16.4. Collect with Crowd Strike Real Time Response

You can deploy the Cyber Triage Collector tool with Crowd Strike using the Real Time Response feature. This allows you to collect the artifacts over the network without needing to use the PsExec-based approach that comes with Cyber Triage (see Network - PsExec).

Real Time Response is currently available with Falcon Insight.

16.4.1. Real Time Response Basics

The official Crowd Strike documentation should be referred to for details of the feature, but let’s cover the basic concepts:

  • Real Time Response gives you access to a command prompt on a remote system

  • The Crowd Strike server can store files that get pushed to the endpoint when a response session is started.

The basic approach for deploying Cyber Triage Collector will be to:

  • Edit the Cyber Triage Deployer script to meet your use case

  • Upload the Deployer script to the library in your Crowd Strike account

  • Create response sessions as needed and manually run the Deployer

16.4.2. Prepare Crowd Strike for Collection

There are three main preparation steps to make it easy to deploy the Cyber Triage Collector.

  1. Download the Deployer Powershell script from the website. This script will be what Crowd Strike runs and it is responsible for getting the Collector onto the system and running it.

  2. Configure the script as outlined in the Collector Deployer Powershell Script section. You’ll need to make decisions about where data will be sent, etc. More details are provided below.

  3. Upload the script to the Real Time Response library as outlined below.

16.4.2.1. Crowd Strike Configuration Suggestions

Each EDR has different features for deploying forensic collectors. Some special notes for Crowd Strike include:

  • It will kill a command, by default, if it does not finish in 30 seconds. So, the collector needs to be run as a background process so that it continues even if the original script is killed.

  • It will kill a session if you do not type something into it after 10 minutes.

  • It copies files into the C:\ drive, which means that output needs to be directed to somewhere else.

  • Crowd Strike will only copy files back that are 4GB or less. While rare, the Cyber Triage Collector output can be that large.

The Deployer script supports a variety of scenarios that you must pick from. We recommend:

  • Let the script download the collector from the Cyber Triage website as long as you are running the latest version of the software.

  • Have the script send data back directly to your Cyber Triage server. This gets you the data fastest and means you do not have to guess when the collection is done.

  • If you can’t send it directly to your server, then you should configure it to upload to S3 or Azure.
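The pattern behind the first note above (launch the Collector detached so the 30-second command limit does not kill it, direct output away from C:\, and leave a record so a later session can check on it), as an added PowerShell example. This is not the Cyber Triage Deployer script; the staging path, PID file, log file and the $CollectorArgs values are assumptions of this example, and the real Collector command-line options must be taken from the Collector documentation.

```powershell
# Added example, not the Cyber Triage Deployer script.
# Shows the "run in the background" pattern Real Time Response requires:
# Start-Process returns immediately, so the Collector survives when RTR
# kills this script after 30 seconds.
#
# Assumptions (not from the docs): the Collector executable has already
# been staged at $CollectorPath, the PID/log file names are this example's
# own, and $CollectorArgs are PLACEHOLDER options, not real Collector flags.

$CollectorPath = 'C:\Windows\Temp\CyberTriageCollector.exe'   # assumed staging location
$OutputPath    = 'C:\Windows\Temp\file.json.gz'               # default output location named in the docs
$PidFile       = 'C:\Windows\Temp\ct_collector.pid'           # assumed; read back by a later session
$LogFile       = 'C:\Windows\Temp\ct_collector.log'           # assumed; Collector stdout goes here
$CollectorArgs = @('--placeholder-output-option', $OutputPath) # PLACEHOLDER args; consult the Collector docs

function Start-CollectorInBackground {
    if (-not (Test-Path -Path $CollectorPath)) {
        throw "Collector not found at $CollectorPath; the Deployer must stage it first."
    }

    # -PassThru returns the Process object so the PID can be recorded.
    # No job or pipeline holds the child, so it keeps running after RTR
    # terminates the PowerShell host that launched it.
    $proc = Start-Process -FilePath $CollectorPath `
                          -ArgumentList $CollectorArgs `
                          -WindowStyle Hidden `
                          -RedirectStandardOutput $LogFile `
                          -PassThru

    # Record the PID for the status check run from a later response session.
    Set-Content -Path $PidFile -Value $proc.Id
    Write-Output "Collector started as PID $($proc.Id); output -> $OutputPath; log -> $LogFile"
    return $proc.Id
}

Start-CollectorInBackground
```

Because the script returns within a second or two, the Real Time Response command completes normally and the Collector keeps running on its own; the PID file is what the next session uses to tell "still running" from "finished".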

16.4.2.2. Uploading the Powershell Script to Real Time Response Library

You can upload your Deployer script to your Crowd Strike console so that it can be more easily pushed out to endpoints. Before uploading the script, ensure you’ve edited it based on:

  • How the Collector will get onto the host

  • What data will be collected

  • Where data will be sent

As a reminder, you can run the Powershell script locally to make sure it works.

Nothing in the upload process is unique to Cyber Triage, but we will outline the basic Real Time Response ideas here:

  1. Navigate to “Response scripts and files” under the “Host Setup and Management” menu.

     [Screenshot: ../../_images/integ_cs_setup1.png]

  2. Press the “+Create Script” button.

  3. A configuration dialog will appear.

    • Give it a name such as deploy_cyber_triage_collector (the same name as the Deployer script)

    • Specify the type as Powershell

    • Specify access consistent with your organizational policies

    • Copy the modified Deployer script into the text area

     [Screenshot: ../../_images/integ_cs_setup2.png]

  4. After pressing “Create”, the script will be available as a custom script.

16.4.3. Initiate a Real Time Response-based Collection

Once the Deployer script has been uploaded to the library, you can use it in later response sessions.

  1. Choose the “Connect to host” feature on the device you want to collect from. You can get to the host by navigating to it in the host listing or from an alert.

     [Screenshot: ../../_images/integ_cs_deploy1.png]

  2. Once you get the command prompt, the needed command line can be inserted automatically by expanding the “Host Information” area with the button in the upper right.

     [Screenshot: ../../_images/integ_cs_deploy2.png]

  3. From there, choose “Scripts”, then “Custom Scripts”, and find “deploy_cyber_triage_collector” (or whatever you named it when you uploaded it).

     [Screenshot: ../../_images/integ_cs_deploy3.png]

  4. Press “Run Command”, which will run the script in the prompt:

     [Screenshot: ../../_images/integ_cs_deploy4.png]

  5. Because Crowd Strike will kill any script that runs for more than 30 seconds, the collector runs as a background process. You will need to check in periodically to see if it is still running.

If you configured the Deployer script to save data to a file, then you need to copy it off the endpoint when it is done. You can do this with the ‘get’ command (you may need to create a new session if the initial one timed out). The default location to save the data to is C:\windows\temp\file.json.gz. Note that Crowd Strike has a maximum file size of 4GB to transfer.
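The periodic check-in described above, as an added PowerShell example that is not part of the Cyber Triage documentation. It reports whether the background Collector is still running, and, once it has exited, whether the output file is within the 4GB transfer limit before you run ‘get’. It assumes the launch script recorded the Collector PID in a PID file (an assumption of this example, not something the Deployer script is documented to do) and uses the default output path from the docs.

```powershell
# Added example, not Cyber Triage code. Run from a Real Time Response
# prompt (or a fresh session if the first one timed out) to decide whether
# the collection is done and whether 'get' can retrieve the output.
#
# Assumption: the PID file was written by whatever launched the Collector;
# the Deployer script is not documented to do this.

$PidFile    = 'C:\Windows\Temp\ct_collector.pid'   # assumed; written at launch
$OutputPath = 'C:\Windows\Temp\file.json.gz'       # default output location from the docs
$MaxGetSize = 4GB                                  # Real Time Response 'get' limit

function Get-CollectorStatus {
    # Returns one of: Running, NoOutput, TooLargeForGet, ReadyForGet
    $pidText = Get-Content -Path $PidFile -ErrorAction SilentlyContinue
    if ($pidText) {
        $collectorPid = [int]($pidText.Trim())
        # Get-Process with -ErrorAction SilentlyContinue returns $null once the PID is gone.
        $proc = Get-Process -Id $collectorPid -ErrorAction SilentlyContinue
        if ($null -ne $proc) {
            Write-Output "Collector (PID $collectorPid) is still running; check back later."
            return 'Running'
        }
    }

    if (-not (Test-Path -Path $OutputPath)) {
        Write-Output "Collector is not running and no output exists at $OutputPath; review the Collector log."
        return 'NoOutput'
    }

    $size = (Get-Item -Path $OutputPath).Length
    $sizeGb = '{0:N2}' -f ($size / 1GB)
    if ($size -gt $MaxGetSize) {
        # Over the limit: 'get' will not transfer it, so fall back to the
        # send-to-server or S3/Azure upload options in the Deployer script.
        Write-Output "Output is $sizeGb GB, over the 4GB 'get' limit; use direct upload to the server or S3/Azure instead."
        return 'TooLargeForGet'
    }

    Write-Output "Output is $sizeGb GB; retrieve it with:  get $OutputPath"
    return 'ReadyForGet'
}

Get-CollectorStatus
```

Running this once every few minutes also keeps the session alive, since the 10-minute idle timeout noted earlier only triggers when nothing is typed.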