You can use Red Canary to automate the collection of a forensics package from your Windows, macOS, and Linux endpoints. This action can be automatically performed whenever a threat is identified or manually invoked for ad-hoc investigations.
Forensic artifacts give you additional visibility into the state of an endpoint and enhance your ability to scope, contain, and eradicate threats.
Use cases
Automate Forensics Packages enable you to quickly capture forensic artifacts from an endpoint before they are tampered with, expire, or the endpoint goes offline. When combined with endpoint telemetry, this information provides a more complete picture of the endpoint in question.
There are two common use cases:
- Automatically collect a forensics package when a high severity threat is identified.
- Manually collect a forensics package to investigate third-party alerts or support internal investigations.
What was once a one-off, time-sensitive process can now be implemented and automated with a few clicks.
Getting started
- Click Add Action to a new or existing Automate playbook.
- From Red Canary Prevention, Containment & Response click Collect Forensics.
- Click +Add to Playbook.
- Select a File Type (CSV or JSON) and specify who receives a notification when the package is available for download.
Note: if necessary, also check Require Approval. - Click Save.
For ad-hoc investigations, click Run and choose the desired endpoint:
You will receive a notification email that links to the Red Canary "Share a File" system. Follow the link and download your forensics package.
Note: The download link expires after seven days.
Support
The following endpoint sensors support forensics package collection:
- Crowdstrike Falcon
-
Note for Mac Devices: Please download the the official 7zip to extract (https://www.7-zip.org/download.html) the Forensic Package.
When using a Mac where the archive utility version is outdated, the file will not be able to be unlocked. After updating the archive utility, the file should be able to be decrypted and unpacked using the password ‘infected’.
-
- Microsoft Defender Endpoint
- VMware Carbon Black Cloud
- VMware Carbon Black Response
The following operating systems support forensics package collection:
- Windows
- macOS
- Linux
Important: If you use an application control product like Carbon Black Protection, you must add additional publishers to your allowlist.
Example
We collect anonymous and named pipes on Windows endpoints. Pipes are an interprocess communication mechanism that are utilized both by malware families like NotPetya and Ramnit and by legitimate tools like Cobalt Strike and PsExec (see our earlier blog here on named pipes and lateral movement):
Details collected
Windows forensic artifacts
| Address resolution cache (ARP) | Application Compatibility shims | Autoruns (services, scheduled tasks, …) |
| Bitlocker details | Chrome plugins/extensions | Disks/drives |
| Drivers | \etc\hosts | Firewall profiles and rules |
| Groups (local system) | Installed programs | Internet Explorer plugins/extensions |
| Listening ports | Logged in users and logon sessions | Muicache |
| Network connections | Network interfaces (addresses, details) | Operating System details |
| Patches | Pipes | Prefetch files |
| Processes | Recycle Bin entries | Registry (persistence mechanisms) |
| Routes | Scheduled tasks | Services |
| Shared resources (drives, printers, IPC, …) | Shimcache | System details |
| Time (time zone specific) | Uptime | UserAssist settings |
| Users and groups | Windows Crashes | Windows Event Log availability |
| WMI consumers and filters |
macOS forensic artifacts
| AccountPolicy details | Active Directory details | Address resolution cache (ARP) |
| Applications installed | Battery details | Block devices (disk, ramdisk, …) |
| Browser plugins/extensions | Crashes | Crontab entries |
| Disk encryption details (e.g., FileVault) | DNS resolvers configured | Emond rules |
| /etc/hosts entries | /etc/periodic entries | /etc/common details |
| Firewall profiles and entries | Gatekeeper settings | Groups |
| Kernel extensions | Kernel panics | Logged in users |
| Logs available (/var/log) | Managed configuration policies (AD, MDM, …) | Mounts and NFS shares |
| Network connections | Network interfaces (addresses, details) | Operating System details |
| Package install history and receipts | Printers | Processes (environment variable, open files, network connections, …) |
| Python packages | Recent logins | Routes |
| Shared folders | Sharing preferences (screen sharing, file sharing, remote login, …) | Shell history (bash_history, zsh_history, …) |
| SSH keys, configs and details (authorized_keys, known_hosts) | Startup items (e.g., launchd) | Sudoers |
| System Integrity Protection (SIP) configuration | Time (time zone specific) | TimeMachine usage and details |
| Uptime | URI protocol handlers | USB devices |
| Users and Groups | Wi-Fi details (network, current status) | XProtect details |
Linux forensic artifacts
| Address resolution cache (ARP) | APT repositories | Block devices (disk, ramdisk, …) |
| Crontab entries | Disk encryption details | DNS resolvers configured |
| /etc/hosts entries | Iptables entries | Kernel details |
| Kernel modules | Load average | Logged in users |
| Logs available (/var/log) | Mounts | Network connections |
| Network interfaces (addresses, details) | Operating System details | Package details (e.g., DEB, NPM, RPM, Python, YUM, …) |
| Processes (environment variable, network connections, …) | Recent logins | Routes |
| shadow | Shell history (bash_history, zsh_history, …) | SSH keys, configs and details (authorized_keys, known_hosts) |
| Sudoers | System details | Time (time zone specific) |
| Uptime | USB devices | Users and Groups |
Comments
0 comments
Please sign in to leave a comment.