alpine-sec / thevlad Goto Github PK

THEVLAD: Remote execution and triage tool via EDRs API

Analysis-oriented command line tool for remote execution and triage via EDRs API

The goal of this project is to create a unique tool that allows easy execution of tools and collection of outputs remotely using the APIs available in current EDR/XDRs and abstracting from the manufacturer.

This allows researchers to execute their own tools or interact with EDRs from their own scripts and tools in a simple way.

And of course... just for fun!

DOWNLOAD EXECUTABLE

Copy portable executable of TheVlad to the investigator machine where you want to perform the analysis, execution or triage

vlad.py [-h] [-V] -c CLIENT -v VENDOR [-l LIST_ENDPOINTS] [-s SEARCH_ENDPOINTS] [-x BASE64_COMMAND] [-m MACHINEID] [-b BINARY] [-d DOWNLOAD_FILE] [-f FORCE_EXECUTION]

python3 vlad.py -c XXXXXX -v MDATP -m XXXXXX -d C:\Users\XXXXXX\Desktop\POC.png -f

python3 vlad.py -c XXXXXX -v MDATP -m XXXXXX -b C:\Users\XXXXXX\Downloads\Procdump\procdump.exe -x U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggInByb2NkdW1wIiAtQXJndW1lbnRMaXN0ICItYWNjZXB0ZXVsYSAtbWEgNTU4NCAgQzpcIg== -f

Devices must be running one of the following:

• Windows 11
• Windows 10
  • Version 1909 or later
  • Version 1903 with KB4515384
  • Version 1809 (RS 5) with KB4537818
  • Version 1803 (RS 4) with KB4537795
  • Version 1709 (RS 3) with KB4537816
• Windows Server 2019 - Only applicable for Public preview
  • Version 1903 or (with KB4515384) later
  • Version 1809 (with KB4537818)
• Windows Server 2022
• macOS (Additional configuration profiles: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac?view=o365-worldwide)
  • 13 (Ventura)
  • 12 (Monterey)
  • 11 (Big Sur)
• Linux (Supported Linux server distributions and kernel versions: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux?view=o365-worldwide) **Microsoft 365 Defender Portal Features Required **

• 25 response sessions at a time
• Idle time for a session is 30 minutes.
• Individual live response commands have a time limit of 10
• Getfile, findfile and run have a limit of 30 minutes
• A single user can initiate 10 concurrent sessions
• A device can only be in one session

The following file size limits are applicable:

• getfile limit: 3 GB
• fileinfo limit: 30 GB
• library limit: 250 MB

Source: https://jeffreyappel.nl/how-to-troubleshoot-live-response-in-defender-for-endpoint/

• 10 calls per minute limit
• 25 concurrently running sessions
• RunScript timeout after 10 minutes
• Live response commands can’t be queued up and can only be executed one at a time.
• Multiple live response commands can be run on a single API call. However, when a live response command fails all the subsequent actions won’t be executed.
• When RBAC grouping is enabled the automated remediation level must be assigned, at least with a minimum Remediation Level
• Multiple live response sessions can’t be executed on the same machine

More Info: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api/run-live-response?view=o365-worldwide

• Add real-life scenarios
• Add SentinelOne Support
• Add Crowdstrike Support
• Add Cortex Support
• Add TrendMicro Vision One Support

(back to top)