Andrew Hollister
Director of LogRhythm Labs (EMEA);

SmartResponse Shell

LogRhythm’s SmartResponse™ is a powerful and flexible technology that has been further extended in LogRhythm 7 to allow actions to be executed on System Monitor Agents. These actions can be launched when an individual alarm is generated, on demand, or at a scheduled time.

In this post, I want to focus on using the new SmartResponse on-demand feature—specifically using it to run any script or command at an Agent.

For example, imagine that you are investigating a possible breach and you want to check the firewall configuration on a specific endpoint. Or maybe you want to check up on the contents of a folder. Or you might want to run any other command actually on the endpoint that you are investigating.

Typically, LogRhythm SmartResponse plug-ins are developed to achieve a specific action. For example, log off a user or add an IP address to a firewall rule.

However, it turns out that the SmartResponse framework is flexible enough to provide the option to run more or less any script or command of your choosing using the existing communications channel between the LogRhythm Platform and System Monitor Agents.

Creating the SmartResponse

SmartResponse plug-ins usually consist of an actions.xml file that describes the information being passed from LogRhythm to the process being launched—plus a PowerShell script that is going to be launched with some parameters populated by the information passed from LogRhythm.

Typically, a SmartResponse will launch a PowerShell script using the command line parameter “-file.” So for example powershell.exe - File Logoff.ps1

However, PowerShell is a very flexible scripting engine, and amongst other things, it will let you run BASSE64 encoded commands directly—without needing them to exist in a file on a disk. You can do this with the -EncodedCommand switch.

The reason for using BASE64 encoding is because passing a command string to PowerShell can become difficult with single and double quotation marks and other special characters, and using BASE64 removes this hurdle.

You’ll then change the switch to run a BASE64-encoded command instead of passing it a file. Therefore, you won’t have to ship a script in the SmartResponse, and the action the SmartResponse will take can be provided on demand when you launch the SmartResponse.

powershell.exe -EncodedCommand “BASE64 encoded string”

The “EncodedCommand” parameter is just used as a vehicle to transport the actual script itself. So you can now go ahead and create a new plug-in in LogRhythm using just this xml file. It’s called “SR No Script” and you can see this has been imported as the last plug-in in the list below.

Figure 1. SR No Script

Creating BASE64-encoded strings is actually pretty straightforward in PowerShell and it can be done with just two lines of PowerShell.

$bytes = [System.Text.Encoding]::Unicode.GetBytes($input) $encodedcommand = [Convert]::ToBase64String($bytes)

To make doing this faster when actually using the SmartResponse, I made a standalone script that takes either a ps1 file or a command line as input and converts it into BASE64 encoding and then places it onto the clipboard for you.

Here are a couple examples of running my script first with a file as input and then with a command line.

Figure 2. Noscript_Config.ps1

Figure 3. BASE64 Encoding

Figure 4. Noscript_Config.ps1 command

Figure 5. NoScript SmartResponse

Using the SmartResponse

In the LogRhythm console, select the Agent where you want to run a script, right-click and then choose Initiate SmartResponse.

Figure 6. Initiate SmartResponse

Choose the “SR No Script: SR Base64 Command” action, and right-click paste the BASE64-encoded command:

Figure 7. SR No Script

Click OK and the action is sent to the System Monitor Agent:

Figure 8. SR No Script

The LogRhythm System Monitor generates Event 4031 when the SmartResponse is delivered:

Figure 9. Event 4031

The LogRhythm System Monitor Agent generates Event 3001 when the SmartResponse is finished, and it records the BASE64-encoded string and the stdout and stderr, so you can go back to it later and check what was actually done. This information is also sent back to the LogRhythm Console so you can view the results of the script right there in the LogRhythm Console too.

This was the Event logged for the command line I encoded earlier ‘dir “C:\Program Files”’. In this window, you can see both the encoded command and the output.

Figure 10. Event Properties: Event 30001

The Benefit

This SmartResponse offers both ops and security teams the possibility to run any command they require on hosts that have an agent installed. This can be extremely valuable in a highly distributed or segmented environment where PowerShell remoting is not allowed or the network is segmented and there is no other access to the endpoint.

Often in an incident scenario, you just want to be able to quickly run a command and get the results, and this provides the tools to do just that.