Collecting data from endpoints

A critical step in the incident response process is the collection of data from compromised endpoints for further forensic analysis. Threat Response provides a feature called Live Response that you can use to collect specific information from endpoints to use for forensic analysis, data correlation, and to investigate potentially compromised systems with a customizable and extensible framework.

Live Response collects forensic information from endpoints, and transfers the results to a network location that you specify in a package. The Live Response package contains configuration files that identify the data to collect, and where to copy the data. Specify the data that you want to collect from endpoints, and the network destination to save the collected files.

Destinations

A destination is a location to save forensic data. The server that receives information from Live Response can be an Amazon S3 bucket, or a server that accepts transfers over the SFTP, SCP, or SMB protocols. SMB is Windows only: SMB destinations are not included in Live Response packages for macOS and Linux.

For SSH (SFTP/SCP) destinations, a user with write access to the destination path is required. Consider modifying the /etc/ssh/sshd_config file on the server so that this user is allowed only SFTP or SCP access. A best practice is to use Linux servers as the destinations for SFTP/SCP transfers.

The key exchange algorithms supported by Live Response for SSH destinations include:

  • [email protected]
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
  • diffie-hellman-group14-sha1
  • diffie-hellman-group1-sha1

At least one of these algorithms must be supported by the server for SSH (SFTP/SCP) destinations.
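As an added illustration of the sshd_config restriction suggested above (not from the Tanium documentation), the following Match block confines a dedicated upload account to the SFTP subsystem. The account name lr-upload and the directory layout are assumptions; because the block forces internal-sftp, the destination that uses this account must select SFTP (not SCP) as its protocol and Private Key as its authentication type.

```sshconfig
# Added example: restrict the Live Response upload account to SFTP only.
# "lr-upload" is an assumed account name.
#
# Prerequisites for ChrootDirectory %h: the account's home directory (the
# chroot root) is owned by root and not group- or world-writable, and the
# Remote Path you enter in the destination (for example FileCollection) is
# a subdirectory of it owned by lr-upload, so endpoints can write there.
# Inside the chroot the relative Remote Path resolves from the home
# directory, which matches how Live Response treats SSH remote paths.
#
# KexAlgorithms cannot be set inside a Match block. If you have hardened the
# global KexAlgorithms list, keep at least one algorithm that Live Response
# supports (for example ecdh-sha2-nistp256 or stronger) in that list.

Match User lr-upload
    ForceCommand internal-sftp
    ChrootDirectory %h
    PubkeyAuthentication yes
    PasswordAuthentication no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
```

Validate the file with sshd -t before reloading the service, and confirm from a client that the account can list and write only the upload subdirectory.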

For an SMB copy location, the system account is used. SMB shares work with domain joined endpoints. Either the specific endpoint must have write access, or the domain computers group must have write access. Required advanced permissions:

  • Create files / write data
  • Create folders / append data
  • Write attributes

For Amazon S3 Bucket copy locations, ensure that clients are synchronized with a time server. Transfers fail if the client time differs from the server time by more than 15 minutes.

For more information on using Amazon S3 Buckets with Live Response, see How to create an AWS S3 Bucket for use with Live Response (login required).

Do not use SMB transfer destinations when a system has been quarantined by Tanium. Live Response uses domain authentication for transfers. When a system is quarantined it cannot reauthorize with the domain and authentication fails.

  1. From the Threat Response menu, click Management > Live Response. Click Destinations. Click Create Destination.
  2. In the General Information section, provide a name and description for the destination.
  3. Select Enable to enable the destination. Enabling a destination makes the destination available to use to collect endpoint data.
  4. Select a destination type. Available destination types are S3, SSH, and SMB. The destination type that you select determines the types of required setting information. Refer to destination types for more information.
  5. Click Save.

Destination types

Different types of destinations require different settings.

There is no option to disable host key verification for SSH destinations in Live Response for Threat Response, so the Known Hosts setting of an SSH destination must contain the host key entry for the server.

S3 Destinations

For S3 destinations, the following settings are required:

  • Bucket: The name of the S3 bucket. When you use an S3 bucket as a destination, make sure that clients are synchronized with a time server. Transfers fail if the client time differs from the server time by more than 15 minutes.
  • Access Key ID: An ID that corresponds with a secret access key. For example, AKIAIOSFODNN7EXAMPLE.
  • Secret Access Key: A secret key that corresponds with an access key ID. For example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY. Manage your access keys as securely as you do your user name and password. When you create access keys, you create the access key ID and secret access key as a set. During access key creation, AWS gives you one opportunity to view and download the secret access key part of the access key. If you do not download the key or if you lose the key, you can delete the access key and then create a new one.
  • Region: An explicitly defined S3 region.
  • Host: The fully qualified domain name of the host.
  • Port: The port to use for the connection to the destination. The default is 443.
  • Use SSL: Enables SSL encryption for the connection.
  • Force Path Style Types: Forces API calls to use path-style URLs, where the bucket name is part of the URL path, to access buckets.
  • Connection Timeout: The amount of time to spend attempting to establish a connection.
  • Remote Path: A path on the destination where collected data is written.

SSH Destinations

For SSH destinations, the following settings are required:

  • Protocol: Select SFTP or SCP as the protocol to transfer collected files to the destination.
  • Authentication Type: Private Key or Password. The authentication type that you select determines whether you are prompted to provide a private key or a password to authenticate with the destination.
  • Host: The fully qualified domain name of the host.
  • Port: The port to use for the SSH connection to the destination. The default is 22.
  • Username: The user name for the connection to the destination.
  • Password or Private Key: The password for the user name, or a private key to authenticate the connection to the destination. An RSA key must be base64 encoded before you enter it into the private key field.

    In PowerShell you can convert to base64 encoding using the following command (use a full path, because ReadAllBytes resolves relative paths against the process working directory, not the PowerShell location):

    [Convert]::ToBase64String([System.IO.File]::ReadAllBytes('<filepath>'))

    On Linux you can convert to base64 encoding, without line wrapping, using the following command:

    cat <filepath> | base64 -w 0

    The macOS base64 utility does not accept -w; use the following command instead:

    cat <filepath> | base64 | tr -d '\n'

    Although an OpenSSH private key file already contains base64 data between its BEGIN and END lines, encode the entire file again before uploading.

  • Known Hosts: The content of an SSH known hosts file.
  • Connection Timeout: The amount of time to spend attempting to establish a connection.
  • Remote Path: A path on the destination where collected data is written. This path is relative to the home directory of the connecting user. Absolute paths are not supported.

SMB Destinations

The SMB transfer protocol is only supported on Windows operating systems. SMB destinations are not included in Live Response packages for macOS and Linux.

For SMB destinations, the following settings are required:

  • Universal Naming Convention: The UNC path of the destination. For example, \\server\folder

Collections

A collection defines the data to collect from an endpoint. The following configurations are provided with Live Response:

  • Standard Collection: Use for default data. The standard collection contains file collectors to collect specific files from endpoints. See File Collector Sets for a reference of the file collectors that are contained in each type of collection. The following data is captured by default, and is configurable in the standard collection:
    • ProcessDetails
    • ModuleDetails
    • DriverDetails
    • PFPrefetch
    • PFAmcache
    • PFShimcache
    • PFShellLink
    • PFScheduledJob
    • ScheduledTasksDetails
    • PFRecentFileCache
    • PFUserAssist
    • NetworkConnectionDetails
    • HandleDetails
    • Autoruns
  • Extended Collection: Use to collect the same data as the standard collection, plus more file based artifacts, such as the kernel, the Master File Table, USN Journal, event logs, registry hive files, and so on. The extended collection contains file collectors to collect specific files from endpoints. See File Collector Sets for a reference of the file collectors that are contained in each type of collection. The following data is configurable in the extended collection:
    • Process details
    • Module details
    • Driver details
    • Prefetch
    • Amcache
    • Shim cache
    • Scheduled tasks
    • Recent files
    • Network connections
    • Process handle details
    • Autoruns details
    • Hosts file
    • Standard and Master Boot Record
    • Master File Table
    • USN Journal, Kernel
    • Registry Hives
    • User Profiles
    • Event Logs
    • Prefetch files
    • Chrome user data
    • Recorder database (if present)
    • Index Database (if present)

The option to Collect Recorder Database Snapshot enables you to collect a snapshot of either recorder.db or monitor.db from endpoints. Collect Recorder Database Snapshot creates a snapshot of the recorder database, whether or not it is encrypted, and adds the snapshot to the collection. The snapshot that this module creates is removed from the endpoint when the collection has completed. By default, recorder database snapshots are saved in a folder named RecorderSnapshot under a path that corresponds with the name of the endpoint. For example, <base_directory>\<endpoint_name>\collector\RecorderSnapshot\<database_name>.db.

  • Memory Collection: Use for memory acquisition. The memory collection contains file collectors to collect specific files from endpoints. See File Collector Sets for a reference of the file collectors that are contained in each type of collection. Memory data is configurable in the memory collection.

You can create a custom configuration to collect specific data from endpoints.

  1. From the Threat Response menu, click Management > Live Response. Click Collections. Click Create Collection.
  2. In the General Information section, provide a name and description for the collection.
  3. Select Enable to enable the collection. Enabling a collection makes the collection available to use to collect endpoint data.
  4. Select the modules that you want to include in the data collection. A module is a functional area of forensic investigation. For example, the Network Connections module collects data that is helpful to understanding network connections that the endpoint has been involved in. The operating system icons next to each module show the operating systems to which the modules apply.
  5. Under Script Sets, select the script sets that you want to include in the collection. See Script Sets for more information.
  6. Under File Acquisition, select the Tanium File Collectors and User Defined File Collectors that you want to include in the collection. See File Collectors for more information.
  7. Add any Ad-hoc file collectors that you want to include in the collection. Ad-hoc file collectors are not part of a file collector set. You can use Ad-hoc file collectors to collect any additional files that are relevant to a specific collection.
    1. Click Add File Collector.
    2. Provide a name for the file collector.
    3. Provide a path for files to collect. Paths support environment variables and regular expressions. For more information, see Regular expressions and environment variables.
    4. Provide a file pattern for the files to collect. File patterns support regular expressions. For more information, see Regular expressions and environment variables.
    5. Specify the maximum depth of directories to recurse from the path you provided.
    6. Specify the maximum number of files to collect.
    7. Select Raw to preserve the format of the files that are collected.
    8. Select the operating systems from which you want the file collector to collect files.
    9. Click the check mark in the top right to save the file collector.
  8. Click Save.

File Collector sets

File collector sets define the types of files that you want to collect from endpoints. For example, you can select all files of a specific type, or files that reside on a specific path. Live Response on Windows also collects alternate data streams. The name of the alternate data stream is appended to the name of the regular data stream, preceded by an underscore. For example, if an alternate data stream named hidden_datastream exists for a file named hosts, that alternate data stream is collected as <path>\hosts_hidden_datastream.

When setting a maximum recursive depth, enter -1 to represent unlimited.

Each file collector is listed under its file collector set with the collection it is featured in, the operating systems it applies to, its path, its file pattern, its maximum recursive depth, and the maximum number of files to collect.

  • Hosts File
    • Windows Hosts File: Collection: Standard, Extended; OS: Windows; Path: %systemdrive%\windows\system32\drivers\etc; Pattern: (^hosts$); Depth: 1; Max files: 1
    • Non-Windows Hosts File: Collection: Standard, Extended; OS: Linux, Mac; Path: /etc; Pattern: (^hosts$); Depth: 1; Max files: 1
  • Etc Folder Tree
    • Etc: Collection: Standard, Extended; OS: Linux, Mac; Path: /etc; Pattern: .*; Depth: 15; Max files: Unlimited
  • Shell History Files
    • PowerShell History: Collection: Standard, Extended; OS: Windows; Path: %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\; Pattern: ^ConsoleHost_history.txt$; Depth: 0; Max files: 1
    • Bourne Again (bash) Shell History: Collection: Standard, Extended; OS: Linux, Mac; Path: $HOME; Pattern: ^\.bash_history$; Depth: 0; Max files: 1
    • Bourne (sh) Shell History: Collection: Standard, Extended; OS: Linux, Mac; Path: $HOME; Pattern: ^\.sh_history$; Depth: 0; Max files: 1
    • Bourne Again (bash) Sessions: Collection: Standard, Extended; OS: Mac; Path: $HOME/.bash_sessions; Pattern: .*history.*; Depth: 15; Max files: Unlimited
  • Secure Shell (SSH) Files
    • User's Known Hosts: Collection: Standard, Extended; OS: Linux, Mac; Path: $HOME/.ssh; Pattern: ^known_hosts$; Depth: 0; Max files: 1
    • User's Authorized Keys: Collection: Standard, Extended; OS: Linux, Mac; Path: $HOME/.ssh; Pattern: ^authorized_keys$; Depth: 0; Max files: 1
    • Current SSH Users: Collection: Standard, Extended; OS: Linux, Mac; Path: /var/run; Pattern: ^utmp.*; Depth: 0; Max files: 1
    • SSH Logon Logoff: Collection: Standard, Extended; OS: Linux; Path: /var/log; Pattern: ^wtmp.*; Depth: 0; Max files: Unlimited
    • Failed SSH Logon: Collection: Standard, Extended; OS: Linux; Path: /var/log; Pattern: ^btmp.*; Depth: 0; Max files: Unlimited
    • SSH Last Logged On Users: Collection: Standard, Extended; OS: Linux; Path: /var/log; Pattern: ^lastlog$; Depth: 0; Max files: Unlimited
    • SSH Daemon Configuration: Collection: Standard, Extended; OS: Linux, Mac; Path: /etc/ssh; Pattern: ^sshd_config$; Depth: 0; Max files: Unlimited
    • SSH Client Configuration: Collection: Standard, Extended; OS: Linux, Mac; Path: /etc/ssh; Pattern: ^ssh_config$; Depth: 0; Max files: Unlimited
  • Systemd Folder Tree
    • Systemd: Collection: Standard, Extended; OS: Linux; Path: /etc/systemd/system; Pattern: .*; Depth: 15; Max files: Unlimited
  • Kext Details
    • Kext Details: Collection: Standard, Extended; OS: Mac; Path: /var/db/SystemConfiguration; Pattern: ^KextPolicy$; Depth: 15; Max files: Unlimited
    • Kext Details (v11+): Collection: Standard, Extended; OS: Mac; Path: /var/db/SystemPolicyConfiguration; Pattern: ^KextPolicy$; Depth: 15; Max files: Unlimited
  • Master File Table
    • Windows Master File Table: Collection: Extended; OS: Windows; Path: %systemdrive%; Pattern: (\$MFT$); Depth: 1; Max files: 1
  • UsnJrnl
    • UsnJrnl: Collection: Extended; OS: Windows; Path: %systemdrive%\$Extend; Pattern: (%.UsnJrnl$); Depth: 1; Max files: 1
  • Kernel
    • Windows Kernel: Collection: Extended, Memory; OS: Windows; Path: %systemdrive%\windows\system32\; Pattern: ntoskrnl\.exe; Depth: 1; Max files: 1
  • System Registry Hives
    • Windows System Registry Hives: Collection: Extended; OS: Windows; Path: %systemdrive%\windows\system32\config\; Pattern: ((^system$)|(^security$)|(^software$)|(^sam$)); Depth: 1; Max files: 4
  • User Registry Hives
    • Windows User Registry Hives: Collection: Extended; OS: Windows; Path: %userprofile%\; Pattern: (^ntuser\.dat$); Depth: 2; Max files: Unlimited
  • Windows Event Logs
    • Windows Event Logs: Collection: Extended; OS: Windows; Path: %systemdrive%\windows\system32\winevt\logs\; Pattern: .*\.evtx; Depth: 1; Max files: 2000
  • Windows Prefetch Files
    • Windows Prefetch Files: Collection: Extended; OS: Windows; Path: %systemroot%\prefetch\; Pattern: (.*\.pf)|(layout\.ini)|(.*\.db)|(pfsvperfstats\.bin); Depth: 1; Max files: Unlimited
  • Chrome User Data
    • Windows Chrome User Data - Cache: Collection: Extended; OS: Windows; Path: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Cache\; Pattern: .*; Depth: 0; Max files: Unlimited
    • Windows Chrome User Data - Local Storage: Collection: Extended; OS: Windows; Path: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Local Storage\; Pattern: .*; Depth: 0; Max files: Unlimited
    • Windows Chrome User Data - Profile: Collection: Extended; OS: Windows; Path: %LOCALAPPDATA%\Google\Chrome\User Data\Default\; Pattern: .*; Depth: 0; Max files: Unlimited
    • MacOS Chrome Data: Collection: Extended; OS: Mac; Path: $HOME/Library/Application Support/Google/Chrome; Pattern: .*; Depth: 9; Max files: Unlimited
    • Linux Chrome Data: Collection: Extended; OS: Linux; Path: $HOME/.config/google-chrome; Pattern: .*; Depth: 9; Max files: Unlimited
  • Tanium Trace Database
    • Windows Tanium Trace Database: Collection: Extended; OS: Windows; Path: %TANIUMDIR%\; Pattern: ^monitor\.db(\-)*(wal|shm|journal)*$; Depth: 0; Max files: Unlimited
  • Tanium Index Database
    • Windows Tanium Index Database: Collection: Extended; OS: Windows; Path: %TANIUMDIR%\Tools\EPI\; Pattern: ^EndpointIndex\.db(\-)*(wal|shm|journal)*$; Depth: 0; Max files: Unlimited
  • Shell Configuration Files
    • Bourne Again (bash) Settings: Collection: Extended; OS: Linux, Mac; Path: $HOME; Pattern: ^\.bash(rc|_profile|_aliases)$; Depth: 0; Max files: 1
    • C Shell (csh and tcsh) Settings: Collection: Extended; OS: Linux, Mac; Path: $HOME; Pattern: ^\.(tcshrc|cshrc)$; Depth: 0; Max files: 1
  • Available Shells
    • Available Shells: Collection: Extended; OS: Linux, Mac; Path: /etc; Pattern: ^shells$; Depth: 0; Max files: 1
  • Passwd and Group Files
    • Passwd and Group Files: Collection: Extended; OS: Linux, Mac; Path: /etc; Pattern: ^(passwd|group)$; Depth: 0; Max files: Unlimited
  • Shadow Files
    • Shadow Files: Collection: Extended; OS: Linux, Mac; Path: /etc; Pattern: ^(shadow|gshadow|master\.shadow)$; Depth: 0; Max files: Unlimited
  • Sudoers Configuration
    • Sudoers File: Collection: Extended; OS: Linux, Mac; Path: /etc; Pattern: ^sudoers$; Depth: 0; Max files: Unlimited
    • Sudoers.d Folder Contents: Collection: Extended; OS: Linux, Mac; Path: /etc/sudoers.d; Pattern: .*; Depth: 15; Max files: Unlimited
  • Mount Points
    • Mount Points: Collection: Extended; OS: Linux; Path: /etc; Pattern: ^fstab$; Depth: 0; Max files: 1
    • NFS Mount Points: Collection: Extended; OS: Linux; Path: /etc; Pattern: ^exports.*; Depth: 0; Max files: 1
  • Preload Shared Libraries
    • LD Preload Shared Libraries: Collection: Extended; OS: Linux; Path: /etc; Pattern: ld\.so.*; Depth: 15; Max files: Unlimited
    • LD Preload Shared Libraries Configuration Directory: Collection: Extended; OS: Linux; Path: /etc/ld.so.conf.d; Pattern: .*; Depth: 0; Max files: Unlimited
  • Auditd Configuration and Rules
    • LD Preload Shared Libraries: Collection: Extended; OS: Linux; Path: /etc/audit; Pattern: .*; Depth: 15; Max files: Unlimited
  • RPM GPG Keys
    • RPM GPG Keys: Collection: Extended; OS: Linux; Path: /etc/pki/rpm-gpg; Pattern: .*; Depth: 15; Max files: Unlimited
  • SSL/TLS Certificates and PKI
    • SSL/TLS Certificates Directory: Collection: Extended; OS: Linux; Path: /etc/pki/tls; Pattern: .*; Depth: 15; Max files: Unlimited
    • SSL/TLS Certificate Authority Directory: Collection: Extended; OS: Linux; Path: /etc/pki/CA; Pattern: .*; Depth: 15; Max files: Unlimited
  • User Recently Used/Deleted Files
    • Recently Used GTK Files: Collection: Extended; OS: Linux; Path: $HOME/.local/share; Pattern: recently-used\.xbel; Depth: 15; Max files: Unlimited
    • Recently Deleted Info: Collection: Extended; OS: Linux; Path: $HOME/.local/share/Trash/info; Pattern: .*; Depth: 15; Max files: Unlimited
    • Recently Deleted Files: Collection: Extended; OS: Linux; Path: $HOME/.local/share/Trash/files; Pattern: .*; Depth: 15; Max files: Unlimited
  • User Vim Configuration
    • Vim Info: Collection: Extended; OS: Linux, Mac; Path: $HOME; Pattern: ^\.viminfo$; Depth: 0; Max files: Unlimited
    • Non-Windows Vim Configuration: Collection: Extended; OS: Linux, Mac; Path: $HOME; Pattern: ^\.vimrc$; Depth: 0; Max files: Unlimited
    • Windows Vim Configuration: Collection: Extended; OS: Windows; Path: %homepath%\; Pattern: ^_vimrc$; Depth: 0; Max files: Unlimited
  • User Less History
    • Less History: Collection: Extended; OS: Linux, Mac; Path: $HOME; Pattern: ^\.lesshst$; Depth: 0; Max files: Unlimited
  • User Database History
    • Database History: Collection: Extended; OS: Linux, Mac; Path: $HOME; Pattern: ^\.(psql|mysql|sqlite)_history$; Depth: 0; Max files: Unlimited
  • Cron Settings
    • Cron Files: Collection: Extended; OS: Linux, Mac; Path: /etc/cron; Pattern: .*; Depth: 15; Max files: Unlimited
    • Cron Logs: Collection: Extended; OS: Linux, Mac; Path: /var/log; Pattern: cron.*; Depth: 15; Max files: Unlimited

You can create custom file collector sets.

  1. From the Threat Response menu, click Management > Live Response. Click File Collection Sets. Click Create File Collection Set.
  2. In the General Information section, provide a name and description for the file collection set.
  3. Select Enable to enable the file collection set. Enabling a file collection set makes it available to use to collect endpoint data.
  4. Provide a name for the file collector.
  5. Provide a path for files to collect. Paths support environment variables and regular expressions. For more information, see Regular expressions and environment variables.
  6. Provide a file pattern for the files to collect. File patterns support regular expressions. For more information, see Regular expressions and environment variables.
  7. Specify the maximum depth of directories to recurse from the path you provided.
  8. Specify the maximum number of files to collect.
  9. Select Raw to preserve the format of the files that are collected.
  10. Select the operating systems from which you want the file collector to collect files.
  11. Click the check mark in the top right to save the file collector.
  12. Click Save.

Script sets

You can configure scripts to run on endpoints when you deploy the collection. Supported scripting languages include PowerShell and Python.

  1. From the Threat Response menu, click Management > Live Response. Click Script Sets. Click Create Script Set.
  2. In the General Information section, provide a name and description for the script set.
  3. Select Enable to enable the script set. Enabling a script set makes it available to use when endpoint data collection occurs.
  4. Under Scripts click Add a Script.
  5. Provide a filename for the script.
  6. Select Python or PowerShell as the type of script.
  7. Provide any script arguments to use as part of running the script.
  8. Add the script source.
  9. Click Save.

Script output is saved in a file that has the same name as the script, with -results appended to the file extension. For example, a script named test.ps1 creates output in test.ps1-results. All standard output is directed to the collector directory.

Collect data from endpoints

To collect data from endpoints, deploy a Live Response package.

To prevent resource overload on endpoints, only issue this action manually. Do not create a scheduled action.

  1. From the Threat Response menu, click Management > Live Response. Click Generate Packages.
  2. Target endpoints for data collection. Use an operating system-based question, for example: Get Computer Name from machines with Is Windows containing "True".
  3. Select the endpoints from which you want to collect data and click Deploy Action.
  4. In the Deployment Package field, type Live Response.
  5. Select the package that matches the collection and destination settings that you want to deploy.
  6. In the Base Directory field, provide a directory name where files are placed as they are collected. This directory is created under the Remote Path value that you provide in the destination used by the Live Response package. Where the Remote Path resolves depends on the destination type: for SMB destinations it is the explicit UNC path, whereas for SSH destinations it is relative to the home directory of the connecting user. For example, with an SSH destination whose Remote Path is FileCollection and a Base Directory of MyCollection, files are written to /home/username/FileCollection/MyCollection.
  7. Optionally select Flatten Output Files to place all collected files in one directory; each file name then includes the original path, but the folder structure is not retained.
  8. Click Show Preview to Continue.
  9. After you preview the list of endpoints to which the action is being deployed, click Deploy Action.

Threat Response tests the connection by writing a LRConnectionTestfile to the destination. If the write fails, the action tries the other destinations in the transfer configuration in the order they are listed in the configuration file. If all the connection tests fail, the action does not proceed.

Tanium shows the package as complete almost immediately after the package is downloaded on the endpoints. This completion status does not mean that collection is finished: Live Response runs in detached mode, and file transfers continue after the action completes.

The actual time to complete the transfer depends on the endpoint activity and connection speed between the endpoint and the destination system.

Data that is transferred to a destination is packaged in a ZIP file. For example, if you selected memory details as an included module, Live Response creates a ZIP file that contains a raw memory dump and additional system files. You can analyze this data with a tool such as Winpmem or Volexity Surge.

Collect logs

In addition to the standard action logs on the endpoint (Tanium_Client_Location\Downloads\Action_###\Action_####.log), a log file of activities resides in the same directory. This file follows the naming convention: YYYYMMDDhhmm_LR.log.

When collection completes, the YYYYMMDDhhmm_LR.log is copied to the destination. The action log is not copied to the destination.

Use both the action log and the Live Response log to troubleshoot problems. The action log captures messages written to standard error (stderr).

Regular expressions and environment variables

Paths and file patterns support regular expression syntax.

The File Pattern regular expression is applied to the file name only.

The following table provides some example patterns to show how Live Response uses both regular expressions and environment variables on Windows, Linux, and macOS endpoints.

  • Collect the hosts file
    • Windows: Path %systemdrive%\windows\system32\drivers\etc; File pattern ^hosts$. Windows applies the regular expression to the file name.
    • Linux/macOS: Path /etc; File pattern hosts$. In this example, hosts matches.
  • Collect the Bash history of every user
    • Windows: Not applicable.
    • Linux/macOS: Path $HOME; File pattern .bash_history$. A file name that matches .bash_history.
  • Collect a file named findme.txt from the platform root
    • Windows: Path C:\; File pattern ^findme.txt$. The file name starts with findme.txt.
    • Linux/macOS: Path /; File pattern ^findme.txt$. The file name starts with /findme.txt.

Any environment variables that you use resolve as described in the following table.

  • %appdata% (Windows): C:\Users\username\appdata\roaming
  • %homepath% (Windows): \Users\username
  • %localappdata% (Windows): C:\Users\username\appdata\local
  • %psmodulepath% (Windows): C:\Users\username\documents\windowspowershell\modules
  • %temp% (Windows): C:\Users\username\appdata\local\temp
  • %tmp% (Windows): C:\Users\username\appdata\local\temp
  • %userprofile% (Windows): C:\Users\username
  • %taniumdir% (Windows): The Tanium Client directory. Defaults are \Program Files\Tanium\Tanium Client\ (32-bit OS) and \Program Files (x86)\Tanium\Tanium Client\ (64-bit OS).
  • $TANIUMDIR (Linux, Mac): The Tanium Client directory. Defaults are /Library/Tanium/TaniumClient/ (macOS) and /opt/Tanium/TaniumClient/ (Linux).
  • $HOME (Linux, Mac): The home directory of every user whose login shell is listed in the /etc/shells file and is not a blocklisted shell. If there is no /etc/shells file, all shells are allowed.

Environment variables that are local to the endpoint are supported. For example, if %SYSTEMROOT% is set on an endpoint to expand to C:\WINDOWS, you can use such a variable on a path.
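To make the path, file pattern, depth and file-count rules above concrete, here is an added Python model (not Live Response code) that runs collectors resembling rows of the File Collector table over a constructed directory tree. The regex-search and depth-counting semantics, the $ROOT stand-in for / and the sample file names are assumptions.

```python
"""Model of how a Live Response file collector resolves its Path and File
Pattern. Added example, not Live Response code. Assumed semantics: %VAR% and
$VAR expand from a supplied map, the pattern is searched against the file
name only, depth 0 means the path itself, and -1 means unlimited."""
import os
import re
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

@dataclass
class FileCollector:
    name: str
    path: str            # may contain %VAR% (Windows) or $VAR (Linux/macOS)
    file_pattern: str    # regular expression applied to the file name only
    max_depth: int = 0   # directories to recurse below path; -1 = unlimited
    max_files: int = -1  # -1 = Unlimited

def expand_path(path: str, env: Dict[str, str]) -> str:
    """Expand Windows-style %VAR% and POSIX-style $VAR from env
    (case-insensitive). Unknown variables are left untouched."""
    lowered = {key.lower(): value for key, value in env.items()}

    def sub(match):
        return lowered.get(match.group(1).lower(), match.group(0))

    path = re.sub(r"%([^%\\/]+)%", sub, path)
    return re.sub(r"\$([A-Za-z_][A-Za-z0-9_]*)", sub, path)

def collect(collector: FileCollector, env: Dict[str, str]) -> List[str]:
    """Walk the expanded path and return matching files, honouring
    max_depth and max_files. A missing path yields nothing."""
    base = expand_path(collector.path, env)
    pattern = re.compile(collector.file_pattern)
    matched: List[str] = []
    for dirpath, dirnames, filenames in os.walk(base):
        rel = os.path.relpath(dirpath, base)
        depth = 0 if rel == "." else rel.count(os.sep) + 1
        if collector.max_depth != -1 and depth >= collector.max_depth:
            dirnames[:] = []  # do not descend past the maximum depth
        for name in sorted(filenames):
            if pattern.search(name):
                matched.append(os.path.join(dirpath, name))
                if collector.max_files != -1 and len(matched) >= collector.max_files:
                    return matched
    return matched

def demo() -> Dict[str, List[str]]:
    """Run collectors modelled on the File Collector table over a constructed
    tree in a temporary directory. $ROOT stands in for '/' so the real /etc is
    never read. Returns collector name -> paths relative to the tree."""
    root = Path(tempfile.mkdtemp(prefix="lr-demo-"))
    for rel in ("etc/hosts", "etc/ssh/known_hosts", "etc/ssh/sshd_config",
                "home/alice/.bash_history", "home/alice/.ssh/known_hosts",
                "home/alice/notes/.bash_history",  # nested copy, beyond depth 0
                "var/log/auth.log", "var/log/cron", "var/log/cron.1", "var/log/cron.2.gz"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("constructed sample content\n")
    env = {"HOME": str(root / "home" / "alice"), "ROOT": str(root)}
    collectors = [
        FileCollector("bash history", "$HOME", r"^\.bash_history$", 0, 1),
        FileCollector("user known_hosts", "$HOME/.ssh", r"^known_hosts$", 0, 1),
        FileCollector("hosts, anchored", "$ROOT/etc", r"^hosts$", 1, 1),
        FileCollector("hosts, unanchored", "$ROOT/etc", r"hosts$", 1, -1),
        FileCollector("cron logs, max 2", "$ROOT/var/log", r"cron.*", 15, 2),
    ]
    try:
        return {c.name: [os.path.relpath(p, root).replace(os.sep, "/")
                         for p in collect(c, env)] for c in collectors}
    finally:
        shutil.rmtree(root)
```

Calling demo() shows that the unanchored pattern hosts$ also picks up etc/ssh/known_hosts once the depth allows one level of recursion, which is why the built-in collectors anchor their patterns with ^ and $.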

Last updated: 9/9/2020 3:33 PM