Sunday, August 11, 2019

CyLR — Live Response Collection tool

CyLR — Live Response Collection tool by Alan Orlikoski and Jason Yegge
Windows exe found at:



https://github.com/orlikoski/CyLR/releases

and

https://github.com/orlikoski/CyLR





CyLR was first brought to my attention from the SANS "FOR500: Windows Forensic Analysis"
course.
Used for collection and artifact processing.

FOR ARTIFACTS COLLECTION
This tool looks in:

Windows Default
  • System Level Artifacts
    • %SYSTEMROOT%\SchedLgU.Txt
    • %SYSTEMROOT%\Tasks
    • %SYSTEMROOT%\Prefetch
    • %SYSTEMROOT%\Appcompat\Programs
    • %SYSTEMROOT%\System32\drivers\etc\hosts
    • %SYSTEMROOT%\System32\winevt\logs
    • %SYSTEMROOT%\System32\Tasks
    • %SYSTEMROOT%\System32\LogFiles\W3SVC1
    • %SYSTEMROOT%\System32\config\"REGISTRY HIVES"
    • %PROGRAMDATA%
    • %SystemDrive%$Recycle.Bin
    • %SystemDrive%$LogFile
    • %SystemDrive%$MFT
  • Artifacts For All Users
    • {user.ProfilePath}\NTUSER.DAT and \AppData

*Among other places and other locations for linux and macOS shown on the github page





Simulating Collecting on Remote System

The above diagram simulates as an admin remoting into a Desktop, running CyLR and sending the results to a SFTP server for retrieval






























1. SETTING UP THE SFTP SERVICE IN WINDOWS

Open Start menu.
Type Apps.
Click on Apps & features.
Under “Apps & features,” click the Manage optional features link. 
Apps & features settings.
Click the Add a feature button. Manage optional features on Windows 10.
Select the OpenSSH Server option.
Select Install


May need to start service 

 Control Panel > System and Security > Administrative Tools and open Services.
Start OpenSSH SSH Server service


May need to Set up Firewall exceptions
Allow incoming connections to SSH server in Windows Firewall:
  • Either run the following PowerShell command (Windows 8 and 2012 or newer only), as the Administrator: 
    New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH SSH Server' -Enabled True -DirectionInbound -Protocol TCP -Action Allow -LocalPort 22
  • or go to Control Panel > System and Security > Windows Firewall1 > Advanced Settings > Inbound Rules and add a new rule for port 22.


May need to generate a keypair
 In WinSCP can select advanced settings > Authenitcation > Tools Generate New Key Pair with PuTTYgen
Or can use OpenSSH-Win64 "ssh-keygen.exe"




2.  COPYING CyLR.exe TO REMOTE DESKTOP

$s = New-PSSession -Computername DESKTOP-REMOTE -Credential Win10
s$ is the variable.  For the creation of a powershell session to the remote host.  Ideally using admin credentials




Prompt for credentials



3. COPYING CyLR to remote host in session with powershell:


Copy-Item –Path C:\USERS\Win10\Desktop\CyLR_win-x64\CyLR.exe –Destination 'C:\' ToSession $s

Using the previously created "$s" session to copy to the C: drive of the target







4. Enter session with powershell:
Enter-PSSession -Session $s
5. Run CyLR and point to SFTP server's IP address:
C:\CyLR.exe -u SFTP_Server -p password -s 192.168.28.128
Using the parameter to point to the SFTP server.  *Not recommended to use "password" as password






RUNNING


 
 






5. Verifying results on the SFTP server





























RESULTS include:





 

 
Contains "NTUSER.dat registry hive for each user








In conclusion:
I think CyLR is a neat tool and can potentially be used by a IR shop to collect relative artifacts.  May try it on a Mac and/or Linux host and see what it retrieves.

Also looking to try out Eric Zimmerman's KAPE(Kroll Artifact Parser and Extractor) tool to simulate a remote collection.
https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape


--Bryan

Referenced:

Sectechno. (2018, October 10). CyLR - Live Response Collection Tool. Retrieved from http://www.sectechno.com/cylr-live-response-collection-tool/

Orlikoski. (2019, March 18). Orlikoski/CyLR. Retrieved from https://github.com/orlikoski/CyLR









No comments:

Post a Comment