IR 340: GRR Rapid Response (25 pts)

What You Need for this Project

Purpose

To install, configure, and apply GRR Rapid Response for common IR tasks.

Security Warning

The GRR server has administrative access to every client, and is therefore a high-value target for attackers.

In this project, we perform a sloppy installation to learn how the product works. In a real deployment, the server should be concealed behind a proxy, and secured in other ways, as explained here.


Task 1: Installing GRR Server

Installing MySQL

On your Linux server, in an SSH session, execute these commands:
sudo apt update
sudo apt install mysql-server -y
sudo mysql_secure_installation
When answering the questions, make these choices:

Creating the Database

On your Linux server, in an SSH session, execute this command:
sudo mysql -u root -p
Enter the password you chose, perhaps P@ssw0rd

Execute these commands:

SET GLOBAL max_allowed_packet=41943040;
CREATE USER 'grr'@'localhost' IDENTIFIED BY 'password';
CREATE DATABASE grr;
GRANT ALL ON grr.* TO 'grr'@'localhost';
flush privileges;
exit;
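A caveat on the SQL above: SET GLOBAL changes live only until mysqld restarts, and the grr user's password is the literal 'password'. The script below is an added example (not from the project page or the GRR project): it writes a persistent mysqld drop-in for max_allowed_packet and emits the same DDL with a generated password. It assumes Ubuntu's /etc/mysql/mysql.conf.d/ drop-in directory (override with MYSQL_CONF_DIR) and a systemd unit named mysql; gen_password is a hypothetical helper.

```shell
#!/bin/sh
# Added example, not from the original project page or the GRR project.
# Assumptions: Ubuntu's mysqld drop-in directory (MYSQL_CONF_DIR overrides it)
# and a systemd unit named "mysql".
set -u

# Render the drop-in that makes max_allowed_packet survive a MySQL restart
# (SET GLOBAL, as used interactively, does not persist).
render_mysqld_conf() {
    printf '[mysqld]\nmax_allowed_packet=%s\n' "${1:-41943040}"
}

# Hypothetical helper: 32 random alphanumeric characters from /dev/urandom.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}

# The project's DDL with the supplied password instead of the literal 'password'.
render_grr_sql() {
    pw="$1"
    cat <<EOF
CREATE USER 'grr'@'localhost' IDENTIFIED BY '${pw}';
CREATE DATABASE grr;
GRANT ALL ON grr.* TO 'grr'@'localhost';
FLUSH PRIVILEGES;
EOF
}

if [ "${1:-}" = "--apply" ]; then
    # Live mode: install the drop-in, restart MySQL, then create the user and database.
    conf_dir="${MYSQL_CONF_DIR:-/etc/mysql/mysql.conf.d}"
    render_mysqld_conf | sudo tee "${conf_dir}/grr.cnf" > /dev/null
    sudo systemctl restart mysql
    pw="$(gen_password)"
    # mysql -p prompts for the root password on the terminal; the SQL arrives on stdin.
    render_grr_sql "$pw" | sudo mysql -u root -p
    echo "GRR database password (enter it when the grr-server installer asks): ${pw}"
else
    # Demo mode: show what would be written without touching the system.
    render_mysqld_conf
    render_grr_sql "$(gen_password)"
fi
```

Run it with --apply on the server; keep the printed password, because the grr-server package installer asks for it in the next step.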

Installing GRR Server

On your Linux server, in an SSH session, execute these commands:
wget https://storage.googleapis.com/releases.grr-response.com/grr-server_3.4.0-1_amd64.deb

sudo apt install -y ./grr-server_3.4.0-1_amd64.deb
It asks some questions. Accept the defaults for everything except the MySQL password, the IP address, and the new password for 'admin'.

On your Linux server, in an SSH session, execute this command:

systemctl status grr-server
Your server should be "active".

Opening the Firewall

Make sure your server's firewall, such as Google Cloud Firewall, allows tcp 8000 traffic.
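Before opening the firewall to the world, it is worth checking what the fresh install actually exposes. The script below is an added example (not from the project page or the GRR project): it parses `ss -ltn` output, reports every listener on the Admin UI port, and warns when the socket is bound to all interfaces, which is exactly the case the Security Warning above is about. It assumes the Admin UI port is 8000 as in this project, that iproute2's `ss` is installed, and that the systemd unit is named grr-server; the sample socket table is constructed.

```shell
#!/bin/sh
# Added example, not from the original project page or the GRR project.
# Assumptions: Admin UI on TCP 8000, `ss` available, systemd unit "grr-server".
set -u

# Print the local address:port of every TCP listener on port $1, reading
# `ss -ltn` output from stdin. Pure text parsing, so it also runs on captured output.
listeners_on_port() {
    awk -v p="$1" '$1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) print $4 }'
}

# Classify a bind address: "exposed" (all interfaces), "loopback", or "specific".
bind_scope() {
    case "$1" in
        0.0.0.0:*|\*:*|\[::\]:*)   echo exposed ;;
        127.0.0.1:*|\[::1\]:*)     echo loopback ;;
        *)                         echo specific ;;
    esac
}

# Constructed sample of `ss -ltn` output for an install like this project's:
# MySQL on loopback only, the GRR Admin UI on every interface.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:3306    0.0.0.0:*
LISTEN 0      4096   0.0.0.0:8000      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*'

# Report each listener on the port; warn when it is reachable from everywhere.
report_port() {
    port="$1"
    found=0
    for addr in $(listeners_on_port "$port"); do
        found=1
        scope=$(bind_scope "$addr")
        if [ "$scope" = exposed ]; then
            echo "WARN: $addr listens on all interfaces; restrict the firewall rule to your own IP"
        else
            echo "OK: $addr ($scope)"
        fi
    done
    [ "$found" -eq 1 ] || echo "FAIL: nothing listening on port $port"
}

if [ "${1:-}" = "--live" ]; then
    # Live mode: query the real service state and socket table.
    if systemctl is-active --quiet grr-server; then
        echo "grr-server: active"
    else
        echo "grr-server: NOT active"
    fi
    ss -ltn | report_port 8000
else
    # Demo mode: run the same checks against the constructed sample.
    printf '%s\n' "$SAMPLE_SS" | report_port 8000
fi
```

Run it with --live on the server after `systemctl status grr-server` shows the unit active; a WARN line means the cloud firewall rule, not the bind address, is the only thing between the Admin UI and the Internet, so scope that rule to your own source IP rather than 0.0.0.0/0.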

Viewing the Management Page

In a Web browser, go to this URL, adjusting the IP address to the IP address of your GRR server:

http://35.202.126.83:8000

Log in with a username of admin and the admin password you chose earlier. The GRR management page appears, as shown below.

Troubleshooting: Resetting the Password

To reset the admin password, in an SSH session, execute this command:
sudo grr_config_updater update_user admin --password NewPassword


Task 2: Installing a Linux Client

Deploying a GRR Client

First, we'll put a client on the Linux GRR server itself.

In the GRR management page, on the left side, click Binaries, as shown below.

Download the Linux .deb file.

Upload it to your Linux server.

In an SSH session, execute this command:

sudo dpkg -i grr_3.4.0.1_amd64.deb
After the installation, in the GRR management page, hit Enter in the search box in the top right corner.

Your client appears, as shown below.


Task 3: Installing a Windows Client

In the GRR management page, on the left side, click Binaries.

Download the Windows client.

Run it on your Windows system.

After the installation, in the GRR management page, hit Enter in the search box in the top right corner.

Your second client appears, as shown below.

In the Subject line, click the long number on the second line.

More information about the client appears. Click the Interrogate button, as shown below.

On the right side, click the "Full details" button.

Flag IR 340.1: Client Name (5 pts)

The flag is the Client name, covered by a green rectangle in the image below.


Task 4: Virtual File System

With the Windows host selected, on the left side, click "Browse Virtual Filesystem".

Expand the fs container and click the os container.

In the center of the screen, click the icon with two curved arrows but no R, which refreshes the current directory.

The Windows volumes appear, including C:, as shown below.

Exploring the Registry

Expand containers in the Registry, as shown below.

Flag IR 340.2: Version (5 pts)

The flag is covered by a green rectangle in the image below.


Task 5: Flows

Flows run on the GRR server and call client actions. The client performs the actions asynchronously and responds to the server when it's ready.

With the Windows host selected, on the left side, click "Manage launched flows".

The flows that have been used so far appear, as shown below.

Creating an Artifact on the Client

On your Windows client, launch Notepad and type in TOPSECRET, as shown below.

Don't save the file.

Creating New Flows

In the "Host information" page, on the left side, click "Start new flows".

Expand the containers to see the flows available, as shown below.

Dumping Process Memory

In the Memory section, click "Process Dump".

On the right side, in the "Process regex" box, enter notepad, as shown in the image above.

Note that the process name must be in lowercase!

Click the green Launch button.

On the left side, click "Manage launched flows".

Click the DumpProcessMemory flow. Click the Log tab.

Flag IR 340.3: Message (5 pts)

The flag is covered by a green rectangle in the image below.
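Once a DumpProcessMemory flow has finished and you have the dump as a local file, the obvious next step is to look for the text that was typed into Notepad. A detail that trips people up: Notepad holds its buffer as UTF-16LE, so an ordinary search for TOPSECRET finds nothing until the NUL bytes between the characters are stripped. The script below is an added example (not from the project page or the GRR project) that demonstrates this on a constructed stand-in for a dump; pass a real dump path as the first argument to run it on your own file.

```shell
#!/bin/sh
# Added example, not from the original project page or the GRR project.
# Assumption: the dump to inspect is a local file (path given as $1); with no
# argument a constructed sample is used instead.
set -u

# Build a constructed stand-in for a dump: junk bytes, an ASCII string, then
# "TOPSECRET" encoded as UTF-16LE (each character followed by a NUL byte).
make_sample_dump() {
    printf 'junk\001\002hello world\003' > "$1"
    printf 'T\000O\000P\000S\000E\000C\000R\000E\000T\000' >> "$1"
    printf '\004more junk\n' >> "$1"
}

# Report how string $1 appears in file $2: "ascii", "utf16le" (found only after
# removing NUL bytes), or "none".
string_encoding() {
    if grep -a -q "$1" "$2"; then
        echo ascii
    elif tr -d '\000' < "$2" | grep -a -q "$1"; then
        echo utf16le
    else
        echo none
    fi
}

# Count occurrences of $1 in file $2 in either encoding (NULs stripped first).
count_string() {
    tr -d '\000' < "$2" | grep -a -o "$1" | wc -l | tr -d ' '
}

dump="${1:-}"
if [ -z "$dump" ]; then
    # Demo mode: no dump supplied, so use the constructed sample.
    dump=$(mktemp)
    make_sample_dump "$dump"
fi
for s in TOPSECRET hello; do
    echo "$s: $(string_encoding "$s" "$dump") ($(count_string "$s" "$dump") occurrence(s))"
done
[ -n "${1:-}" ] || rm -f "$dump"
```

The same NUL-stripping trick applies to any Windows GUI application, since most of them keep user-entered text in UTF-16; `strings` with its wide-character option does the equivalent when binutils is installed.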


Task 6: Hunts

Hunts are Flows that can run on many machines, so a GRR server can look for Indicators of Compromise on them efficiently.

Creating an Artifact on the Windows Client

On your Windows client, launch a Web browser and open this page, as shown below.

http://ad.samsclass.info/refresh.htm

This creates a persistent connection to my server.

Creating an Artifact on the Linux Server

On your Linux server, in an SSH session, execute these commands:
sudo apt update
sudo apt install netcat -y
nc ad.samsclass.info 80
Leave nc running, as shown below.

This creates a persistent connection to my server.

Creating a Hunt

In the GRR management page, on the left side, click Hunts.

Click the green plus-sign to create a new Hunt.

In the "New Hunt - What to run?" page, expand Network and click Netstat, as shown below.

Then click Next.

In the "New Hunt - Hunt parameters" page, enter a description, as shown below.

Then click Next.

In the "New Hunt - How to process results" page, click Next.

In the "New Hunt - Where to run?" page, click Next.

In the "New Hunt - Review" page, click "Create hunt".

In the "New Hunt - Result" page, click Done. The new Hunt appears in the list, as shown below.

Click the hunt and click the green arrow to start it.

Click Proceed.

Viewing the Results

In the Hunts page, at the bottom, click the Results tab, as shown below.

Flag IR 340.4: Filtered Results (10 pts)

Scroll down to the Filter box. Filter for this IP: 159.203.238.50

The flag is covered by a green rectangle in the image below.
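The filter you apply in the Results tab is a remote-address match over every client's connection table. The script below is an added example (not from the project page or the GRR project) that does the same thing locally over exported connection records, and goes one step further than the text by matching against a whole list of IoC addresses and counting hits per client. The record format is a constructed, simplified CSV (client,pid,process,local,remote,state), not GRR's own export format, and the client IDs are made up; the remote address 159.203.238.50 is the one the project filters for.

```shell
#!/bin/sh
# Added example, not from the original project page or the GRR project.
# Record format is a constructed CSV: client,pid,process,local,remote,state.
set -u

# Constructed sample: one Windows client (the browser tab) and one Linux client
# (the nc session) connected to 159.203.238.50, plus unrelated connections.
SAMPLE_NETSTAT='C.1a2b3c4d5e6f7a8b,1234,chrome.exe,10.0.0.5:51234,159.203.238.50:80,ESTABLISHED
C.1a2b3c4d5e6f7a8b,812,svchost.exe,10.0.0.5:49700,198.51.100.7:443,ESTABLISHED
C.9f8e7d6c5b4a3f2e,2201,nc,10.128.0.2:44410,159.203.238.50:80,ESTABLISHED
C.9f8e7d6c5b4a3f2e,900,sshd,10.128.0.2:22,203.0.113.9:55120,ESTABLISHED'

# Print client,pid,process for every record whose remote address is $1 (records on stdin).
# The port is stripped with a regex rather than split on ":", so bracketed IPv6 works too.
connections_to() {
    awk -F, -v ip="$1" '{ rem = $5; sub(/:[0-9]+$/, "", rem); if (rem == ip) print $1 "," $2 "," $3 }'
}

# Same idea for a list of IoC IPs (one per line in $1): print client,process,remote per hit.
match_iocs() {
    awk -F, -v list="$1" '
        BEGIN { n = split(list, a, "\n"); for (i = 1; i <= n; i++) if (a[i] != "") ioc[a[i]] = 1 }
        { rem = $5; sub(/:[0-9]+$/, "", rem); if (rem in ioc) print $1 "," $3 "," rem }'
}

# Count hits per client so a host with many IoC connections stands out.
hits_per_client() {
    awk -F, '{ c[$1]++ } END { for (k in c) print k "," c[k] }' | sort
}

# Constructed IoC list: the project's address plus a second one from a documentation range.
IOC_LIST='159.203.238.50
203.0.113.9'

echo "Connections to 159.203.238.50:"
printf '%s\n' "$SAMPLE_NETSTAT" | connections_to 159.203.238.50
echo "IoC hits per client:"
printf '%s\n' "$SAMPLE_NETSTAT" | match_iocs "$IOC_LIST" | hits_per_client
```

Feed it real data by replacing SAMPLE_NETSTAT with records exported from the hunt (mapped into the same six columns) and IOC_LIST with your indicator feed.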

References

Docs -- GRR on GitHub

Posted 6-18-2020