Tuesday, August 12, 2014

3R4LR - Running Redline Remotely for Live Response

This blog post is a work in progress and I'd love to get feedback while writing it. 

So while this note appears on top, the blog post is not finished. 

(Please come back again later!)

This is the second post about using Redline for Live Response. The first post covered Using Redline for Live Response - Part 1, showing how many details from artifacts can be collected with Redline.

Let's take a look at the steps necessary for running Redline Collector remotely.

  1. copy the collector to the host
  2. run the collector on the host
  3. compress the collection data (optional)
  4. copy the collection data back

I'm sure there are many ways to accomplish this, but here is the way I did it.

A short batch script, which takes a hostname as its parameter, uses PsExec to copy a remote script to the host and execute it there. The remote script performs the steps listed above.

Prerequisites:
  • read-only network share (for collector source)
    •  \\RO-Share-Host\Redline\
  • writable network share (to copy collection data back)
    •  \\RW-Share-Host\Data-Upload\
  • PsExec rights (local admin) on the remote host for the user starting the scripts; verify with:
    • D:\Tools\Sysinternals>psexec -s \\hostname cmd /c whoami
      • --> nt authority\system

Considerations / Disadvantages:
  • needs privileged credentials for running the collector remotely
  • copying the collector and writing the collection data to the host overwrites unallocated space (the hard disk of the host under investigation is modified)

Here are the two scripts, just slightly modified (anonymized) from the original previously used. (I hope I didn't introduce any typos or find/replace errors -- if so, please let me know)

REM ============================================================================
REM | Usage: run-redline.cmd hostname
REM ============================================================================

@echo off

REM  check if remote host is online
REM  (parentheses are required: without them "goto FINISHED" also runs when ping succeeds)
ping -n 1 %1 >NUL || (echo Client %1 is offline. & goto FINISHED)

echo Running Redline Collector remotely on System: %1
time /t

REM  run the remote script as SYSTEM (-s) after copying it to the host (-c);
REM  add -f if an older copy of the script may already exist on the host
D:\Tools\Sysinternals\psexec.exe -accepteula \\%1 -s -c D:\Tools\Mandiant\Redline\run-redline-remote.cmd %1 >> E:\Data-Upload\Audits\%1_Redline_Log.txt

REM  sleep.exe from the Windows Resource Kit
sleep 3

REM  unpack the archive the remote script copied to the writable share
D:\Tools\7z.exe x -oE:\Data-Upload\Audits\%1 E:\Data-Upload\Audits\%1\audit_%1.7z

move E:\Data-Upload\Audits\%1_Redline_Log.txt E:\Data-Upload\Audits\%1\

dir /s E:\Data-Upload\Audits\%1

echo *** Finished Redline Collector script !!!
time /t

:FINISHED

REM ============================================================================
REM | Usage: run-redline-remote.cmd hostname
REM ============================================================================

@echo off

REM create new dir for Redline Collector (this already overwrites unallocated space on the host)
mkdir C:\Redline
cd /d C:\Redline

echo Starting "run-redline-remote.cmd" on System: %1 >> run-redline-remote.log
time /t >> run-redline-remote.log

REM copy Redline Collector executable and scripts from share
REM (the script runs as SYSTEM, so in a domain the host's computer account needs read access to the share)
xcopy /E /C /Y /Q \\RO-Share-Host\Redline\Redline-Collector-Latest .
REM sleep.exe from the Windows Resource Kit (expected in the collector directory)
sleep 10
dir /s

rem ----------------------------------------------------------------------------
rem include Helper.bat   (using "call Helper.bat" didn't work)
rem ----------------------------------------------------------------------------

SETLOCAL enableextensions enabledelayedexpansion

ECHO Ensuring the proper working directory
REM stay in C:\Redline: the helper's original "cd %~dp0" would change to the
REM directory PsExec copied this script into, where the collector files are not
cd /d C:\Redline

REM Verify the files exist
SET agent64=.\x64\MIRAgent.exe
SET agent32=.\x86\MIRAgent.exe
SET script=MemoryzeAuditScript.xml
SET outputdir=.

IF NOT EXIST "%agent64%" GOTO :failed
REM IF NOT EXIST "%agent32%" GOTO :failed
IF NOT EXIST "%script%" GOTO :failed

IF "%1"=="" GOTO :usedefault
SET outputdir=%1
REM Check that the directory exists, and if not create it.
IF NOT EXIST "%outputdir%" CALL mkdir "%outputdir%"

:usedefault
SET args=-o "..\%outputdir%" -f -script "..\%script%" -encoding none -allowmultiple

REM determine the OS architecture; a 32-bit cmd.exe on 64-bit Windows reports x86 in
REM PROCESSOR_ARCHITECTURE and the real value in PROCESSOR_ARCHITEW6432
SET bitness=%PROCESSOR_ARCHITECTURE%
IF DEFINED PROCESSOR_ARCHITEW6432 SET bitness=%PROCESSOR_ARCHITEW6432%

SET agent=%agent32%
IF "%bitness%"=="x86" GOTO :agentset
IF "%bitness%"=="IA64" GOTO :unsupported
SET agent=%agent64%

:agentset
ECHO %agent% %args%
call %agent% %args%

GOTO :end

:failed
ECHO Failure Encountered:
ECHO Agent and/or Redline Audit Script not found.
GOTO :end

:unsupported
ECHO Failure Encountered:
ECHO This Operating System is not supported by the Memoryze Agent
GOTO :end

:buildfailed
REM left over from the original helper (label name assumed, nothing jumps here);
REM %lastcmd% and %buildlog% are not set anywhere in this script
ECHO Failure Encountered
ECHO %errorlevel% return from "%lastcmd%"
IF EXIST "%buildlog%" START notepad "%buildlog%"
GOTO :end

:end
ENDLOCAL

rem ----------------------------------------------------------------------------


echo Finished collection on System: %1 >> run-redline-remote.log
time /t >> run-redline-remote.log

mkdir \\RW-Share-Host\Data-Upload\Audits\%1
rem copy run-redline-remote.log \\RW-Share-Host\Data-Upload\Audits\%1

rem ** copy collection without compression
rem xcopy /E /C /Y %1 \\RW-Share-Host\Data-Upload\Audits\%1

rem ** copy collection WITH (7z) compression
rem    (7z.exe is expected in the collector directory copied from the share)
7z.exe a audit_%1.7z %1
copy audit_%1.7z \\RW-Share-Host\Data-Upload\Audits\%1

sleep 20

echo Finished "run-redline-remote.cmd" on System: %1 >> run-redline-remote.log
time /t >> run-redline-remote.log

copy run-redline-remote.log \\RW-Share-Host\Data-Upload\Audits\%1

The scripts are provided as is without any warranty. Use at your own risk. They may be changed without notice.
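As an added example (not part of the original post), here is the workflow of run-redline.cmd written in PowerShell with the checks the batch version has no room for: the host name is validated before it is spliced into a command line and into paths, the tools are verified to exist, and the returned archive is SHA-256 hashed before unpacking so the integrity of the collection is recorded next to the data. The tool, share and script paths are assumptions copied from the post's layout.

```powershell
# Added example, not part of the original post. Paths are assumptions taken from the
# post's layout; PsExec, 7-Zip and the remote script are the same ones the batch file uses.
param([Parameter(Mandatory = $true)][string]$HostName)

$PsExec     = 'D:\Tools\Sysinternals\psexec.exe'
$RemoteCmd  = 'D:\Tools\Mandiant\Redline\run-redline-remote.cmd'
$SevenZip   = 'D:\Tools\7z.exe'
$UploadRoot = 'E:\Data-Upload\Audits'

# The host name ends up inside a command line and inside file paths, so accept only
# a plain NetBIOS/DNS label: letters, digits and hyphens, nothing cmd.exe or the
# file system would interpret.
if ($HostName -notmatch '^[A-Za-z0-9][A-Za-z0-9-]{0,62}$') {
    throw "Refusing host name '$HostName': only letters, digits and '-' are allowed."
}
foreach ($tool in @($PsExec, $RemoteCmd, $SevenZip)) {
    if (-not (Test-Path -LiteralPath $tool)) { throw "Missing tool: $tool" }
}
$caseDir = Join-Path $UploadRoot $HostName
$log     = Join-Path $UploadRoot "${HostName}_Redline_Log.txt"

function Write-Log([string]$Message) {
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Write-Host $line
    Add-Content -LiteralPath $log -Value $line
}
if (-not (Test-Connection -ComputerName $HostName -Count 1 -Quiet)) {
    Write-Warning "Client $HostName is offline."
    return
}

Write-Log "Running Redline Collector remotely on System: $HostName"
# Same invocation as run-redline.cmd: run as SYSTEM (-s), copy the script to the host first (-c).
& $PsExec -accepteula "\\$HostName" -s -c $RemoteCmd $HostName | Add-Content -LiteralPath $log
Write-Log "PsExec returned exit code $LASTEXITCODE"

$archive = Join-Path $caseDir "audit_$HostName.7z"
if (-not (Test-Path -LiteralPath $archive)) {
    throw "No collection archive at $archive; see $log"
}
# Record the archive hash before unpacking so the integrity of what came off the
# host is documented next to the data (chain of custody).
$hash = Get-FileHash -LiteralPath $archive -Algorithm SHA256
Write-Log "SHA256 $($hash.Hash) $archive"

& $SevenZip x "-o$caseDir" $archive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "7-Zip failed with exit code $LASTEXITCODE" }
Move-Item -LiteralPath $log -Destination $caseDir
Get-ChildItem -LiteralPath $caseDir -Recurse | Select-Object FullName, Length
```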

I will update this post later with a PoC running the scripts "remotely" from the VM host on the infected VM from the previous post.

Stay tuned for more...