(G)oogle's (R)apid (R)esponse - aka grr

The poor man's live memory analysis tool

What is GRR?

GRR Rapid Response is an incident response framework focused on remote live forensics.

The goal of GRR is to support forensics and investigations in a fast, scalable manner to allow analysts to quickly triage attacks and perform analysis remotely.

GRR consists of 2 parts: client and server.

GRR client is deployed on systems that one might want to investigate. On every such system, once deployed, GRR client periodically polls GRR frontend servers for work. “Work” means running a specific action: downloading a file, listing a directory, etc.

GRR server infrastructure consists of several components (frontends, workers, UI servers) and provides a web-based graphical user interface and an API endpoint that allows analysts to schedule actions on clients and view and process collected data.

Remote forensics at scale

GRR was built to run at scale so that analysts are capable of effectively collecting and processing data from large numbers of machines. GRR was built with the following scenarios in mind:

  • Joe saw something weird, check his machine (p.s. Joe is on holiday in Cambodia and on 3G)
  • Forensically acquire 25 machines for analysis (p.s. they’re in 5 continents and none are Windows)
  • Tell me if this machine is compromised (while you’re at it, check 100,000 of them - i.e. “hunt” across the fleet)

GRR client features
  • Cross-platform support for Linux, OS X and Windows clients.
  • Live remote memory analysis using YARA library.
  • Powerful search and download capabilities for files and the Windows registry.
  • OS-level and raw file system access, using the SleuthKit (TSK).
  • Secure communication infrastructure designed for Internet deployment.
  • Detailed monitoring of client CPU, memory, IO usage and self-imposed limits.

GRR server features
  • Fully fledged response capabilities handling most incident response and forensics tasks.
  • Enterprise hunting (searching across a fleet of machines) support.
  • Fast and simple collection of hundreds of digital forensic artifacts.
  • AngularJS Web UI and RESTful JSON API with client libraries in Python, PowerShell and Go.
  • Powerful data export features supporting a variety of formats and output plugins.
  • Fully scalable back-end capable of handling large deployments.
  • Automated scheduling for recurring tasks.
  • Asynchronous design allowing future task scheduling for clients, designed to work with a large fleet of laptops.


From the official grr documentation

Installing

To start, download the latest server deb from https://github.com/google/grr/releases and install it with the command below (the file name will differ for other versions):

sudo apt install -y ./grr-server_3.2.0-1_amd64.deb

There are a few more options on how to install it (including a Docker image), but for this documentation I've chosen to use the deb variant.

Just answer the questions that come up according to your system setup and watch out for the summary at the very end. It shows the IP address and port on which you can reach the admin GUI, using the credentials of the user you just created.

Next, you need to install a client on the target machine. In the GRR admin GUI, go to "Manage Binaries", then download and install the appropriate client of your choice.

The difference between the dbg_ and the non-dbg version is that the debug version gives verbose output of what the client is doing.

Now install the client with admin rights on Windows, or use psexec to install it remotely:

cd C:\CLIENT_DIRECTORY\
net use \\MACHINE\IPC$ /USER:USERNAME *
psexec \\MACHINE -c -f -s client-version.exe

Uninstalling, by the way, can be done as:

sc stop "grr monitor"
sc delete "grr monitor"
reg delete HKLM\Software\GRR
rmdir /Q /S c:\windows\system32\grr
del /F c:\windows\system32\grr_installer.txt

Or, install it on Linux or Mac OS X:

scp client_version.deb host:/tmp/
ssh host sudo dpkg -i /tmp/client_version.deb

Uninstalling on Linux and Mac OS X can be done by stopping the service, removing the package, and then deleting the leftover files:

sudo service grr stop
sudo dpkg -r grr
sudo rm -rf /usr/lib/grr/* /etc/grr.local.yaml /etc/init/grr.conf

Once the installation above went right, you are good to go: start the actual program and use it.
Check the next articles to see how I dealt with it.


to be continued soon ....