GRR Feuille de chaleur à réponse rapide
GRR L'intervention rapide est un cadre d'intervention en cas d'incident axé sur la médecine légale en direct à distance. Développé par Google, GRR permet aux enquêteurs de trier rapidement les attaques contre des milliers d'hôtes, de recueillir des preuves médico-légales et d'effectuer des analyses à distance sans avoir besoin d'un accès physique aux machines cibles. Il fournit une plate-forme puissante pour les interventions d'incidents à grande échelle et les opérations médico-légales numériques.
Installation et configuration
Installation du serveur
# Ubuntu/Debian Installation
sudo apt update
sudo apt install python3-pip python3-dev python3-venv
sudo apt install mysql-server mysql-client
sudo apt install build-essential libmysqlclient-dev
# Create GRR user
sudo useradd -r -s /bin/false grr
# Install GRR server
pip3 install grr-response-server
pip3 install grr-response-client
# Alternative: Install from source
git clone https://github.com/google/grr.git
cd grr
pip3 install -e .
Configuration de la base de données
# MySQL Configuration
sudo mysql -u root -p
CREATE DATABASE grr;
CREATE USER 'grr'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON grr.* TO 'grr'@'localhost';
FLUSH PRIVILEGES;
EXIT;
# Initialize GRR database
grr_config_updater initialize
# Set admin password
grr_config_updater add_user admin --password=adminpassword --admin
```_
### Configuration du serveur
```bash
# Generate server configuration
grr_config_updater generate_keys
# Configure server settings
grr_config_updater set_var Logging.domain localhost
grr_config_updater set_var Logging.path /var/log/grr
grr_config_updater set_var AdminUI.bind 0.0.0.0
grr_config_updater set_var AdminUI.port 8000
# Database configuration
grr_config_updater set_var Database.implementation mysql
grr_config_updater set_var Mysql.host localhost
grr_config_updater set_var Mysql.port 3306
grr_config_updater set_var Mysql.database_name grr
grr_config_updater set_var Mysql.database_username grr
grr_config_updater set_var Mysql.database_password password
```_
### Installation client
```bash
# Windows Client Installation
# Download GRR client installer
# Run as administrator: grr_client_installer.exe
# Linux Client Installation
sudo dpkg -i grr-client_*.deb
# Manual client installation
sudo python3 -m grr_response_client.client --config=/etc/grr/client.conf
# Client configuration
grr_config_updater set_var Client.server_urls http://grr-server:8080/
grr_config_updater set_var Client.control_urls http://grr-server:8080/control
Démarrage des services GRR
Composants du serveur
# Start GRR frontend
grr_server --component frontend
# Start GRR admin UI
grr_server --component admin_ui
# Start GRR worker
grr_server --component worker
# Start all components
grr_server --component frontend,admin_ui,worker
# Using systemd
sudo systemctl start grr-server
sudo systemctl enable grr-server
sudo systemctl status grr-server
Gestion des services
# Check service status
sudo systemctl status grr-server
sudo systemctl status grr-worker
sudo systemctl status grr-admin-ui
# View logs
sudo journalctl -u grr-server -f
sudo tail -f /var/log/grr/grr.log
# Restart services
sudo systemctl restart grr-server
sudo systemctl reload grr-server
Navigation de l'interface Web
Accès à l'interface utilisateur Admin
# Access GRR Admin UI
URL: http://localhost:8000
Username: admin
Password: [configured password]
# Main Interface Components
Hunt Manager: Create and manage hunts
Host Information: Client details and status
Flow Management: Individual client flows
Artifact Collection: Predefined artifacts
File Browser: Remote file system access
Timeline: Event timeline analysis
Gestion des clients
# Client Overview
Clients > All Clients
Search clients by hostname, IP, or labels
View client status and last seen time
Access client details and system information
# Client Labels
Add labels for organization
Filter clients by labels
Bulk operations on labeled clients
Custom label management
