Collecting data from endpoints

A critical step in the incident response process is the collection of data from compromised endpoints for further forensic analysis. Use Threat Response to collect specific information from endpoints to use for forensic analysis and data correlation and investigate potentially compromised systems with a customizable and extensible framework.

Threat Response collects forensic information from endpoints, and transfers the results to a network location that you specify in a package. The Threat Response package contains configuration files that identify the data to collect, and where to copy the data. Specify the data that you want to collect from endpoints, and the network destination to save the collected files.

Destinations

A destination is a location to save forensic data. The server that receives information from Live Response can be an Amazon S3 Bucket, or a server that communicates over SFTP, SCP, or SMB (Windows only) protocols.

For SSH (SFTP/SCP) destinations, a user with write access to the share on the destination is required. Consider modifying the /etc/ssh/sshd_config file on the server to allow only SFTP or SCP access.

The key exchange algorithms supported by Live Response for SSH destinations include:

  • curve25519-sha256@libssh.org
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
  • diffie-hellman-group14-sha1
  • diffie-hellman-group1-sha1

At least one of these algorithms must be supported by the server for SSH (SFTP/SCP) destinations.
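The hardening suggested above, as an added illustration that is not part of the Tanium documentation: an sshd_config fragment that keeps only the four stronger key exchange algorithms from the list, and confines a dedicated collection account to SFTP inside a chroot (so this assumes the destination is configured with the SFTP protocol, not SCP). The account name lrcollect and the chroot path /srv/lr-chroot are assumptions.

```sshconfig
# Global settings (KexAlgorithms is not accepted inside a Match block).
# Only the stronger half of the key exchange list that Live Response supports;
# the two SHA-1 groups are deliberately left out.
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
Subsystem sftp internal-sftp

# Dedicated collection account (assumed name: lrcollect).
# The chroot root /srv/lr-chroot must be owned by root and not group- or
# world-writable, or sshd refuses the login. The account's home directory
# under the chroot (for example /srv/lr-chroot/home/lrcollect) must exist and
# be writable by lrcollect, because Remote Path is relative to that home.
Match User lrcollect
    ChrootDirectory /srv/lr-chroot
    ForceCommand internal-sftp -u 0077
    PubkeyAuthentication yes
    PasswordAuthentication no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY no
```

Test the result from another host with sftp before creating the destination in Threat Response, and confirm that an interactive ssh login as lrcollect is refused.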

For an SMB copy location, the system account is used. SMB shares work with domain-joined endpoints. Either the specific endpoint computer account must have write access, or the Domain Computers group must have write access. Required advanced permissions:

  • Create files / write data
  • Create folders / append data
  • Write attributes

For Amazon S3 Bucket copy locations, ensure that clients are synchronized with a time server. Transfers fail if the client time differs from the server time by more than 15 minutes.

For more information on using Amazon S3 Buckets with Live Response, see How to create an AWS S3 Bucket for use with Live Response (login required).

Do not use SMB transfer destinations when a system has been quarantined by Tanium. Live Response uses domain authentication for transfers. When a system is quarantined it cannot reauthorize with the domain and authentication fails.

  1. From the Threat Response menu, click Management > Live Response. Click Destinations. Click Create Destination.
  2. In the General Information section, provide a name and description for the destination.
  3. Select Enable to enable the destination. Enabling a destination makes the destination available to use to collect endpoint data.
  4. Select a destination type. Available destination types are S3, SSH, and SMB. The destination type that you select determines the types of required setting information. Refer to destination types for more information.
  5. Click Save.

Destination types

Different types of destinations require different settings.

There is no option for disabling hostkey verification for SSH destinations in Live Response for Threat Response.

The SMB transfer protocol is only supported on Windows operating systems.

S3 Destinations

For S3 destinations, the following settings are required:

  • Bucket: The name of the S3 Bucket. When using an S3 bucket as a destination, make sure that clients are synchronized with a time server. Transfers fail if the client time differs from the server time by more than 15 minutes.
  • Access Key ID: An ID that corresponds with a secret access key. For example, AKIAIOSFODNN7EXAMPLE
  • Secret Access Key: A secret key that corresponds with an access key ID. For example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY. Manage your access keys as securely as you do your user name and password.
  • Region: An explicitly defined S3 region.
  • Host: The fully qualified domain name of the host.
  • Port: The port to use for the connection to the destination. The default is 443.
  • Use SSL: SSL encryption is enabled.
  • Force Path Style Types: Forces API calls to use path-style URLs, where the bucket name is part of the URL path for accessing buckets.
  • Connection Timeout: The amount of time to attempt to establish a connection.
  • Remote Path: A path on the destination where data is collected.

When you create access keys, you create the access key ID and secret access key as a set. During access key creation, AWS gives you one opportunity to view and download the secret access key part of the access key. If you do not download the key or if you lose the key, you can delete the access key and then create a new one.

SSH Destinations

For SSH destinations, the following settings are required:

  • Protocol: Select SFTP or SCP as the protocol to transfer collected files to the destination.
  • Authentication Type: Private Key or Password. The authentication type that you select determines whether you are prompted to provide a private key or a password to authenticate with the destination.
  • Host: The fully qualified domain name of the host.
  • Port: The port to use for the SSH connection to the destination. The default is 22.
  • Username: The user name for the connection to the destination.
  • Password or Private Key: The password for the user name, or a private key to authenticate the connection to the destination. An RSA key must be base64 encoded before you enter it into the private key field.
  • Known Hosts: The content of an SSH known hosts file.
  • Connection Timeout: The amount of time to attempt to establish a connection.
  • Remote Path: A path on the destination where data is collected. This path is relative to the home directory of the user specified in Username. Absolute paths are not supported.

In PowerShell you can convert a key file to base64 encoding using the following command:

[Convert]::ToBase64String([System.IO.File]::ReadAllBytes('<filepath>'))

On Linux you can convert to base64 encoding using the following command:

cat <filepath> | base64 -w 0

On macOS, where base64 does not accept the -w option, use the following command instead:

base64 < <filepath> | tr -d '\n'

SMB Destinations

For SMB destinations, the following setting is required:

  • Universal Naming Convention: The UNC path of the destination. For example, \\server\folder

Collections

A collection defines the data to collect from an endpoint.

  1. From the Threat Response menu, click Management > Live Response. Click Collections. Click Create Collection.
  2. In the General Information section, provide a name and description for the collection.
  3. Select Enable to enable the collection. Enabling a collection makes the collection available to use to collect endpoint data.
  4. Select the modules that you want to include in the data collection. A module is a functional area of forensic investigation. For example, the Network Connections module collects data that is helpful to understanding network connections that the endpoint has been involved in. The operating system icons next to each module show the operating systems to which the modules apply.
  5. Under Script Sets, select the script sets that you want to include in the collection. See Script Sets for more information.
  6. Under File Acquisition, select the Tanium File Collectors and User Defined File Collectors that you want to include in the collection. See File Collectors for more information.
  7. Add any Ad-hoc file collectors that you want to include in the collection. Ad-hoc file collectors are not part of a file collector set. You can use Ad-hoc file collectors to collect any additional files that are relevant to a specific collection.
    1. Click Add File Collector.
    2. Provide a name for the file collector.
    3. Provide a path for files to collect.
    4. Provide a file pattern for the files to collect. For example, *.exe.
    5. Specify the maximum depth of directories to recurse from the path you provided. 
    6. Specify the maximum number of files to collect. 
    7. Select Raw to preserve the format of the files that are collected. 
    8. Select the operating systems from which you want the file collector to collect files. 
    9. Click the check mark in the top right to save the file collector.

  8. Click Save.

File Collector sets

Create file collector sets to define the types of files that you want to collect from endpoints. For example, you can select all files of a specific type, or files that reside on a specific path.

  1. From the Threat Response menu, click Management > Live Response. Click File Collection Sets. Click Create File Collection Set.
  2. In the General Information section, provide a name and description for the file collection set.
  3. Select Enable to enable the file collection set. Enabling a file collection set makes it available to use to collect endpoint data.
  4. Provide a name for the file collector.
  5. Provide a path for files to collect.
  6. Provide a file pattern for the files to collect. For example, *.exe.
  7. Specify the maximum depth of directories to recurse from the path you provided.
  8. Specify the maximum number of files to collect.
  9. Select Raw to preserve the format of the files that are collected.
  10. Select the operating systems from which you want the file collector to collect files.
  11. Click the check mark in the top right to save the file collector.

  12. Click Save.

Script sets

You can configure scripts to run on endpoints when you deploy the collection. Supported scripting languages include PowerShell and Python.

  1. From the Threat Response menu, click Management > Live Response. Click Script Sets. Click Create Script Set.
  2. In the General Information section, provide a name and description for the script set.
  3. Select Enable to enable the script set. Enabling a script set makes it available to use when endpoint data collection occurs.
  4. Under Scripts click Add a Script.
  5. Provide a filename for the script.
  6. Select Python or PowerShell as the type of script.
  7. Provide any script arguments to use as part of running the script.
  8. Add the script source.
  9. Click Save.

The output of a script is named the same as the script, with -results appended to the file extension. For example, a script named test.ps1 creates output in test.ps1-results. All standard output is directed to the collector directory.
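As an added example that is not part of the Tanium documentation or product, a Python script of the kind you could add to a script set: it takes a directory and a recursion depth as script arguments and writes a SHA-256 manifest to standard output, which Live Response captures in the <filename>-results file. The argument convention and the depth semantics (matching the file collector's "maximum depth" setting) are assumptions.

```python
"""Constructed example: hash manifest script for a Live Response script set.
Script arguments (assumed): <directory> [max_depth]. Everything written to
stdout is captured in <scriptname>-results; errors go to stderr (action log)."""
import hashlib
import os
import sys

def sha256_file(path, chunk=1 << 20):
    """Stream-hash one file so large artifacts are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def hash_tree(root, max_depth=1):
    """Return (relative_path, size, mtime, sha256) for regular files under root.
    max_depth follows the file collector setting: 0 hashes only files directly
    in root, 1 also descends one level, and so on. Unreadable files are marked."""
    root = os.path.abspath(root)
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        depth = 0 if rel_dir == "." else rel_dir.count(os.sep) + 1
        if depth >= max_depth:
            dirnames[:] = []  # do not recurse below this level
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks, sockets and other special files
            try:
                st = os.stat(full)
                digest = sha256_file(full)
            except OSError as exc:
                print("ERROR %s: %s" % (full, exc), file=sys.stderr)
                st, digest = None, "ERROR"
            records.append((os.path.relpath(full, root),
                            st.st_size if st else -1,
                            int(st.st_mtime) if st else -1, digest))
    return records

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    depth = int(sys.argv[2]) if len(sys.argv) > 2 else 1
    print("path\tsize\tmtime\tsha256")
    for rec in hash_tree(target, depth):
        print("\t".join(str(field) for field in rec))
```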

Collect data from endpoints

To collect data from endpoints, deploy a Live Response package.

To prevent resource overload on endpoints, only issue this action manually. Do not create a scheduled action.

  1. From the Threat Response menu, click Management > Live Response. Click Generate Packages.
  2. Target endpoints for data collection. Use an operating system-based question, for example: Get Computer Name from machines with Is Windows containing "True".
  3. Select the endpoints from which you want to collect data and click Deploy Action.
  4. In the Deployment Package field, type Live Response.
  5. Select the package that matches the collection and destination settings that you want to deploy.
  6. Click Show Preview to Continue.
  7. After you preview the list of endpoints to which the action is being deployed, click Deploy Action.

Threat Response tests the connection by writing an LRConnectionTest file to the destination. If the write fails, the action tries the other destinations in the transfer configuration in the order they are listed in the configuration file. If all the connection tests fail, the action does not proceed.

Tanium shows the package as complete almost immediately after the package is downloaded on the endpoints. This completion is not accurate because Live Response runs in detached mode. File transfers continue after the action completes.

The actual time to complete the transfer depends on the endpoint activity and connection speed between the endpoint and the destination system.

Data that is transferred to a destination is packaged in a ZIP file. For example, if you selected memory details as an included module, Live Response creates a ZIP file that contains a raw memory dump and additional system files. You can analyze this data with a tool such as Winpmem or Volexity Surge.

Collect logs

In addition to the standard action logs on the endpoint (Tanium_Client_Location\Downloads\Action_###\Action_####.log), a log file of activities resides in the same directory. This file follows the naming convention: YYYYMMDDhhmm_LR.log.

When collection completes, the YYYYMMDDhhmm_LR.log is copied to the destination. The action log is not copied to the destination.

Use both the action log and the Live Response log to troubleshoot problems. The action log captures messages written to standard error (stderr).

Configure the Live Response package outside of the Threat Response workbench

You can upload multiple JSON files to the package with different configurations. For more information, see Configure the Live Response package.

Last updated: 12/3/2019 2:45 PM