Skip to main content

MPT-2. Develop Host Agent Deployment + Collection Plan


note
  • All data collection planning artifacts should be saved on the Fileserver SMB Share under /MISSION/01_PLANNING/02_DATA_COLLECTION_PLAN/ for standardization of location and access
  • Depending on the team's preference, related lists and CSV files can be either saved as individual files or combined as sepearate worksheets in an XLSX workbook


2.1. Gather endpoint targeting info​

Identify all targetable mission partner endpoints and their operating systems

Sub-tasks:

  • Obtain existing IP/OS asset lists for the mission partner environment for initial targeting
    • If no OS information is availabe, plan to use results from baseline network scanning (262COS-NET-SOP-001)
  • Obtain PPS (ports, protocols, services) lists for the mission partner environment to identify available remote agent deployment methods
    • If no PPS is availabe, plan to use results from remote management port scans (262COS-NET-SOP-001)
Required InputsExpected Outputs
  • IP/OS asset lists - or a plan to collect the data
  • PPS asset lists - or a plan to collect the data
  • List of endpoints, operating systems, and available remote agent deployment mechanisms
Example
target_details.csv
HostnameIP AddressOperating SystemSSHWinRMSMBWMI/RPC
WS-0310.0.0.0/24 (DHCP)RHEL 8βœ”
WS-0110.0.0.0/24 (DHCP)Windows 7 SP1βœ”βœ”
WS-0210.0.0.0/24 (DHCP)Windows 10 20H2βœ”βœ”βœ”
SVR-0110.0.0.10Windows Server 2012 R2βœ”βœ”βœ”

2.2. Prepare a Host Agent Deployment Plan​

info

Provided is an example/template: Host Agent Deployment Plan.xlsx

Specify the agents that will be deployed to mission partner assets based on compatible operating systems and other limiting factors

Sub-tasks:

  • Identify mission tasking/mission partner imposed host agent deployment restrictions
  • Coordinate with Mission Partner for whitelisting planned agent installation parameters (filepaths, driver names, service names, etc.) in native security tools (HBSS, Tanium, etc.)
  • Refer to the APPENDIX - Endgame OS Compatability table to identify compatible endpoint targets
  • Refer to the APPENDIX - Winlogbeat OS Compatability table to identify compatible endpoint targets
  • Refer to the APPENDIX - Auditbeat OS Compatability table to identify compatible endpoint targets
  • Refer to the APPENDIX - Filebeat OS Compatability table to identify compatible endpoint targets
    • Identify specific log file locations and formats required to be collected
    • Create per-endpoint Filebeat configuration files to collect the identified log file-based Data Components
  • Identify the method(s) in which each agent will be deployed (Deploy-Agent script, TFPlenum, or manually)
  • Identify the method(s) in which each agent will be removed at the end of the mission (include specific commands/instructions for agents that will be removed manually)
Required InputsExpected Outputs
  • List of endpoints, log types, and log file locations of application logs to be collected by Filebeat
  • List of endpoints, operating systems, and available remote agent deployment mechanisms
  • List of endpoints and all agents planned to be deployed to each, and the method (can be combined with previous list OS/service list details)
  • Filebeat configuration files specific to each endpoint with unique log file types and locations
Example
agent_targets.csv
DEPLOYMENT GROUPHOSTNAMEDOMAINMANAGEMENT IPOPERATING SYSTEMSYSMONENDGAMEWINLOGBEATAUDITBEATFILEBEAT
1DCFAKENET.USAF.MIL150.151.9.250Windowsβœ”βœ”βœ”
1FILEFAKENET.USAF.MIL150.151.9.252Windowsβœ”βœ”βœ”
1WEBFAKENET.USAF.MIL150.151.55.253UNKNOWN????CONFIG
1EXCHANGEFAKENET.USAF.MIL150.151.55.251Windowsβœ”βœ”βœ”
2RF-C2B-6-1FAKENET.USAF.MIL150.151.6.1Windowsβœ”βœ”βœ”
2RF-C2B-6-2FAKENET.USAF.MIL150.151.6.2Windowsβœ”βœ”βœ”
2RF-C2B-6-3FAKENET.USAF.MIL150.151.6.3Windowsβœ”βœ”βœ”
2RF-C2B-6-4FAKENET.USAF.MIL150.151.6.4Windowsβœ”βœ”βœ”
2RF-C2B-6-5FAKENET.USAF.MIL150.151.6.5Windowsβœ”βœ”βœ”

Any custom configuration files should also be saved with filenames that include the intended target's hostname (ex: <HOSTNAME>-filebeat.yml) to avoid confusion during deployment.

