GRÜN Schnelle Antwort Cheatsheet
GRÜN Rapid Response ist ein Vorfall-Antwort-Framework, das sich auf Remote Live-Forensics konzentriert. Entwickelt von Google ermöglicht GRR den Ermittlern, schnell Angriffe auf Tausende von Wirten zu versuchen, forensische Beweise zu sammeln und Analyse remote durchzuführen, ohne physischen Zugriff auf Zielmaschinen zu benötigen. Es bietet eine leistungsfähige Plattform für groß angelegte Zwischenfälle und digitale Forensik-Operationen.
Installation und Inbetriebnahme
Server Installation
```bash
Ubuntu/Debian Installation
sudo apt update sudo apt install python3-pip python3-dev python3-venv sudo apt install mysql-server mysql-client sudo apt install build-essential libmysqlclient-dev
Create GRR user
sudo useradd -r -s /bin/false grr
Install GRR server
pip3 install grr-response-server pip3 install grr-response-client
Alternative: Install from source
git clone https://github.com/google/grr.git cd grr pip3 install -e . ```_
Datenbank Setup
```bash
MySQL Configuration
sudo mysql -u root -p
CREATE DATABASE grr; CREATE USER 'grr'@'localhost' IDENTIFIED BY 'password'; GRANT ALL PRIVILEGES ON grr.* TO 'grr'@'localhost'; FLUSH PRIVILEGES; EXIT;
Initialize GRR database
grr_config_updater initialize
Set admin password
grr_config_updater add_user admin --password=adminpassword --admin ```_
Serverkonfiguration
```bash
Generate server configuration
grr_config_updater generate_keys
Configure server settings
grr_config_updater set_var Logging.domain localhost grr_config_updater set_var Logging.path /var/log/grr grr_config_updater set_var AdminUI.bind 0.0.0.0 grr_config_updater set_var AdminUI.port 8000
Database configuration
grr_config_updater set_var Database.implementation mysql grr_config_updater set_var Mysql.host localhost grr_config_updater set_var Mysql.port 3306 grr_config_updater set_var Mysql.database_name grr grr_config_updater set_var Mysql.database_username grr grr_config_updater set_var Mysql.database_password password ```_
Client Installation
```bash
Windows Client Installation
Download GRR client installer
Run as administrator: grr_client_installer.exe
Linux Client Installation
sudo dpkg -i grr-client_*.deb
Manual client installation
sudo python3 -m grr_response_client.client --config=/etc/grr/client.conf
Client configuration
grr_config_updater set_var Client.server_urls http://grr-server:8080/ grr_config_updater set_var Client.control_urls http://grr-server:8080/control ```_
GRR Services starten
Serverkomponenten
```bash
Start GRR frontend
grr_server --component frontend
Start GRR admin UI
grr_server --component admin_ui
Start GRR worker
grr_server --component worker
Start all components
grr_server --component frontend,admin_ui,worker
Using systemd
sudo systemctl start grr-server sudo systemctl enable grr-server sudo systemctl status grr-server ```_
Service Management
```bash
Check service status
sudo systemctl status grr-server sudo systemctl status grr-worker sudo systemctl status grr-admin-ui
View logs
sudo journalctl -u grr-server -f sudo tail -f /var/log/grr/grr.log
Restart services
sudo systemctl restart grr-server sudo systemctl reload grr-server ```_
Web Interface Navigation
Admin UI Zugriff
```bash
Access GRR Admin UI
URL: http://localhost:8000 Username: admin Password: [configured password]
Main Interface Components
Hunt Manager: Create and manage hunts Host Information: Client details and status Flow Management: Individual client flows Artifact Collection: Predefined artifacts File Browser: Remote file system access Timeline: Event timeline analysis ```_
Kundenmanagement
```bash
Client Overview
Clients > All Clients Search clients by hostname, IP, or labels View client status and last seen time Access client details and system information
Client Labels
Add labels for organization Filter clients by labels Bulk operations on labeled clients Custom label management
Client Interrogation
Automatic client discovery System information collection Network configuration details Installed software inventory ```_
