GRR Rapid Response: remote live forensics for incident response
Hello, I'm (urgently) looking for a way to execute a command on a GRR client. Any hint? (I'm in a cyber exercise, lost admin control over the system, but still have GRR as a 'backdoor'.)
(the grr client = windows)
(sorry if this is not the right place for this question)
Hey, the best place for such questions is probably the grr-users mailing list, there are more people looking at it
for your problem, it's probably the easiest if you execute a script on the machine
for that, you have to sign it and upload to the database
and run executebinary
sorry, the correct name is LaunchBinary
You could also do a python hack, works the same but with a python script instead of an executable/script
@grrrrrrrrr Hello Andreas, thanks, I simply can't get LaunchBinary to work. Each attempt fails with a crash: executable binary not found. I tried various (case-sensitive) variations on the remote (Windows) machine and on my local GRR server (C:/Windows/System32/net.exe, c:\windows\system32, /C:/Windows/System32/net.exe, /cases/grr/net.exe).
this is not how this flow works
you can only run binaries that you send from the server
Hello, I'm looking for a way to change a GRR's locale and time. Do you have any hints? It is in JST (Tokyo). (Sorry if this is not the right place for this question.)
Carl Henrik Lunde
How many concurrently open files should I expect on a data server? I'm seeing ~700 now; it looks like systemd defaults to 1024 as a limit, and at some point I've reached that. Ref. google/grr#395
I'm wondering if there's a third issue with my setup, since I should not be close to 1024 anyway with just a handful of clients for testing. Now (with 700 files open on two data nodes) I have 700 files/sockets open.
@chlunde yes, set it big if you're using the sqlite datastore
@yskwon0830_twitter we use UTC everywhere, you should set the server to UTC. Supporting anything else is complicated, error prone, and a waste of time for us (there is no timezone we could pick that would make any sense).
@yskwon0830_twitter also, users mailing list will probably get you a faster reply next time
I'd need some help with my first flow. I've made a dummy .py file and added it to the registry_init file, but now the server just doesn't start.
I probably screwed it up but don't know where or what. I put my test directly into the path -> /usr/share/grr-server/lib/python2.7/site-packages/grr/lib/flows/general
OK, going to post at the GitHub forum.
Hey, yeah, stick it in an email with the backtrace of what happened when the server wouldn't start.
Could anyone tell me if you can configure grr to run commands like taskkill and such ad hoc?