Tuesday, August 12, 2014

3R4LR - Running Redline Remotely for Live Response

This blog post is a work in progress and I'd love to get feedback while writing it. 

So while this note appears on top, the blog post is not finished. 

(Please come back again later!)


This is the second post about using Redline for Live Response. The first post covered Using Redline for Live Response - Part 1, showing how many details from artifacts can be collected with Redline.

Let's take a look at the steps necessary for running Redline Collector remotely.

  1. copy the collector to the host
  2. run the collector on the host
  3. compress the collection data (optional)
  4. copy the collection data back

I'm sure there are many ways to accomplish this, but here is the way I did it.

A short batch script, taking a hostname as parameter, uses PsExec to copy and execute a remote-script to the host. The remote-script does actually the steps described above.

Prerequisites:
  • read-only network share (for collector source)
    •  \\RO-Share-Host\Redline\
  • writable network share (to copy collection data back)
    •  \\RW-Share-Host\Data-Upload\
  • psexec rights (as admin) on remote host for user starting scripts
    • D:\Tools\Sysinternals>psexec -s \\hostname cmd /c whoami
      • --> nt authority\system

Considerations / Disadvantages:
  • needs privileged credentials for running the collector remotely
  • collector software and data overwrites unallocated space (changing harddisk from host under investigation)

Here are the two scripts, just slightly modified (anonymized) from the original previously used. (I hope I didn't introduce any typos or find/replace errors -- if so, please let me know)






REM ============================================================================
REM | Usage: run-redline.cmd hostname
REM ============================================================================
 

@echo off

REM  check if remote host is online
ping -n 1 %1 >NUL || echo Client %1 is offline. && goto FINISHED

echo Running Redline Collector remotely on System: %1
time /t

D:\Tools\Sysinternals\psexec.exe -accepteula \\%1 -s -c D:\Tools\Mandiant\Redline\run-redline-remote.cmd %1 >> E:\Data-Upload\Audits\%1_Redline_Log.txt

sleep 3

D:\Tools\7z.exe x -oE:\Data-Upload\Audits\%1 E:\Data-Upload\Audits\%1\audit_%1.7z

move E:\Data-Upload\Audits\%1_Redline_Log.txt E:\Data-Upload\Audits\%1\

dir /s E:\Data-Upload\Audits\%1

:FINISHED
echo *** Finished Redline Collector script !!!
time /t


REM ============================================================================
REM | Usage: run-redline-remote.cmd hostname
REM ============================================================================

@echo off

REM create new dir for Redline Collector
mkdir C:\Redline
cd C:\Redline

echo Starting "run-redline-remote.cmd" on System: %1 >> run-redline-remote.log
time /t >> run-redline-remote.log

REM copy Redline Collector executable and scripts from share
xcopy /E /C /Y /Q \\RO-Share-Host\Redline\Redline-Collector-Latest .
sleep 10
dir /s

rem ----------------------------------------------------------------------------
rem include Helper.bat   (using "call Helper.bat" didn't work)
rem ----------------------------------------------------------------------------

SETLOCAL enableextensions enabledelayedexpansion

ECHO Ensuring the proper working directory
%~d0
cd %~dp0

REM Verify the files exist
SET agent64=.\x64\MIRAgent.exe
SET agent32=.\x86\MIRAgent.exe
SET script=MemoryzeAuditScript.xml
SET outputdir=.
SET bitness=%PROCESSOR_ARCHITECTURE%

IF NOT EXIST "%agent64%" GOTO :failed
REM IF NOT EXIST "%agent32%" GOTO :failed
IF NOT EXIST "%script%" GOTO :failed

IF "%1"=="" GOTO :usedefault
SET outputdir=%1
:usedefault
REM Check that the directory exists, and if not create it.
IF NOT EXIST "%outputdir%" CALL mkdir "%outputdir%"

SET args=-o "..\%outputdir%" -f -script "..\%script%" -encoding none -allowmultiple

SET agent=%agent32%
IF "%bitness%"=="x86" GOTO :agentset
IF "%bitness%"=="IA64" GOTO :unsupported
SET agent=%agent64%
:agentset

ECHO %agent% %args%
REM PAUSE
call %agent% %args%

GOTO :end

:failed
ECHO.
ECHO.
ECHO Failure Encountered:
ECHO Agent and/or Redline Audit Script not found.
GOTO :end

:unsupported
ECHO.
ECHO.
ECHO Failure Encountered:
ECHO This Operating System is not supported by the Memoryze Agent
GOTO :end

:auditfail
ECHO.
ECHO.
ECHO Failure Encountered
ECHO %errorlevel% return from "%lastcmd%"
IF EXIST "%buildlog%" START notepad "%buildlog%"
GOTO :end

:end
REM PAUSE
ENDLOCAL
rem ----------------------------------------------------------------------------

 

echo Finished "run-redline-remote.cmd" on System: %1 >> run-redline-remote.log
time /t >> run-redline-remote.log

mkdir \\RW-Share-Host\Data-Upload\Audits\%1
rem copy run-redline-remote.log \\RW-Share-Host\Data-Upload\Audits\%1

rem ** copy collection without compression
rem xcopy /E /C /Y %1 \\RW-Share-Host\Data-Upload\Audits\%1

rem ** copy collection WITH (7z) compression
7z.exe a audit_%1.7z %1
copy audit_%1.7z \\RW-Share-Host\Data-Upload\Audits\%1

sleep 20

echo Finished "run-redline-remote.cmd" on System: %1 >> run-redline-remote.log
time /t >> run-redline-remote.log

copy run-redline-remote.log \\RW-Share-Host\Data-Upload\Audits\%1



The scripts are provided as is without any warranty. Use at your own risk. They may be changed without notice.

I will update this post later  with a PoC running the scripts "remotely" from the VM-host on the infected VM from the previous post.

Stay tuned for more...

Cheers,
@c_APT_ure

2 comments:

  1. I thought I'd post a comment. Using Windows Server 2008 R2 SP1 the script fails in a number of ways. Sleep comes back as an unrecognized command. Changing to timeout worked. But then, when I run-redline.cmd the script fails with an error about "Input redirection is not supported".

    If I run run-redline-remote.cmd directly, it starts to run, shows a whole bunch of output SVDP\Database\2013

    Then it gets to "Ensuring the proper working directory" followed by...
    "Failure Encountered:"
    "Agent and/or Redline Audit Script not found."

    "HOSTNAME: WARNING: The system cannot find the file specified."

    "Creating archive audit_HOSTNAME.7z"

    "WARNINGS for files:"
    "HOSTNAME : The system cannot find the file specified."

    Seems like something is wrong in the scripting. So far, I've gotten closer but not able to actually get this working.

    ReplyDelete
  2. Thanks anonymous for the comment. The script was developed for and used on Vista and Win7 to automate as much as possible.
    For other OS'es some tweaking and adjustments may be necessary.

    ReplyDelete