Ströme und Artefakte
Grundflüsse
```bash
File Collection
Flow: FileFinder Purpose: Search and collect files Parameters: Path patterns, conditions Output: File metadata and content
Registry Collection (Windows)
Flow: RegistryFinder Purpose: Collect registry keys/values Parameters: Registry paths, value names Output: Registry data and metadata
Process Listing
Flow: ListProcesses Purpose: Enumerate running processes Parameters: None required Output: Process list with details
Network Connections
Flow: Netstat Purpose: List network connections Parameters: Connection types Output: Active network connections
Memory Analysis
Flow: YaraProcessScan Purpose: Scan process memory with YARA Parameters: YARA rules, process list Output: YARA matches in memory ```_
Art der Sammlung
```bash
Predefined Artifacts
WindowsEventLogs: Windows event log files BrowserHistory: Web browser history WindowsRegistryProfiles: User profile registry LinuxAuditLogs: Linux audit log files MacOSApplications: macOS application list
Custom Artifacts
Create custom artifact definitions Define collection parameters Specify output formats Test artifact collection
Artifact Parameters
Source Type: File, Registry, Command, WMI Source Attributes: Paths, conditions, filters Supported OS: Windows, Linux, macOS Labels: Categorization and filtering ```_
Erweiterte Ströme
```bash
Timeline Collection
Flow: TimelineFlow Purpose: Create filesystem timeline Parameters: Root paths, time ranges Output: Comprehensive timeline data
Disk Image Collection
Flow: DiskImageFlow Purpose: Collect disk images Parameters: Device paths, compression Output: Forensic disk images
Memory Collection
Flow: MemoryCollector Purpose: Collect physical memory Parameters: Memory regions, compression Output: Memory dump files
Network Packet Capture
Flow: PacketCapture Purpose: Capture network traffic Parameters: Interface, filters, duration Output: PCAP files for analysis
YARA Scanning
Flow: YaraScan Purpose: Scan files with YARA rules Parameters: YARA rules, target paths Output: YARA rule matches ```_
Hunt Management
Hunts erstellen
```bash
Hunt Creation Process
- Navigate to Hunt Manager
- Click "New Hunt"
- Select hunt type and parameters
- Define client selection criteria
- Configure output settings
- Review and start hunt
Hunt Types
Generic Hunt: Custom flow execution File Hunt: File collection across clients Registry Hunt: Registry data collection YARA Hunt: YARA rule scanning Artifact Hunt: Predefined artifact collection
Client Selection
All Clients: Hunt across all clients Label-based: Target specific labels Rule-based: Complex selection criteria Manual: Specific client list ```_
Hunt Konfiguration
```bash
Hunt Parameters
Hunt Name: Descriptive hunt name Description: Hunt purpose and details Client Limit: Maximum target clients Client Rate: Clients per minute Expiry Time: Hunt expiration Output Plugins: Result processing
Flow Configuration
Flow Type: Selected flow for execution Flow Arguments: Flow-specific parameters Collection Parameters: What to collect Processing Options: How to process results
Advanced Options
Priority: Hunt execution priority Network Bytes Limit: Bandwidth control CPU Limit: Resource constraints Crash Limit: Error tolerance ```_
Jagdüberwachung
```bash
Hunt Status Monitoring
Hunt Progress: Completion percentage Client Status: Success/failure counts Error Analysis: Common error patterns Resource Usage: Network and CPU impact
Hunt Results
Result Overview: Summary statistics Client Results: Per-client outcomes Downloaded Files: Collected artifacts Error Logs: Detailed error information
Hunt Management
Pause Hunt: Temporarily stop execution Resume Hunt: Continue paused hunt Stop Hunt: Permanently end hunt Clone Hunt: Create similar hunt ```_
Forensische Analyse
Dateisystemanalyse
```bash
File Collection and Analysis
Collect files matching patterns Analyze file metadata and content Extract embedded artifacts Perform hash analysis Timeline correlation
Directory Traversal
