interaction and necessitates file sharing, admin credentials, and network communication. It's commonly used by internal IR teams for endpoint investigations and can be automated via Security Automation and Orchestration (SOAR) platforms. The setup involves enabling PSExec, configuring Cyber Triage's options, and ensuring the necessary ports are open. The demonstration shows how to initiate a collection, customize it, and view real-time data as it streams back for immediate analysis.

Takeaways

🔧 The session demonstrates using a network-based collection tool pushed out from the Cyber Triage application to the endpoint using PSExec.
💻 Cyber Triage Collector is launched on the target system, gathers data, and sends it back to the Cyber Triage application.
🛠️ PSExec is a tool from Microsoft, part of the Sysinternals Suite, used to execute processes on remote systems.
🔑 Admin credentials and file sharing enabled on the target system are required for the process.
🌐 Network communication must be established between the Cyber Triage platform and the target system.
👥 This approach is commonly used by internal IR teams to gather more information about an endpoint that has triggered an alert.
🔄 PSExec can be configured to run automatically with a SIEM, leveraging Cyber Triage's REST API for server environments.
📝 Setting up PSExec involves downloading it from Microsoft and configuring it within Cyber Triage's options panel.
🚀 Cyber Triage uses Port 443 by default for receiving data streams, which should be open in the firewall settings.
📊 Customizing the collection can be done to collect hashes instead of file content to reduce network traffic and speed up the process.
📈 The data collection progress is visible, and once complete, investigators can dive into the host dashboard for immediate analysis.

Q & A

What is the primary function of Cyber Triage in this session?
-Cyber Triage is used to collect forensic data from a target system over a network using the PSExec tool. The collected data is then sent back to the Cyber Triage application for analysis.
What is PSExec and why is it necessary for Cyber Triage?
-PSExec is a tool from Microsoft's Sysinternals suite that allows remote execution of processes on target systems. It is necessary for Cyber Triage to remotely launch the forensic data collector on the target system.
What are the key requirements to run Cyber Triage with PSExec?
-The key requirements include file sharing enabled on the target system, administrative credentials for the target system, and proper network communication between the Cyber Triage platform and the target system.
In which environments is the PSExec-based approach commonly used?
-This approach is most commonly used in Security Operations Centers (SOC) and internal Incident Response (IR) teams. It is also used by consultants, though less frequently, and in automated environments through Security Information and Event Management (SIEM) systems.
How can SIEM systems integrate with Cyber Triage for automatic data collection?
-SIEM systems can trigger automatic data collection by leveraging the Cyber Triage REST API when an alert of a certain severity is detected. This setup allows for remote forensic data collection without manual intervention.
What is the default port used by Cyber Triage for receiving data from the target system?
-Cyber Triage uses port 443 by default to receive the incoming data stream from the target system. This can be changed in the options if necessary.
When is the Cyber Triage platform listening on the designated port?
-The Cyber Triage platform only listens on the designated port (e.g., port 443) when a data collection process has been initiated.
What types of data can be customized during the collection process?
-During the collection process, users can customize the data collection to reduce the amount of traffic, such as collecting only file hashes (e.g., MD5s) rather than the actual file content.
What happens once the data starts streaming back to Cyber Triage?
-Once the data starts streaming back to Cyber Triage, it is processed in real time, and investigators can begin analyzing the results immediately as they come in.
Can investigators wait until all data is ingested before starting the analysis?
-Yes, investigators can choose to either start their investigation immediately as the data comes in or wait until all the data has been fully ingested and processed.