Forensics
The forensics module is aimed at giving analysts the capability to take responsive actions on an endpoint in order to facilitate further investigation, collect evidence or initiate remediation-based activities.
The module leverages PowerShell Remoting to execute commands on remote endpoints. This keeps the required configuration minimal, needs no additional agent on the endpoint, and makes the full capabilities of PowerShell available as part of the response functionality. The FalconOrchestrator.Forensics library contains the logic to establish a PowerShell connection, execute the provided command and return data where applicable.
In order to leverage this functionality you will need to perform the following configuration tasks:
- Enable PowerShell Remoting on all endpoints you need to interact with; this can be done by executing the command `Enable-PSRemoting`. For larger environments it is suggested to use a systems management tool or Group Policy.
- Enabling this causes the Windows Remote Management (WinRM) protocol to be used, listening on TCP port 5985. As such you should ensure that port is accessible for inbound communication both on the local Windows firewall and on any network filtering devices between the Falcon Orchestrator server and the target endpoint.
- Lastly, you will need to supply credentials of an account (typically a domain account) that has sufficient access to the target endpoint(s) in order to carry out the intended commands.
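The following is an added example (not code from the Falcon Orchestrator project) that walks through the three configuration tasks above: enabling remoting on an endpoint, verifying that the WinRM listener and the local firewall exposure on TCP 5985 are in place, and then confirming from the orchestrator side that a supplied domain credential can actually reach the endpoint before any response command is issued. The host name `ENDPOINT01.example.local` and the credential prompt are placeholders.

```powershell
# Added example, not part of FalconOrchestrator.Forensics.
# Host name and credential below are placeholders; replace with your own values.

# --- On each target endpoint (run from an elevated PowerShell session) ---

# Enable PowerShell Remoting. -Force suppresses the interactive confirmation
# prompts so the command can be pushed via a management tool or startup script.
Enable-PSRemoting -Force

# Verify that a WinRM listener exists and that it is bound to the HTTP transport
# on TCP 5985. Each listener under WSMan:\localhost\Listener exposes its settings
# as name/value items.
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    $props = Get-ChildItem $_.PSPath
    [pscustomobject]@{
        Listener  = $_.Name
        Transport = ($props | Where-Object Name -eq 'Transport').Value
        Port      = ($props | Where-Object Name -eq 'Port').Value
        Address   = ($props | Where-Object Name -eq 'Address').Value
    }
}

# Verify the local Windows Firewall allows inbound WinRM. Enable-PSRemoting creates
# these rules per network profile; confirm the profile the endpoint is actually on
# has an enabled rule, otherwise the orchestrator cannot connect.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Select-Object Name, Profile, Enabled, Direction, Action

# --- On the Falcon Orchestrator server ---

$target = 'ENDPOINT01.example.local'   # placeholder endpoint name
$cred   = Get-Credential -Message 'Domain account with sufficient rights on the endpoint'

# Test-WSMan checks that the WinRM service on the endpoint answers on 5985 with
# the supplied credential before any response command is sent. A failure here
# points at the firewall, network path or the account rather than the command.
Test-WSMan -ComputerName $target -Credential $cred -Authentication Default

# A representative evidence-collection action run through the same remoting path:
# enumerate listening TCP sockets and the process that owns each one.
Invoke-Command -ComputerName $target -Credential $cred -ScriptBlock {
    Get-NetTCPConnection -State Listen |
        Select-Object LocalAddress, LocalPort, OwningProcess |
        Sort-Object LocalPort
}
```

The endpoint-side section is what a Group Policy or systems management rollout should leave behind on every host; the server-side `Test-WSMan` call is a cheap pre-flight check worth running before a full `Invoke-Command`, since it separates connectivity and authentication failures from errors in the response command itself.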