14.5. Launch Cyber Triage via Command Line
14.5.1. Overview
You can launch Cyber Triage from the command line to create incidents, add hosts, and generate reports without having to use the GUI. The resulting incidents can be opened as normal using the Cyber Triage GUI.
14.5.2. Required Versions
The command line interface works on:
Standard Pro
Clients in a Team deployment
14.5.3. The Command Line Program
You will launch the same program as the GUI. By adding arguments, it will automatically perform the specified tasks.
In a command prompt, navigate to the Cyber Triage “bin” directory that contains the Cyber Triage executable. This is normally located at “C:\Program Files\Cyber Triage\bin”.
Here are the basic rules for which arguments need to be specified:
You will always need to specify an incident to create or open.
You will always need to specify --nogui --nosplash. These make sure that Cyber Triage runs without a UI.
14.5.4. Creating and Opening Incidents
You will always need to either create or open an existing incident. Incident names must be unique. For example, running this command will create a new Demo Incident incident:
cybertriage64 --createIncident="Demo Incident" --nogui --nosplash
To open an existing incident:
cybertriage64 --openIncident="Demo Incident" --nogui --nosplash
14.5.5. Adding a New Host and Running Ingest
You can add a host to a new incident or an existing incident using the --addHost option. Host names must be unique. You can only add one host at a time.
When adding a host, all of the following parameters must be specified:
--addHost=(Host Name) - Specify a unique name for the host
--addHostType=(Host type) - Specify the type of data being added (see list below)
--addHostPath=(Path to host file) - Full path to the host file, image, etc.
--addHostMalware=(Host malware configuration(s)) - Specify what level of malware analysis should be performed (see below)
14.5.5.1. Supported Host Types
The following host types are supported:
JSON - You have already run the agent on a host and have a JSON collection file (*.json, *.json_0, *.json_1, *.json.gz, *.json.gzip)
DiskImage - Disk image (*.e01, *.img, *.dd, *.001, *.aa, *.raw, *.bin, *.vhd, *.vmdk)
MemoryImage - Volatility memory image (*.mem, *.aff4, *.dmp, *.vmem, *.hpak, *.E01, *.img, *.bin, *.raw)
KAPE - Output of Kroll’s Artifact Parser and Extractor (KAPE) (*.vhd, logical files set)
14.5.5.2. Supported Malware Configurations
The following malware configurations are supported:
ImpHash - Query using a hash of the portable executable imports
Hash - Query using MD5 hashes to get analysis results (content not uploaded unless Upload option is selected as well)
Upload - Upload to server for analysis. If not selected, then files will be marked as suspicious (but not uploaded)
None - Do nothing
14.5.5.3. Usage Examples
The following example creates a new incident, adds a JSON host, queries for analysis results using MD5 hashes, and uploads to server for analysis:
cybertriage64 --createIncident="Demo Incident" --addHost="JSON Host" --addHostType="JSON" --addHostPath="C:\work\hosts\host.json" --addHostMalware="hash, upload" --nogui --nosplash
The following example opens an existing incident, adds KAPE “.vhd” output file as a new host, queries for analysis results using MD5 hashes, marks the malware items as “Suspicious” but does not upload them to server for analysis. Note that ingest will only run on the new host (“KAPE Host”), not the one already in the incident (“JSON Host”).
cybertriage64 --openIncident="Demo Incident" --addHost="KAPE Host" --addHostType="KAPE" --addHostPath="C:\work\hosts\host.vhd" --addHostMalware="hash" --nogui --nosplash
14.5.6. Opening an Existing Host
You can open an existing host using the --openHost option. You can only open one host at a time. This is useful if you want to generate a host-level report.
When opening a host, the following parameter must be specified:
--openHost=(Host Name) - Display name of the existing host
The following example opens an existing incident, and opens existing KAPE “.vhd” host:
cybertriage64 --openIncident="Demo Incident" --openHost="KAPE Host" --nogui --nosplash
14.5.7. Generating Reports
You can generate either an incident report or a host report from command line.
14.5.7.1. Generating a Host Report
You can generate a host report using the --generateHostReport option. There are two times when this command is typically used:
In the same command invocation that adds the host. This will generate a report right after it adds and processes the host data.
In a different invocation, in which case you must specify --openHost to select the host to report on.
When generating a host report, the following parameters must be specified:
--reportType=(Host report type) - Supported host report types are discussed below
--reportPath=(Path to output directory) - Full path to the directory where you want to store the report. A report subdirectory will be created within that directory to store the report.
14.5.7.2. Supported Host Report Types
The following host report types are supported:
HTML - Bad and Suspicious Items in HTML
CSV - All Items in CSV (Timeline)
JSON - All Items in JSON
BAD_JSON - Bad Items in JSON
JSONLINE - All Items in JSON Line (Timesketch)
ZIPBADFILES - Bad Files in a ZIP
HASH - All File SHA-256 hashes as text
IP - All IPs as text
MITRE_JSON - Bad and Suspicious Items in MITRE ATT&CK® Navigator JSON
14.5.7.3. Usage Examples
In this example we’re adding a new DiskImage host to an existing incident and generating an HTML host report at the end:
cybertriage64 --openIncident="Demo Incident" --addHost="Disk Host" --addHostType="DiskImage" --addHostPath="C:\work\hosts\host.E01" --addHostMalware="None" --generateHostReport --reportType="HTML" --reportPath="C:\work\reports" --nogui --nosplash
The following example opens an existing incident, opens an existing host named “KAPE Host”, and generates a JSON host report:
cybertriage64 --openIncident="Demo Incident" --openHost="KAPE Host" --generateHostReport --reportType="JSON" --reportPath="C:\work\reports" --nogui --nosplash
14.5.7.4. Generating an Incident Report
You can generate an incident report using the --generateIncidentReport option. This option can be run alone or in the same invocation that adds a host. You select which incident report type to export with the --reportType option.
When generating an incident report, the following parameters must be specified:
--reportType=(Incident report type) - Supported incident report types are discussed below
--reportPath=(Path to output directory) - Full path to the directory where you want to store the report. A report subdirectory will be created within that directory to store the report.
14.5.7.5. Supported Incident Report Types
The following incident report types are supported:
HTML - Bad and Suspicious Items in HTML
CSV - All Items in CSV (Timeline)
JSON - All Items in JSON Line (Timesketch)
14.5.7.6. Usage Examples
In this example we’re adding a new DiskImage host to an existing incident and generating an HTML incident report:
cybertriage64 --openIncident="Demo Incident" --addHost="Disk Host" --addHostType="DiskImage" --addHostPath="C:\work\hosts\host.E01" --addHostMalware="None" --generateIncidentReport --reportType="HTML" --reportPath="C:\work\reports" --nogui --nosplash
The following example opens an existing incident and generates a JSON incident report:
cybertriage64 --openIncident="Demo Incident" --generateIncidentReport --reportType="JSON" --reportPath="C:\work\reports" --nogui --nosplash
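Because only one host can be added per invocation, bulk ingest means chaining several runs: create the incident with the first collection, open it for each further host, then generate the incident report. The following wrapper is an added example, not part of the Cyber Triage documentation or product; the executable path is the documented default, and the extension-to-host-type mapping and the use of the file stem as host name are the example's own assumptions.

```python
import subprocess
from pathlib import Path

# Assumed install location (the documented default); adjust for your deployment.
CYBERTRIAGE = r"C:\Program Files\Cyber Triage\bin\cybertriage64.exe"

# Supported values, as listed in the documentation above (matched case-insensitively).
MALWARE_OPTIONS = {"imphash", "hash", "upload", "none"}
INCIDENT_REPORT_TYPES = {"HTML", "CSV", "JSON"}
# Assumed default mapping from file extension to --addHostType. ".vhd" is ambiguous
# (KAPE output or a disk image) and ".e01" can be disk or memory; pass host_type to override.
SUFFIX_TO_TYPE = {".json": "JSON", ".json.gz": "JSON", ".e01": "DiskImage",
                  ".dd": "DiskImage", ".img": "DiskImage", ".mem": "MemoryImage",
                  ".vmem": "MemoryImage", ".vhd": "KAPE"}

def host_type_for(path):
    """Pick --addHostType from the file name; raises on an unsupported collection file."""
    name = str(path).lower()
    for suffix, host_type in SUFFIX_TO_TYPE.items():
        if name.endswith(suffix):
            return host_type
    raise ValueError(f"no supported host type for {path}")

def add_host_cmd(incident, host_name, path, malware=("Hash",), create=False, host_type=None):
    """Argument vector for one --addHost run: one host per invocation, --nogui --nosplash always."""
    unknown = {m.lower() for m in malware} - MALWARE_OPTIONS
    if unknown:
        raise ValueError(f"unsupported malware option(s): {sorted(unknown)}")
    incident_flag = "--createIncident" if create else "--openIncident"
    return [CYBERTRIAGE, f"{incident_flag}={incident}", f"--addHost={host_name}",
            f"--addHostType={host_type or host_type_for(path)}", f"--addHostPath={path}",
            f"--addHostMalware={', '.join(malware)}", "--nogui", "--nosplash"]

def incident_report_cmd(incident, report_type, report_dir):
    """Argument vector for a stand-alone --generateIncidentReport run."""
    if report_type not in INCIDENT_REPORT_TYPES:
        raise ValueError(f"unsupported incident report type: {report_type}")
    return [CYBERTRIAGE, f"--openIncident={incident}", "--generateIncidentReport",
            f"--reportType={report_type}", f"--reportPath={report_dir}", "--nogui", "--nosplash"]

def ingest_directory(incident, files, report_dir, malware=("Hash",), run=subprocess.run):
    """Create the incident with the first file, add the rest one run at a time, then report."""
    commands = []
    for i, path in enumerate(files):
        # Host names must be unique; the file stem is this example's default (caller must ensure uniqueness).
        commands.append(add_host_cmd(incident, Path(path).stem, path, malware, create=(i == 0)))
    commands.append(incident_report_cmd(incident, "HTML", report_dir))
    for cmd in commands:
        run(cmd, check=True)  # sequential runs, since the CLI accepts one host per invocation
    return commands
```

The `run` parameter exists so the argument vectors can be inspected without launching Cyber Triage; subprocess passes each list element as one argument, so the quoting shown in the shell examples above is not needed here.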