diff --git a/docs/administration/enterprise.md b/docs/administration/enterprise.md index 49d7fe2c..b8303886 100644 --- a/docs/administration/enterprise.md +++ b/docs/administration/enterprise.md @@ -55,6 +55,11 @@ according to the [OpenAEV architecture](../deployment/platform/overview.md#archi The SentinelOne Agent can be leveraged to execute implants as detached processes that will then execute payloads according to the [OpenAEV architecture](../deployment/platform/overview.md#architecture) +### Palo Alto Cortex Agent + +The Palo Alto Cortex Agent can be leveraged to execute implants as detached processes that will then execute payloads +according to the [OpenAEV architecture](../deployment/platform/overview.md#architecture) + ## Remediations in CVES More detail: [CVES](taxonomies.md) and [Findings view](../usage/findings.md) diff --git a/docs/deployment/assets/paloaltocortex-agents.png b/docs/deployment/assets/paloaltocortex-agents.png new file mode 100644 index 00000000..902c27bc Binary files /dev/null and b/docs/deployment/assets/paloaltocortex-agents.png differ diff --git a/docs/deployment/assets/paloaltocortex-endpoints.png b/docs/deployment/assets/paloaltocortex-endpoints.png new file mode 100644 index 00000000..192b7c84 Binary files /dev/null and b/docs/deployment/assets/paloaltocortex-endpoints.png differ diff --git a/docs/deployment/assets/paloaltocortex-scripts.png b/docs/deployment/assets/paloaltocortex-scripts.png new file mode 100644 index 00000000..15a75d36 Binary files /dev/null and b/docs/deployment/assets/paloaltocortex-scripts.png differ diff --git a/docs/deployment/assets/paloaltocortex-unix-script.png b/docs/deployment/assets/paloaltocortex-unix-script.png new file mode 100644 index 00000000..214ed411 Binary files /dev/null and b/docs/deployment/assets/paloaltocortex-unix-script.png differ 
diff --git a/docs/deployment/assets/paloaltocortex_subprocessor_unix.py b/docs/deployment/assets/paloaltocortex_subprocessor_unix.py new file mode 100644 index 00000000..09c0d3a6 --- /dev/null +++ b/docs/deployment/assets/paloaltocortex_subprocessor_unix.py @@ -0,0 +1,8 @@ +import os + +def run(command): + exit_code = os.system("echo " + command + " | base64 -d | sh") + print("Exit code:", exit_code) + +if __name__ == "__main__": + run(command) \ No newline at end of file diff --git a/docs/deployment/assets/openaev_subprocessor_unix.sh b/docs/deployment/assets/sentinelone_subprocessor_unix.sh similarity index 100% rename from docs/deployment/assets/openaev_subprocessor_unix.sh rename to docs/deployment/assets/sentinelone_subprocessor_unix.sh diff --git a/docs/deployment/assets/openaev_subprocessor_windows.ps1 b/docs/deployment/assets/sentinelone_subprocessor_windows.ps1 similarity index 100% rename from docs/deployment/assets/openaev_subprocessor_windows.ps1 rename to docs/deployment/assets/sentinelone_subprocessor_windows.ps1 diff --git a/docs/deployment/ecosystem/executors.md b/docs/deployment/ecosystem/executors.md index bb414485..49d3c8e5 100644 --- a/docs/deployment/ecosystem/executors.md +++ b/docs/deployment/ecosystem/executors.md 
@@ -14,6 +14,7 @@ architectures. This table below summarizes the information about each agent. | **Tanium Agent** | Under license | As a system service | Executable | An admin background process | As a system admin | No, always the same agent | | **Crowdstrike Falcon Agent** | Under license | As a system service | Executable | An admin background process | As a system admin | No, always the same agent | | **SentinelOne Agent** | Under license | As a system service | Executable | An admin background process | As a system admin | No, always the same agent | +| **Palo Alto Cortex Agent** | Under license | As a system service | Executable | An admin background process | As a system admin | No, always the same agent | | **Caldera Agent** | Open source | As a user session | Script | An admin background process | As a user admin | Yes, depending on the user | ## OpenAEV Agent @@ -79,7 +80,7 @@ Once configured and imported, retrieve the package IDs from the URL: ### Configure the OpenAEV Platform -To use the Tanium executor, fill the following configuration: +To use the Tanium executor, fill the following configuration in the Integrations (Executors) tab from OpenAEV menu. | Parameter | Environment variable | Default value | Description | |:------------------------------------------------------|:------------------------------------------------------|:---------------|:--------------------------------------------------------------------------------------------------------------------------------------------------| 
@@ -257,7 +258,7 @@ applied. Please note that the CrowdStrike API key should have the following permissions: API integrations, Hosts, Host groups, Real time response. -To use the CrowdStrike executor, just fill the following configuration. +To use the CrowdStrike executor, just fill the following configuration in the Integrations (Executors) tab from OpenAEV menu. | Parameter | Environment variable | Default value | Description | |:-----------------------------------------------------------|:------------------------------------------------------------|:-----------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------| 
@@ -291,6 +292,93 @@ Endpoint on the OpenAEV endpoint page. You are now ready to leverage your CrowdStrike platform to run OpenAEV payloads! +--- + +## Palo Alto Cortex Agent + +The Palo Alto Cortex agent can be leveraged to execute implants as detached processes that will then execute payloads +according to the [OpenAEV architecture](https://docs.openaev.io/latest/deployment/overview). + +The implants will be downloaded to these folders on the different assets: + +* On Windows assets: `C:\Program Files (x86)\Filigran\OAEV Agent\runtimes\implant-XXXXX` +* On Linux or MacOS assets: `/opt/openaev-agent/runtimes/implant-XXXXX` + +where XXXXX will be a completely random UUID, generated for each inject that will be executed. +This ensures that the implants are unique and will be deleted on assets' restart. + +### Configure the Palo Alto Cortex Platform + +#### Upload OpenAEV scripts + +First of all, you need to create one custom script for Unix, covering both Linux and MacOS systems. +For Windows, we use the existing Palo Alto script named `execute_commands`. + +To create it, go to `Incident Response` > `Action Center` > `Agent Script Library` > `+ New Script`. The names +of the scripts can be changed if necessary, the ids will be put in the OpenAEV configuration. + +*Unix Script* + +Upload the following Python script: + +[Download](../assets/paloaltocortex_subprocessor_unix.py) + +Put the following Input schema: + +![Palo Alto Cortex unix script1](../assets/paloaltocortex-unix-script.png) + +*Windows script* + +Existing Palo Alto script named `execute_commands`. + +Once created, your Remote Ops scripts should have something like this: + +![Palo Alto Cortex RTR script](../assets/paloaltocortex-scripts.png) + +#### Create a group with your targeted assets + +To create a group, go to `Endpoints` > `Endpoint Groups`. + +### Configure the OpenAEV platform + +!!! 
warning "Palo Alto Cortex API Key" + + Please note that the Palo Alto Cortex API key created in "Settings/API Keys" should have the following minimum role: “Instance Administrator” and security level: "Standard". + +To use the Palo Alto Cortex executor, just fill the following configuration in the Integrations (Executors) tab from OpenAEV menu. + +| Parameter | Environment variable | Default value | Description | +|:--------------------------------------------------------------|:--------------------------------------------------------------|:--------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| executor.paloaltocortex.enable | EXECUTOR_PALOALTOCORTEX_ENABLE | `false` | Enable the Palo Alto Cortex executor | +| executor.paloaltocortex.url | EXECUTOR_PALOALTOCORTEX_URL | | Palo Alto Cortex URL, the API version used is the v1 | +| executor.paloaltocortex.api-register-interval | EXECUTOR_PALOALTOCORTEX_API_REGISTER_INTERVAL | 1200 | Palo Alto Cortex API interval to register/update the accounts/sites/groups/agents in OpenAEV (in seconds) | +| executor.paloaltocortex.api-batch-execution-action-pagination | EXECUTOR_PALOALTOCORTEX_API_BATCH_EXECUTION_ACTION_PAGINATION | 100 | Palo Alto Cortex API pagination per 5 seconds to set for endpoints batch executions (number of endpoints sent per 5 seconds to Palo Alto Cortex to execute a payload) | +| executor.paloaltocortex.clean-implant-interval | EXECUTOR_PALOALTOCORTEX_CLEAN_IMPLANT_INTERVAL | 8 | Palo Alto Cortex clean old implant interval (in hours) | +| executor.paloaltocortex.api-key-id | EXECUTOR_PALOALTOCORTEX_API_KEY_ID | | Palo Alto Cortex API key id | +| executor.paloaltocortex.api-key | EXECUTOR_PALOALTOCORTEX_API_KEY | | Palo Alto Cortex API key | +| executor.paloaltocortex.group-name | EXECUTOR_PALOALTOCORTEX_GROUP_ID | | Palo Alto Cortex group name or groups names separated with 
commas | +| executor.paloaltocortex.windows-script-uid | EXECUTOR_PALOALTOCORTEX_WINDOWS_SCRIPT_UID | | Uid of the OpenAEV Palo Alto Cortex Windows script | +| executor.paloaltocortex.unix-script-uid | EXECUTOR_PALOALTOCORTEX_UNIX_SCRIPT_UID | | Uid of the OpenAEV Palo Alto Cortex Unix script | + +### Checks + +Once enabled, you should see Palo Alto Cortex available in your `Install agents` section + +![Palo Alto Cortex available agent](../assets/paloaltocortex-agents.png) + +Also, the assets and the asset groups in the selected groups should now be available in the endpoints and asset +groups sections in OpenAEV: + +![Palo Alto Cortex Endpoints](../assets/paloaltocortex-endpoints.png) + +NB : An Asset can only have one Palo Alto Cortex agent installed due to the uniqueness of the MAC address parameters. If you +try to install again a Palo Alto Cortex agent on a platform, it will overwrite the actual one and you will always see one +Endpoint on the OpenAEV endpoint page. + +!!! success "Installation done" + + You are now ready to leverage your Palo Alto Cortex platform to run OpenAEV payloads! + --- ## SentinelOne Agent @@ -325,7 +413,7 @@ of the scripts can be changed if necessary, the ids will be put in the OpenAEV c Upload the following script (encoded for Unix): -[Download](../assets/openaev_subprocessor_unix.sh) +[Download](../assets/sentinelone_subprocessor_unix.sh) Put the following Input schema: @@ -336,7 +424,7 @@ Put the following Input schema: Upload the following script (encoded for Windows): -[Download](../assets/openaev_subprocessor_windows.ps1) +[Download](../assets/sentinelone_subprocessor_windows.ps1) Put the following Input schema: 
@@ -357,7 +445,7 @@ To create a wrapper (account/site/group), go to `Settings` > `Accounts/Sites`. Please note that the SentinelOne API key created in "Settings/Users/Service Users" should have the following minimum role: “IR Team”. The API key and the scripts must be created for and with the same user and the required account/site. -To use the SentinelOne executor, just fill the following configuration. +To use the SentinelOne executor, just fill the following configuration in the Integrations (Executors) tab from OpenAEV menu. | Parameter | Environment variable | Default value | Description | |:-----------------------------------------------------------|:-----------------------------------------------------------|:--------------|:------------------------------------------------------------------------------------------------------------------------------------------------------| diff --git a/docs/usage/assets.md b/docs/usage/assets.md index 0888b55a..e1ccbb48 100644 --- a/docs/usage/assets.md +++ b/docs/usage/assets.md 
@@ -66,14 +66,14 @@ To register new endpoints, you will need to install an agent. You can find detai **Agents panel** -| Attribute | Meaning | -|-----------------|----------------------------------------------------------------------| -| **Name** | Local user account on the endpoint that executes the agent process | -| **Executor** | Agent type (OpenAEV, Crowdstrike, Tanium, SentinelOne or Caldera) | -| **Privilege** | Local account's privileges on the endpoint (admin, or standard user) | -| **Deployment** | Installation type (Service or Session) | -| **Status** | Active or Inactive (threshold: 1 hour) | -| **Last seen** | Last seen it has been pinged | +| Attribute | Meaning | +|-----------------|-------------------------------------------------------------------------------------| +| **Name** | Local user account on the endpoint that executes the agent process | +| **Executor** | Agent type (OpenAEV, Crowdstrike, Tanium, SentinelOne, Palo Alto Cortex or Caldera) | +| **Privilege** | Local account's privileges on the endpoint (admin, or standard user) | +| **Deployment** | Installation type (Service or Session) | +| **Status** | Active or Inactive (threshold: 1 hour) | +| **Last seen** | Last seen it has been pinged | !!! note
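Review bot: in `paloaltocortex_subprocessor_unix.py` the shell command is built by string concatenation, `os.system("echo " + command + " | base64 -d | sh")`, so the `command` input is parsed by the shell before it is ever base64-decoded; any character outside the base64 alphabet (a `;`, a backtick, `$(...)`) is executed as shell rather than rejected. Since the decoded payload is handed to `sh` anyway this is not a new privilege boundary, but a malformed input fails in confusing ways instead of with a clean decode error. Consider decoding in Python and feeding `sh` over stdin: `subprocess.run(["sh"], input=base64.b64decode(command, validate=True))`. Two smaller problems in the same file: `os.system` returns the raw wait status on Unix, so the printed "Exit code" is the status word (256 for an exit of 1) unless it goes through `os.waitstatus_to_exitcode`; and `if __name__ == "__main__": run(command)` references a `command` name that is never defined at module scope, so running the file directly raises `NameError`. If the Cortex script runner calls `run()` with the inputs declared in the schema, that block is dead code and should go; if it does not, the entry point has to obtain `command` from somewhere. Also add the trailing newline flagged by `\ No newline at end of file`.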
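Review bot: in the Tanium hunk of executors.md, `fill the following configuration in the Integrations (Executors) tab from OpenAEV menu` reads awkwardly; suggest `fill in the following configuration in the Integrations > Executors tab of the OpenAEV menu` (or whatever the exact menu path is), and apply the same wording to the identical sentence in the CrowdStrike and SentinelOne hunks and in the new Palo Alto Cortex section so that all four executors describe the same navigation the same way.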
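Review bot: in the Palo Alto Cortex configuration table the property `executor.paloaltocortex.group-name` is paired with the environment variable `EXECUTOR_PALOALTOCORTEX_GROUP_ID`; every other row maps `a.b-c` to `A_B_C`, and the description says the value is a group name (or several names separated by commas), so one side of this row is wrong, most likely the env var, which should read `EXECUTOR_PALOALTOCORTEX_GROUP_NAME`. Please check it against the executor code. Other points in the same hunk: the API key warning requires the "Instance Administrator" role for an integration whose only job is to run two scripts against an endpoint group; if a narrower Cortex role is enough, document that, and if not, say why the administrator role is needed. Several lines look carried over from the other executors unchanged: "your Remote Ops scripts should have something like this" and the alt text "Palo Alto Cortex RTR script" use terms that belong to the SentinelOne and CrowdStrike sections (Real time response is listed among the CrowdStrike permissions), whereas the Cortex path given two paragraphs earlier is `Agent Script Library`; the "NB" about MAC address uniqueness is the CrowdStrike paragraph verbatim (its last line, "Endpoint on the OpenAEV endpoint page.", is the context line of the previous hunk) and should be confirmed for Cortex; and the architecture link is the absolute `https://docs.openaev.io/latest/deployment/overview` while enterprise.md links the relative `../deployment/platform/overview.md#architecture`. Smaller wording: `### Configure the OpenAEV platform` should be `Platform` to match the Tanium heading, `the API version used is the v1` should drop the article, and `group name or groups names separated with commas` should read `group name, or several group names separated by commas`.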