14.4. Collector Deployer Powershell Script

The Cyber Triage Collector Deployment Script is a Powershell script that can be used within EDRs and other Windows-based infrastructure to launch the Cyber Triage Collector program and collect endpoint data.

This section assumes that you are knowledgeable about:

• Extracting the Collector collection tool (see Extracting the Collector for Live Collections)

• Collector command line arguments (see Collector Arguments)

If you need a copy of the Deployer script, you can get it here.

14.4.1. Deployer Script Basics

• The script needs to be configured based on your scenario. Some settings can be specified as command line arguments, but most are variables within the script.

• The script can be used from many types of EDRs. You’ll need to use this page and the EDR-specific page to perform a collection. Examples include:

  • Collect with SentinelOne Singularity

• You will need to get the deployment script onto the endpoint. After that, the script can download the remainder of the files or you can copy the additional files yourself.

• The script can either block until the collection is done or it can return after it launches the Collector. This is because some EDRs have timeouts and the collection will be killed if the script blocks.

14.4.2. Configuration Concepts

The script will “work” right away, but it may not send data to a place that you can access. This section defines what you can change and what to expected.

There are three big decisions you need to make before running the deployer script:

1. How the Cyber Triage Collector will get on the host.

2. What kinds of data should be collected

3. Where the collected data will be sent

Each of these are settings in the script. To edit them, open the .PS1 file in a text editor and scroll down to the text that starts with:

######## Configuration  ##########

Below that are four sections that mirror the three topics listed above, plus specifying which EDR you are using. For each section, you’ll need to either uncomment a line (by removing the “#”) or change the value in between the quotes.

You should read this section in this doc to understand what approach you want and then go to the script and follow its instructions.

Let’s review each concept in more detail.

14.4.2.1. Getting the Collector To The Target Host

The deployer script is a Powershell wrapper to launch CyberTriageCollector.exe, which does the actual collecting. You have three options to get the Collector onto the host:

1. Have the Powershell script download the EXE from a Cyber Triage site. This is the default behavior.

2. Have the Powershell script download the EXE from YOUR site or file share. You can do this two ways:

   • Edit the script and specify the URL or UNC path

   • Or, specify the path as a -collector_download argument

3. Have your EDR or other IT infrastructure copy the exe file over to the target host. To to this:

   • Edit the script so that the download argument is an empty string (i.e. “”)

   • Have your EDR copy the EXE into the same folder that the Deployer Powershell script will be run from. Some EDRs run the script from the folder the script is copied into. Others run from a different folder. Refer to the EDR’s specific page for our experiences.

Options 2 and 3 require that you have a copy of CyberTriageCollector.exe. You get that from within Cyber Triage (see Extracting the Collector for Live Collections).

14.4.2.2. Specifying What Data To Collect

By default, all of the relevant Cyber Triage data is collected. You can use any of the usual Collector settings to reduce the amount of data, such as:

• --fast to skip the full file system scan

• --skip_file_contents to keep file contents out of the output and report only hashes

• --dtypes to specify specific data types

For example, specify --fast --skip_file_contents to focus on data from the registry and other source files and keep exes out of the output. Note that the arguments must be in a Powershell array.

To see all of the argument options, refer to Collector Arguments.

You can specify these settings as the config_collect_args variable in the script.

14.4.2.3. Configuring Where to Send Data

Cyber Triage needs to know where to send the collected data. There are three main options:

1. Network: You can have the collector send data to a waiting Cyber Triage Team Server. You need to specify server information.

2. S3: You can have the collector upload data to an S3 bucket. You then copy the file from there. You need to specify the S3 credentials.

3. File: You can have the collector send the data to a file and then you can copy it off. The file can be local or on a network share. Note that many EDRs have a maximum file size that you can copy from a host. This is the default.

Each approach has its own section below to provide details about how to get the needed configuration settings.

14.4.2.3.1. Getting Network Server Info

If you are running a Cyber Triage Team, you can have the Collector send data back to the server.

Refer to the instructions in Collect with EDR about how to enable the streaming mode and where to find the server name, certificate hash, and server key.

Edit the script to uncomment the config_output line that mentions servers and edit it appropriately. An example is:

$config_output = @("--serverkey", "12345678", "--server", "cybertriage.acme.com", "--cert_hash", "a1b2c3d4")

14.4.2.3.2. Getting S3 Configuration

The Collector needs an S3 configuration file if you want to upload data to an S3 bucket. You can get this configuration file by using the Extract Collector feature from within Cyber Triage. You can find those instructions in Extracting the Collector for Live Collections.

The above process will give you a folder with an S3Config.cfg file.

You now have two options:

1. Place that file on a file share or web server so that the Collector can download it. If you do this, you need to tell the Collector where to find it. Note that the script may not have permissions to file shares. You can either:

   • Edit script so that config_s3_cfg_download has that URL

   • Or, pass it as an argument as -s3_cfg_download

2. Have your EDR copy the configuration file into the folder that the script will run in (i.e. the same place the EXE was copied into). If you do this, you’ll need to edit the script so that you uncomment the ‘config_output’ string that refers to the S3Config.cfg setting.

14.4.2.3.3. Saving To File

You can also save to a file and either access it via file share or have your EDR copy it back.

To do this, uncomment the config_output script line that has --output PATH and edit the path accordingly.

NOTE that some EDRs limit the file size that can be copied to under 2GB. Most Cyber Triage collections are less than that. If your collection is too big, you can either upload it to S3 or use a collection setting such as --skip_file_contents to not collect file content.

14.4.3. Troubleshooting

Each EDR is different with respect to how much info they will give you.

If the script blocked until the collection completed, then you should see any error messages on the output. If the script launched the Collector as a background process, then there could be a ct_err.txt file in the folder that the script ran from with information.

Key things to remember:

• The EXE needs to create some temporary files and output files. Make sure the Collector has permissions run from where it runs from. Do not run things from c:\\windows\\system32 (that is where some EDRs copy the program to).

• You can run the script locally from within Powershell to debug any code changes.

• Make sure your EDR has permissions to access any network shares you use.