(G)oogles (R)apid (R)esponse - aka grr
The poor mans live memory analysis tool
GRR Rapid Response is an incident response framework focused on remote live forensics.
The goal of GRR is to support forensics and investigations in a fast, scalable manner to allow analysts to quickly triage attacks and perform analysis remotely.
GRR consists of 2 parts: client and server.
GRR client is deployed on systems that one might want to investigate. On every such system, once deployed, GRR client periodically polls GRR frontend servers for work. “Work” means running a specific action: downloading file, listing a directory, etc.
GRR server infrastructure consists of several components (frontends, workers, UI servers) and provides web-based graphical user interface and an API endpoint that allows analysts to schedule actions on clients and view and process collected data.Remote forensics at scale
GRR was built to run at scale so that analysts are capable of effectively collecting and processing data from large numbers of machines. GRR was built with following scenarios in mind:
- Joe saw something weird, check his machine (p.s. Joe is on holiday in Cambodia and on 3G)
- Forensically acquire 25 machines for analysis (p.s. they’re in 5 continents and none are Windows)
- Tell me if this machine is compromised (while you’re at it, check 100,000 of them - i.e. “hunt” across the fleet)
- Cross-platform support for Linux, OS X and Windows clients.
- Live remote memory analysis using YARA library.
- Powerful search and download capabilities for files and the Windows registry.
- OS-level and raw file system access, using the SleuthKit (TSK).
- Secure communication infrastructure designed for Internet deployment.
- Detailed monitoring of client CPU, memory, IO usage and self-imposed limits.
- Fully fledged response capabilities handling most incident response and forensics tasks.
- Enterprise hunting (searching across a fleet of machines) support.
- Fast and simple collection of hundreds of digital forensic artifacts.
- AngularJS Web UI and RESTful JSON API with client libraries in Python, PowerShell and Go.
- Powerful data export features supporting variety of formats and output plugins.
- Fully scalable back-end capable of handling large deployments.
- Automated scheduling for recurring tasks.
- Asynchronous design allowing future task scheduling for clients, designed to work with a large fleet of laptops.
From the official grr documentation
To start, download the latest server deb from https://github.com/google/grr/releases
and install it using below command:
sudo apt install -y ./grr-server_3.2.0-1_amd64.deb
There are a view more options on how to install it (incl. a docker image) but for this documentation I've choosen to use the deb variant.
Just answer the upcoming questions according to your system setup and watch out for the sumary at the very end. It will show you the ip address and port you can access the admin gui with the credentials of the user you just created.
First, you need to install a client on your target client. So in grr, go to "Manage Binaries", download and install the appropriate client of choice.
The difference between the dbg_ and non-dbg-version is the ability to have a verbose output of what the client is doing.
Now install the client using admin rights on windows, or you psexec to remotly install it.
cd C:\CLIENT_DIRECTORY\ net use \\MACHINE\IPC$ /USER:USERNAME * psexec \\MACHINE -c -f -s client-version.exe
Uninstalling, by the way, can be done as:
sc stop "grr monitor" sc delete "grr monitor" reg delete HKLM\Software\GRR rmdir /Q /S c:\windows\system32\grr del /F c:\windows\system32\grr_installer.txt
Or, install it on linux or Mac OS X:
scp client_version.deb host:/tmp/ ssh host sudo dpkg -i /tmp/client_version.deb
Uninstalling on Linux and Mac OS X can be done by:
sudo service grr stopdpkg -r grr/usr/lib/grr/* /etc/grr.local.yaml /etc/init/grr.conf
Once everything with above install went right, you are good to go starting the actual programm and use it.
Check the next articles on how I dealt with it.