Zum Inhalt

GRÜN Schnelle Antwort Cheatsheet

generieren

GRÜN Rapid Response ist ein Vorfall-Antwort-Framework, das sich auf Remote Live-Forensics konzentriert. Entwickelt von Google ermöglicht GRR den Ermittlern, schnell Angriffe auf Tausende von Wirten zu versuchen, forensische Beweise zu sammeln und Analyse remote durchzuführen, ohne physischen Zugriff auf Zielmaschinen zu benötigen. Es bietet eine leistungsfähige Plattform für groß angelegte Zwischenfälle und digitale Forensik-Operationen.

Installation und Inbetriebnahme

Server Installation

```bash

Ubuntu/Debian Installation

sudo apt update sudo apt install python3-pip python3-dev python3-venv sudo apt install mysql-server mysql-client sudo apt install build-essential libmysqlclient-dev

Create GRR user

sudo useradd -r -s /bin/false grr

Install GRR server

pip3 install grr-response-server pip3 install grr-response-client

Alternative: Install from source

git clone https://github.com/google/grr.git cd grr pip3 install -e . ```_

Datenbank Setup

```bash

MySQL Configuration

sudo mysql -u root -p

CREATE DATABASE grr; CREATE USER 'grr'@'localhost' IDENTIFIED BY 'password'; GRANT ALL PRIVILEGES ON grr.* TO 'grr'@'localhost'; FLUSH PRIVILEGES; EXIT;

Initialize GRR database

grr_config_updater initialize

Set admin password

grr_config_updater add_user admin --password=adminpassword --admin ```_

Serverkonfiguration

```bash

Generate server configuration

grr_config_updater generate_keys

Configure server settings

grr_config_updater set_var Logging.domain localhost grr_config_updater set_var Logging.path /var/log/grr grr_config_updater set_var AdminUI.bind 0.0.0.0 grr_config_updater set_var AdminUI.port 8000

Database configuration

grr_config_updater set_var Database.implementation mysql grr_config_updater set_var Mysql.host localhost grr_config_updater set_var Mysql.port 3306 grr_config_updater set_var Mysql.database_name grr grr_config_updater set_var Mysql.database_username grr grr_config_updater set_var Mysql.database_password password ```_

Client Installation

```bash

Windows Client Installation

Download GRR client installer

Run as administrator: grr_client_installer.exe

Linux Client Installation

sudo dpkg -i grr-client_*.deb

Manual client installation

sudo python3 -m grr_response_client.client --config=/etc/grr/client.conf

Client configuration

grr_config_updater set_var Client.server_urls http://grr-server:8080/ grr_config_updater set_var Client.control_urls http://grr-server:8080/control ```_

GRR Services starten

Serverkomponenten

```bash

Start GRR frontend

grr_server --component frontend

Start GRR admin UI

grr_server --component admin_ui

Start GRR worker

grr_server --component worker

Start all components

grr_server --component frontend,admin_ui,worker

Using systemd

sudo systemctl start grr-server sudo systemctl enable grr-server sudo systemctl status grr-server ```_

Service Management

```bash

Check service status

sudo systemctl status grr-server sudo systemctl status grr-worker sudo systemctl status grr-admin-ui

View logs

sudo journalctl -u grr-server -f sudo tail -f /var/log/grr/grr.log

Restart services

sudo systemctl restart grr-server sudo systemctl reload grr-server ```_

Web Interface Navigation

Admin UI Zugriff

```bash

Access GRR Admin UI

URL: http://localhost:8000 Username: admin Password: [configured password]

Main Interface Components

Hunt Manager: Create and manage hunts Host Information: Client details and status Flow Management: Individual client flows Artifact Collection: Predefined artifacts File Browser: Remote file system access Timeline: Event timeline analysis ```_

Kundenmanagement

```bash

Client Overview

Clients > All Clients Search clients by hostname, IP, or labels View client status and last seen time Access client details and system information

