19.4.2. Collect with SentinelOne Singularity

You can deploy the Cyber Triage Collector tool via SentinelOne Singularity if you have RemoteOps or RemoteShell capabilities. This allows you to collect the artifacts over the network without needing to use PsExec.

The approach is different for RemoteOps vs Remote Shell, so there are different sections below. Note that some Singularity deployments do not have either of these features.

19.4.2.1. Deployer Script

Regardless of which deployment you have, we recommend that you use the Cyber Triage Deployer script to deploy Cyber Triage. It takes care of Sentinel1-specific settings and simplifies each collection once it is configured.

Some special things to note about RemoteOps:

• RemoteOps doesn’t store configuration files in the script library. If you are using cloud storage or custom file rules, you’ll need another place to store them.

• RemoteOps has a small max file size for files that it can copy off the endpoint. So, we do not recommend that you save files to disk.

• RemoteOps has no interactive feature. Everything needs to be done as part of a script.

• NOTE: The 3.14 release in April 2025 will make S1 easier to use with cloud storage since the details can be supplied on the command line.

Remote Shell has some limitations to be aware of:

• It doesn’t offer a way to push the collector or config files to the endpoint. You’ll need to manually download them, copy them from a file share, or have the script download them.

• It doesn’t offer a way to get data from the host. You’ll need to have the data uploaded to S3, to a Cyber Triage Server, or use the PowerShell Copy-Item to copy the output to another location.

Refer to Configure the Collector Deployer Powershell Script for getting and configuring the script.

19.4.2.2. RemoteOps

RemoteOps is an add-on that allows you to run PowerShell scripts on multiple hosts and maintain a script library. The basic approach to deploying Cyber Triage is to customize our Deployer Powershell script and upload it to RemoteOps library. You can then push that uploaded script to whichever host you want to collect from.

19.4.2.2.1. Configure RemoteOps for Collection

There are gwo main steps to making sure RemoteOps is ready to deploy the collector.

1. Download and configure the Deployer Powershell script as outlined above.

2. Upload the script to the RemoteOps library as outlined below.

19.4.2.2.1.1. Uploading the Deployer to RemoteOps Library

You can upload your Deployer script to your S1 script library so that it can be more easily pushed out to endpoints.

Before uploading the script, we recommend you’ve run it locally to ensure there are no syntax errors.

Uploading the deployer script is the same as any other Powershell script. Nothing in this process is unique to Cyber Triage, but we will outline the basic ideas here:

• Press the “Upload New Script” button from the RemoteOps section

• Give it a name, such as “Deploy Cyber Triage Collector”. You need to choose that it runs on Windows and can choose “Artifact Collection” for the Type.

• Next, navigate to your edited script. You can keep the ZIP file option unchecked.

• On the settings panel, first update the timeout to be at least 10800 seconds (3 hours). This is very important. Otherwise, the Collector will be killed. Next, if you intend to use command line arguments for download paths and other settings, check the “Input is Required” option.

19.4.2.2.2. Start a RemoteOps Collection

Once the deployer script has been uploaded to the RemoteOps library, you can simply launch it on a given host.

To run the Collector on a specific host:

1. Pick the endpoint in the Sentinels section.

2. Choose Actions -> Response -> Run Script

3. Choose the Cyber Triage Deployer Script

4. When S1 asks about inputs and outputs:

   • If you configured the script to take inputs, then they should be entered here. These will be appended to the command line as arguments.

   • The output should be set to “None”. S1 will only support outputs less than 180MB. You can have S1 automatically copy the file if you keep it small.

5. The default maximum time should still be 10,800 seconds from the setup. You can keep that.

After you press Submit, you’ll see the progress under Automation / Tasks.

19.4.2.3. S1 Remote Shell

For the Sentinel One users without RemoteOps, you can deploy Cyber Triage if you have the Remote Shell feature, which gives you a shell on a given host. This section will outline how to use that feature to deploy the Cyber Triage Collector.

The biggest challenge with Remote Shell is that it does not have a script library. So, you are responsible for getting files to and from the host.

19.4.2.3.1. Configure S1 Remote Shell

Because there is no script library, the main setup for Remote Shell is the Deployer script. See the section above for details on that.

Save the Deployer script “somewhere” so that it can be later downloaded or copied. Examples include: * At a URL, such as an S3 bucket or internal server * A file share that the S1 agent will have read access to

19.4.2.3.2. Start a S1 Remote Shell Collection

When you want to start a collection:

1. Navigate to the host in the “Sentinels” section and choose Actions -> Response -> Remote Shell

2. Enter the needed passwords and you’ll get a shell.

3. It should start in the c:\\windows\\temp folder. If not, you need to change to a folder that you can write to. Download your edited script by typing in something like:

Invoke-Webrequest -URI http://yourserver/deploy_cyber_triage_collector.ps1

or

Copy-Item \\UNC\Path\deploy_cyber_triage_collector.ps1

4. Run the .\deploy_cybertriage_collector.ps1 script. It will launch the Collector as a background process.

5. The RemoteShell will timeout after 30 minutes. You may need to restart it. You can check status by running .\deploy_cybertriage_collector.ps1 -status.

6. To copy output from the system (if you did not send it to cloud or a server), you can use Copy-Item to copy the file from the temp folder to a file share.