DAAM - Dump And Analyse Memory Fixlet


Description

DAAM - Dump And Analyse Memory

----------------------------------------------------------------------------------------------------------------------------------------------------------------
This task dumps the physical memory of the endpoint and analyses the dump locally. Optionally, the memory dump and the analysis results can be uploaded to the central BigFix server for in-depth analysis.
--------------------------------------------------------------------------------
IMPORTANT DAAM INFORMATION:

A memory dump can be as large as the endpoint's physical RAM. Depending on the size of the dump, the following BigFix relay settings have to be raised in your infrastructure before the upload will succeed:
1. _BESRelay_UploadManager_BufferDirectoryMaxSize
2. _BESRelay_UploadManager_CompressedFileMaxSize
Further settings might have to be adjusted to make the upload work in your environment.

Please have a look at the "Upload and Archive Manager" documentation for further details:
http://support.bigfix.com/product/documents/Upload_Archive_Manager_80_101211.pdf

Please note:
- The applicability relevance of this task only checks for 4493640 bytes (about 4.5 MB, twice the WinPMem download size) of free disk space on the client drive. It does not check that C:\daam has room for a RAM-sized dump, so verify free space yourself before targeting endpoints with a lot of memory.
- run.bat sets SWDExitCode=0 unconditionally, so the action reports success even when WinPMem or Rekall fails. Check the command output in the SWD log (SWD_DeploymentResults.log under __Global/SWDDeployData) rather than relying on the action status.
- The dump contains everything that was in memory, including credentials, tokens and keys. Restrict access to C:\daam on the endpoint (previous dumps are kept in C:\daam_archived_<timestamp> and are not uploaded) and to the buffer directory on the server, and delete the dumps once the investigation is complete.

Please activate the "DAAM - Dump And Analyse Memory" analysis to show the analysis results in the BigFix console.

The upload can be tracked live by monitoring the client setting "__BESClient_UploadManager_Progress", e.g. via the Query dashboard in the WebUI.
Relevance to use: value of setting "__BESClient_UploadManager_Progress" of client as string

The uploaded dumps and analysis files will be stored in the buffer directory (corresponding client subdirectory) of the central BigFix server:
Default path on Windows:
C:\Program Files (x86)\BigFix Enterprise\BES Server\UploadManagerData\BufferDir\sha1

--------------------------------------------------------------------------------

Version: 1.0 Beta
Last Change: 2016/12/16 13:37

Supported OS:
- Microsoft Windows x86_64

Tool to dump memory:
- Windows: WinPMem from the Rekall toolkit: http://www.rekall-forensic.com/

Tool to analyse memory:
- Windows: Rekall: http://www.rekall-forensic.com/

Run Command As: System User
Download Size: 22,076.2 KB
--------------------------------------------------------------------------------
Author: Raphael Eichinger / IBM
Twitter: https://twitter.com/freebitflow
Youtube: https://www.youtube.com/user/RaphaelEichinger
LinkedIn: http://www.linkedin.com/pub/dir/raphael/eichinger
XING: http://www.xing.com/profile/Raphael_Eichinger
--------------------------------------------------------------------------------------------------------------------------------


Property Details

ID: 24025
Status: Beta - Preliminary testing ready for more
Title: DAAM - Dump And Analyse Memory Fixlet
Domain: BESC
Category: IT Forensics
Download Size: 22076289
Source: <Unspecified>
Source ID: <Unspecified>
Source Severity: <Unspecified>
Source Release Date: 12/31/2016 12:00:00 AM
CVE Names: <Unspecified>
SANS ID: <Unspecified>
Keywords: memory dump, forensics, rekall framework, daam
Is Task: True
Added by on 4/12/2017 5:45:52 AM
Last Modified by on 4/12/2017 5:45:52 AM
Counters: 700 Views / 7 Downloads

Relevance

Used in 11 fixlets and 1 analysis   * Results in a true/false
version of client >= "8.2"

Used in 8 fixlets   * Results in a true/false
windows of operating system AND (if( name of operating system starts with "Win" ) then platform id of operating system != 3 else true)

Used in 1 fixlet   * Results in a true/false
(if(name of operating system starts with "Win") then free space of drive of client > 4493640 else if ((mac of it) of operating system) then free space of filesystem of folder (pathname of client) > 4493640 else free space of filesystem of client > 4493640)

Actions

Action 1

Script Type: BigFix Action Script
// Dump - Analyse - Memory
// Download all specified files
begin prefetch block
    if {name of operating system as lowercase starts with "win"}
     add prefetch item name=468a4fdda212966af167d95b6abdc85c731dfaef sha1=468a4fdda212966af167d95b6abdc85c731dfaef size=2246820 url=https://github.com/google/rekall/releases/download/v1.5.1/winpmem-2.1.post4.exe sha256=0628df33d737562dd59e32d253cb82af68f95baa6b2402ffac745c4ebfad3864
     add prefetch item name=71D1EEE14C1AAF7733A45DAB465D1F04475CEF98 sha1=71d1eee14c1aaf7733a45dab465d1f04475cef98 size=19829469 url=https://github.com/google/rekall/releases/download/1.5.3/Rekall_1.5.3_Furka_x64.exe sha256=ec348e6bf722d5b31c7fc25feaac1d204f0a58d1d135a0082960bc172abf90e6
    endif
end prefetch block

// All SWD files will go into a folder in the client's __BESData folder. This folder gets cleared on every restart.
parameter "baseFolder" = "__Download/"
// Move files into subfolders and unescape file names
move "__Download/468a4fdda212966af167d95b6abdc85c731dfaef" "{parameter "baseFolder"}winpmem-2.1.post4.exe"
move "__Download/71D1EEE14C1AAF7733A45DAB465D1F04475CEF98" "{parameter "baseFolder"}Rekall_1.5.3_Furka_x64.exe"

// Log setup
parameter "mainSWDLogFolder" = "{parent folder of client folder of current site}/__Global/SWDDeployData"
folder create "{parameter "mainSWDLogFolder"}"
parameter "logFile" = "{id of active action}.log"
parameter "mainSWDLogFile" = "SWD_DeploymentResults.log"
parameter "backupSWDLogFile" = "{id of active action}.log.backup"
if {exists file (parameter "logFile") of folder (parameter "mainSWDLogFolder")}
if {exists file (parameter "backupSWDLogFile") of folder (parameter "mainSWDLogFolder")}
if {name of operating system as lowercase starts with "win"}
waithidden cmd /C type "{parameter "mainSWDLogFolder"}\{parameter "logFile"}" >> "{parameter "mainSWDLogFolder"}/{parameter "mainSWDLogFile"}"
else
wait {"/bin/sh -c %22cat '" & (parameter "mainSWDLogFolder") & "/" & (parameter "logFile") & "' >> '" & (parameter "mainSWDLogFolder") & "/" & (parameter "mainSWDLogFile") & "'%22"}
endif
endif
if {name of operating system as lowercase starts with "win"}
waithidden cmd /C type "{parameter "mainSWDLogFolder"}\{parameter "logFile"}" >> "{parameter "mainSWDLogFolder"}/{parameter "backupSWDLogFile"}"
else
wait {"/bin/sh -c %22cat '" & (parameter "mainSWDLogFolder") & "/" & (parameter "logFile") & "' >> '" & (parameter "mainSWDLogFolder") & "/" & (parameter "backupSWDLogFile") & "'%22"}
endif
delete "{parameter "mainSWDLogFolder"}/{parameter "logFile"}"
endif

delete __createfile
parameter "logFolder" = "{parameter "mainSWDLogFolder"}"
// START - Parameters for DAAM
parameter "timeStamp" = "{(year of it as string & "-" & month of it as two digits & "-" & day_of_month of it as two digits & "-") of current date & (two digit hour of it as string & "-" & two digit minute of it as string & "-" & two digit second of it as string) of current time_of_day}"
parameter "dumpFolder" = "C:\daam"
parameter "dumpFolderName" = "daam"
parameter "dumpFolderPath" = "{parameter "dumpFolder"}\"
parameter "dumpFile" = "daamdump.aff4"
parameter "dumpFilePath" = "{parameter "dumpFolderPath"}{parameter "dumpFile"}"
// Analyse mode: 1 = Do not upload memory dump and analysis results to server
// Analyse mode: 2 = Upload memory dump and analysis results to server
parameter "analyseMode" = "1"
// END - Parameters for DAAM

// Run setup process
delete run.bat
// Use .bat to set working directory to packages root, for setup command.
createfile until _end_
@ECHO OFF
// START DEBUGGING
// END DEBUGGING
// START - archive old dumps
{if exist folder (parameter "dumpFolder") then ("cd" & " " & (parameter "dumpFolder") & "%0d%0a" & "cd .." & "%0d%0a" & "ren" & " " & (parameter "dumpFolder") & " " & (parameter "dumpFolderName") & "_archived_" & (parameter "timeStamp") & "%0d%0a" & "mkdir" & " " & (parameter "dumpFolderName")) else ("cd" & " " & (substring(0,length of parameter "dumpFolder" - length of parameter "dumpFolderName") of parameter "dumpFolder") & "%0d%0a" & "mkdir" & " " & (parameter "dumpFolder"))}
// END - archive old dumps
// START - switch to baseFolder and do the real work
cd "{(pathname of client folder of current site) & "\" & parameter "baseFolder"}"
// END - switch to baseFolder and do the real work
echo %DATE% %TIME% >> "{parameter "logFolder"}/{parameter "logFile"}"
echo Action ID: {id of active action} >> "{parameter "logFolder"}/{parameter "logFile"}"
// START - create and analyse memory dump
echo Command: "winpmem-2.1.post4.exe --output {parameter "dumpFolderPath"}{parameter "dumpFile"}" >> "{parameter "logFolder"}/{parameter "logFile"}"
start /wait winpmem-2.1.post4.exe --output {parameter "dumpFolderPath"}{parameter "dumpFile"} >> "{parameter "logFolder"}\{parameter "logFile"}" 2>&1
echo Command: "Rekall_1.5.3_Furka_x64.exe /SP- /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /CLOSEAPPLICATIONS /NORESTARTAPPLICATIONS /NOICONS" >> "{parameter "logFolder"}/{parameter "logFile"}"
start /wait Rekall_1.5.3_Furka_x64.exe /SP- /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /CLOSEAPPLICATIONS /NORESTARTAPPLICATIONS /NOICONS >> "{parameter "logFolder"}\{parameter "logFile"}" 2>&1
// END - create and analyse memory dump
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} callbacks > "{parameter "dumpFolderPath"}callbacks.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} cmdscan > "{parameter "dumpFolderPath"}cmdscan.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} connections > "{parameter "dumpFolderPath"}connections.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} connscan > "{parameter "dumpFolderPath"}connscan.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} consoles > "{parameter "dumpFolderPath"}consoles.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} devicetree > "{parameter "dumpFolderPath"}devicetree.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} driverscan > "{parameter "dumpFolderPath"}driverscan.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} dtbscan > "{parameter "dumpFolderPath"}dtbscan.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} evtlogs > "{parameter "dumpFolderPath"}evtlogs.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} filescan > "{parameter "dumpFolderPath"}filescan.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} imageinfo > "{parameter "dumpFolderPath"}imageinfo.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} kdbgscan > "{parameter "dumpFolderPath"}kdbgscan.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} kpcr > "{parameter "dumpFolderPath"}kpcr.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} modscan > "{parameter "dumpFolderPath"}modscan.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} modules > "{parameter "dumpFolderPath"}modules.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} mutantscan > "{parameter "dumpFolderPath"}mutantscan.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} netscan > "{parameter "dumpFolderPath"}netscan.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} netstat > "{parameter "dumpFolderPath"}netstat.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} object_tree > "{parameter "dumpFolderPath"}object_tree.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} object_types > "{parameter "dumpFolderPath"}object_types.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} pagefiles > "{parameter "dumpFolderPath"}pagefiles.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} phys_map > "{parameter "dumpFolderPath"}phys_map.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} pool_tracker > "{parameter "dumpFolderPath"}pool_tracker.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} pools > "{parameter "dumpFolderPath"}pools.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} procinfo > "{parameter "dumpFolderPath"}procinfo.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} pslist > "{parameter "dumpFolderPath"}pslist.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} psscan > "{parameter "dumpFolderPath"}psscan.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} pstree > "{parameter "dumpFolderPath"}pstree.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} psxview > "{parameter "dumpFolderPath"}psxview.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} services > "{parameter "dumpFolderPath"}services.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} simple_certscan > "{parameter "dumpFolderPath"}simple_certscan.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} sockets > "{parameter "dumpFolderPath"}sockets.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} ssdt > "{parameter "dumpFolderPath"}ssdt.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} svcscan > "{parameter "dumpFolderPath"}svcscan.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} symlinkscan > "{parameter "dumpFolderPath"}symlinkscan.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} thrdscan > "{parameter "dumpFolderPath"}thrdscan.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} threads > "{parameter "dumpFolderPath"}threads.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} timers > "{parameter "dumpFolderPath"}timers.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} tokens > "{parameter "dumpFolderPath"}tokens.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} unloaded_modules > "{parameter "dumpFolderPath"}unloaded_modules.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} vacbs > "{parameter "dumpFolderPath"}vacbs.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} vad > "{parameter "dumpFolderPath"}vad.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} version_modules > "{parameter "dumpFolderPath"}version_modules.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} virt_map > "{parameter "dumpFolderPath"}virt_map.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} win32k_autodetect > "{parameter "dumpFolderPath"}win32k_autodetect.txt"
//set SWDExitCode=%errorlevel%
set SWDExitCode=0
rem
echo Return code: %SWDExitCode% >> "{parameter "logFolder"}/{parameter "logFile"}"
echo. >> "{parameter "logFolder"}/{parameter "logFile"}"
exit %SWDExitCode%
_end_

move __createfile run.bat
// START - execution of bat file
override wait
hidden=true
completion=job
wait run.bat
// STOP - execution of bat file

// Get the return code of the previous action.
parameter "returnCode" = "{exit code of action}"
// Log cleanup
waithidden cmd /C type "{parameter "mainSWDLogFolder"}\{parameter "logFile"}" >> "{parameter "mainSWDLogFolder"}/{parameter "mainSWDLogFile"}"
if {exists file (parameter "backupSWDLogFile") of folder (parameter "mainSWDLogFolder")}
waithidden cmd /C type "{parameter "mainSWDLogFolder"}\{parameter "logFile"}" >> "{parameter "mainSWDLogFolder"}/{parameter "backupSWDLogFile"}"
delete "{parameter "mainSWDLogFolder"}/{parameter "logFile"}"
move "{parameter "mainSWDLogFolder"}/{parameter "backupSWDLogFile"}" "{parameter "mainSWDLogFolder"}/{parameter "logFile"}"
endif

// START log upload
folder create "{parameter "mainSWDLogFolder"}/LogsToBeUploaded"
delete "{parameter "logFolder"}/LogsToBeUploaded/{parameter "logFile"}"
move "{parameter "mainSWDLogFolder"}/{parameter "logFile"}" "{parameter "mainSWDLogFolder"}/LogsToBeUploaded/{parameter "logFile"}"

// START - Upload of memory dump
if {parameter "analyseMode" = "2"}
    setting "_BESClient_ArchiveManager_MaxArchiveSize"="1000000000000" on "{parameter "action issue date" of action}" for client
    setting "_BESClient_ArchiveManager_OperatingMode"="2" on "{parameter "action issue date" of action}" for client
//setting "_BESClient_ArchiveManager_FileSet-SWD"="{parameter "logFolder"}/LogsToBeUploaded/*" on "{parameter "action issue date" of action}" for client
    setting "_BESClient_ArchiveManager_FileSet-DAAM"="{parameter "dumpFolderPath"}*" on "{parameter "action issue date" of action}" for client
    archive now
endif
// END - Upload of memory dump

// Task will now exit.
exit {parameter "returnCode"}
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.
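Verifying mirrored installers against the pinned prefetch hashes. The prefetch block of this action pins each download by size, SHA-1 and SHA-256, and the BigFix client verifies these before it will use the file. If the GitHub release URLs become unreachable and the installers have to be mirrored from another source, or a newer build is to be pinned, the file should be checked against the same values before the prefetch lines are edited. The following Python script is an added example for this page, not part of the DAAM task or of Rekall: it parses the `add prefetch item` lines exactly as they appear in Action 1, reports every mismatch between a local file and a pinned entry, and can emit a new pin line for a file you have verified out of band. The function names (`parse_prefetch`, `verify_bytes`, `verify_file`, `make_pin`, `render_prefetch`) and the example.invalid URL used in the test are mine, not BigFix conventions.

```python
"""Check a local installer against the hashes pinned in a BigFix prefetch block.

Added example for the DAAM task page; not part of the task or of Rekall.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Prefetch lines copied verbatim from Action 1 of the DAAM task.
PREFETCH_LINES = """
add prefetch item name=468a4fdda212966af167d95b6abdc85c731dfaef sha1=468a4fdda212966af167d95b6abdc85c731dfaef size=2246820 url=https://github.com/google/rekall/releases/download/v1.5.1/winpmem-2.1.post4.exe sha256=0628df33d737562dd59e32d253cb82af68f95baa6b2402ffac745c4ebfad3864
add prefetch item name=71D1EEE14C1AAF7733A45DAB465D1F04475CEF98 sha1=71d1eee14c1aaf7733a45dab465d1f04475cef98 size=19829469 url=https://github.com/google/rekall/releases/download/1.5.3/Rekall_1.5.3_Furka_x64.exe sha256=ec348e6bf722d5b31c7fc25feaac1d204f0a58d1d135a0082960bc172abf90e6
"""


@dataclass(frozen=True)
class PrefetchItem:
    name: str
    sha1: str
    size: int
    url: str
    sha256: Optional[str]  # older action scripts may pin sha1 only


_KEY_VALUE = re.compile(r"(\w+)=(\S+)")


def parse_prefetch(text: str) -> Dict[str, PrefetchItem]:
    """Map file name (last URL path component) -> pinned item for every 'add prefetch item' line."""
    items: Dict[str, PrefetchItem] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("add prefetch item"):
            continue
        kv = dict(_KEY_VALUE.findall(line))
        item = PrefetchItem(
            name=kv["name"],
            sha1=kv["sha1"].lower(),
            size=int(kv["size"]),
            url=kv["url"],
            sha256=kv.get("sha256", "").lower() or None,
        )
        items[item.url.rsplit("/", 1)[-1]] = item
    return items


def verify_bytes(data: bytes, item: PrefetchItem) -> List[str]:
    """Return the list of mismatches against the pin; an empty list means the file matches."""
    problems: List[str] = []
    if len(data) != item.size:
        problems.append(f"size {len(data)} != {item.size}")
    if hashlib.sha1(data).hexdigest() != item.sha1:
        problems.append("sha1 mismatch")
    if item.sha256 and hashlib.sha256(data).hexdigest() != item.sha256:
        problems.append("sha256 mismatch")
    return problems


def verify_file(path: str, item: PrefetchItem) -> List[str]:
    """Check a file on disk (e.g. a mirrored copy of winpmem) against a pinned entry."""
    with open(path, "rb") as fh:
        return verify_bytes(fh.read(), item)


def make_pin(data: bytes, url: str) -> PrefetchItem:
    """Build a pin for a file verified out of band; name = sha1, as in the DAAM script."""
    sha1 = hashlib.sha1(data).hexdigest()
    return PrefetchItem(name=sha1, sha1=sha1, size=len(data), url=url,
                        sha256=hashlib.sha256(data).hexdigest())


def render_prefetch(item: PrefetchItem) -> str:
    """Emit the line in the form used inside 'begin prefetch block ... end prefetch block'."""
    line = f"add prefetch item name={item.name} sha1={item.sha1} size={item.size} url={item.url}"
    if item.sha256:
        line += f" sha256={item.sha256}"
    return line


if __name__ == "__main__":
    import sys
    # usage: python check_prefetch.py <mirrored file> <file name as in the pinned URL>
    pins = parse_prefetch(PREFETCH_LINES)
    path, name = sys.argv[1], sys.argv[2]
    found = verify_file(path, pins[name])
    print("OK" if not found else "MISMATCH: " + "; ".join(found))
    sys.exit(1 if found else 0)
```

Run it as `python check_prefetch.py winpmem-2.1.post4.exe winpmem-2.1.post4.exe` against the mirrored copy; a non-zero exit means the file differs from what the task was tested with and must not be pinned under the old hashes. When you deliberately pin a newer build, hash it with `make_pin` and paste the `render_prefetch` output into the prefetch block, keeping both sha1 and sha256 so the client can enforce them.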

Action 2

Script Type: BigFix Action Script
// Dump - Upload - Memory To Server
// Download all specified files
begin prefetch block
    if {name of operating system as lowercase starts with "win"}
     add prefetch item name=468a4fdda212966af167d95b6abdc85c731dfaef sha1=468a4fdda212966af167d95b6abdc85c731dfaef size=2246820 url=https://github.com/google/rekall/releases/download/v1.5.1/winpmem-2.1.post4.exe sha256=0628df33d737562dd59e32d253cb82af68f95baa6b2402ffac745c4ebfad3864
    endif
end prefetch block

// All SWD files will go into a folder in the client's __BESData folder. This folder gets cleared on every restart.
parameter "baseFolder" = "__Download/"
// Move files into subfolders and unescape file names
move "__Download/468a4fdda212966af167d95b6abdc85c731dfaef" "{parameter "baseFolder"}winpmem-2.1.post4.exe"

// Log setup
parameter "mainSWDLogFolder" = "{parent folder of client folder of current site}/__Global/SWDDeployData"
folder create "{parameter "mainSWDLogFolder"}"
parameter "logFile" = "{id of active action}.log"
parameter "mainSWDLogFile" = "SWD_DeploymentResults.log"
parameter "backupSWDLogFile" = "{id of active action}.log.backup"
if {exists file (parameter "logFile") of folder (parameter "mainSWDLogFolder")}
if {exists file (parameter "backupSWDLogFile") of folder (parameter "mainSWDLogFolder")}
if {name of operating system as lowercase starts with "win"}
waithidden cmd /C type "{parameter "mainSWDLogFolder"}\{parameter "logFile"}" >> "{parameter "mainSWDLogFolder"}/{parameter "mainSWDLogFile"}"
else
wait {"/bin/sh -c %22cat '" & (parameter "mainSWDLogFolder") & "/" & (parameter "logFile") & "' >> '" & (parameter "mainSWDLogFolder") & "/" & (parameter "mainSWDLogFile") & "'%22"}
endif
endif
if {name of operating system as lowercase starts with "win"}
waithidden cmd /C type "{parameter "mainSWDLogFolder"}\{parameter "logFile"}" >> "{parameter "mainSWDLogFolder"}/{parameter "backupSWDLogFile"}"
else
wait {"/bin/sh -c %22cat '" & (parameter "mainSWDLogFolder") & "/" & (parameter "logFile") & "' >> '" & (parameter "mainSWDLogFolder") & "/" & (parameter "backupSWDLogFile") & "'%22"}
endif
delete "{parameter "mainSWDLogFolder"}/{parameter "logFile"}"
endif

delete __createfile
parameter "logFolder" = "{parameter "mainSWDLogFolder"}"
// START - Parameters for DAAM
parameter "timeStamp" = "{(year of it as string & "-" & month of it as two digits & "-" & day_of_month of it as two digits & "-") of current date & (two digit hour of it as string & "-" & two digit minute of it as string & "-" & two digit second of it as string) of current time_of_day}"
parameter "dumpFolder" = "C:\daam"
parameter "dumpFolderName" = "daam"
parameter "dumpFolderPath" = "{parameter "dumpFolder"}\"
parameter "dumpFile" = "daamdump.aff4"
parameter "dumpFilePath" = "{parameter "dumpFolderPath"}{parameter "dumpFile"}"
// Analyse mode: 1 = Do not upload memory dump to server
// Analyse mode: 2 = Upload memory dump to server (this action runs no Rekall analysis, so only the dump is uploaded)
parameter "analyseMode" = "2"
// END - Parameters for DAAM

// Run setup process
delete run.bat
// Use .bat to set working directory to packages root, for setup command.
createfile until _end_
@ECHO OFF
// START DEBUGGING
// END DEBUGGING
// START - archive old dumps
{if exist folder (parameter "dumpFolder") then ("cd" & " " & (parameter "dumpFolder") & "%0d%0a" & "cd .." & "%0d%0a" & "ren" & " " & (parameter "dumpFolder") & " " & (parameter "dumpFolderName") & "_archived_" & (parameter "timeStamp") & "%0d%0a" & "mkdir" & " " & (parameter "dumpFolderName")) else ("cd" & " " & (substring(0,length of parameter "dumpFolder" - length of parameter "dumpFolderName") of parameter "dumpFolder") & "%0d%0a" & "mkdir" & " " & (parameter "dumpFolder"))}
// END - archive old dumps
// START - switch to baseFolder and do the real work
cd "{(pathname of client folder of current site) & "\" & parameter "baseFolder"}"
// END - switch to baseFolder and do the real work
echo %DATE% %TIME% >> "{parameter "logFolder"}/{parameter "logFile"}"
echo Action ID: {id of active action} >> "{parameter "logFolder"}/{parameter "logFile"}"
// START - create and analyse memory dump
echo Command: "winpmem-2.1.post4.exe --output {parameter "dumpFolderPath"}{parameter "dumpFile"}" >> "{parameter "logFolder"}/{parameter "logFile"}"
start /wait winpmem-2.1.post4.exe --output {parameter "dumpFolderPath"}{parameter "dumpFile"} >> "{parameter "logFolder"}\{parameter "logFile"}" 2>&1
// END - create and analyse memory dump
//set SWDExitCode=%errorlevel%
set SWDExitCode=0
rem
echo Return code: %SWDExitCode% >> "{parameter "logFolder"}/{parameter "logFile"}"
echo. >> "{parameter "logFolder"}/{parameter "logFile"}"
exit %SWDExitCode%
_end_

move __createfile run.bat
// START - execution of bat file
override wait
hidden=true
completion=job
wait run.bat
// STOP - execution of bat file

// Get the return code of the previous action.
parameter "returnCode" = "{exit code of action}"
// Log cleanup
waithidden cmd /C type "{parameter "mainSWDLogFolder"}\{parameter "logFile"}" >> "{parameter "mainSWDLogFolder"}/{parameter "mainSWDLogFile"}"
if {exists file (parameter "backupSWDLogFile") of folder (parameter "mainSWDLogFolder")}
waithidden cmd /C type "{parameter "mainSWDLogFolder"}\{parameter "logFile"}" >> "{parameter "mainSWDLogFolder"}/{parameter "backupSWDLogFile"}"
delete "{parameter "mainSWDLogFolder"}/{parameter "logFile"}"
move "{parameter "mainSWDLogFolder"}/{parameter "backupSWDLogFile"}" "{parameter "mainSWDLogFolder"}/{parameter "logFile"}"
endif

// START log upload
folder create "{parameter "mainSWDLogFolder"}/LogsToBeUploaded"
delete "{parameter "logFolder"}/LogsToBeUploaded/{parameter "logFile"}"
move "{parameter "mainSWDLogFolder"}/{parameter "logFile"}" "{parameter "mainSWDLogFolder"}/LogsToBeUploaded/{parameter "logFile"}"

// START - Upload of memory dump
if {parameter "analyseMode" = "2"}
    setting "_BESClient_ArchiveManager_MaxArchiveSize"="1000000000000" on "{parameter "action issue date" of action}" for client
    setting "_BESClient_ArchiveManager_OperatingMode"="2" on "{parameter "action issue date" of action}" for client
//setting "_BESClient_ArchiveManager_FileSet-SWD"="{parameter "logFolder"}/LogsToBeUploaded/*" on "{parameter "action issue date" of action}" for client
    setting "_BESClient_ArchiveManager_FileSet-DAAM"="{parameter "dumpFolderPath"}*" on "{parameter "action issue date" of action}" for client
    archive now
endif
// END - Upload of memory dump

// Task will now exit.
exit {parameter "returnCode"}
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.

Action 3

Script Type: BigFix Action Script
// Dump - Analyse - Upload - Memory To Server
// Download all specified files
begin prefetch block
    if {name of operating system as lowercase starts with "win"}
     add prefetch item name=468a4fdda212966af167d95b6abdc85c731dfaef sha1=468a4fdda212966af167d95b6abdc85c731dfaef size=2246820 url=https://github.com/google/rekall/releases/download/v1.5.1/winpmem-2.1.post4.exe sha256=0628df33d737562dd59e32d253cb82af68f95baa6b2402ffac745c4ebfad3864
     add prefetch item name=71D1EEE14C1AAF7733A45DAB465D1F04475CEF98 sha1=71d1eee14c1aaf7733a45dab465d1f04475cef98 size=19829469 url=https://github.com/google/rekall/releases/download/1.5.3/Rekall_1.5.3_Furka_x64.exe sha256=ec348e6bf722d5b31c7fc25feaac1d204f0a58d1d135a0082960bc172abf90e6
    endif
end prefetch block

// All SWD files will go into a folder in the client's __BESData folder. This folder gets cleared on every restart.
parameter "baseFolder" = "__Download/"
// Move files into subfolders and unescape file names
move "__Download/468a4fdda212966af167d95b6abdc85c731dfaef" "{parameter "baseFolder"}winpmem-2.1.post4.exe"
move "__Download/71D1EEE14C1AAF7733A45DAB465D1F04475CEF98" "{parameter "baseFolder"}Rekall_1.5.3_Furka_x64.exe"

// Log setup
parameter "mainSWDLogFolder" = "{parent folder of client folder of current site}/__Global/SWDDeployData"
folder create "{parameter "mainSWDLogFolder"}"
parameter "logFile" = "{id of active action}.log"
parameter "mainSWDLogFile" = "SWD_DeploymentResults.log"
parameter "backupSWDLogFile" = "{id of active action}.log.backup"
if {exists file (parameter "logFile") of folder (parameter "mainSWDLogFolder")}
if {exists file (parameter "backupSWDLogFile") of folder (parameter "mainSWDLogFolder")}
if {name of operating system as lowercase starts with "win"}
waithidden cmd /C type "{parameter "mainSWDLogFolder"}\{parameter "logFile"}" >> "{parameter "mainSWDLogFolder"}/{parameter "mainSWDLogFile"}"
else
wait {"/bin/sh -c %22cat '" & (parameter "mainSWDLogFolder") & "/" & (parameter "logFile") & "' >> '" & (parameter "mainSWDLogFolder") & "/" & (parameter "mainSWDLogFile") & "'%22"}
endif
endif
if {name of operating system as lowercase starts with "win"}
waithidden cmd /C type "{parameter "mainSWDLogFolder"}\{parameter "logFile"}" >> "{parameter "mainSWDLogFolder"}/{parameter "backupSWDLogFile"}"
else
wait {"/bin/sh -c %22cat '" & (parameter "mainSWDLogFolder") & "/" & (parameter "logFile") & "' >> '" & (parameter "mainSWDLogFolder") & "/" & (parameter "backupSWDLogFile") & "'%22"}
endif
delete "{parameter "mainSWDLogFolder"}/{parameter "logFile"}"
endif

delete __createfile
parameter "logFolder" = "{parameter "mainSWDLogFolder"}"
// START - Parameters for DAAM
parameter "timeStamp" = "{(year of it as string & "-" & month of it as two digits & "-" & day_of_month of it as two digits & "-") of current date & (two digit hour of it as string & "-" & two digit minute of it as string & "-" & two digit second of it as string) of current time_of_day}"
parameter "dumpFolder" = "C:\daam"
parameter "dumpFolderName" = "daam"
parameter "dumpFolderPath" = "{parameter "dumpFolder"}\"
parameter "dumpFile" = "daamdump.aff4"
parameter "dumpFilePath" = "{parameter "dumpFolderPath"}{parameter "dumpFile"}"
// Analyse mode: 1 = Do not upload memory dump and analysis results to server
// Analyse mode: 2 = Upload memory dump and analysis results to server
parameter "analyseMode" = "2"
// END - Parameters for DAAM

// Run setup process
delete run.bat
// Use .bat to set working directory to packages root, for setup command.
createfile until _end_
@ECHO OFF
// START DEBUGGING
// END DEBUGGING
// START - archive old dumps
{if exist folder (parameter "dumpFolder") then ("cd" & " " & (parameter "dumpFolder") & "%0d%0a" & "cd .." & "%0d%0a" & "ren" & " " & (parameter "dumpFolder") & " " & (parameter "dumpFolderName") & "_archived_" & (parameter "timeStamp") & "%0d%0a" & "mkdir" & " " & (parameter "dumpFolderName")) else ("cd" & " " & (substring(0,length of parameter "dumpFolder" - length of parameter "dumpFolderName") of parameter "dumpFolder") & "%0d%0a" & "mkdir" & " " & (parameter "dumpFolder"))}
// END - archive old dumps
// START - switch to baseFolder and do the real work
cd "{(pathname of client folder of current site) & "\" & parameter "baseFolder"}"
// END - switch to baseFolder and do the real work
echo %DATE% %TIME% >> "{parameter "logFolder"}/{parameter "logFile"}"
echo Action ID: {id of active action} >> "{parameter "logFolder"}/{parameter "logFile"}"
// START - create and analyse memory dump
echo Command: "winpmem-2.1.post4.exe --output {parameter "dumpFolderPath"}{parameter "dumpFile"}" >> "{parameter "logFolder"}/{parameter "logFile"}"
start /wait winpmem-2.1.post4.exe --output {parameter "dumpFolderPath"}{parameter "dumpFile"} >> "{parameter "logFolder"}\{parameter "logFile"}" 2>&1
echo Command: "Rekall_1.5.3_Furka_x64.exe /SP- /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /CLOSEAPPLICATIONS /NORESTARTAPPLICATIONS /NOICONS" >> "{parameter "logFolder"}/{parameter "logFile"}"
start /wait Rekall_1.5.3_Furka_x64.exe /SP- /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /CLOSEAPPLICATIONS /NORESTARTAPPLICATIONS /NOICONS >> "{parameter "logFolder"}\{parameter "logFile"}" 2>&1
// END - create and analyse memory dump
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} callbacks > "{parameter "dumpFolderPath"}callbacks.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} cmdscan > "{parameter "dumpFolderPath"}cmdscan.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} connections > "{parameter "dumpFolderPath"}connections.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} connscan > "{parameter "dumpFolderPath"}connscan.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} consoles > "{parameter "dumpFolderPath"}consoles.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} devicetree > "{parameter "dumpFolderPath"}devicetree.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} driverscan > "{parameter "dumpFolderPath"}driverscan.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} dtbscan > "{parameter "dumpFolderPath"}dtbscan.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} evtlogs > "{parameter "dumpFolderPath"}evtlogs.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} filescan > "{parameter "dumpFolderPath"}filescan.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} imageinfo > "{parameter "dumpFolderPath"}imageinfo.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} kdbgscan > "{parameter "dumpFolderPath"}kdbgscan.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} kpcr > "{parameter "dumpFolderPath"}kpcr.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} modscan > "{parameter "dumpFolderPath"}modscan.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} modules > "{parameter "dumpFolderPath"}modules.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} mutantscan > "{parameter "dumpFolderPath"}mutantscan.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} netscan > "{parameter "dumpFolderPath"}netscan.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} netstat > "{parameter "dumpFolderPath"}netstat.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} object_tree > "{parameter "dumpFolderPath"}object_tree.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} object_types > "{parameter "dumpFolderPath"}object_types.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} pagefiles > "{parameter "dumpFolderPath"}pagefiles.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} phys_map > "{parameter "dumpFolderPath"}phys_map.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} pool_tracker > "{parameter "dumpFolderPath"}pool_tracker.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} pools > "{parameter "dumpFolderPath"}pools.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} procinfo > "{parameter "dumpFolderPath"}procinfo.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} pslist > "{parameter "dumpFolderPath"}pslist.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} psscan > "{parameter "dumpFolderPath"}psscan.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} pstree > "{parameter "dumpFolderPath"}pstree.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} psxview > "{parameter "dumpFolderPath"}psxview.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} services > "{parameter "dumpFolderPath"}services.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} simple_certscan > "{parameter "dumpFolderPath"}simple_certscan.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} sockets > "{parameter "dumpFolderPath"}sockets.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} ssdt > "{parameter "dumpFolderPath"}ssdt.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} svcscan > "{parameter "dumpFolderPath"}svcscan.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} symlinkscan > "{parameter "dumpFolderPath"}symlinkscan.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} thrdscan > "{parameter "dumpFolderPath"}thrdscan.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} threads > "{parameter "dumpFolderPath"}threads.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} timers > "{parameter "dumpFolderPath"}timers.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} tokens > "{parameter "dumpFolderPath"}tokens.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} unloaded_modules > "{parameter "dumpFolderPath"}unloaded_modules.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} vacbs > "{parameter "dumpFolderPath"}vacbs.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} vad > "{parameter "dumpFolderPath"}vad.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} version_modules > "{parameter "dumpFolderPath"}version_modules.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} virt_map > "{parameter "dumpFolderPath"}virt_map.txt"
"C:/Program Files/Rekall/rekal.exe" -f {parameter "dumpFilePath"} win32k_autodetect > "{parameter "dumpFolderPath"}win32k_autodetect.txt"
rem set SWDExitCode=%errorlevel%
set SWDExitCode=0
rem
echo Return code: %SWDExitCode% >> "{parameter "logFolder"}/{parameter "logFile"}"
echo. >> "{parameter "logFolder"}/{parameter "logFile"}"
exit %SWDExitCode%
_end_

move __createfile run.bat
// START - execution of bat file
override wait
hidden=true
completion=job
wait run.bat
// STOP - execution of bat file

// Get the return code of the previous action.
parameter "returnCode" = "{exit code of action}"
// Log cleanup
waithidden cmd /C type "{parameter "mainSWDLogFolder"}\{parameter "logFile"}" >> "{parameter "mainSWDLogFolder"}/{parameter "mainSWDLogFile"}"
if {exists file (parameter "backupSWDLogFile") of folder (parameter "mainSWDLogFolder")}
waithidden cmd /C type "{parameter "mainSWDLogFolder"}\{parameter "logFile"}" >> "{parameter "mainSWDLogFolder"}/{parameter "backupSWDLogFile"}"
delete "{parameter "mainSWDLogFolder"}/{parameter "logFile"}"
move "{parameter "mainSWDLogFolder"}/{parameter "backupSWDLogFile"}" "{parameter "mainSWDLogFolder"}/{parameter "logFile"}"
endif

// START log upload
folder create "{parameter "mainSWDLogFolder"}/LogsToBeUploaded"
delete "{parameter "logFolder"}/LogsToBeUploaded/{parameter "logFile"}"
move "{parameter "mainSWDLogFolder"}/{parameter "logFile"}" "{parameter "mainSWDLogFolder"}/LogsToBeUploaded/{parameter "logFile"}"

// START - Upload of memory dump
if {parameter "analyseMode" = "2"}
    setting "_BESClient_ArchiveManager_MaxArchiveSize"="1000000000000" on "{parameter "action issue date" of action}" for client
    setting "_BESClient_ArchiveManager_OperatingMode"="2" on "{parameter "action issue date" of action}" for client
//setting "_BESClient_ArchiveManager_FileSet-SWD"="{parameter "logFolder"}/LogsToBeUploaded/*" on "{parameter "action issue date" of action}" for client
    setting "_BESClient_ArchiveManager_FileSet-DAAM"="{parameter "dumpFolderPath"}*" on "{parameter "action issue date" of action}" for client
    archive now
endif
// END - Upload of memory dump

// Task will now exit.
exit {parameter "returnCode"}
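A check a practitioner would run on the pslist.txt and psscan.txt files once the task has uploaded them to the server's buffer directory, as an added example that is not part of the DAAM fixlet: it cross-references the two process views (the linked-list walk of pslist against the pool scan of psscan), which is the idea behind the psxview plugin the task also runs. It assumes Rekall's default whitespace-delimited table layout with "name" and "pid" header columns; the sample tables are constructed, and cross_view_folder is a hypothetical helper pointed at the task's dumpFolderPath.

```python
from pathlib import Path

def parse_pids(table: str) -> dict[int, str]:
    """Map pid -> process name from a Rekall pslist/psscan text table.
    Assumes a header row naming 'name' and 'pid', then a dashes row, then one row per process."""
    name_idx = pid_idx = None
    pids: dict[int, str] = {}
    for line in table.splitlines():
        cols = line.split()
        if not cols or set(line) <= {"-", " "}:   # blank or separator row
            continue
        if name_idx is None:                       # still looking for the header
            if "pid" in cols and "name" in cols:
                name_idx, pid_idx = cols.index("name"), cols.index("pid")
            continue
        if len(cols) > max(name_idx, pid_idx) and cols[pid_idx].isdigit():
            pids[int(cols[pid_idx])] = cols[name_idx]
    return pids

def cross_view(pslist: str, psscan: str) -> dict[str, dict[int, str]]:
    """Processes that only one view reports. A psscan-only entry is the classic sign of an
    _EPROCESS unlinked from the active list (or a recently exited process whose pool block
    is intact); a pslist-only entry usually means the scanner missed or mis-parsed a block."""
    listed, scanned = parse_pids(pslist), parse_pids(psscan)
    return {
        "psscan_only": {p: n for p, n in scanned.items() if p not in listed},
        "pslist_only": {p: n for p, n in listed.items() if p not in scanned},
    }

def cross_view_folder(dump_folder: str) -> dict[str, dict[int, str]]:
    """Hypothetical helper: run the check on the files the task leaves in dumpFolderPath."""
    folder = Path(dump_folder)
    return cross_view((folder / "pslist.txt").read_text(),
                      (folder / "psscan.txt").read_text())

# Constructed sample tables (not real DAAM output), trimmed to a few columns.
SAMPLE_PSLIST = """\
  _EPROCESS            name          pid   ppid   thread_count handle_count
-------------- -------------------- ----- ------ ------------ ------------
0xfa80008959e0 System                   4      0           78          433
0xfa8001a2b060 smss.exe               248      4            2           29
0xfa8001b3c5a0 svchost.exe            712    556           12          310"""
SAMPLE_PSSCAN = """\
  _EPROCESS            name          pid   ppid   process_create_time
-------------- -------------------- ----- ------ -----------------------
0xfa80008959e0 System                   4      0 2012-10-01 21:39:51Z
0xfa8001a2b060 smss.exe               248      4 2012-10-01 21:39:51Z
0xfa8001b3c5a0 svchost.exe            712    556 2012-10-01 21:40:02Z
0xfa8001c4d7e0 unlisted.exe          1337    712 2012-10-01 21:41:13Z"""
```

On the sample data cross_view reports PID 1337 as psscan-only; on real output, compare such hits against psxview.txt and pstree.txt before drawing conclusions.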
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.