Browse remote file systems Navigate directory structures View file properties and permissions Download files for analysis Search for specific file types
File Content Analysis
Preview file contents Extract metadata information Perform string searches Analyze file signatures Detect file type mismatches ```_
Registrierungsanalyse (Windows)
```bash
Registry Data Collection
Collect specific registry keys Export registry hives Analyze registry modifications Track configuration changes Identify persistence mechanisms
Common Registry Locations
HKLM\Software\Microsoft\Windows\CurrentVersion\Run HKCU\Software\Microsoft\Windows\CurrentVersion\Run HKLM\System\CurrentControlSet\Services HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Registry Analysis Techniques
Compare registry snapshots Identify unauthorized changes Track software installations Analyze user activity Detect malware persistence ```_
Speicheranalyse
```bash
Memory Collection
Collect physical memory dumps Extract process memory Analyze memory artifacts Identify injected code Detect rootkits and malware
Memory Analysis Flows
YaraProcessScan: YARA rule scanning ProcessMemory: Process memory dumps MemoryCollector: Full memory collection Volatility: Memory analysis framework StringSearch: String pattern matching
Memory Artifacts
Running processes and DLLs Network connections Registry keys in memory Cached files and data Encryption keys and passwords ```_
Netzwerkanalyse
```bash
Network Data Collection
Capture network traffic Analyze connection patterns Identify suspicious communications Extract network artifacts Correlate network events
Network Flows
Netstat: Active connections PacketCapture: Traffic capture NetworkInterfaces: Interface info DNSCache: DNS resolution cache ARPCache: ARP table entries
Network Analysis Techniques
Traffic pattern analysis Protocol analysis Malicious domain detection Data exfiltration identification Command and control detection ```_
Automatisierung und Schrift
GRR API Verwendung
```python
Python API Client
from grr_api_client import api
Connect to GRR server
grrapi = api.InitHttp(api_endpoint="http://localhost:8000", auth=("admin", "password"))
Search for clients
clients = grrapi.SearchClients("host:workstation")
Start flow on client
client = grrapi.Client("C.1234567890abcdef") flow = client.CreateFlow(name="FileFinder", args=\\{"paths": ["/etc/passwd"]\\})
Wait for flow completion
flow.WaitUntilDone()
Get flow results
results = flow.ListResults() for result in results: print(result.payload) ```_
Automatisierte Jagd
```python
Create automated hunt
hunt = grrapi.CreateHunt( flow_name="FileFinder", flow_args=\\{"paths": ["/tmp/*.exe"]\\}, client_rule_set=\\{"rules": [\\{"rule_type": "LABEL", "label": \\{"label_names": ["suspicious"]\\}\\}]\\} )
Start hunt
hunt.Start()
Monitor hunt progress
while hunt.data.state != "COMPLETED": time.sleep(30) hunt = grrapi.Hunt(hunt.hunt_id).Get() print(f"Hunt progress: \\{hunt.data.all_clients_count\\}")
Collect hunt results
results = hunt.ListResults() ```_
Kundenspezifische Artefakte
```python
Define custom artifact
artifact_definition = """ name: CustomLogFiles doc: Collect custom application logs sources: - type: FILE attributes: paths: - '/var/log/custom/.log' - '/opt/app/logs/.log' supported_os: [Linux] labels: [Logs, Custom] """
Upload artifact
grrapi.CreateArtifact(artifact_definition)
Use in hunt
hunt = grrapi.CreateHunt( flow_name="ArtifactCollectorFlow", flow_args=\\{"artifact_list": ["CustomLogFiles"]\\} ) ```_
Erweiterte Funktionen
YARA Integration
```bash
YARA Rule Management
Upload YARA rules to GRR Organize rules by categories Version control for rules Test rules before deployment
YARA Scanning Flows
YaraScan: File system scanning YaraProcessScan: Process memory scanning YaraMemoryScan: Full memory scanning
YARA Rule Examples
rule Malware_Detection \\{ strings: $api1 = "CreateRemoteThread" $api2 = "WriteProcessMemory" condition: all of them \\}