# Client Interrogation
Automatic client discovery
System information collection
Network configuration details
Installed software inventory
Flux et artéfacts
Flux de base
# File Collection
Flow: FileFinder
Purpose: Search and collect files
Parameters: Path patterns, conditions
Output: File metadata and content
# Registry Collection (Windows)
Flow: RegistryFinder
Purpose: Collect registry keys/values
Parameters: Registry paths, value names
Output: Registry data and metadata
# Process Listing
Flow: ListProcesses
Purpose: Enumerate running processes
Parameters: None required
Output: Process list with details
# Network Connections
Flow: Netstat
Purpose: List network connections
Parameters: Connection types
Output: Active network connections
# Memory Analysis
Flow: YaraProcessScan
Purpose: Scan process memory with YARA
Parameters: YARA rules, process list
Output: YARA matches in memory
Collection d'artéfacts
# Predefined Artifacts
WindowsEventLogs: Windows event log files
BrowserHistory: Web browser history
WindowsRegistryProfiles: User profile registry
LinuxAuditLogs: Linux audit log files
MacOSApplications: macOS application list
# Custom Artifacts
Create custom artifact definitions
Define collection parameters
Specify output formats
Test artifact collection
# Artifact Parameters
Source Type: File, Registry, Command, WMI
Source Attributes: Paths, conditions, filters
Supported OS: Windows, Linux, macOS
Labels: Categorization and filtering
Flux avancés
# Timeline Collection
Flow: TimelineFlow
Purpose: Create filesystem timeline
Parameters: Root paths, time ranges
Output: Comprehensive timeline data
# Disk Image Collection
Flow: DiskImageFlow
Purpose: Collect disk images
Parameters: Device paths, compression
Output: Forensic disk images
# Memory Collection
Flow: MemoryCollector
Purpose: Collect physical memory
Parameters: Memory regions, compression
Output: Memory dump files
# Network Packet Capture
Flow: PacketCapture
Purpose: Capture network traffic
Parameters: Interface, filters, duration
Output: PCAP files for analysis
# YARA Scanning
Flow: YaraScan
Purpose: Scan files with YARA rules
Parameters: YARA rules, target paths
Output: YARA rule matches
Gestion de la chasse
Création de chasseurs
# Hunt Creation Process
1. Navigate to Hunt Manager
2. Click "New Hunt"
3. Select hunt type and parameters
4. Define client selection criteria
5. Configure output settings
6. Review and start hunt
# Hunt Types
Generic Hunt: Custom flow execution
File Hunt: File collection across clients
Registry Hunt: Registry data collection
YARA Hunt: YARA rule scanning
Artifact Hunt: Predefined artifact collection
# Client Selection
All Clients: Hunt across all clients
Label-based: Target specific labels
Rule-based: Complex selection criteria
Manual: Specific client list
Configuration de chasse
# Hunt Parameters
Hunt Name: Descriptive hunt name
Description: Hunt purpose and details
Client Limit: Maximum target clients
Client Rate: Clients per minute
Expiry Time: Hunt expiration
Output Plugins: Result processing
# Flow Configuration
Flow Type: Selected flow for execution
Flow Arguments: Flow-specific parameters
Collection Parameters: What to collect
Processing Options: How to process results
# Advanced Options
Priority: Hunt execution priority
Network Bytes Limit: Bandwidth control
CPU Limit: Resource constraints
Crash Limit: Error tolerance
Surveillance de la chasse
# Hunt Status Monitoring
Hunt Progress: Completion percentage
Client Status: Success/failure counts
Error Analysis: Common error patterns
Resource Usage: Network and CPU impact
# Hunt Results
Result Overview: Summary statistics
Client Results: Per-client outcomes
Downloaded Files: Collected artifacts
Error Logs: Detailed error information
# Hunt Management
Pause Hunt: Temporarily stop execution
Resume Hunt: Continue paused hunt
Stop Hunt: Permanently end hunt
Clone Hunt: Create similar hunt
Analyse médico-légale
Analyse du système de fichiers
# File Collection and Analysis
Collect files matching patterns
Analyze file metadata and content