Client Labels

Add labels for organization Filter clients by labels Bulk operations on labeled clients Custom label management

Client Interrogation

Automatic client discovery System information collection Network configuration details Installed software inventory ```_

Ströme und Artefakte

Grundflüsse

```bash

File Collection

Flow: FileFinder Purpose: Search and collect files Parameters: Path patterns, conditions Output: File metadata and content

Registry Collection (Windows)

Flow: RegistryFinder Purpose: Collect registry keys/values Parameters: Registry paths, value names Output: Registry data and metadata

Process Listing

Flow: ListProcesses Purpose: Enumerate running processes Parameters: None required Output: Process list with details

Network Connections

Flow: Netstat Purpose: List network connections Parameters: Connection types Output: Active network connections

Memory Analysis

Flow: YaraProcessScan Purpose: Scan process memory with YARA Parameters: YARA rules, process list Output: YARA matches in memory ```_

Art der Sammlung

```bash

Predefined Artifacts

WindowsEventLogs: Windows event log files BrowserHistory: Web browser history WindowsRegistryProfiles: User profile registry LinuxAuditLogs: Linux audit log files MacOSApplications: macOS application list

Custom Artifacts

Create custom artifact definitions Define collection parameters Specify output formats Test artifact collection

Artifact Parameters

Source Type: File, Registry, Command, WMI Source Attributes: Paths, conditions, filters Supported OS: Windows, Linux, macOS Labels: Categorization and filtering ```_

Erweiterte Ströme

```bash

Timeline Collection

Flow: TimelineFlow Purpose: Create filesystem timeline Parameters: Root paths, time ranges Output: Comprehensive timeline data

Disk Image Collection

Flow: DiskImageFlow Purpose: Collect disk images Parameters: Device paths, compression Output: Forensic disk images

Memory Collection

Flow: MemoryCollector Purpose: Collect physical memory Parameters: Memory regions, compression Output: Memory dump files

Network Packet Capture

Flow: PacketCapture Purpose: Capture network traffic Parameters: Interface, filters, duration Output: PCAP files for analysis

YARA Scanning

Flow: YaraScan Purpose: Scan files with YARA rules Parameters: YARA rules, target paths Output: YARA rule matches ```_

Hunt Management

Hunts erstellen

```bash

Hunt Creation Process

  1. Navigate to Hunt Manager
  2. Click "New Hunt"
  3. Select hunt type and parameters
  4. Define client selection criteria
  5. Configure output settings
  6. Review and start hunt

Hunt Types

Generic Hunt: Custom flow execution File Hunt: File collection across clients Registry Hunt: Registry data collection YARA Hunt: YARA rule scanning Artifact Hunt: Predefined artifact collection

Client Selection

All Clients: Hunt across all clients Label-based: Target specific labels Rule-based: Complex selection criteria Manual: Specific client list ```_

Hunt Konfiguration

```bash

Hunt Parameters

Hunt Name: Descriptive hunt name Description: Hunt purpose and details Client Limit: Maximum target clients Client Rate: Clients per minute Expiry Time: Hunt expiration Output Plugins: Result processing

Flow Configuration

Flow Type: Selected flow for execution Flow Arguments: Flow-specific parameters Collection Parameters: What to collect Processing Options: How to process results

Advanced Options

Priority: Hunt execution priority Network Bytes Limit: Bandwidth control CPU Limit: Resource constraints Crash Limit: Error tolerance ```_

Jagdüberwachung

```bash

Hunt Status Monitoring

Hunt Progress: Completion percentage Client Status: Success/failure counts Error Analysis: Common error patterns Resource Usage: Network and CPU impact

Hunt Results

Result Overview: Summary statistics Client Results: Per-client outcomes Downloaded Files: Collected artifacts Error Logs: Detailed error information

