2. UI Basics and Initial Configuration (Standard and Team)
This section outlines the basics of the UI and various settings that you may need to change before adding data. Additional configuration of a Team deployment is covered in Team Installation and Configuration.
2.1. UI Basics
2.1.1. The Welcome Screen
When you launch Cyber Triage, the first screen you see is the Welcome screen.
From here, you can:
Add, delete, and edit incidents (see Incident Management)
Get an overview of system status on the right-hand side.
Use the top menu to get the collection tool, open the Options panel, and provide feedback.
Search indicators from past incidents (see Global IOC Search)
2.2. Initial Configuration
In many cases, you can use Cyber Triage with no additional configuration. However, this section provides an overview of things to consider, and the sections below give the details for any that seem relevant to you.
PsExec: If you plan to use the “Network - PsExec” feature of Cyber Triage that allows you to copy over the collection tool via PsExec, then refer to Configuring for Network - PsExec Collections.
Custom Collector Rules: If you plan to customize the files that the Collector will collect, then refer to Customize File Collection.
Cloud Storage: If you plan to have the Collector upload to S3 or Azure, then refer to Configure Cloud Storage Profiles.
Yara: If you want to use your own Yara rules or edit the Good / Bad lists, then refer to Configure Yara Signatures or Configure Bad and Good Lists.
Firewalls: If your network restricts traffic based on destinations and ports, then refer to Network Traffic (Ports and Hosts Used) for details on what Cyber Triage needs.
Proxy: If you have a TLS intercept proxy, then you need to configure Cyber Triage so that it validates that certificate. Refer to Internal Intercept Proxies.
2.2.1. Configuring for Network - PsExec Collections
Cyber Triage has built-in support to deploy its Collector via PsExec, but additional configuration is needed before the ‘Network - PsExec’ add host method can be used (Network - PsExec). Namely:
PsExec must be configured in Cyber Triage
The target computer must be configured
NOTE: Microsoft has dropped support for Windows XP with the latest versions of PsExec. If you are still using Windows XP and require the Network - PsExec functionality, you will need to find an older version of PsExec (2.34 or earlier). Contact our support team if you need to use PsExec on XP systems.
2.2.1.1. Configure PsExec
Download PsTools
Unzip the PSTools.zip file to a folder on your computer.
Open the Cyber Triage Options panel from the opening Cyber Triage® window.
Navigate to the General tab.
Find the PsExec Settings area, choose the Browse button, and navigate to the folder that you extracted the contents into. Confirm that you read the PSTools End User License Agreement.
2.2.1.2. Services Required on Target System
The target system for Network - PsExec must have file sharing enabled so that PsExec can copy over the Collector.
2.2.1.3. Enable Local Accounts
If you want to use a local account on the target system (instead of a domain account), then you’ll need to make a change from the default settings in order to use Network - PsExec.
Run the regedit.exe Windows program on the target computer.
Navigate to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System node.
Right click on the System node to add a REG_DWORD value with a name of LocalAccountTokenFilterPolicy (no quotes) and a value of 1.
Either reboot the computer or restart the “Server” service (LanmanServer) and the “Workstation” service (LanmanWorkstation). Either of these will ensure the new policy is used.
2.2.2. Customize File Collection
You can collect additional files beyond what Cyber Triage already collects. This is useful when you want to make sure you get logs from a certain application or from indicators of a recent attack.
The following terms are used in this process:
File Rule: A set of criteria that, when matched, will cause the file to be collected.
File Rule Set: A set of file rules. The file will be collected when any rule matches. You can organize rules in any way that makes sense for you.
2.2.2.1. Adding Custom File Collection Rules
To add a rule, go to the Options panel and choose “File Collection Rules”. Rules need to be in a set, so create a set if none exist or if you want to organize the new rule differently than the others.
Create a new set with New Set. You need to give it a unique name and can optionally give it a description.
Once the set is selected, you can add a rule to it with New Rule.
There are different types of rules, which have different performance impacts.
Exact Match: If the full path is specified (parent folder and file name), these are fast lookups since the Collector knows where to look.
Fuzzy Match: If only part of the parent folder or file name is specified, then the rule will be applied to each file in the system. This requires the full file system scan to occur.
A rule has the following fields:
A unique display name
File Name: Can be full name, empty, or have wild cards. Details are below.
Parent Folder: Can be full name, empty, or have wild cards. Details are below.
Max File Size: Allows you to ignore files that are too big to collect.
Max File Age: Allows you to optionally ignore files that are old and likely not relevant to a recent attack. This field is number of days and is applied to the file’s creation date.
The following are more detailed requirements for file name:
This field is required if folder name is not specified.
Comparison is case-insensitive.
Can not include any of the symbols that are not allowed in file names: ‘<’, ‘>’, ‘:’, ‘"’, ‘/’, ‘\’, ‘?’
Can include one or more ‘*’ wild cards, which will match 0 or more of any character.
If no file name is given, all files in any directory matching the folder name will be collected (non-recursive).
The following are more detailed folder requirements:
This field is required if file name is not specified.
Comparison is case-insensitive.
Forward slash is used to separate folder names.
Can not include any of the symbols that are not allowed in folder names: ‘<’, ‘>’, ‘:’, ‘"’, ‘\’, ‘?’
Can start with %USER_DIR% to match the standard Windows user folders or any non-standard user folders extracted from the registry (if present).
If not using %USER_DIR%, the path must start with a forward slash.
Folder names should not end with a slash (unless using a single slash for the root folder).
- A ‘*’ wildcard that is not surrounded by forward slashes will match 0 or more characters within a folder name:
/windows/system* will match /windows/system32
- A single ‘*’ wildcard surrounded by forward slashes will match any full folder name, but not recursively:
/Windows/*/notepad.exe will match /Windows/System32/notepad.exe
/Windows/*/notepad.exe will not match /Windows/System32/foo/notepad.exe
- A double ‘*’ wildcard surrounded by forward slashes will match any number of folder names:
/Windows/**/notepad.exe will match /Windows/System32/notepad.exe and /Windows/System32/foo/notepad.exe
If no folder name is given, all files with the specified file name will be collected.
Any wild card character will require the full file system scan. If you specify the full file name and the full folder path, then a targeted collection can be performed without the full file system scan.
Examples:
- To collect a specific log file (fast collection):
File Name: logfile.txt
Folder Name: /ProgramData/ApplicationName/Logs
- To collect all files in a specific folder newer than 60 days:
File Name: <Not specified>
Folder Name: /ProgramData/ApplicationName
Max File Age: 60
- To collect all executables in AppData:
File Name: *.exe
Folder Name: %USER_DIR%/AppData/**
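As an added example (not code from Cyber Triage or its documentation), the following Python reimplements the rule semantics described above so that a rule can be checked against sample paths before a collection: ‘*’ in a file name or within a folder name, ‘/*/’ for one folder, ‘**’ for any number of folders, the %USER_DIR% prefix (expanded here to two constructed user folders), the size and age limits, and whether a rule is an Exact Match (targeted) or a Fuzzy Match (full scan). It assumes ‘**’ may also match zero folder names, which the text above does not state either way.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the user folders the Collector takes from the registry.
USER_DIRS = ("/Users/alice", "/Users/bob")
BAD_NAME_CHARS = set('<>:"/\\?')  # not allowed in File Name ('*' is the wildcard)
BAD_DIR_CHARS = set('<>:"\\?')    # not allowed in Parent Folder ('/' is the separator)

@dataclass
class FileRule:
    name: str = ""        # "" = every file in a matching folder (non-recursive)
    folder: str = ""      # "" = the named file anywhere on disk
    max_size: int = 0     # bytes; 0 = no limit
    max_age_days: int = 0 # days since creation date; 0 = no limit

    def __post_init__(self):
        f = self.folder
        if not self.name and not f:
            raise ValueError("File Name or Parent Folder is required")
        if set(self.name) & BAD_NAME_CHARS or set(f) & BAD_DIR_CHARS:
            raise ValueError("illegal character in rule")
        if f and (not f.startswith(("/", "%USER_DIR%")) or (len(f) > 1 and f.endswith("/"))):
            raise ValueError("folder must start with '/' or %USER_DIR% and not end with '/'")

    def is_targeted(self) -> bool:
        # Exact Match: both fields literal, so no full file system scan is needed.
        return bool(self.name and self.folder) and "*" not in self.name + self.folder

    def _folder_regex(self) -> str:
        pat, out = self.folder, "^"
        if pat.startswith("%USER_DIR%"):
            out += "(?:" + "|".join(map(re.escape, USER_DIRS)) + ")"
            pat = pat[len("%USER_DIR%"):]
        for seg in [s for s in pat.split("/") if s]:
            if seg == "**":
                out += "(?:/[^/]+)*"   # any number of folder names (zero assumed allowed)
            elif seg == "*":
                out += "/[^/]+"        # exactly one folder name, not recursive
            else:                      # '*' inside a name matches 0+ chars, never '/'
                out += "/" + "[^/]*".join(map(re.escape, seg.split("*")))
        return out + "$"

    def matches(self, path: str, size: int = 0, created_days_ago: int = 0) -> bool:
        folder, _, name = path.rpartition("/")  # "/a.txt" -> folder "" (the root)
        name_re = "^" + "[^/]*".join(map(re.escape, self.name.split("*"))) + "$" if self.name else "^.+$"
        folder_re = self._folder_regex() if self.folder else ".*"
        if not (re.match(name_re, name, re.I) and re.match(folder_re, folder, re.I)):
            return False
        if self.max_size and size > self.max_size:
            return False
        return not self.max_age_days or created_days_ago <= self.max_age_days
```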
2.2.2.2. Using Custom File Collection Rules
After you update or create rules, you may need to take additional steps to ensure the collections use them.
Network - PsExec: The Collector will download the latest version of the rules when the collection starts.
Network - Manual, Cyber Triage File: The rules are copied to the extracted folder. You’ll need to extract the Collector again to get the latest version of the rules.
KAPE, Disk Image, Logical Files: Local copies of the latest rules are used.
2.2.3. Configure Cloud Storage Profiles
Cyber Triage can use cloud storage in two ways:
The Collector can automatically upload to these locations
The main application can directly download from these locations
Cyber Triage supports:
S3-based providers, including AWS.
Microsoft Azure
You should configure the cloud storage profiles before you extract the Collector so that it will have the proper configuration data.
2.2.3.1. Basic Cloud Storage Approach
Every organization uses cloud storage differently and has different requirements for how to manage cloud resources. With that in mind:
Cyber Triage will not create buckets, but we do provide guidance for how to do so. It is ultimately up to you to ensure they are secure and meet your organization’s requirements.
Cyber Triage assumes there is a single bucket that all Collectors will upload to.
- Cyber Triage is designed for credentials with minimal permissions. It uses two roles:
Collector Upload: This identity should be able to write to the bucket, but not read. If the threat actor compromises these credentials, they should not be able to read what else is in the bucket.
Bucket Manager: This identity can read the bucket. It will be used by the application to read data that was uploaded.
Refer to Cloud Storage Services for guidelines on configuring your service and these account types.
2.2.3.2. Cloud Storage Profiles
A Cloud Storage Profile defines a bucket with a set of credentials to access it. Namely:
The location and name of the bucket
“Upload” Credentials
“Manager” Credentials, which are optional
2.2.3.3. Adding a Cloud Storage Profile
To add a profile, go to the Options panel and choose “Cloud Storage”. You should make a profile for each combination of credentials, bucket, and region.
Choose “New Profile” and get the following dialog:
Pick if it is S3-equivalent or Azure
For S3 buckets, configure:
Provider: Amazon AWS or another S3-equivalent
Region: If using AWS, you’ll need to pick the region your bucket is in.
- Service URL: If using a non-AWS provider, you’ll need to specify the Service URL. It should have the region in the URL.
For example: S3.us-east-2.wasabisys.com
Bucket: The name of the bucket to save the results to. You will need to manually create this bucket. It should not be public.
- Collector Upload: This identity is used to write data. It should NOT be able to read.
Access Key ID and Key: You will need to get an access key from the provider. These will be saved unencrypted in the configuration file.
Session Token: Optional. Required only if you are using a temporary access key. You can generate this via the AWS Command Line Tool:
Bucket Manager: This identity is used to read data and browse the bucket. It is optional. Choose “Do not use” if you are interested in only having Cyber Triage upload to the bucket.
Press the “Test Connection” button so that Cyber Triage can verify the data and check the scope of the identities.
For Azure buckets, you’ll see this dialog:
Configure:
Container: You are responsible for making this. It should not be public.
Collector Upload: This account should be able to write, but NOT read. Note that this is possible only with premium Azure tiers.
Bucket Manager: This account should be able to read and browse the container. It is optional.
Press the “Test Connection” button so that Cyber Triage can verify the data and check the scope of the accounts.