Forensics
The forensics module is targeted at providing analysts the capability to taken responsive actions on an endpoint to facilitate further investigation, collect evidence or initiate remediation based activities.
The module leverages PowerShell's Remoting capabilities to execute commands on remote endpoints. This allows for minimal configuration required, no additional agent on the endpoint and the full capabilities of PowerShell to be used as part of the response functionalities. The FalconOrchestrator.Forensics library contains the logic to establish a PowerShell connection, execute the provided command and return data if applicable.
In order to leverage this functionality you will need to perform the following configuration tasks:
-
Enable PowerShell Remoting on all endpoints you need to interact with, this can be done by executing the command
Enable-PSRemoting. For larger environments it is suggested to use a systems management tool or Group Policy. -
By enabling this the Window Remote Management (WinRM) protocol will be used and listening on TCP port 5985. As such you should ensure that port is accessible for inbound communication both on the local Windows firewall and any network filtering devices between the Falcon Orchestrator server and target endpoint.
-
Lastly, you will need to supply credentials of an account (typically a domain account) that has sufficient access to the target endpoint(s) in order to carry out the intended commands. To save these credentials open the Falcon Orchestrator web application in your browser and navigate to Admin > Configuration > Forensics. Input the username, domain and password of the service account and save the settings:
During an incident response or security investigation, a common requirement is the capability to extraction files from a compromised system for post analysis or archiving of relevant artifacts. Falcon Orchestrator achieves this by first executing the script Get-FileAttribute.ps1 to get relevant file metadata, followed by a very simple PowerShell script titled Get-RemoteFile.ps1 which will send the file back to the Falcon Orchestrator server via an HTTP(s) POST. This can be initiated from three areas within the web application:
All extracted file artifacts are compressed, password protected (using the supplied Zip password) and saved to the web applications App_Data\Artifacts directory.
- Forensics > File Extraction
- Forensics > File System Browser > Select Non Directory File > Download Button
- Detections > Edit > Download Button Next To File Name
Browsing the file system allows an analyst to perform live response against a target system and understand what artifacts on the file system. You can traverse by clicking on each row in the table, if it is a directory the search box will be updated with the new path. You can then click the search button again to drill down into the directory. The PowerShell command being executed is simply Get-ChildItem -force. This will display hidden files as well. If a non directory file is selected, the download button will appear allowing you to extract the file directly while browsing.
Understanding what software & versions is installed on an endpoint allows you to better understand the potential vulnerabilities or identify the installation of unexpected software. The script Get-InstalledPrograms.ps1 is executed on the remote endpoint to enumerate the Windows registry location HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.
