Automating Artifact Collection Upon Waking Sleeper Agents

Rule Description
This rule is designed for SLEEPER MODE deployments, where all agents are put to sleep and are only awakened in an IR scenario. It can easily be expanded upon to grab additional artifacts or even to initiate a Velociraptor acquisition.

Order of operations

  1. watches for an agent to send a STARTING_UP event (sent when the agent comes out of sleep)
  2. checks that evidence_acquired tag has not already been set on the sensor
  3. acquires all specified artifacts from the endpoint immediately
  4. sets the evidence_acquired tag so that the rule does not apply to the same system twice

Detect

event: STARTING_UP
op: is tagged
tag: evidence_acquired
not: true

Respond

- action: report
  name: Sleeper Activated - Get Evidence
- action: task
  command: >-
    artifact_get --file 'C:\\Windows\\System32\\winevt\\logs\\Security.evtx'
    --days-retention 30 --type wel
- action: task
  command: >-
    artifact_get --file 'C:\\Windows\\System32\\winevt\\logs\\System.evtx'
    --days-retention 30 --type wel
- action: task
  command: >-
    artifact_get --file 'C:\\Windows\\System32\\winevt\\logs\\Application.evtx'
    --days-retention 30 --type wel
- action: task
  command: >-
    artifact_get --file 'C:\\Windows\\System32\\winevt\\logs\\Windows
    PowerShell.evtx' --days-retention 30 --type wel
- action: add tag
  tag: evidence_acquired
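To check the order of operations before deploying, here is an added example (not part of the original post, and not the LimaCharlie API) that replays STARTING_UP events through a simplified model of the rule: the Sensor and event shapes are assumptions, the artifact list is the one from the rule above (written as Python raw strings), and extending ARTIFACTS is how you would grab more evidence.

```python
# Offline simulation of the "Sleeper Activated - Get Evidence" rule.
# Sensor/event shapes are simplified assumptions for illustration only.
from dataclasses import dataclass, field

# Artifact paths from the rule; append entries here to collect more.
ARTIFACTS = [
    r"C:\Windows\System32\winevt\logs\Security.evtx",
    r"C:\Windows\System32\winevt\logs\System.evtx",
    r"C:\Windows\System32\winevt\logs\Application.evtx",
    r"C:\Windows\System32\winevt\logs\Windows PowerShell.evtx",
]
GATE_TAG = "evidence_acquired"


def artifact_get_command(path, retention_days=30, kind="wel"):
    """Build one artifact_get task. The path is single-quoted so a space
    (as in 'Windows PowerShell.evtx') stays inside one argument."""
    return f"artifact_get --file '{path}' --days-retention {retention_days} --type {kind}"


@dataclass
class Sensor:
    sid: str
    tags: set = field(default_factory=set)


def apply_rule(sensor, event_type):
    """Return the respond actions the rule would emit for one event.
    Detect: event is STARTING_UP AND the sensor is NOT tagged evidence_acquired."""
    if event_type != "STARTING_UP" or GATE_TAG in sensor.tags:
        return []
    actions = [("report", "Sleeper Activated - Get Evidence")]
    actions += [("task", artifact_get_command(p)) for p in ARTIFACTS]
    sensor.tags.add(GATE_TAG)  # "add tag" closes the gate for this sensor
    actions.append(("add tag", GATE_TAG))
    return actions


def replay(events):
    """Replay (sid, event_type) pairs and count artifact tasks per sensor,
    showing that a second wake-up of the same sensor issues nothing."""
    sensors, tasks = {}, {}
    for sid, ev in events:
        sensor = sensors.setdefault(sid, Sensor(sid))
        for kind, _ in apply_rule(sensor, ev):
            if kind == "task":
                tasks[sid] = tasks.get(sid, 0) + 1
    return tasks, sensors
```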