GRR Rapid Response Cheatsheet

GRR Rapid Response is an incident response framework focused on remote live forensics. Developed by Google, GRR allows investigators to quickly triage attacks against thousands of hosts, collect forensic evidence, and perform analysis remotely without requiring physical access to target machines. It provides a powerful platform for large-scale incident response and digital forensics operations.

Installation and Setup

Server Installation

# Ubuntu/Debian Installation
sudo apt update
sudo apt install python3-pip python3-dev python3-venv
sudo apt install mysql-server mysql-client
sudo apt install build-essential libmysqlclient-dev

# Create GRR user
sudo useradd -r -s /bin/false grr

# Install GRR server
pip3 install grr-response-server
pip3 install grr-response-client

# Alternative: Install from source
git clone https://github.com/google/grr.git
cd grr
pip3 install -e .

Database Setup

# MySQL Configuration
sudo mysql -u root -p

CREATE DATABASE grr;
CREATE USER 'grr'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON grr.* TO 'grr'@'localhost';
FLUSH PRIVILEGES;
EXIT;

# Initialize GRR database
grr_config_updater initialize

# Set admin password
grr_config_updater add_user admin --password=adminpassword --admin

Server Configuration

# Generate server configuration
grr_config_updater generate_keys

# Configure server settings
grr_config_updater set_var Logging.domain localhost
grr_config_updater set_var Logging.path /var/log/grr
grr_config_updater set_var AdminUI.bind 0.0.0.0
grr_config_updater set_var AdminUI.port 8000

# Database configuration
grr_config_updater set_var Database.implementation mysql
grr_config_updater set_var Mysql.host localhost
grr_config_updater set_var Mysql.port 3306
grr_config_updater set_var Mysql.database_name grr
grr_config_updater set_var Mysql.database_username grr
grr_config_updater set_var Mysql.database_password password

Client Installation

# Windows Client Installation
# Download GRR client installer
# Run as administrator: grr_client_installer.exe

# Linux Client Installation
sudo dpkg -i grr-client_*.deb

# Manual client installation
sudo python3 -m grr_response_client.client --config=/etc/grr/client.conf

# Client configuration
grr_config_updater set_var Client.server_urls http://grr-server:8080/
grr_config_updater set_var Client.control_urls http://grr-server:8080/control

Starting GRR Services

Server Components

# Start GRR frontend
grr_server --component frontend

# Start GRR admin UI
grr_server --component admin_ui

# Start GRR worker
grr_server --component worker

# Start all components
grr_server --component frontend,admin_ui,worker

# Using systemd
sudo systemctl start grr-server
sudo systemctl enable grr-server
sudo systemctl status grr-server

Service Management

# Check service status
sudo systemctl status grr-server
sudo systemctl status grr-worker
sudo systemctl status grr-admin-ui

# View logs
sudo journalctl -u grr-server -f
sudo tail -f /var/log/grr/grr.log

# Restart services
sudo systemctl restart grr-server
sudo systemctl reload grr-server

Web Interface Navigation

Admin UI Access

# Access GRR Admin UI
URL: http://localhost:8000
Username: admin
Password: [configured password]

# Main Interface Components
Hunt Manager: Create and manage hunts
Host Information: Client details and status
Flow Management: Individual client flows
Artifact Collection: Predefined artifacts
File Browser: Remote file system access
Timeline: Event timeline analysis

Client Management

# Client Overview
Clients > All Clients
Search clients by hostname, IP, or labels
View client status and last seen time
Access client details and system information

# Client Labels
Add labels for organization
Filter clients by labels
Bulk operations on labeled clients
Custom label management

# Client Interrogation
Automatic client discovery
System information collection
Network configuration details
Installed software inventory

Flows and Artifacts

Basic Flows

# File Collection
Flow: FileFinder
Purpose: Search and collect files
Parameters: Path patterns, conditions
Output: File metadata and content

# Registry Collection (Windows)
Flow: RegistryFinder
Purpose: Collect registry keys/values
Parameters: Registry paths, value names
Output: Registry data and metadata

# Process Listing
Flow: ListProcesses
Purpose: Enumerate running processes
Parameters: None required
Output: Process list with details

# Network Connections
Flow: Netstat
Purpose: List network connections
Parameters: Connection types
Output: Active network connections

# Memory Analysis
Flow: YaraProcessScan
Purpose: Scan process memory with YARA
Parameters: YARA rules, process list
Output: YARA matches in memory

Artifact Collection

# Predefined Artifacts
WindowsEventLogs: Windows event log files
BrowserHistory: Web browser history
WindowsRegistryProfiles: User profile registry
LinuxAuditLogs: Linux audit log files
MacOSApplications: macOS application list

# Custom Artifacts
Create custom artifact definitions
Define collection parameters
Specify output formats
Test artifact collection

# Artifact Parameters
Source Type: File, Registry, Command, WMI
Source Attributes: Paths, conditions, filters
Supported OS: Windows, Linux, macOS
Labels: Categorization and filtering

Advanced Flows

# Timeline Collection
Flow: TimelineFlow
Purpose: Create filesystem timeline
Parameters: Root paths, time ranges
Output: Comprehensive timeline data

