Greg Castle (@mrgcastle)
Who am I
- GRR Developer, Google IR team
- OS X Security
- Former lives: pentesting, IR, security audits etc.
Skillz++
- Understand how GRR works
- Setup test server/client
- Collect from single machine
- Memory analysis
- Hunt multiple machines
- Fleetcheck using artifacts
Live forensics
GET /beacon HTTP/1.1
Host: evil.com
from Joe’s machine
Joe is on vacation with 3G internet
GET /beacon HTTP/1.1
Host: evil.com
New APT Report
New malware report BEAR EAGLE SHARK
LASER is out: check all the things
50+ IOCs for Win/Mac, and “all the things” means the machines of a highly mobile global organisation with 50k+ employees.
GRR: GRR Rapid Response
- Open source live forensics
- Agent -> Internet -> Server
- Disk Forensics = Sleuthkit
- Memory Forensics = Rekall
- Scalable
- Stable, low-impact client
- Full-time devs
Why build?
- Customize for our threats/detection/defense
- 50 people analyzing 50 machines
- Move as fast or faster than the attacker
- Support Mac/Win/Linux
Demo - Server Installation
Install instructions
(pls don’t pull this image down now it will kill the WiFi...)
Clients
- Stable, robust, low impact
- Monitored
- Limited
- 10min poll
Demo: Client searching
- Search Box
- Server Statistics
Exercise: Finding clients
- Find all the windows clients
- Find the client that has a user “gladstone” - When was it installed?
- Find client OS release breakdown stats
Solution: Finding clients
- Top left search box: “windows”; “gladstone” or “user:gladstone” (faster)
- Install date: “First Seen” in client summary line (note all times are UTC)
- Show statistics -> Clients -> All -> OS Release Breakdown
Smart Server, basic client
- Time travel backwards
- Faster build/fix/deploy
- Less updating
- Simpler backwards compatibility
- Leak less intent
Server
- Frontends pass messages
- Workers do the real work
- Everything is asynchronous
- Queue work on the server
- GRR ‘Cronjobs’ perform regular tasks
Datastore
- Abstracted: easy to switch
- MySQL Advanced | SQLite (sharded)
- Versioned Data -> axis of time
Demo: Settings
- Datastore.implementation
- Client.control_urls
Note: lines highlighted in blue are modified from defaults.
Demo: VFS browse and download
- Refresh, recursive refresh
- Multiple versions of /etc/lsb-release
- Download new version
- Text/Hex views
Exercise: VFS time travel
On client-ubuntu-trusty-m a malicious modification has been made to /home/gcastle/.bashrc. What was it?
Solution: VFS time travel
- Browse Virtual Filesystem -> fs -> os -> home -> gcastle -> .bashrc
- Click Age window and download latest and oldest. Diff.
- Find LD_PRELOAD line.
GRR…It’s a botnet essentially
Authorization, Auditing
- 2-party authorization for machine access
- DB logging
- Audit events
- Approval emails with justifications
Demo: Flows/hunts run recently
Show Statistics -> Server -> Flows|Hunts
Fast, reliable, remote.
Advanced live forensics at scale.
Be really really good at collecting
- Filesystem/Registry artifacts (Sleuthkit)
- Memory artifacts (Rekall)
- From difficult-to-specify locations
Demo: Running FileFinder
- Search by: path, name, contents (literal / regex), time
- For matches: download, hash, send to socket, just report existence
Exercise: FileFinder
Pick a windows machine and:
- Get a list of all DLLs (*.dll) in C:\Windows\System32
- Get the partition boot sector C:\$BOOT (Windows API will hide this! Requires TSK)
- There is a file containing the string "malware" in C:\Temp. Try to find it.
Solution: FileFinder
Filesystem->File Finder:
- path: C:\Windows\System32\*.dll
- pathtype: OS
- action: STAT
Filesystem->File Finder:
- path: C:\$BOOT
- pathtype: TSK
- action: DOWNLOAD
Solution: FileFinder cont.
Filesystem->File Finder:
- path: C:\Temp\*
- pathtype: OS
- condition: contents literal match = malware, FIRST_HIT
- action: DOWNLOAD
Windows Registry
- Keys = Directories, Values = Files
- Same operations supported!
- Globbing
- Content match on values
Exercise: RegistryFinder
- Get the values for these run keys: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (copy from http://pastebin.com/eijGRcFu)
- Browse the registry VFS
Solution: RegistryFinder
Registry->Registry Finder:
- keys path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Memory Acquisition
- Drivers for Win and OS X
- Linux is trickier: /proc/kcore, or driver per kernel
Demo: Memory Collector
Download a small chunk of memory
Exercise: Grep raw memory
- On a windows client, use the Memory Collector to find a short string (eg. “svchost”) in memory and inspect the context.
- Use action NONE
- Also, just get the FIRST_HIT, not all of them
Solution: Grep memory
Memory->Memory Collector
- Condition: Literal match, FIRST_HIT
- Action: NONE (reports the literal match and some context)
Memory Forensics
- Memory analysis framework
- Built into GRR client
- Live memory analysis
Demo: lsmod on ubuntu
Exercise: Rekall lsof
- Get a list of file handles from raw memory on an ubuntu machine
- Use lsof plugin
Solution: Rekall lsof
Memory -> AnalyzeClientMemory
- Plugins: lsof
Hunting: flows on many machines
Hunting: Outlier analysis
Hunting: fleetcheck and pivot
Demo: Hunt to collect notepad.exe
- Download with FileFinder
- Export results as .zip
- Smart download: only unique files
Exporting data for analysis
- Heavy data analysis outside GRR
- HTTP RPC APIs
- Export plugin system: CSV, <elasticsearch or your plugin of choice here>
Hunts: Optional rate limiting
Hunts: No limit, go fast
Exercise: ListProcesses hunt
- Get a list of Processes from all machines using ListProcesses flow
- Look at hunt stats: CPU used, network used, worst performers
Solution: ListProcesses hunt
- Hunt Manager -> + -> Processes -> ListProcesses
- Remove windows rule to run on all OSes
- Press play on the paused hunt
Hunting: Malware inside .doc
- Flash exploits embedded in office docs
- How could we find these?
Exercise: Hunt for flash inside docs
- Find doc with embedded flash in ~\Downloads\
- Use %%users.homedir%% for user’s homedir
- Contains “ShockwaveFlash.ShockwaveFlash”
Solution: Hunt for flash inside docs
Hunt Manager -> + -> Filesystem -> FileFinder
- Paths: %%users.homedir%%\Downloads\*.doc
- Condition: literal match “ShockwaveFlash.ShockwaveFlash” FIRST_HIT
- Action: Download
Collection Problems
We mostly want to collect the same things, but:
- Too many details to remember
- No good way to share
- Too much duplicate code
As seen in the wild
- HardDrive\Documents and Settings\USERNAME\Local Settings\Application Data\Google\Chrome\User Data\Default\History
- HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\InstallLocation
- /Users/<user>/Library/Mail Downloads/
- /home/user/.local/share/Trash/
What do I do with these?
Common language for interpolation
- %%users.localappdata%%\Google\Chrome\User Data\*\History
- HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\InstallLocation
- %%users.homedir%%/Library/Mail Downloads/
- %%users.homedir%%/.local/share/Trash/
Artifact
name: ApplicationEventLog
doc: Windows Application Event log.
collectors:
  - collector_type: FILE
    args: {path_list: ['%%environ_systemroot%%\System32\winevt\Logs\AppEvent.evt']}
conditions: [os_major_version >= 6]
labels: [Logs]
supported_os: [Windows]
urls: ['http://www.forensicswiki.org/wiki/Windows_Event_Log_(EVT)']
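The %%users.*%% interpolation variables from the previous slide and the artifact definition above are easier to reason about with a small expander. The following is an added example and not GRR's own code: it assumes a constructed knowledge base (users gladstone, gcastle and svc_backup with made-up SIDs and paths) and a simplified condition grammar, and shows which paths a FILE collector would visit for the ApplicationEventLog artifact and for the per-user patterns.

```python
"""Expand GRR-style artifact paths against a client knowledge base.
Added example, not GRR's own code: it models the slides' %%users.<attr>%% /
%%environ_systemroot%% interpolation and the artifact 'conditions' gate."""
import operator
import re

def _user(name, rid, has_localappdata=True):
    """Build a constructed user record like the ones a GRR client reports."""
    u = {"username": name, "sid": f"S-1-5-21-1-2-3-{rid}",
         "homedir": rf"C:\Users\{name}"}
    if has_localappdata:  # svc_backup below deliberately lacks this attribute
        u["localappdata"] = u["homedir"] + r"\AppData\Local"
    return u

# Constructed knowledge base (all values made up for the example).
KB = {"environ_systemroot": r"C:\Windows", "os_major_version": 6,
      "users": [_user("gladstone", 1001), _user("gcastle", 1002),
                _user("svc_backup", 1003, has_localappdata=False)]}

# The ApplicationEventLog artifact from the slides, as the parsed YAML dict.
ARTIFACT = {
    "name": "ApplicationEventLog",
    "collectors": [{"collector_type": "FILE", "args": {"path_list": [
        r"%%environ_systemroot%%\System32\winevt\Logs\AppEvent.evt"]}}],
    "conditions": ["os_major_version >= 6"],
    "supported_os": ["Windows"],
}

VAR_RE = re.compile(r"%%([a-z_]+)(?:\.([a-z_]+))?%%")
COND_RE = re.compile(r"^\s*(\w+)\s*(>=|<=|==|!=|>|<)\s*(.+?)\s*$")
_OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
        "!=": operator.ne, ">": operator.gt, "<": operator.lt}

def _substitute(pattern, kb, user, user_attrs):
    """Expand one pattern for one user; None if that user lacks an attribute."""
    incomplete = False

    def repl(m):
        nonlocal incomplete
        scope, attr = m.group(1), m.group(2)
        if scope == "users":
            if attr not in user_attrs:  # typo in the artifact: fail loudly
                raise KeyError(m.group(0))
            if attr not in user:  # this user has no such value: skip them
                incomplete = True
                return ""
            return user[attr]
        if attr is not None or scope not in kb:
            raise KeyError(m.group(0))
        return str(kb[scope])

    expanded = VAR_RE.sub(repl, pattern)
    return None if incomplete else expanded

def interpolate(pattern, kb):
    """Every concrete path a pattern expands to: %%users.X%% fans out once
    per user, plain %%name%% substitutes once, unknown names raise KeyError."""
    user_attrs = set().union(*(u.keys() for u in kb["users"]))
    if not any(m.group(1) == "users" for m in VAR_RE.finditer(pattern)):
        return [_substitute(pattern, kb, {}, user_attrs)]
    paths = [_substitute(pattern, kb, u, user_attrs) for u in kb["users"]]
    return [p for p in paths if p is not None]

def condition_holds(cond, kb):
    """Evaluate an artifact condition such as 'os_major_version >= 6'."""
    m = COND_RE.match(cond)
    if not m:
        raise ValueError(f"unparseable condition: {cond!r}")
    name, op, rhs = m.groups()
    if name not in kb:
        return False  # unknown attribute: do not collect rather than guess
    try:
        return _OPS[op](int(kb[name]), int(rhs))
    except ValueError:  # non-numeric operands: compare as strings
        return _OPS[op](str(kb[name]), rhs.strip("'\""))

def plan_collection(artifact, kb, client_os):
    """Paths a FILE-collector artifact would fetch on this client, or []."""
    if client_os not in artifact.get("supported_os", [client_os]):
        return []
    if not all(condition_holds(c, kb) for c in artifact.get("conditions", [])):
        return []
    paths = []
    for coll in artifact["collectors"]:
        if coll["collector_type"] == "FILE":  # only FILE collectors modelled
            paths.extend(p for pat in coll["args"]["path_list"]
                         for p in interpolate(pat, kb))
    return paths
```

Call `plan_collection(ARTIFACT, KB, "Windows")` to see the single AppEvent.evt path, and `interpolate()` on the Chrome History pattern to see it fan out to the two users that have a localappdata value.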
Artifact repository: get it here
- ~200 artifacts: github.com/ForensicArtifacts/artifacts
- Independent and reusable by any tool
- Used and maintained by us
- Review, bug reports, patches very welcome
Demo: Collect Run Keys
Exercise: Artifact Collector
- Linux machines are beaconing to sysupdate81.appspot.com
- Suspect malicious cronjob
- Use AllLinuxScheduleFiles artifact to download cron files
- Download results, find malicious one
- Which machines was it on?
Solution: Artifact Collector
- Hunt Manager -> + -> Collectors -> ArtifactCollectorFlow
- AllLinuxScheduleFiles
- GenerateZip
- Download, unzip:
  grep -r “sysupdate” *
  find -type l -ls | grep [hash match from grep]
What’s coming
- Event triggered collection, powerful API
- Usability improvements
- Simple cloud server deployment
- More data export options
Great, how do I try it?
- Run the server docker image
- Open a browser
- Download and install the client on a machine
GRR (and friends) links
- github.com/google/grr
- github.com/ForensicArtifacts/artifacts
- rekall-forensic.com
- plaso.kiddaland.net/
- github.com/google/timesketch
- github.com/libyal/libyal/wiki/Overview
These slides
These slides and everything you need to run your own workshop will be published here:
https://github.com/google/grr-doc/blob/master/publications.adoc
Short link: https://goo.gl/GzsleU