Hunt Management

Pause Hunt: Temporarily stop execution Resume Hunt: Continue paused hunt Stop Hunt: Permanently end hunt Clone Hunt: Create similar hunt ```_

Forensische Analyse

Dateisystemanalyse

```bash

File Collection and Analysis

Collect files matching patterns Analyze file metadata and content Extract embedded artifacts Perform hash analysis Timeline correlation

Directory Traversal

Browse remote file systems Navigate directory structures View file properties and permissions Download files for analysis Search for specific file types

File Content Analysis

Preview file contents Extract metadata information Perform string searches Analyze file signatures Detect file type mismatches ```_

Registrierungsanalyse (Windows)

```bash

Registry Data Collection

Collect specific registry keys Export registry hives Analyze registry modifications Track configuration changes Identify persistence mechanisms

Common Registry Locations

HKLM\Software\Microsoft\Windows\CurrentVersion\Run HKCU\Software\Microsoft\Windows\CurrentVersion\Run HKLM\System\CurrentControlSet\Services HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Registry Analysis Techniques

Compare registry snapshots Identify unauthorized changes Track software installations Analyze user activity Detect malware persistence ```_

Speicheranalyse

```bash

Memory Collection

Collect physical memory dumps Extract process memory Analyze memory artifacts Identify injected code Detect rootkits and malware

Memory Analysis Flows

YaraProcessScan: YARA rule scanning ProcessMemory: Process memory dumps MemoryCollector: Full memory collection Volatility: Memory analysis framework StringSearch: String pattern matching

Memory Artifacts

Running processes and DLLs Network connections Registry keys in memory Cached files and data Encryption keys and passwords ```_

Netzwerkanalyse

```bash

Network Data Collection

Capture network traffic Analyze connection patterns Identify suspicious communications Extract network artifacts Correlate network events

Network Flows

Netstat: Active connections PacketCapture: Traffic capture NetworkInterfaces: Interface info DNSCache: DNS resolution cache ARPCache: ARP table entries

Network Analysis Techniques

Traffic pattern analysis Protocol analysis Malicious domain detection Data exfiltration identification Command and control detection ```_

Automatisierung und Schrift

GRR API Verwendung

```python

Python API Client

from grr_api_client import api

Connect to GRR server

grrapi = api.InitHttp(api_endpoint="http://localhost:8000", auth=("admin", "password"))

Search for clients

clients = grrapi.SearchClients("host:workstation")

Start flow on client

client = grrapi.Client("C.1234567890abcdef") flow = client.CreateFlow(name="FileFinder", args=\\{"paths": ["/etc/passwd"]\\})

Wait for flow completion

flow.WaitUntilDone()

Get flow results

results = flow.ListResults() for result in results: print(result.payload) ```_

Automatisierte Jagd

```python

Create automated hunt

hunt = grrapi.CreateHunt( flow_name="FileFinder", flow_args=\\{"paths": ["/tmp/*.exe"]\\}, client_rule_set=\\{"rules": [\\{"rule_type": "LABEL", "label": \\{"label_names": ["suspicious"]\\}\\}]\\} )

Start hunt

hunt.Start()

Monitor hunt progress

while hunt.data.state != "COMPLETED": time.sleep(30) hunt = grrapi.Hunt(hunt.hunt_id).Get() print(f"Hunt progress: \\{hunt.data.all_clients_count\\}")

Collect hunt results

results = hunt.ListResults() ```_

Kundenspezifische Artefakte

```python

Define custom artifact

artifact_definition = """ name: CustomLogFiles doc: Collect custom application logs sources: - type: FILE attributes: paths: - '/var/log/custom/.log' - '/opt/app/logs/.log' supported_os: [Linux] labels: [Logs, Custom] """

Upload artifact

grrapi.CreateArtifact(artifact_definition)

Use in hunt

hunt = grrapi.CreateHunt( flow_name="ArtifactCollectorFlow", flow_args=\\{"artifact_list": ["CustomLogFiles"]\\} ) ```_

Erweiterte Funktionen

YARA Integration

