Build Your Own Simple Data Collection Tool From Endpoint

After a cyber incident, data must be collected to investigate and preserve evidence. Collection is a sensitive process: it must not cause the target system to crash or corrupt its data. Therefore we need to make minimal changes to the target system while collecting data.

The collection process should be automated to avoid problems such as data corruption or taking the system down. Check these points before collecting:

  • Has the automation been tested before?
  • Does it cause performance problems?
  • What do we do if the system crashes?

A basic tool should also be able to collect the following data:

  • System time and date
  • Operating system
  • General system information
  • Users and groups list
  • Network details 
  • Network connections 
  • Services and software list
  • Drivers
  • Files
  • Active processes
  • Browser history
  • System configurations
  • ARP table, DNS cache

NOTE: If a file transfer is necessary, the file's hash should also be sent so that the receiver can confirm the file was not changed in transit. If you want to try what is written here in a SOC environment, you can register for the free simulation on letsdefend.io.

We wanted to build our own automation, so we designed a TCP client-server structure in Python.

First, we found a code sample that could connect as both admin and client:

(Screenshot: Python socket code)

Then we created a TCP socket for data acquisition on the admin side.

We prepared the Python code (data.py) that listens for the client side (main.py) and creates the data in line with the commands received.

If a command reaching the listener starts with “!”, it is passed to the getValue() function in data.py.

If the requested data is supported by the target, collection begins. The requested data and the commands executed to obtain it:

Data                  Command
System date and time  date
Operating system      cat /etc/issue
Kernel version        uname -a
Uptime                w
Users                 cat /etc/passwd
Groups                cat /etc/group
Network connections   netstat -anp
Drivers               lsmod
Network interfaces    ifconfig -a
Routing table         netstat -rn
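As an added example (not the post's own data.py or main.py, and not the code on the GitHub page), the following shows one way to implement the “!” dispatch and the command table above so that the endpoint only ever runs the fixed, allow-listed collectors, together with the per-file SHA-256 that the NOTE above asks for. The collector names such as "kernel" and "routes", the function names and the status values are assumptions; the shell commands are the ones in the table.

```python
"""Allow-listed collector dispatch with integrity hashing.

Added example, not the post's own data.py/main.py. The collector names
(e.g. "kernel", "routes") and the function names are constructed; only
the commands themselves come from the table in the post.
"""
import hashlib
import shutil
import subprocess

# Allow list: request name -> argv. Running argv lists through subprocess
# (no shell) means the admin side can only ask for these fixed collectors,
# not run arbitrary commands on the endpoint. Commands are from the post.
COLLECTORS = {
    "date": ["date"],
    "os": ["cat", "/etc/issue"],
    "kernel": ["uname", "-a"],
    "uptime": ["w"],
    "users": ["cat", "/etc/passwd"],
    "groups": ["cat", "/etc/group"],
    "connections": ["netstat", "-anp"],
    "drivers": ["lsmod"],
    "interfaces": ["ifconfig", "-a"],
    "routes": ["netstat", "-rn"],
}


def parse_request(line: str):
    """Return the collector name for a '!name' request, or None when the
    line is not a '!' command (the dispatcher ignores such lines)."""
    line = line.strip()
    if not line.startswith("!"):
        return None
    name = line[1:].strip().lower()
    return name or None


def get_value(line: str, timeout: float = 30.0) -> dict:
    """Dispatch one request line. The record carries a status field so the
    admin side can tell 'ignored', 'unsupported', 'missing_binary',
    'timeout', 'error' and 'ok' apart, plus a SHA-256 of the output."""
    name = parse_request(line)
    if name is None:
        return {"request": line, "status": "ignored", "output": ""}
    argv = COLLECTORS.get(name)
    if argv is None:
        return {"request": line, "status": "unsupported", "output": ""}
    if shutil.which(argv[0]) is None:
        # Target lacks the tool (e.g. no net-tools): report, do not crash.
        return {"request": line, "status": "missing_binary", "output": ""}
    try:
        proc = subprocess.run(argv, capture_output=True, text=True,
                              timeout=timeout, check=False)
    except subprocess.TimeoutExpired:
        # A hung collector must not stall the whole acquisition.
        return {"request": line, "status": "timeout", "output": ""}
    ok = proc.returncode == 0
    output = proc.stdout if ok else proc.stderr
    return {
        "request": line,
        "status": "ok" if ok else "error",
        "output": output,
        "sha256": hashlib.sha256(output.encode("utf-8", "replace")).hexdigest(),
    }


def make_record(path: str, data: bytes) -> dict:
    """Build a transfer record: the bytes plus their SHA-256, as the post's
    NOTE requires, so the receiver can prove nothing changed in transit."""
    return {"path": path, "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(), "data": data}


def collect_file(path: str) -> dict:
    """Read a file from the endpoint and wrap it in a transfer record."""
    with open(path, "rb") as fh:
        return make_record(path, fh.read())


def verify_file(record: dict) -> bool:
    """Receiver-side check: recompute the hash over the received bytes."""
    return hashlib.sha256(record["data"]).hexdigest() == record["sha256"]


if __name__ == "__main__":
    # Constructed sample of request lines as the admin side might send them.
    for req in ["!date", "!kernel", "!browser", "hello"]:
        rec = get_value(req)
        print(f"{req:10} -> {rec['status']}: {rec['output'][:60].strip()}")
```

The point of the allow list is that the listener never receives a command string to execute; it receives a name and looks the command up itself, so an admin connection that is compromised or spoofed cannot turn the collector into a general remote shell. The status values let the admin side log exactly what was and was not collected from each endpoint.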

We installed three separate Ubuntu machines in VMs to test the tool, and installed the tool on them.

Machine  IP
Server   192.168.131.128
Admin    192.168.131.129
Client   192.168.131.132

When we checked the server terminal, we saw that the client and admin had connected to the server successfully.

When we requested the browser history as the admin user, we received the client’s browser history.

(Screenshot: browser history)

Some other commands we executed:

  • Bash history (screenshot: bash history)
  • Kernel version (screenshot: kernel version)

You can access all of the source code on our GitHub page.
