Collect DFIR Artifacts Using PsExec and the Cyber Triage Collector

Cyber Triage
5 Aug 2024, 05:41

Summary

TL;DR: This session demonstrates Cyber Triage's network-based collection feature, which uses the Sysinternals PsExec tool to remotely launch the Cyber Triage Collector on a target system. The process requires no manual interaction on the target, but it does need file sharing enabled there, admin credentials, and network communication in both directions. It is commonly used by internal IR teams for endpoint investigations and can be triggered automatically from a SIEM through the Cyber Triage REST API. Setup involves obtaining PsExec, configuring it in Cyber Triage's options, and ensuring the necessary port (443 by default) is open. The demonstration shows how to initiate a collection, customize it, and view data in real time as it streams back for immediate analysis.

Takeaways

  • 🔧 The session demonstrates a network-based collection pushed out from the Cyber Triage application to the endpoint using PsExec.
  • 💻 The Cyber Triage Collector is launched on the target system, gathers data, and sends it back to the Cyber Triage application.
  • 🛠️ PsExec is a Microsoft tool, part of the Sysinternals suite, used to execute processes on remote systems.
  • 🔑 Admin credentials and file sharing enabled on the target system are required.
  • 🌐 Network communication must exist between the Cyber Triage platform and the target system.
  • 👥 This approach is commonly used by internal IR teams to gather more information about an endpoint that has triggered an alert.
  • 🔄 Collections can also be triggered automatically from a SIEM through Cyber Triage's REST API in server deployments.
  • 📁 Setting up PsExec involves downloading it from Microsoft and pointing Cyber Triage at it in the options panel.
  • 🚀 Cyber Triage uses port 443 by default for receiving data streams; that port should be open in the firewall.
  • 📊 The collection can be customized to collect hashes instead of file content, reducing network traffic and speeding up the process.
  • 📈 Collection progress is visible, and once complete, investigators can dive into the host dashboard for immediate analysis.

Q & A

  • What is the primary function of Cyber Triage in this session?

    - Cyber Triage is used to collect forensic data from a target system over a network using the PsExec tool. The collected data is then sent back to the Cyber Triage application for analysis.

  • What is PsExec and why is it necessary for Cyber Triage?

    - PsExec is a tool from Microsoft's Sysinternals suite that allows remote execution of processes on target systems. Cyber Triage needs it to remotely launch the forensic data collector on the target system.

  • What are the key requirements to run Cyber Triage with PsExec?

    - The key requirements are file sharing enabled on the target system, administrative credentials for the target system, and network communication between the Cyber Triage platform and the target system.

  • In which environments is the PsExec-based approach commonly used?

    - This approach is most commonly used by Security Operations Centers (SOCs) and internal Incident Response (IR) teams. It is also used by consultants, though less frequently, and in automated environments through Security Information and Event Management (SIEM) systems.

  • How can SIEM systems integrate with Cyber Triage for automatic data collection?

    - SIEM systems can trigger automatic data collection by calling the Cyber Triage REST API when an alert of a certain severity is detected. This allows remote forensic data collection without manual intervention.

  • What is the default port used by Cyber Triage for receiving data from the target system?

    - Cyber Triage uses port 443 by default to receive the incoming data stream from the target system. This can be changed in the options if necessary.

  • When is the Cyber Triage platform listening on the designated port?

    - The Cyber Triage platform only listens on the designated port (e.g., port 443) while a data collection is in progress.

  • What types of data can be customized during the collection process?

    - Users can customize the collection to reduce the amount of traffic, for example by collecting only file hashes (e.g., MD5s) rather than the actual file content.

  • What happens once the data starts streaming back to Cyber Triage?

    - Once the data starts streaming back to Cyber Triage, it is processed in real time, and investigators can begin analyzing the results immediately as they come in.

  • Can investigators wait until all data is ingested before starting the analysis?

    - Yes. Investigators can either start their investigation immediately as the data comes in or wait until all the data has been fully ingested and processed.

Outlines

00:00

🔍 Network-Based Collection with Cyber Triage

This segment explains how to use Cyber Triage's network-based collection, which is pushed out to an endpoint using PsExec. The process is automated and requires no interaction with the remote system. It needs PsExec available on the analysis system, file sharing enabled on the target system, administrative credentials for the target, and network communication between the Cyber Triage platform and the target system. The approach is commonly used by internal IR teams to gather more information about an endpoint that has triggered an alert, by consultants with client permission, and automatically in server environments where a SIEM calls the Cyber Triage REST API when an alert of sufficient severity arrives. Setup involves downloading PsExec from Microsoft and configuring its location in Cyber Triage's options. Cyber Triage listens on port 443 by default for the incoming data stream, and only while a collection is running, so that port must be open in the firewall. The demonstration shows how to add a new host and configure the collection, opting for a minimal collection of file hashes rather than file content to reduce network traffic and speed up the process.
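As an added example (not part of the video or of Cyber Triage's own tooling), the PowerShell below checks the three prerequisites the session lists before a PsExec-based collection is attempted: the target's admin share is reachable over SMB, the supplied admin credentials are accepted, and the analysis host has an inbound firewall allow rule for the collector's return port (443 by default). The target host name, credential prompt and listen port are assumed inputs; the ADMIN$ share is used because that is where PsExec places the executable it launches.

```powershell
param(
    [Parameter(Mandatory)] [string] $TargetHost,   # endpoint to be collected from (assumed input)
    [int] $ListenPort = 443,                       # Cyber Triage's default incoming port
    [System.Management.Automation.PSCredential] $Credential =
        (Get-Credential -Message "Admin credentials for $TargetHost")
)

$results = [ordered]@{}

# 1. File sharing: PsExec copies its service binary to ADMIN$ over SMB (TCP 445),
#    so the share must be reachable from the analysis host.
$smb = Test-NetConnection -ComputerName $TargetHost -Port 445 -WarningAction SilentlyContinue
$results['SMB port 445 reachable on target'] = $smb.TcpTestSucceeded

# 2. Admin credentials: map ADMIN$ with the supplied account. If this fails,
#    PsExec (and therefore the collector launch) will fail the same way.
try {
    $null = New-PSDrive -Name CTcheck -PSProvider FileSystem `
        -Root "\\$TargetHost\ADMIN$" -Credential $Credential -ErrorAction Stop
    $results['ADMIN$ share accessible with credentials'] = $true
    Remove-PSDrive -Name CTcheck
} catch {
    $results['ADMIN$ share accessible with credentials'] = $false
}

# 3. Return path: the collector streams results back to this host on $ListenPort.
#    Cyber Triage only listens while a collection is running, so probing the port
#    now would be a false negative; check the firewall rule instead.
$rule = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
    Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and
                   ($_.LocalPort -contains "$ListenPort" -or $_.LocalPort -eq 'Any') }
$results["Inbound TCP $ListenPort allowed on analysis host"] = [bool]$rule

# Print a short checklist; any FAIL line is a prerequisite to fix before starting the collection.
$results.GetEnumerator() | ForEach-Object {
    '{0,-4} {1}' -f ($(if ($_.Value) { 'OK' } else { 'FAIL' }), $_.Key)
}
```

Run it from the Cyber Triage analysis host with an account that can read local firewall rules; the credential check creates no files on the target, it only maps and unmaps the share.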

05:00

📊 Real-Time Data Processing in Cyber Triage

The second segment describes Cyber Triage's real-time processing once data starts streaming back from the endpoint. As the data is processed, it becomes available for immediate investigation. Users can either start analyzing results as they arrive or wait until the entire data set has been ingested. When ingestion is marked as complete, the host is ready for a comprehensive investigation. This allows a swift response to security alerts and lets investigators act on the endpoint data as soon as it is available.


Keywords

💡 Cyber Triage

Cyber Triage is a digital forensics tool used to collect and analyze data from remote endpoints for investigative purposes. In the video, it acts as the platform that launches a collector onto the target system and processes the data collected over the network, allowing investigators to quickly respond to alerts triggered by potential security incidents.

💡 PsExec

PsExec is a tool from Microsoft's Sysinternals suite that executes processes on remote systems without anyone manually interacting with that system. The video emphasizes that Cyber Triage uses PsExec to launch the collector on the target system, the key advantage being that no manual involvement on the remote machine is required. To do this, PsExec copies a service executable to the target's admin share and starts it as a temporary service, so a collection leaves a small footprint of its own on the endpoint; examiners should account for it when reviewing service-installation and logon events in the collected data.

💡 Endpoint

An endpoint is a device such as a computer, server, or workstation that connects to a network. In the context of the video, Cyber Triage collects data from an endpoint where an alert has been triggered, gathering information for further analysis and investigation.

💡 Admin credentials

Admin credentials are the username and password required to gain administrative access to a system. The video notes that these credentials are necessary for the Cyber Triage platform to remotely collect data from the target via PsExec, underscoring the need for privileged access during investigations. Because they grant full control of the endpoint, a dedicated, tightly scoped collection account is preferable to a shared domain administrator account.

💡 File sharing

File sharing is the ability to access files between systems over a network (on Windows, SMB and the administrative shares). In this video, file sharing must be enabled on the target system so that Cyber Triage can reach the endpoint, place the collector, and retrieve the necessary forensic data.

💡 MD5

MD5 is a widely used cryptographic hash function that produces a fixed-length digest of a file's contents, which can serve as its fingerprint. The video shows Cyber Triage collecting MD5 hashes of files (rather than full file contents) to reduce network traffic and to identify potential malware on the target system by comparing the hashes to known-malware hash sets. MD5 is no longer collision-resistant, so a match against a known-bad hash is a strong lead, but the absence of a match does not prove a file is benign.

💡 SOCs (Security Operations Centers)

A SOC (Security Operations Center) is a centralized team responsible for monitoring, detecting, and responding to security incidents. The video describes how SOC teams use Cyber Triage when an alert is triggered on an endpoint to quickly gather relevant data and begin an investigation.

💡 SIEM (Security Information and Event Management)

A SIEM is a system used to collect and analyze security information from across an organization's infrastructure. In the video, SIEMs are shown working with Cyber Triage by automatically triggering remote collections when a security alert reaches a certain severity, streamlining data collection for investigators.

💡 REST API

A REST API (Representational State Transfer Application Programming Interface) allows software applications to communicate with each other over a network using HTTP. The video explains how Cyber Triage's REST API can be called by a SIEM to automatically trigger remote forensic data collections when specific alerts occur.

💡 Firewall

A firewall is a network security device that monitors and controls incoming and outgoing network traffic. In the video, the firewall must be configured to allow data to flow between the Cyber Triage platform and the target system by opening the necessary port (port 443 by default) for data collection over the network.

Highlights

Using a network-based collection pushed out from the Cyber Triage application to the endpoint using PsExec.

The Cyber Triage Collector is launched on the target system, and results are fed back over the network to the Cyber Triage application.

No manual interaction is required with the remote system, as everything is done from the Cyber Triage analysis platform.

Key requirements are file sharing enabled on the target system, admin credentials, and network communication between the Cyber Triage platform and the target system.

PsExec is part of Microsoft's Sysinternals toolkit and is required for launching the Cyber Triage Collector.

The PsExec approach is most commonly used within a SOC (Security Operations Center) for endpoint alerts or by internal incident response teams.

Cyber Triage collections can also be triggered by a SIEM (Security Information and Event Management) system using the REST API.

A SIEM can automatically initiate a remote collection upon alert, giving investigators quick access to relevant data.

PsExec is downloaded directly from Microsoft, and its configuration is managed within the Cyber Triage options panel.

Cyber Triage uses port 443 by default to receive data streams from the endpoint, but it only listens on that port while a collection is running.

The data stream is processed in real time, allowing investigators to begin analyzing results immediately.

For a network-based collection, the user enters the domain, host name, username, and credentials.

Users can customize their collection settings, such as collecting MD5 hashes without transferring actual file content, to minimize network traffic.

Collection progress is shown in the host dashboard as data is streamed back and processed.

Once data processing is complete, the user can begin or continue the investigation, depending on their preference.

Transcripts

00:10

Hi there. In this session we're going to be taking a look at using a network-based Cyber Triage collection that is actually pushed out from the Cyber Triage application to the endpoint using PsExec. The way this works is pretty straightforward: PsExec is used to launch the Cyber Triage Collector onto the target system. The Cyber Triage Collector is launched and run on that target system, and then the results are fed back over the network back to the Cyber Triage application.

00:43

So to use this or run this, we do need to have PsExec available on the system. PsExec is just a tool from Microsoft, part of the Sysinternals toolkit; I'm sure most of you are very familiar with it. The beauty of this is it requires no manual interaction with that remote system; everything is done from the Cyber Triage analysis platform. The only requirements are that you have file sharing enabled on the remote system, or on the target system, you need admin credentials for that remote system, and also, obviously, you need network communication to and from your Cyber Triage platform out to that target system and then back again.

01:29

There are a few different environments where we see this PsExec approach being used. Probably the most common is within a SOC, internal IR team type situation, where an endpoint has triggered an alert and you want to get more information about it. Same sort of thing for consultants, a little less common probably, depending on how willing your client may be to give you admin credentials to the network, but exactly the same sort of approach. And then finally we see it happening automatically with a SIEM, where the client will configure the SIEM to actually leverage Cyber Triage's REST API. This is more likely to be used in a server type environment, so a team environment, and then the SIEM gets an alert of a particular severity that then calls the Cyber Triage REST API and triggers off that remote collection. So the investigator comes in, they've got the SIEM alert and they've got that collection that's been kicked off, so they can start diving in and getting the details straight away.

02:37

In terms of setting up, it's pretty straightforward. You need to have PsExec on the system; that's just a straightforward download from Microsoft. You then go into your Cyber Triage options panel and configure it within the settings here. If it hasn't been configured, the first time you go to run it you'll actually be prompted to go in and configure it, and we'll actually see me doing that in the demonstration. Cyber Triage uses port 443 by default to receive that incoming stream from the endpoint. You can change it in options if you need to. Just note that also you obviously need to have the firewall open on that port. Significantly, the port is only going to be open, Cyber Triage is only going to be listening on that port, when there is actually a collection that has been started.

03:28

Let's dive into a demonstration. To get things started, click on the Add New Host button and then go to the Network PsExec button. From there, if you haven't got PsExec already configured, you'll be prompted to go through and find it and set it up, and you also need to check the end user license agreement. Once that's done, go back and select Add Host using Network PsExec, enter the domain name, the host name, and then username and credentials.

04:07

Next we have the chance to customize our collection if we so desire. In this instance we are going for a fairly minimal collection and collecting hashes, not actual file content, just to reduce the volume of traffic over the network and speed things up a little bit. We are going to check all the MD5s for malware. Kick it off; you'll see the progress showing in the status, and then once that's complete you're ready to dive on into the investigation.

04:46

What you'll see now is, once the data starts streaming back in, you'll automatically launch into that host dashboard and then be able to see progress as it continues. As the data is getting streamed back to Cyber Triage it then starts getting processed, which means you can actually go in and start looking at those results as they're coming in. That information will be available as soon as it has been processed. You can either kick off your investigation straight away or, if you prefer, wait until everything has been ingested. You can then see the status is all marked as complete, and then you kick off with your investigation.