# Disk Image Collection
Flow: DiskImageFlow
Purpose: Collect disk images
Parameters: Device paths, compression
Output: Forensic disk images

# Memory Collection
Flow: MemoryCollector
Purpose: Collect physical memory
Parameters: Memory regions, compression
Output: Memory dump files

# Network Packet Capture
Flow: PacketCapture
Purpose: Capture network traffic
Parameters: Interface, filters, duration
Output: PCAP files for analysis

# YARA Scanning
Flow: YaraScan
Purpose: Scan files with YARA rules
Parameters: YARA rules, target paths
Output: YARA rule matches

Hunt Management

Creating Hunts

# Hunt Creation Process
1. Navigate to Hunt Manager
2. Click "New Hunt"
3. Select hunt type and parameters
4. Define client selection criteria
5. Configure output settings
6. Review and start hunt

# Hunt Types
Generic Hunt: Custom flow execution
File Hunt: File collection across clients
Registry Hunt: Registry data collection
YARA Hunt: YARA rule scanning
Artifact Hunt: Predefined artifact collection

# Client Selection
All Clients: Hunt across all clients
Label-based: Target specific labels
Rule-based: Complex selection criteria
Manual: Specific client list

Hunt Configuration

# Hunt Parameters
Hunt Name: Descriptive hunt name
Description: Hunt purpose and details
Client Limit: Maximum target clients
Client Rate: Clients per minute
Expiry Time: Hunt expiration
Output Plugins: Result processing

# Flow Configuration
Flow Type: Selected flow for execution
Flow Arguments: Flow-specific parameters
Collection Parameters: What to collect
Processing Options: How to process results

# Advanced Options
Priority: Hunt execution priority
Network Bytes Limit: Bandwidth control
CPU Limit: Resource constraints
Crash Limit: Error tolerance

Hunt Monitoring

# Hunt Status Monitoring
Hunt Progress: Completion percentage
Client Status: Success/failure counts
Error Analysis: Common error patterns
Resource Usage: Network and CPU impact

# Hunt Results
Result Overview: Summary statistics
Client Results: Per-client outcomes
Downloaded Files: Collected artifacts
Error Logs: Detailed error information

# Hunt Management
Pause Hunt: Temporarily stop execution
Resume Hunt: Continue paused hunt
Stop Hunt: Permanently end hunt
Clone Hunt: Create similar hunt

Forensic Analysis

File System Analysis

# File Collection and Analysis
Collect files matching patterns
Analyze file metadata and content
Extract embedded artifacts
Perform hash analysis
Timeline correlation

# Directory Traversal
Browse remote file systems
Navigate directory structures
View file properties and permissions
Download files for analysis
Search for specific file types

# File Content Analysis
Preview file contents
Extract metadata information
Perform string searches
Analyze file signatures
Detect file type mismatches

Registry Analysis (Windows)

# Registry Data Collection
Collect specific registry keys
Export registry hives
Analyze registry modifications
Track configuration changes
Identify persistence mechanisms

# Common Registry Locations
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\System\CurrentControlSet\Services
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

# Registry Analysis Techniques
Compare registry snapshots
Identify unauthorized changes
Track software installations
Analyze user activity
Detect malware persistence

Memory Analysis

# Memory Collection
Collect physical memory dumps
Extract process memory
Analyze memory artifacts
Identify injected code
Detect rootkits and malware

# Memory Analysis Flows
YaraProcessScan: YARA rule scanning
ProcessMemory: Process memory dumps
MemoryCollector: Full memory collection
Volatility: Memory analysis framework
StringSearch: String pattern matching

# Memory Artifacts
Running processes and DLLs
Network connections
Registry keys in memory
Cached files and data
Encryption keys and passwords

Network Analysis

# Network Data Collection
Capture network traffic
Analyze connection patterns
Identify suspicious communications
Extract network artifacts
Correlate network events

# Network Flows
Netstat: Active connections
PacketCapture: Traffic capture
NetworkInterfaces: Interface info
DNSCache: DNS resolution cache
ARPCache: ARP table entries

# Network Analysis Techniques
Traffic pattern analysis
Protocol analysis
Malicious domain detection
Data exfiltration identification
Command and control detection

Automation and Scripting

GRR API Usage

# Python API Client
from grr_api_client import api

# Connect to GRR server
grrapi = api.InitHttp(api_endpoint="http://localhost:8000",
                      auth=("admin", "password"))

# Search for clients
clients = grrapi.SearchClients("host:workstation")

# Start flow on client
client = grrapi.Client("C.1234567890abcdef")
flow = client.CreateFlow(name="FileFinder",
                        args={"paths": ["/etc/passwd"]})

# Wait for flow completion
flow.WaitUntilDone()

# Get flow results
results = flow.ListResults()
for result in results:
    print(result.payload)

Automated Hunts

# Create automated hunt
hunt = grrapi.CreateHunt(
    flow_name="FileFinder",
    flow_args={"paths": ["/tmp/*.exe"]},
    client_rule_set={"rules": [{"rule_type": "LABEL",
                               "label": {"label_names": ["suspicious"]}}]}
)

