3.3.3. Add Over The Network - PsExec Launch¶

With Network - PsExec (previously called ‘Live Automatic’), Cyber Triage^® will push the Collector to a live system using PsExec and it will send its results back to Cyber Triage^® over the network.

This feature is not available in the Lite version.

To do this, you’ll need the following on the remote Windows system:

File and network sharing enabled
Administrator privileges

Refer to Network - PsExec Target: Listening Ports (Standard and Team) for details on network requirements and Configuring for Network - PsExec Collections for details on configuring the target systems.

Watch the Cyber Triage Basics Course PsExec video on this technique.

3.3.3.1. Adding a Single Live Host¶

To perform the collection on a single host, select the Network - PsExec icon. You will be presented with a panel to enter:

Host name of computer to collect from
User name, domain, and password for an account on the remote system that has administrator privileges

If you did not configure PsExec as described in Configure PsExec, then you will be prompted to do so.

../../_images/import_live_automatic_options.png — *Single Network - PsExec Options*¶

After pressing Continue, you will be prompted to choose:

Data types to collect (see Data Collection Types)
Malware scanner settings (see Malware Analysis Settings)

If this is your first time running the program, you may also be prompted by Windows or a security program to allow Cyber Triage^® to open a network port. You will need to allow this to happen so that the Collector can send data to Cyber Triage^® on TCP port 443.

See Configuring for Network - PsExec Collections if the administrator account on the remote system is a local account and you are having problems.

After the collection has started, you will be able to see the results. Proceed to Host-level Examination for an overview of the analysis techniques.

3.3.3.2. Adding Multiple Live Hosts¶

If you have a Team deployment of Cyber Triage^®, you can submit multiple host names to collect from. This allows you to enter a set of hosts, have basic data collected from them, and then you can prioritize what you review. To do this, use the Add Multiple button when entering host details.

../../_images/import_live_automatic_multiple.jpg — *Multiple Network - PsExec*¶

You can then enter a list of host names.

../../_images/2_7.jpg — *Add Multiple Host Names*¶

Cyber Triage^® will then validate the credentials with those host names and then queue them up. You can see progress from either the Incident Dashboard (which is where Cyber Triage^® will redirect you to) or by choosing the All Hosts button from the main panel.