17.5. Collector Deployer Powershell Script¶
The Cyber Triage Collector Deployment Script is a Powershell script that can be used within EDRs and other Windows-based infrastructure to launch the Cyber Triage Collector program and collect endpoint data.
This section assumes that you are knowledgeable about:
Extracting the Collector collection tool (see Extracting the Collector)
Collector command line arguments (see Collector Command Line Arguments)
Required Collector permissions (it needs to run with admin privileges)
If you need a copy of the Deployer script, you can get it here.
17.5.1. Deployer Script Basics¶
The script needs to be configured based on your scenario. Some settings can be specified as command line arguments, but most are variables within the script.
- The script can be used from many types of EDRs. You’ll need to use this page and the EDR-specific page to perform a collection. Examples include:
You will need to get the deployment script onto the endpoint. After that, the script can download the remainder of the files or you can copy the additional files yourself.
The script can either block until the collection is done or it can return after it launches the Collector. This is because some EDRs have timeouts and the collection will be killed if the script blocks.
17.5.2. Configuration Concepts¶
The script will “work” right away, but it may not send data to a place that you can access. This section defines what you can change and what to expected.
There are three big decisions you need to make before running the deployer script:
How the Cyber Triage Collector will get on the host.
What kinds of data should be collected
Where the collected data will be sent
Each of these are settings in the script. To edit them, open the .PS1 file in a text editor and scroll down to the text that starts with:
######## Configuration ##########
Below that are four sections that mirror the three topics listed above, plus specifying which EDR you are using. For each section, you’ll need to either uncomment a line (by removing the “#”) or change the value in between the quotes.
You should read this section in this doc to understand what approach you want and then go to the script and follow its instructions.
Let’s review each concept in more detail.
17.5.2.1. Getting the Collector To The Target Host¶
The deployer script is a Powershell wrapper to launch CyberTriageCollector.exe, which does the actual collecting. You have three options to get the Collector onto the host:
Have the Powershell script download the EXE from a Cyber Triage site. This is the default behavior.
- Have the Powershell script download the EXE from YOUR site or file share. You can do this two ways:
Edit the script and specify the URL or UNC path
Or, specify the path as a
-collector_download
argument
- Have your EDR or other IT infrastructure copy the exe file over to the target host. To to this:
Edit the script so that the download argument is an empty string (i.e. “”)
Have your EDR copy the EXE into the same folder that the Deployer Powershell script will be run from. Some EDRs run the script from the folder the script is copied into. Others run from a different folder. Refer to the EDR’s specific page for our experiences.
Options 2 and 3 require that you have a copy of CyberTriageCollector.exe. You get that from within Cyber Triage (see Extracting the Collector).
17.5.2.2. Specifying What Data To Collect¶
By default, all of the relevant Cyber Triage data is collected. You can use any of the usual Collector settings to reduce the amount of data, such as:
--fast
to skip the full file system scan--skip_file_contents
to keep file contents out of the output and report only hashes--dtypes
to specify specific data types
For example, specify --fast --skip_file_contents
to focus on data from the registry and other source files and keep exes out of the output. Note that the arguments must be in a Powershell array.
To see all of the argument options, refer to Collector Command Line Arguments.
You can specify these settings as the config_collect_args
variable in the script.
17.5.2.3. Configuring Where to Send Data¶
Cyber Triage needs to know where to send the collected data. There are three main options:
Network: You can have the collector send data to a waiting Cyber Triage Team Server. You need to specify server information.
Cloud (S3 or Azure): You can have the collector upload data to an S3 bucket or Azure blob. You then copy the file from there. You need to specify the cloud credentials.
File: You can have the collector send the data to a file and then you can copy it off. The file can be local or on a network share. Note that many EDRs have a maximum file size that you can copy from a host. This is the default.
Each approach has its own section below to provide details about how to get the needed configuration settings.
17.5.2.3.1. Getting Network Server Info¶
If you are running a Cyber Triage Team, you can have the Collector send data back to the server.
Refer to the instructions in Collect with EDR about how to enable the streaming mode and where to find the server name, certificate hash, and server key.
Edit the script to uncomment the config_output
line that mentions servers and edit it appropriately. An example is:
$config_output = @("--serverkey", "12345678", "--server", "cybertriage.acme.com", "--cert_hash", "a1b2c3d4")
17.5.2.3.2. Getting Cloud Storage Configuration¶
The Collector needs a configuration file if you want to upload data to cloud storage. You can get this configuration file by using the Extract Collector feature from within Cyber Triage. You can find those instructions in Extracting the Collector.
The above process will give you a folder with an CloudConfig.cfg file (it was called S3Config.cfg in versions before 3.10).
You now have two options:
- Place that file on a file share or web server so that the Collector can download it. If you do this, you need to tell the Collector where to find it. Note that the script may not have permissions to file shares. You can either:
Edit script so that config_s3_cfg_download has that URL
Or, pass it as an argument as
-s3_cfg_download
Have your EDR copy the configuration file into the folder that the script will run in (i.e. the same place the EXE was copied into). If you do this, you’ll need to edit the script so that you uncomment the ‘config_output’ string that refers to the CloudConfig.cfg setting.
17.5.2.3.3. Saving To File¶
You can also save to a file and either access it via file share or have your EDR copy it back.
To do this, uncomment the config_output
script line that has --output PATH
and edit the path accordingly.
NOTE that some EDRs limit the file size that can be copied to under 2GB. Most Cyber Triage collections are less than that. If your collection is too big, you can either upload it to S3 or use a collection setting such as --skip_file_contents
to not collect file content.
17.5.3. Troubleshooting¶
Each EDR is different with respect to how much info they will give you as the program is running.
If the script blocked until the collection completed, then you should see any error messages on the output. If the script launched the Collector as a background process, then there could be a ct_err.txt file in the folder that the script ran from with information.
Key things to remember:
The EXE needs to create some temporary files and output files. Make sure the Collector has permissions run from where it runs from. Do not run things from
c:\\windows\\system32
(that is where some EDRs copy the program to).You can run the script locally from within Powershell to debug any code changes.
Make sure your EDR has permissions to access any network shares you use.