Overview

Red Canary Automate allows you to automate the collection of a forensics package from your Windows, macOS, and Linux endpoints. This action can be automatically performed whenever a threat is identified or manually invoked for ad-hoc investigations.

Forensic artifacts give you additional visibility into the state of an endpoint and enhance your ability to scope, contain, and eradicate threats.

Use-cases

Automate Forensics Packages enable you to quickly capture forensic artifacts from an endpoint before they are tampered with, expire, or the endpoint goes offline.

This additional data, coupled with endpoint telemetry, helps you obtain a more complete picture of the endpoint in question.

Common use-cases

  1. Automatically collect a forensics package when a high severity threat is identified
  2. Manually collect a forensics package to investigate third party alerts or support internal investigations

What was once a painful, manual, one-off, time-sensitive process can now be implemented and automated with a few clicks.

Getting Started

Add the "Collect Forensics" action to a new or existing Automate playbook.

Select an output format (CSV or JSON) and specify who should receive a notification when the package is available for download.

For ad hoc investigations, click the "Play" button and choose the desired endpoint.

Download the forensics package within 7 days of receiving the notification email.

Example

As an example, we collect anonymous and named pipes on Windows endpoints. Pipes are an interprocess communication mechanism that has been utilized both by malware families like NotPetya and Ramnit and by legitimate tools like CobaltStrike and PsExec (see our earlier blog here on named pipes and lateral movement).
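Because the same pipe names show up under both legitimate tools and malware, name alone is not a verdict; the useful triage step is to diff the collected pipes against a known-good baseline and attach the owning process from the package's process listing. The script below is an added example, not Red Canary's code: it assumes a JSON export shaped as one object with "pipes" and "processes" arrays (the real package layout is not documented on this page), and both the package and the baseline are constructed sample data.

```python
import json

# Constructed sample package in the ASSUMED shape (hostname, processes, pipes).
# Backslashes are doubled so that json.loads() yields single backslashes.
PACKAGE_JSON = r"""
{
  "hostname": "WS-0042",
  "processes": [
    {"pid": 4,    "name": "System",      "path": ""},
    {"pid": 812,  "name": "lsass.exe",   "path": "C:\\Windows\\System32\\lsass.exe"},
    {"pid": 2210, "name": "updater.exe", "path": "C:\\Users\\Public\\updater.exe"}
  ],
  "pipes": [
    {"name": "lsass",    "pid": 812,  "flags": "named"},
    {"name": "srvsvc",   "pid": 4,    "flags": "named"},
    {"name": "svc_2210", "pid": 2210, "flags": "named"},
    {"name": "",         "pid": 2210, "flags": "anonymous"}
  ]
}
"""

# Constructed baseline: pipe names seen on a clean reference build of the same image.
BASELINE_PIPES = {"lsass", "srvsvc", "wkssvc", "spoolss", "netlogon"}


def triage_pipes(package_text, baseline):
    """Return named pipes absent from the baseline, enriched with their owning process."""
    pkg = json.loads(package_text)
    procs = {p["pid"]: p for p in pkg.get("processes", [])}
    findings = []
    for pipe in pkg.get("pipes", []):
        if pipe["flags"] == "anonymous":
            continue  # anonymous pipes carry no name to baseline; judge them by process context
        if pipe["name"] in baseline:
            continue
        owner = procs.get(pipe["pid"], {})
        findings.append({
            "host": pkg["hostname"],
            "pipe": pipe["name"],
            "pid": pipe["pid"],
            "process": owner.get("name", "<unknown>"),
            "path": owner.get("path", ""),
        })
    return findings


if __name__ == "__main__":
    for f in triage_pipes(PACKAGE_JSON, BASELINE_PIPES):
        print(f"{f['host']}: pipe '{f['pipe']}' owned by {f['process']} (pid {f['pid']}) at {f['path']}")
```

Running it against the sample flags only svc_2210, owned by updater.exe running from C:\Users\Public, which is the kind of lead an analyst then confirms with the rest of the package (autoruns, network connections, prefetch).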

Details Collected

Note: This list may not be comprehensive; email support@redcanary.com for an exhaustive, up-to-date list.

Windows forensic artifacts:

  • Address resolution cache (ARP)
  • Application Compatibility shims
  • Autoruns (services, scheduled tasks, …)
  • Bitlocker details
  • Chrome plugins/extensions
  • Disks/drives
  • Drivers
  • \etc\hosts
  • Firewall profiles and rules
  • Groups (local system)
  • Installed programs
  • Internet Explorer plugins/extensions
  • Listening ports
  • Logged in users and logon sessions
  • Muicache
  • Network connections
  • Network interfaces (addresses, details)
  • Operating System details
  • Patches
  • Pipes
  • Prefetch files
  • Processes
  • Recycle Bin entries
  • Registry (persistence mechanisms)
  • Routes
  • Scheduled tasks
  • Services
  • Shared resources (drives, printers, IPC, …)
  • Shimcache
  • System details
  • Time (time zone specific)
  • Uptime
  • UserAssist settings
  • Users and groups
  • Windows Crashes
  • Windows Event Log availability
  • WMI consumers and filters

macOS forensic artifacts

  • AccountPolicy details
  • Active Directory details
  • Address resolution cache (ARP)
  • Applications installed
  • Battery details
  • Block devices (disk, ramdisk, …)
  • Browser plugins/extensions
  • Crashes
  • Crontab entries
  • Disk encryption details (ex: FileVault)
  • DNS resolvers configured
  • Emond rules
  • /etc/hosts entries
  • /etc/periodic entries
  • /etc/rc.common details
  • Firewall profiles and entries
  • Gatekeeper settings
  • Groups
  • Kernel extensions
  • Kernel panics
  • Logged in users
  • Logs available (/var/log)
  • Managed configuration policies (AD, MDM, …)
  • Mounts and NFS shares
  • Network connections
  • Network interfaces (addresses, details)
  • Operating System details
  • Package install history and receipts
  • Printers
  • Processes (environment variable, open files, network connections, …)
  • Python packages
  • Recent logins
  • Routes
  • Shared folders
  • Sharing preferences (screen sharing, file sharing, remote login, …)
  • Shell history (bash_history, zsh_history, …)
  • SSH keys, configs and details (authorized_keys, known_hosts)
  • Startup items (ex: launchd)
  • Sudoers
  • System Integrity Protection (SIP) configuration
  • Time (time zone specific)
  • TimeMachine usage and details
  • Uptime
  • URI protocol handlers
  • USB devices
  • Users and Groups
  • Wi-Fi details (network, current status)
  • XProtect details

Linux forensic artifacts

  • Address resolution cache (ARP)
  • APT repositories
  • Block devices (disk, ramdisk, …)
  • Crontab entries
  • Disk encryption details
  • DNS resolvers configured
  • /etc/hosts entries
  • Iptables entries
  • Kernel details
  • Kernel modules
  • Load average
  • Logged in users
  • Logs available (/var/log)
  • Mounts
  • Network connections
  • Network interfaces (addresses, details)
  • Operating System details
  • Package details (ex: DEB, NPM, RPM, Python, YUM, …)
  • Processes (environment variable, network connections, …)
  • Recent logins
  • Routes
  • shadow
  • Shell history (bash_history, zsh_history, …)
  • SSH keys, configs and details (authorized_keys, known_hosts)
  • Sudoers
  • System details
  • Time (time zone specific)
  • Uptime
  • USB devices
  • Users and Groups

Support

Collecting a forensics package is supported for the following endpoint sensors:

  • Carbon Black Response
  • Endgame

The following operating systems are supported*:

  • Windows
  • macOS
  • Linux

* Note: for platform version specifics, please see the following article.

Important: if you are using an application whitelisting product, like Carbon Black Protection, you will need to whitelist additional publishers.

Need help or an up-to-date listing of artifacts? Contact us at support@redcanary.com.