rule Suspicious_Network \\{ strings: $url = "http://malicious.com" $ip = "192.168.1.100" condition: any of them \\} ```_
Zeitanalyse
```bash
Timeline Creation
Collect filesystem timestamps Correlate events across sources Generate comprehensive timelines Export timeline data Analyze temporal patterns
Timeline Sources
File system metadata Registry modifications Event log entries Network connections Process execution
Timeline Analysis Techniques
Identify attack progression Correlate related events Detect time stomping Analyze user activity Reconstruct incident timeline ```_
Verteilte Analyse
```bash
Multi-Server Deployment
Frontend servers: Client communication Worker servers: Flow processing Admin UI servers: Web interface Database servers: Data storage
Load Balancing
Distribute client connections Balance processing workload Scale based on demand Monitor server performance
High Availability
Redundant server components Database replication Failover mechanisms Backup and recovery procedures ```_
Sicherheit und beste Praktiken
Zugriffskontrolle
```bash
User Management
Create user accounts Assign appropriate permissions Implement role-based access Monitor user activities Regular access reviews
Authentication
Strong password policies Multi-factor authentication Certificate-based authentication LDAP/Active Directory integration Session management
Authorization
Flow execution permissions Hunt creation rights Client access controls Data download restrictions Administrative privileges ```_
Datenschutz
```bash
Encryption
Client-server communication encryption Data at rest encryption Certificate management Key rotation procedures Secure key storage
Data Retention
Define retention policies Implement data purging Archive important data Comply with regulations Monitor storage usage
Privacy Considerations
Minimize data collection Anonymize sensitive data Implement data masking Regular privacy audits Compliance documentation ```_
Operationelle Sicherheit
```bash
Network Security
Firewall configuration Network segmentation VPN access requirements Intrusion detection Traffic monitoring
System Hardening
Operating system hardening Service configuration Regular security updates Vulnerability management Security monitoring
Incident Response
Incident detection procedures Response team coordination Evidence preservation Communication protocols Lessons learned documentation ```_
Fehlerbehebung
Gemeinsame Themen
```bash
Client Connection Problems
Check network connectivity Verify server URLs Review firewall rules Check certificate validity Examine client logs
Flow Execution Failures
Review flow parameters Check client permissions Verify target paths exist Monitor resource usage Analyze error messages
Performance Issues
Monitor server resources Check database performance Analyze network bandwidth Review client load Optimize hunt parameters
Database Problems
Check database connectivity Monitor database performance Review query optimization Verify data integrity Implement backup procedures ```_
Debugging Techniques
```bash
Log Analysis
Server logs: /var/log/grr/ Client logs: Platform-specific locations Database logs: MySQL/PostgreSQL logs Web server logs: Apache/Nginx logs
Debug Mode
Enable debug logging Increase log verbosity Monitor real-time logs Analyze error patterns Performance profiling
Network Debugging
Packet capture analysis Connection monitoring Bandwidth analysis Latency measurement Protocol debugging ```_
Leistungsoptimierung
```bash
Server Optimization
Increase worker processes Optimize database queries Implement caching Load balancing Resource monitoring
Client Optimization
Adjust flow parameters Implement rate limiting Optimize collection filters Monitor client resources Batch operations
Network Optimization
Compress data transfers Implement bandwidth limits Optimize communication protocols Use local caching Monitor network usage ```_
Ressourcen
- GRR Offizielle Dokumentation
- [GRR GitHub Repository](_LINK_5 -%20[GRR%20Benutzerhandbuch](_LINK_5 -%20GRR%20API%20Dokumentation
- Digitale Forensik mit GRR