Apache module filebeat.yml config example:

filebeat.modules:
- module: apache
access:
enabled: true
var.paths: ["/path/to/log/apache/access.log*"]
error:
enabled: true
var.paths: ["/path/to/log/apache/error.log*"]

2.3. Prepare a Metasponse Collection Plan​

info

Provided is an example/template: Metasponse Collection Plan.xlsx

Specify active collection Metasponse jobs to collect data sources that will not be streamed by host agents

Sub-tasks:

  • Coordinate with Mission Partner for whitelisting planned Metasponse job execution folder in native security tools (HBSS, Tanium, etc.)
  • Batch together Metasponse jobs into pre-configured templates (262COS-MS-SOP-002) for quick deployment
  • Batch together targets into like-groups broken into reasonable sizes (~10), in order to not execute on too many targets in parrallel
Required InputsExpected Outputs
  • List of endpoints, operating systems, and available remote management mechanisms
  • List of endpoints and all agents planned to be deployed to each, and the method (can be combined with previous list OS/service list details)
  • List of Metasponse jobs/templates planned to be executed on each targeted endpoint/endpoint group
Example
metasponse_targets.csv
DEPLOYMENT GROUPHOSTNAMEDOMAINMANAGEMENT IPOPERATING SYSTEM
1DCFAKENET.USAF.MIL150.151.9.250Windows
1FILEFAKENET.USAF.MIL150.151.9.252Windows
1WEBFAKENET.USAF.MIL150.151.55.253UNKNOWN
1EXCHANGEFAKENET.USAF.MIL150.151.55.251Windows
2RF-C2B-6-1FAKENET.USAF.MIL150.151.6.1Windows
2RF-C2B-6-2FAKENET.USAF.MIL150.151.6.2Windows
2RF-C2B-6-3FAKENET.USAF.MIL150.151.6.3Windows
2RF-C2B-6-4FAKENET.USAF.MIL150.151.6.4Windows
3C2B-Fedora-01150.151.6.51Fedora
metasponse_job_schedule.csv
EXECUTION ORDERJOB TEMPLATE / PLUGINSDEPLOYMENT GROUPJOB TITLE
0DISCOVERYALLINITIAL-DISCOVERY
1

262 - [πŸ”₯Volatile Info] ARP Cache (Win/Linux)
262 - [πŸ”₯Volatile Info] DNS Cache (Win)
262 - [πŸ”₯Volatile Info] Environment Variables (Win/Linux)
262 - [πŸ”₯Volatile Info] Injected Threads (Win)
262 - [πŸ”₯Volatile Info] Logged-on Users (Win/Linux)
262 - [πŸ”₯Volatile Info] Route Table (Win/Linux)
Arp Cache Collector
DHCP Collector
DNSCache Collector
Mutex Collector
Netstat Collector
Null Session Pipes Collector
RAIR Collector
Active Sessions Collector
Survey Collector

1VOLTAILE_INFO-DG1-1/3
1VOLATILE_INFO2VOLTAILE_INFO-DG2-1
1VOLATILE_INFO3VOLTAILE_INFO-DG3-1
2262 - [πŸ”₯Volatile Info] Processes (Win/Linux)1VOLTAILE_INFO-DG1-2/3
2SYSTEM_CONFIG2SYSTEM_CONFIG-DG2-1
2SYSTEM_CONFIG3SYSTEM_CONFIG-DG3-1
3262 - [πŸ”₯Volatile Info] Netstat (Win/Linux)1VOLTAILE_INFO-DG1-3/3
3PERSISTENCE2PERSISTENCE-DG2-1
3PERSISTENCE3PERSISTENCE-DG3-1
4SYSTEM_CONFIG1SYSTEM_CONFIG-DG1-1
5PERSISTENCE1PERSISTENCE-DG1-1

2.4. Prepare a Syslog configuration plan​

Specify mission partner assets that need to be configured to natively stream Syslog to CVA/H

Required InputsExpected Outputs
  • List of endpoints, operating systems, and available remote managementt mechanisms
  • List of endpoints targeted for Syslog forwarding reconfiguration
  • List of endpoints targeted for native forwarding configuration
  • Syslog configuration files/instructions specific to each endpoint requiring native log forwarding
Examples

Any custom configuration commands should be saved as files with filenames that include the intended target's hostname (ex: <HOSTNAME>-ios-commands.txt) to avoid confusion during deployment.

Below are RFC3164 Syslog example [configurations](/01_PRE-EXECUTION/AID-002%20-%20Host%20Data%20Collection Planning/12_cvah_capability_considerations#syslog-considerations) for forwarding to CVA/H (specific commands and configurations may vary based on your environment):

  • Rsyslog (rsyslog.conf):

    *.* @@<DIP_EXT_IP>:5047

    -- OR --

    *.*  action(type="omfwd" target="<DIP_EXT_IP>" port="5047" protocol="tcp" action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000")
  • Syslog-NG (syslog-ng.conf):

    destination d_cvah { network("<DIP_EXT_IP>" transport("tcp") port(5047)); };
    log { source(s_sys); destination(d_cvah); };
  • Cisco IOS:

    switch> enable
    switch# configure terminal
    switch(config)# logging <DIP_EXT_IP> transport tcp port 5047
    switch(config)# logging on
    switch(config)# end
    switch# show logging
    switch# write memory
  • Junos OS:

    user@device> configure
    user@device# set system syslog host <DIP_EXT_IP> any informational
    user@device# set system syslog host <DIP_EXT_IP> transport tcp port 5047
    user@device# show system syslog
    user@device# commit