# Start hunt
hunt.Start()

# Monitor hunt progress
while hunt.data.state != "COMPLETED":
    time.sleep(30)
    hunt = grrapi.Hunt(hunt.hunt_id).Get()
    print(f"Hunt progress: {hunt.data.all_clients_count}")

# Collect hunt results
results = hunt.ListResults()

Custom Artifacts

# Define custom artifact
artifact_definition = """
name: CustomLogFiles
doc: Collect custom application logs
sources:
- type: FILE
  attributes:
    paths:
      - '/var/log/custom/*.log'
      - '/opt/app/logs/*.log'
  supported_os: [Linux]
labels: [Logs, Custom]
"""

# Upload artifact
grrapi.CreateArtifact(artifact_definition)

# Use in hunt
hunt = grrapi.CreateHunt(
    flow_name="ArtifactCollectorFlow",
    flow_args={"artifact_list": ["CustomLogFiles"]}
)

Advanced Features

YARA Integration

# YARA Rule Management
Upload YARA rules to GRR
Organize rules by categories
Version control for rules
Test rules before deployment

# YARA Scanning Flows
YaraScan: File system scanning
YaraProcessScan: Process memory scanning
YaraMemoryScan: Full memory scanning

# YARA Rule Examples
rule Malware_Detection {
    strings:
        $api1 = "CreateRemoteThread"
        $api2 = "WriteProcessMemory"
    condition:
        all of them
}

rule Suspicious_Network {
    strings:
        $url = "http://malicious.com"
        $ip = "192.168.1.100"
    condition:
        any of them
}

Timeline Analysis

# Timeline Creation
Collect filesystem timestamps
Correlate events across sources
Generate comprehensive timelines
Export timeline data
Analyze temporal patterns

# Timeline Sources
File system metadata
Registry modifications
Event log entries
Network connections
Process execution

# Timeline Analysis Techniques
Identify attack progression
Correlate related events
Detect time stomping
Analyze user activity
Reconstruct incident timeline

Distributed Analysis

# Multi-Server Deployment
Frontend servers: Client communication
Worker servers: Flow processing
Admin UI servers: Web interface
Database servers: Data storage

# Load Balancing
Distribute client connections
Balance processing workload
Scale based on demand
Monitor server performance

# High Availability
Redundant server components
Database replication
Failover mechanisms
Backup and recovery procedures

Security and Best Practices

Access Control

# User Management
Create user accounts
Assign appropriate permissions
Implement role-based access
Monitor user activities
Regular access reviews

# Authentication
Strong password policies
Multi-factor authentication
Certificate-based authentication
LDAP/Active Directory integration
Session management

# Authorization
Flow execution permissions
Hunt creation rights
Client access controls
Data download restrictions
Administrative privileges

Data Protection

# Encryption
Client-server communication encryption
Data at rest encryption
Certificate management
Key rotation procedures
Secure key storage

# Data Retention
Define retention policies
Implement data purging
Archive important data
Comply with regulations
Monitor storage usage

# Privacy Considerations
Minimize data collection
Anonymize sensitive data
Implement data masking
Regular privacy audits
Compliance documentation

Operational Security

# Network Security
Firewall configuration
Network segmentation
VPN access requirements
Intrusion detection
Traffic monitoring

# System Hardening
Operating system hardening
Service configuration
Regular security updates
Vulnerability management
Security monitoring

# Incident Response
Incident detection procedures
Response team coordination
Evidence preservation
Communication protocols
Lessons learned documentation

Troubleshooting

Common Issues

# Client Connection Problems
Check network connectivity
Verify server URLs
Review firewall rules
Check certificate validity
Examine client logs

# Flow Execution Failures
Review flow parameters
Check client permissions
Verify target paths exist
Monitor resource usage
Analyze error messages

# Performance Issues
Monitor server resources
Check database performance
Analyze network bandwidth
Review client load
Optimize hunt parameters

# Database Problems
Check database connectivity
Monitor database performance
Review query optimization
Verify data integrity
Implement backup procedures

Debugging Techniques

# Log Analysis
Server logs: /var/log/grr/
Client logs: Platform-specific locations
Database logs: MySQL/PostgreSQL logs
Web server logs: Apache/Nginx logs

# Debug Mode
Enable debug logging
Increase log verbosity
Monitor real-time logs
Analyze error patterns
Performance profiling

# Network Debugging
Packet capture analysis
Connection monitoring
Bandwidth analysis
Latency measurement
Protocol debugging

Performance Optimization

# Server Optimization
Increase worker processes
Optimize database queries
Implement caching
Load balancing
Resource monitoring

# Client Optimization
Adjust flow parameters
Implement rate limiting
Optimize collection filters
Monitor client resources
Batch operations

# Network Optimization
Compress data transfers
Implement bandwidth limits
Optimize communication protocols
Use local caching
Monitor network usage

Resources

• GRR Official Documentation
• GRR GitHub Repository
• GRR User Manual
• GRR API Documentation
• Digital Forensics with GRR