GRR Rapid Response is an incident response framework focused on remote live forensics. It is based on a client-server architecture: an agent is installed on target systems, and a Python server infrastructure manages and communicates with the agents.
This is my introduction to setting up Google Grr on my home network. Google Grr is a great open-source tool released for incident response. However, as you may have noticed, the documentation on Google Grr is not that helpful to beginners. Here I hope to clear up any confusion and help beginners get started on their own networks.
Google Grr Terminology
- Flow – a task (for example, listing processes) that is launched against a single client.
- Hunt – a flow scheduled across many clients (the fleet) at once.
Google Grr Server Install/Setup
- First grab a copy of Ubuntu Server 16.04 and set up a VM.
- Update: the install script below ONLY works on Ubuntu 16.04.
- sudo apt-get update && sudo apt-get upgrade -y
- wget https://raw.githubusercontent.com/google/grr/master/scripts/install_script_ubuntu.sh
- sudo bash install_script_ubuntu.sh
- Enter “1” for SQLite database
- Accept default location for Database location
- Accept default for hostname unless you need to change it.
- Accept default front-end URL
- Accept default AdminUI URL
- Accept default for e-mails
- I don’t have a mail server :/
- Enter password for admin user
- Enter “y” to install the template package and repack the clients with the new configs
UFW Setup
- sudo sed -i 's/IPV6=yes/IPV6=no/g' /etc/default/ufw
- sudo ufw enable
- sudo ufw allow ssh
- sudo ufw allow https
- sudo ufw allow 8080/tcp
- sudo ufw allow 44449/tcp
- sudo ufw default deny incoming
- sudo ufw reload
Nginx and UFW Install/Setup
- sudo apt-get install nginx -y
- sudo mkdir /etc/nginx/ssl
- sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
- sudo vim /etc/nginx/sites-enabled/default
- Add the following server block:
    server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        server_name googlegrr googlegrr.hackinglab.com;
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        location / {
            proxy_pass http://127.0.0.1:8000;
        }
    }
- Save and exit.
- sudo service nginx restart
- Browse to “https://<IP of Google Grr Server>”
- Ignore the warning about the untrusted (self-signed) certificate.
- You will be prompted to log in.
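As an added example (not from the original post), the following shell functions render a hardened version of the reverse-proxy block above, restricted to TLSv1.2, and audit an existing nginx config for deprecated TLS versions or a proxy target that is not the loopback AdminUI. The server_name and certificate paths are passed as arguments; the AdminUI port 8000 is taken from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: render a hardened version of
# the reverse-proxy block used above (TLSv1.2 only) and audit an existing
# config for settings the post's block still carries. Assumes the GRR AdminUI
# listens on 127.0.0.1:8000 as in the post; server_name and cert paths are
# passed in by the caller.

# render_grr_proxy_conf SERVER_NAME CERT KEY: print the hardened server block.
render_grr_proxy_conf() {
    cat <<EOF
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name $1;
    ssl_certificate $2;
    ssl_certificate_key $3;
    ssl_protocols TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    location / {
        proxy_pass http://127.0.0.1:8000;
        # keep the real client address available for the AdminUI access logs
        proxy_set_header X-Forwarded-For \$remote_addr;
    }
}
EOF
}

# audit_proxy_conf FILE: return 1 if a deprecated TLS version is enabled or
# the proxy target is not the loopback AdminUI, 0 otherwise.
audit_proxy_conf() {
    rc=0
    protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$1")
    for p in $protos; do
        case "$p" in
            SSLv3|TLSv1|TLSv1.1) echo "deprecated protocol enabled: $p" >&2; rc=1 ;;
        esac
    done
    if grep -E '^[[:space:]]*proxy_pass' "$1" | grep -vqE '127\.0\.0\.1|localhost'; then
        echo "proxy_pass target is not loopback" >&2
        rc=1
    fi
    return $rc
}
```

Write the rendered block into /etc/nginx/sites-enabled/default in place of the one above and run sudo nginx -t before restarting nginx.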
Google GRR UI Locations
- Google Grr Clients: Manage Binaries > Executables > <OS> > Installers.
- Google Grr Hunts: Hunt Manager.
- Google Grr Flows: Start Global Flow.
- Google Grr Clients: To show all clients enter “.” in the search box. To show a specific client enter its IP or hostname.
Samba Share for Google Grr Binaries (optional)
- sudo mkdir /srv/GoogleGrr
- sudo apt-get install samba
- sudo vim /etc/samba/smb.conf
- Add to the bottom:
[GoogleGrr]
comment = Google Grr Share
path = /srv/GoogleGrr
guest ok = yes
read only = yes
- Save and exit.
- Copy the GRR installers to the share folder:
- sudo cp grr_*_amd64.deb /srv/GoogleGrr/
- sudo cp grr_*_amd64.rpm /srv/GoogleGrr/
- sudo cp GRR_*_amd64.exe /srv/GoogleGrr/
- sudo service smbd restart
- testparm (checks smb.conf for errors)
- sudo ufw allow from <Network IP> to any app Samba
Install/Setup Google Grr Client
- smbclient //<google grr server>/<google grr share>
- get the installer for your platform, grr_*_amd64.deb or grr_*_amd64.rpm
- My example will be CentOS.
- exit
- sudo yum install grr_*_amd64.rpm
- As you can see below, the Google Grr client will automatically call back to the server.
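The share above is guest-readable and the installers are what every endpoint will run as root, so their integrity deserves a check before the yum step. As an added example that is not part of the original post, this shell helper verifies an installer pulled from the share against a SHA256SUMS list (hypothetical file name, in sha256sum format) that was obtained over a trusted channel such as scp from the GRR server, and only then runs the install command from the steps above.

```shell
#!/bin/sh
# Added example, not part of the original post: verify a GRR client installer
# pulled from the guest-readable Samba share before handing it to yum.
# Assumes the operator publishes a SHA256SUMS file (hypothetical name, in
# sha256sum format) and fetches it over a trusted channel such as scp from the
# GRR server, not from the anonymous share it is meant to check.

# verify_installer FILE SUMS_FILE: return 0 only if FILE's SHA-256 matches the
# entry for its basename in SUMS_FILE.
verify_installer() {
    file="$1"
    sums="$2"
    [ -f "$file" ] || { echo "missing installer: $file" >&2; return 1; }
    [ -f "$sums" ] || { echo "missing checksum list: $sums" >&2; return 1; }
    expected=$(awk -v f="$(basename "$file")" '$2 == f { print $1 }' "$sums")
    [ -n "$expected" ] || { echo "no checksum listed for $file" >&2; return 1; }
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file (expected $expected, got $actual)" >&2
    return 1
}

# install_if_verified FILE SUMS_FILE: run the CentOS install step from the post
# only when the checksum check passes.
install_if_verified() {
    verify_installer "$1" "$2" || return 1
    sudo yum install -y "$1"
}
```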
Setup Google Grr Flow
- Get a process list
- Start new flows > Processes > List Processes
- Under General, select whether you wish to fetch the binaries.
- Under the Advanced tab select the “Today” button.
- Set the priority for this flow.
- Select “Launch”.
- The notification box in the top right will let you know when a flow is completed.
- Select the notification box to see all the completed flows.
- Select “List Processes” to see the details.
- As you can see above, these are the details collected for the bash process.
- Select the hyperlink above to go to the downloaded process binary.
- As you can see above, we get the path of the binary, the hash of the binary, and more.
- If you scroll up you have the following options: download the binary, view it as text, or view it as hex.
Download
Text view
Hex view
- Get network connections
- Start new flows > Network > Netstat.
- Under Advanced, select the priority for this flow.
- Select the “Today” button to start this flow.
- Select “Launch”.
- Select “Manage launched flows” to see a flow’s progress.
- When the flow completes this is the output of the results.
Setup Google Grr Hunt
Setup Google Grr Hunt Cron Jobs
- Grab processes and netstat connections from all machines every 24hrs.
- Select “Cron Job Viewer”
- Select “+” to add a job
- Enter “Process Collector” into name.
- Set periodicity to 24hrs.
- Set Lifetime to 1w.
- Processes > ListProcesses.
- I want to capture all binaries for each process.
- Each binary will be held for a week.
- Accept default for output plugin.
- Select all machines for the hunt.
- Select “Schedule Hunt”.
Setup Google Grr Alerting System
Setup Google Grr Data Retention
Resources
Sources
Hi there,
I have a question about Ubuntu Server 16.04. Can I use the Ubuntu Desktop 16.04 instead of the server?
The server is CLI only, so I thought maybe the desktop system is a better choice. Do you agree? What is your recommendation?
Also, when you Browse to “https://”, do you do this on a separate machine as the server is CLI only?
Looking forward to your response
Frances
Hi Frances,
The biggest difference between Ubuntu Desktop and Ubuntu Server is the GUI. Ubuntu Server, as you mentioned, is a headless system so you have no GUI. You can use an Ubuntu Desktop to set up Google Grr. However, a desktop environment will take up unnecessary resources, so it is recommended to install Google Grr on an Ubuntu server and access it via browser from another PC on the network. So from another machine on the network do the following: “https://” without quotes. Have FUN!
Hi again,
Just following up my previous comment/question:
1. when you Browse to “http://”, is it done on a separate machine?
2. For testing purpose, can I install both the GRR server and the GRR client on the same VM?
Thanks and looking forward to you response.
Frances
Hi Frances
Yes, it is possible to install the server and client on the same machine. This is not normally recommended due to limitation of resources, especially disk I/O. I personally recommend testing this in two separate VMs to ensure connectivity outside of the server.
Arganas
Hi,
Can you help me in understanding why we are using GRR, what is the main purpose?
What I have understood is it is for memory foreign forensics.
Kindly share your knowledge .
Thank you .
Hey Sangeeta,
Google Grr is an incident response framework that can be utilized for remote IR. Google Grr allows IR teams to investigate an incident on a machine(s) remotely from the Grr web console. For example, we can remotely request the process list, network connection list, a memory dump, or do memory analysis on a machine. The awesome thing about Google grr is rekall is installed on all agents so you can run rekall plugins on a remote box. The benefit of this is if a machine has a rootkit on it. Rootkits are known to hide themselves from tools such as netstat and ps. However, this security concern is mitigated with the use of tools like rekall that analyze the memory of a machine.
Additionally, you can give Google Grr indicators of compromise to look for on a fleet (one or more machines). You can schedule certain types of tasks to be run on an interval to return actionable data about a set of machines. Google Grr is an open-source product currently being used by Google. This ensures that Google is going to keep providing updates and features to the framework. Furthermore, the creators of the framework aren’t trying to re-invent the analysis wheel, meaning they aren’t trying to create or replace existing forensic tools. Pre-existing tools used by the IR community are built into Google Grr, or the data received can be used by these tools.
This is actually a great TL/DR to summarize GRR! Merci 🙂
Great write-up, thanks!!!
Could GRR be used to push out custom script to endpoints and execute them. Eg. a bash script to gather certain data which is not part of the Artefacts ?
Hey Prats,
I don’t know the answer to that off the top of my head unfortunately. But Google Grr is based off of Python and I have been told it is made to be customizable. Have fun and lemme know what you find.
I know this is pretty late, but the answer to this question is yes, you can 🙂 GRR has the ability to push “Emergency Binaries and Code”, so in short you can deploy binaries over GRR or push out arbitrary Python code that will be executed:
https://grr-doc.readthedocs.io/en/latest/investigating-with-grr/pushing-code.html#emergency-pushing-of-code-and-binaries
So idk if it’s because of an update or what has happened, but your guide no longer works.
You have to go get the DEB release now. So I go and do that, it sets up fine until I get to nginx.
I’ve tried it twice now. It simply won’t work. I’ll go try it again and post my errors. Once I install nginx and edit /etc/nginx/sites-enabled/default with your config, nginx no longer starts.
I’ve googled the hell out of this and gotten nowhere; if you know off the top of your head, please let me know what to do.
I’ll be back in a few with the errors.
Thanks for your help!
Hey Archer,
Without a screenshot/message block of the error I cannot provide any potential solutions. However, Google is probably still your best option to resolve the issue :).
Why we don’t just use RDP or some kind of remote desktop instead of this limited tasks software?
Hey 123,
This is a great question! RDP specifically requires the sysadmin/security personnel to initiate a connection to the machine with RDP. If the machine is behind a NAT/firewall device, you probably won’t be able to access the machine without proper port forwarding. Since Google GRR is an agent that runs on the machine behind the NAT/firewall device, it can initiate a connection outbound to your server for new tasks. TLDR: ingress vs. egress.
Furthermore, RDP is an intensive network application, so your user may be in a remote location(overseas) with a limited connection. Google GRR uses HTTP which is a light protocol so it can perform better on limited network connections.
Finally, I would recommend watching this Youtube on Google GRR for a more comprehensive answer.
Youtube video on Google Grr: https://www.youtube.com/watch?v=ren6QSvwFvg