CrowdStrike Fal.Con 2019: RTR for Forensics and Hunting (J. Miller)

This document discusses using Real Time Response (RTR) capabilities in Falcon for forensics and hunting. It provides examples of built-in RTR commands, using pre-built binaries like Autoruns via RTR, leveraging PowerShell for additional forensic capabilities, and the potential to scale RTR across an enterprise network. Key points covered include parsing the MFT, gathering various triage artifacts, and automating responses to common detections.

RTR FOR FORENSICS AND HUNTING
RTR EXAMPLES
SPEAKER

JIM MILLER
Senior Consultant
§ CrowdStrike Services – 3 years
§ Over a decade of security experience (SOC/IR/Forensics)
§ CISSP/GPEN/GCFA/GCFE/GWAPT
§ Bachelor's in IT from RIT (Go Tigers!)

© 2019 CROWDSTRIKE
AGENDA

§ DEFINITIONS
§ RTR BUILT-IN COMMANDS
§ RTR WITH PREBUILT BINARIES
§ RTR AND POWERSHELL
§ RTR AT SCALE?

DEFINITIONS

§ Real Time Response – "RTR", the ability to connect to a host running Falcon via the cloud and execute arbitrary commands
§ Registry – The Windows Registry, a configuration database containing low level options
§ Malware – For this talk, anything we don't want running on the host (Adware/PUPs/etc)
§ PowerShell – Command-line shell and scripting language focusing on automation

BUILT-INS
SOME QUICK ASSUMPTIONS
The demo machine for all of this was Win7 SP1 x64 with PowerShell 5.1
§ Some commands (zip) may not work for you
§ Additional PowerShell (PS) frameworks may require additional features
§ You have the correct Falcon permissions and authority to make the changes on the hosts you are working on

THE BUILT-INS

§ cat
§ cd
§ eventlog
§ filehash
§ get
§ help
§ kill
§ ls
§ map
§ memdump
§ mv
§ ps
§ put
§ reg
§ rm
§ runscript
§ xmemdump

A SAMPLE DETECTION

THE COMMANDS
§ ls c:\windows\system32\utilma*
§ filehash c:\windows\system32\utilman.exe && exe.old
§ reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
§ New-ItemProperty -Path "Registry::HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" -Name PendingFileRenameOperations -PropertyType MultiString -Value ('\??\C:\Windows\System32\utilman.exe.old','\??\C:\Windows\System32\utilman.exe') | Out-Null
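To make the remediation above less error-prone, here is an added PowerShell script (not from the slides) that checks utilman.exe before touching anything and appends to PendingFileRenameOperations rather than replacing whatever another installer has already queued. The comparison against cmd.exe, the variable names and the '!' replace-existing prefix are assumptions, not the slide's own steps.

```powershell
# Added example (not from the slides): check whether utilman.exe has been
# swapped for a copy of cmd.exe and, if a backup exists, queue a restore via
# PendingFileRenameOperations, appending to entries already pending.
# The cmd.exe comparison and the variable names are assumptions, not the
# slide's own detection logic.
$Sys32   = Join-Path $env:SystemRoot 'System32'
$Target  = Join-Path $Sys32 'utilman.exe'
$Backup  = Join-Path $Sys32 'utilman.exe.old'
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$RegName = 'PendingFileRenameOperations'

$Current = (Get-FileHash -Path $Target -Algorithm SHA256).Hash
$CmdHash = (Get-FileHash -Path (Join-Path $Sys32 'cmd.exe') -Algorithm SHA256).Hash
# Informational only: catalog-signed system files can report NotSigned on older builds.
Write-Output ("utilman.exe signature: " + (Get-AuthenticodeSignature -FilePath $Target).Status)

if ($Current -ne $CmdHash) {
    Write-Output "utilman.exe ($Current) does not match cmd.exe; nothing to do"
    return
}
Write-Warning "utilman.exe is byte-identical to cmd.exe (SHA256 $Current)"

if (-not (Test-Path -Path $Backup)) {
    Write-Warning "No $Backup to restore from; re-acquire the file from a known-good source"
    return
}
Write-Output ("Backup SHA256: " + (Get-FileHash -Path $Backup -Algorithm SHA256).Hash)

# PendingFileRenameOperations is a MULTI_SZ of source/destination pairs in
# \??\ NT path form; a '!' on the destination asks Session Manager to replace
# an existing file (the MoveFileEx REPLACE_EXISTING convention). Other software
# may already have queued entries, so read what is there and append.
$Pending  = @()
$Existing = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
if ($Existing) { $Pending += $Existing.$RegName }
$Pending += @("\??\$Backup", "!\??\$Target")

Set-ItemProperty -Path $RegPath -Name $RegName -Type MultiString -Value $Pending -Force
Write-Output "Queued rename of utilman.exe.old -> utilman.exe at next boot"
```

Run it through RTR's runscript as SYSTEM; the rename itself happens at the next reboot, so re-run the filehash command afterwards to confirm.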

WARNING
Untested Code

PRE-BUILT BINARIES
AUTORUNS

§ NB: Autoruns and Sysinternals are copyright works of Microsoft

THE COMMANDS

§ wmic os get OSArchitecture


§ ls/mkdir
§ put autorunsc64.exe
§ run "C:\Temp\autorunsc64.exe" -CommandLine="-accepteula -avm * -o C:\Temp\autoruns.txt"

POWERSHELL
THE COMMANDS

§ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -URI https://github.com/Invoke-IR/PowerForensics/releases/download/1.1.1/PowerForensicsv2.zip -OutFile "C:\PowerForensicsv2.zip"
§ Expand-Archive -Path 'C:\PowerForensicsv2.zip' -DestinationPath "C:\Program Files\WindowsPowerShell\Modules\"
§ Import-Module PowerForensicsv2

POWERFORENSICS

§ Get-ForensicFileRecord (parse the MFT!)


§ Invoke-ForensicDD
§ Get-ForensicEventLog
§ Get-ForensicPrefetch
§ Get-ForensicTimezone

PowerForensics developed by @jaredcatkinson

OTHER USEFUL ONE-LINERS

§ Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
§ [System.Environment]::Is64BitOperatingSystem
§ Get-ChildItem -Path C:\ -Include <Your Search String Here> -Recurse -ErrorAction SilentlyContinue
§ Get-Item -Path C:\<Path-To-File> -Stream *
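The last one-liner lists alternate data streams on a single file. As an added example (not from the slides), the script below sweeps a folder, reports every non-default stream, and for the Zone.Identifier stream pulls out the ZoneId and HostUrl so you can see where a file was downloaded from. $Root and the column names are assumptions.

```powershell
# Added example (not from the slides): extend "Get-Item -Stream *" into a
# directory sweep that reports alternate data streams (ADS) and decodes the
# Zone.Identifier mark-of-the-web. $Root is an assumed default starting point.
param([string]$Root = "$env:USERPROFILE\Downloads")

$Findings = foreach ($File in Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue) {
    # Every file has the primary ':$DATA' stream; anything else is an ADS.
    $Streams = Get-Item -Path $File.FullName -Stream * -ErrorAction SilentlyContinue |
               Where-Object { $_.Stream -ne ':$DATA' }
    foreach ($S in $Streams) {
        $Zone = $null; $Origin = $null
        if ($S.Stream -eq 'Zone.Identifier') {
            # INI-style content: [ZoneTransfer] ZoneId=3 HostUrl=... ReferrerUrl=...
            $Lines = Get-Content -Path $File.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
            foreach ($L in $Lines) {
                if ($L -match '^ZoneId=(\d+)')  { $Zone   = [int]$Matches[1] }
                if ($L -match '^HostUrl=(.+)$') { $Origin = $Matches[1] }
            }
        }
        [pscustomobject]@{
            File    = $File.FullName
            Stream  = $S.Stream
            Bytes   = $S.Length
            ZoneId  = $Zone      # 3 = Internet, 4 = Restricted sites
            HostUrl = $Origin
        }
    }
}

# Streams other than Zone.Identifier are the interesting ones: content parked
# in an ADS does not show up in a normal directory listing or file size.
$Findings | Sort-Object { $_.Stream -eq 'Zone.Identifier' }, File | Format-Table -AutoSize
```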

RTR AT SCALE?
RTR IS POWERFUL

§ RTR has an API – You can automate doing a forensic collection of the MFT
§ CrowdCollect – Gather a number of different triage artifacts from a remote host
§ Map a network share – Xmemdump to copy, and you can collect all of your triage information online

DOCUMENT AND ITERATE

§ Record useful one-liners and longer remediation scripts
§ Automate responding to common detections (Dridex/Trickbot/Phishing)
§ Share that knowledge as a community

THANK YOU.
ANY QUESTIONS?