Extract embedded artifacts
Perform hash analysis
Timeline correlation
# Directory Traversal
Browse remote file systems
Navigate directory structures
View file properties and permissions
Download files for analysis
Search for specific file types
# File Content Analysis
Preview file contents
Extract metadata information
Perform string searches
Analyze file signatures
Detect file type mismatches
Analyse du registre (Windows)
# Registry Data Collection
Collect specific registry keys
Export registry hives
Analyze registry modifications
Track configuration changes
Identify persistence mechanisms
# Common Registry Locations
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\System\CurrentControlSet\Services
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
# Registry Analysis Techniques
Compare registry snapshots
Identify unauthorized changes
Track software installations
Analyze user activity
Detect malware persistence
Analyse de la mémoire
# Memory Collection
Collect physical memory dumps
Extract process memory
Analyze memory artifacts
Identify injected code
Detect rootkits and malware
# Memory Analysis Flows
YaraProcessScan: YARA rule scanning
ProcessMemory: Process memory dumps
MemoryCollector: Full memory collection
Volatility: Memory analysis framework
StringSearch: String pattern matching
# Memory Artifacts
Running processes and DLLs
Network connections
Registry keys in memory
Cached files and data
Encryption keys and passwords
Analyse des réseaux
# Network Data Collection
Capture network traffic
Analyze connection patterns
Identify suspicious communications
Extract network artifacts
Correlate network events
# Network Flows
Netstat: Active connections
PacketCapture: Traffic capture
NetworkInterfaces: Interface info
DNSCache: DNS resolution cache
ARPCache: ARP table entries
# Network Analysis Techniques
Traffic pattern analysis
Protocol analysis
Malicious domain detection
Data exfiltration identification
Command and control detection
Automatisation et écriture
API GRR Utilisation
# Python API Client
from grr_api_client import api
# Connect to GRR server
grrapi = api.InitHttp(api_endpoint="http://localhost:8000",
auth=("admin", "password"))
# Search for clients
clients = grrapi.SearchClients("host:workstation")
# Start flow on client
client = grrapi.Client("C.1234567890abcdef")
flow = client.CreateFlow(name="FileFinder",
args=\\\\{"paths": ["/etc/passwd"]\\\\})
# Wait for flow completion
flow.WaitUntilDone()
# Get flow results
results = flow.ListResults()
for result in results:
print(result.payload)
Chasses automatiques
# Create automated hunt
hunt = grrapi.CreateHunt(
flow_name="FileFinder",
flow_args=\\\\{"paths": ["/tmp/*.exe"]\\\\},
client_rule_set=\\\\{"rules": [\\\\{"rule_type": "LABEL",
"label": \\\\{"label_names": ["suspicious"]\\\\}\\\\}]\\\\}
)
# Start hunt
hunt.Start()
# Monitor hunt progress
while hunt.data.state != "COMPLETED":
time.sleep(30)
hunt = grrapi.Hunt(hunt.hunt_id).Get()
print(f"Hunt progress: \\\\{hunt.data.all_clients_count\\\\}")
# Collect hunt results
results = hunt.ListResults()
Artefacts personnalisés
# Define custom artifact
artifact_definition = """
name: CustomLogFiles
doc: Collect custom application logs
sources:
- type: FILE
attributes:
paths:
- '/var/log/custom/*.log'
- '/opt/app/logs/*.log'
supported_os: [Linux]
labels: [Logs, Custom]
"""
# Upload artifact
grrapi.CreateArtifact(artifact_definition)
# Use in hunt
hunt = grrapi.CreateHunt(
flow_name="ArtifactCollectorFlow",
flow_args=\\\\{"artifact_list": ["CustomLogFiles"]\\\\}
)
Caractéristiques avancées
YARA Intégration
# YARA Rule Management
Upload YARA rules to GRR
Organize rules by categories
Version control for rules
Test rules before deployment
# YARA Scanning Flows
YaraScan: File system scanning
YaraProcessScan: Process memory scanning
YaraMemoryScan: Full memory scanning
# YARA Rule Examples
rule Malware_Detection \\\\{
strings:
$api1 = "CreateRemoteThread"
$api2 = "WriteProcessMemory"
condition:
all of them
\\\\}
rule Suspicious_Network \\\\{
strings:
$url = "http://malicious.com"
$ip = "192.168.1.100"
condition:
any of them
\\\\}
Analyse chronologique
# Timeline Creation
Collect filesystem timestamps
Correlate events across sources
Generate comprehensive timelines
Export timeline data
Analyze temporal patterns
# Timeline Sources
File system metadata
Registry modifications
Event log entries
Network connections
Process execution
# Timeline Analysis Techniques
Identify attack progression
Correlate related events
Detect time stomping
Analyze user activity
Reconstruct incident timeline
Analyse distribuée
# Multi-Server Deployment
Frontend servers: Client communication
Worker servers: Flow processing
Admin UI servers: Web interface
Database servers: Data storage
# Load Balancing
Distribute client connections
Balance processing workload
Scale based on demand
Monitor server performance
# High Availability
Redundant server components
Database replication
Failover mechanisms
Backup and recovery procedures
Sécurité et pratiques exemplaires
Contrôle d'accès
# User Management
Create user accounts
Assign appropriate permissions
Implement role-based access
Monitor user activities
Regular access reviews
# Authentication
Strong password policies
Multi-factor authentication
Certificate-based authentication
LDAP/Active Directory integration
Session management
# Authorization
Flow execution permissions
Hunt creation rights
Client access controls
Data download restrictions
Administrative privileges
Protection des données
# Encryption
Client-server communication encryption
Data at rest encryption
Certificate management
Key rotation procedures
Secure key storage
# Data Retention
Define retention policies
Implement data purging
Archive important data
Comply with regulations
Monitor storage usage
# Privacy Considerations
Minimize data collection
Anonymize sensitive data
Implement data masking
Regular privacy audits
Compliance documentation
Sécurité opérationnelle
# Network Security
Firewall configuration
Network segmentation
VPN access requirements
Intrusion detection
Traffic monitoring
# System Hardening
Operating system hardening
Service configuration
Regular security updates
Vulnerability management
Security monitoring
# Incident Response
Incident detection procedures
Response team coordination
Evidence preservation
Communication protocols
Lessons learned documentation
Dépannage
Questions communes
# Client Connection Problems
Check network connectivity
Verify server URLs
Review firewall rules
Check certificate validity
Examine client logs
# Flow Execution Failures
Review flow parameters
Check client permissions
Verify target paths exist
Monitor resource usage
Analyze error messages
# Performance Issues
Monitor server resources
Check database performance
Analyze network bandwidth
Review client load
Optimize hunt parameters
# Database Problems
Check database connectivity
Monitor database performance
Review query optimization
Verify data integrity
Implement backup procedures
Techniques de débogage
# Log Analysis
Server logs: /var/log/grr/
Client logs: Platform-specific locations
Database logs: MySQL/PostgreSQL logs
Web server logs: Apache/Nginx logs
# Debug Mode
Enable debug logging
Increase log verbosity
Monitor real-time logs
Analyze error patterns
Performance profiling
# Network Debugging
Packet capture analysis
Connection monitoring
Bandwidth analysis
Latency measurement
Protocol debugging
Optimisation des performances
# Server Optimization
Increase worker processes
Optimize database queries
Implement caching
Load balancing
Resource monitoring
# Client Optimization
Adjust flow parameters
Implement rate limiting
Optimize collection filters
Monitor client resources
Batch operations
# Network Optimization
Compress data transfers
Implement bandwidth limits
Optimize communication protocols
Use local caching
Monitor network usage
Ressources
- [Documentation officielle du GRR] (LINK_5)
- [GRR GitHub Repository] (LINK_5)
- [Manuel de l'utilisateur du GRR] (LINK_5)
- Documentation de l'API GRR
- [Digital Forensics with GRR] (LINK_5)