```bash

YARA Rule Management

Upload YARA rules to GRR Organize rules by categories Version control for rules Test rules before deployment

YARA Scanning Flows

YaraScan: File system scanning YaraProcessScan: Process memory scanning YaraMemoryScan: Full memory scanning

YARA Rule Examples

rule Malware_Detection \\{ strings: $api1 = "CreateRemoteThread" $api2 = "WriteProcessMemory" condition: all of them \\}

rule Suspicious_Network \\{ strings: $url = "http://malicious.com" $ip = "192.168.1.100" condition: any of them \\} ```_

Zeitanalyse

```bash

Timeline Creation

Collect filesystem timestamps Correlate events across sources Generate comprehensive timelines Export timeline data Analyze temporal patterns

Timeline Sources

File system metadata Registry modifications Event log entries Network connections Process execution

Timeline Analysis Techniques

Identify attack progression Correlate related events Detect time stomping Analyze user activity Reconstruct incident timeline ```_

Verteilte Analyse

```bash

Multi-Server Deployment

Frontend servers: Client communication Worker servers: Flow processing Admin UI servers: Web interface Database servers: Data storage

Load Balancing

Distribute client connections Balance processing workload Scale based on demand Monitor server performance

High Availability

Redundant server components Database replication Failover mechanisms Backup and recovery procedures ```_

Sicherheit und beste Praktiken

Zugriffskontrolle

```bash

User Management

Create user accounts Assign appropriate permissions Implement role-based access Monitor user activities Regular access reviews

Authentication

Strong password policies Multi-factor authentication Certificate-based authentication LDAP/Active Directory integration Session management

Authorization

Flow execution permissions Hunt creation rights Client access controls Data download restrictions Administrative privileges ```_

Datenschutz

```bash

Encryption

Client-server communication encryption Data at rest encryption Certificate management Key rotation procedures Secure key storage

Data Retention

Define retention policies Implement data purging Archive important data Comply with regulations Monitor storage usage

Privacy Considerations

Minimize data collection Anonymize sensitive data Implement data masking Regular privacy audits Compliance documentation ```_

Operationelle Sicherheit

```bash

Network Security

Firewall configuration Network segmentation VPN access requirements Intrusion detection Traffic monitoring

System Hardening

Operating system hardening Service configuration Regular security updates Vulnerability management Security monitoring

Incident Response

Incident detection procedures Response team coordination Evidence preservation Communication protocols Lessons learned documentation ```_

Fehlerbehebung

Gemeinsame Themen

```bash

Client Connection Problems

Check network connectivity Verify server URLs Review firewall rules Check certificate validity Examine client logs

Flow Execution Failures

Review flow parameters Check client permissions Verify target paths exist Monitor resource usage Analyze error messages

Performance Issues

Monitor server resources Check database performance Analyze network bandwidth Review client load Optimize hunt parameters

Database Problems

Check database connectivity Monitor database performance Review query optimization Verify data integrity Implement backup procedures ```_

Debugging Techniques

```bash

Log Analysis

Server logs: /var/log/grr/ Client logs: Platform-specific locations Database logs: MySQL/PostgreSQL logs Web server logs: Apache/Nginx logs

Debug Mode

Enable debug logging Increase log verbosity Monitor real-time logs Analyze error patterns Performance profiling

Network Debugging

Packet capture analysis Connection monitoring Bandwidth analysis Latency measurement Protocol debugging ```_

Leistungsoptimierung

```bash

Server Optimization

Increase worker processes Optimize database queries Implement caching Load balancing Resource monitoring

Client Optimization

Adjust flow parameters Implement rate limiting Optimize collection filters Monitor client resources Batch operations

Network Optimization

Compress data transfers Implement bandwidth limits Optimize communication protocols Use local caching Monitor network usage ```_

Ressourcen