RTR using Falcon Crowdstrike

Real Time Response

Real Time Response is a powerful tool that gives security administrations the ability to remotely access systems for administration tasks, remediation actions or forensics collection, etc. without requiring physical access to the system. For more information on the CrowdStrike solution, see the additional resources and links below.

In the Falcon UI, navigate to Activity > Detections. Commonly, a new detection will be the event that triggers a need for remediation.Directly from a given detection, the “Connect to Host” button allows you to remotely connect and take action.

You can also connect to a host from Hosts > Host Management.

Once connected, you will be presented with a list of commands and capabilities available in Real Time Response. With the ability to run commands, executables and scripts, the possibilities are endless. A few examples are listed below.



Falcon has three Real Time Responder roles to grant users access to different sets of commands to run on hosts.

  • Real Time Responder - Read Only Analyst (RTR Read Only Analyst) - Can run a core set of read-only response commands to perform reconnaissance

  • Real Time Responder - Active Responder (RTR Active Responder) - Can run all of the commands RTR Read Only Analyst can and more, including the ability to extract files using the get command, run commands that modify the state of the remote host, and run certain custom scripts

  • Real Time Responder - Administrator (RTR Administrator) - Can do everything RTR Active Responder can do, plus create custom scripts, upload files to hosts using the put command, and directly run executables using the run command.

RUNNING COMMANDS

On the host you are connected to, you can run commands from the list in the Run Commands tab of the Real Time Response window. Run the help command for a list of all available commands.

C:\> help


cat

Read a file from disk and display as ASCII or hex

cd

Change the current working directory

clear

Clear Screen

cp

Copy a file or directory

encrypt

Encrypt a file with AES-256

env

Get environment variables for all scopes (Machine / User / Process)

eventlog

Inspect event logs. Subcommands: backup, export, list, view

filehash

Generate the MD5, SHA1, and SHA256 hashes of a file

get

Upload a file to the CrowdStrike cloud

getsid

Enumerate local users and Security Identifiers (SID)

help

Get help on a specific command or subcommand

history

View History

ipconfig

Show network configuration information

kill

Kill a process

ls

Display the contents of the specified path

map

Map an SMB (network) share drive

memdump

Dump the memory of a process

mkdir

Create a new directory (access restricted to administrative groups)

mount

List mounted filesystem volumes

mv

Move a file or directory

netstat

Display network statistics and active connections

ps

Display process information

reg

Windows registry manipulation. Subcommands: delete, load, query, set, unload

restart

Restart target system

rm

Remove a file or directory

runscript

Run a PowerShell script

shutdown

Shutdown target system

unmap

Unmap an SMB (network) share drive

xmemdump

Dump the complete or kernel memory of a system

zip

Compress a file or directory into a zip file

RUNNING CUSTOM SCRIPTS 

On the Run Commands tab, you have two options to populate the command field to run a custom script:

  • Expand the session details panel from the right to see available custom scripts under Saved scripts. Click the name of any script to populate the command field with “runscript -CloudFile=”<Script_Name>” -CommandLine=””


  • Run the runscript command with one of the following flags:

    • CloudFile: Enter the name of an existing custom script already saved in the CrowdStrike cloud directly into the command line

    • Raw: Enter the script content directly into the command line. (RTR Administrator only). Enclose the entire script contents in triple backticks.

    • HostPath: Enter the file path of an existing custom script stored locally on the remote host (RTR Administrator only)

TESTING A CUSTOM SCRIPT

Test out potential response scripts before saving them. You can run any PowerShell command from the Edit & Run Scripts tab of a response session without saving. When you are ready to add it to your list of custom scripts, click Save.

CREATING A NEW CUSTOM SCRIPT

You can reach the "Create a custom script" dialog either from the Response Scripts & Files page or from within a Real Time Response session.

  • From the Response Scripts & Files page, click Create a script.

  • From a Real Time Response session, go to the Edit & Run Scripts tab and click Save.


Stay Tuned for More Updates....

Comments

Popular posts from this blog

Top Commands Mostly Used By System Administrator.

SECURITY OPERATION CENTRE

Damn Vulnerable Web Application - Part 1

Cyber Threat Intelligence

Collective Intelligence Framework v3 - Part 1

Top 20 Subdomains Search Engines

Collective Intelligence Framework v3 - Part 2

Security Architecture for Startup

TrickBot Malware Family - A Deep Dive using Falcon Crowdstrike