CrowdStrike / falcon-orchestrator

CrowdStrike Falcon Orchestrator provides automated workflow and response capabilities
GNU Affero General Public License v3.0

File Extraction Issues #30

Closed nhasanit closed 7 years ago

nhasanit commented 7 years ago

I am having issues using only the File Extraction forensic tool. If I try to extract a file from a remote host using the hostname I get:

• Exception calling "UploadFile" with "2" argument(s): "The remote server returned an error: (500) Internal Server Error."

If I try to extract using the IP address as the computer, I get:

• Connecting to remote server 10.XX.XXX.XXX failed with the following error message : The WinRM client cannot process the request. Default authentication may be used with an IP address under the following conditions: the transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more information on how to set TrustedHosts run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.

I have tried accessing the console via the IP address and via the hostname. I have tried accessing the portal remotely as well as on the server that it sits on. All other forensics tools work, so I don't believe this is firewall related.

mr-burnse commented 7 years ago

Error 1 - can you please check the windows event viewer and look for any events related to ASP.NET as the source? Paste the error here so we can get some more info on what's causing the 500 error.

Error 2 - Try running the following command on the target host (i.e. the one you are connecting to with orchestrator). In a production environment you should use the explicit IP of the Orchestrator server instead of the * wildcard.

winrm set winrm/config/client @{TrustedHosts="*"}

nhasanit commented 7 years ago

Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 4/5/2017 4:43:01 PM
Event time (UTC): 4/5/2017 8:43:01 PM
Event ID: f72dab1d33d646009fc821add497a4bb
Event sequence: 105
Event occurrence: 5
Event detail code: 0

Application information:
Application domain: /LM/W3SVC/2/ROOT-1-131358951512286501
Trust level: Full
Application Virtual Path: /
Application Path: C:\Inetpub\Falcon Orchestrator\
Machine name: Redacted

Process information:
Process ID: 6580
Process name: w3wp.exe
Account name: IIS APPPOOL\FalconOrchestrator

Exception information:
Exception type: FileNotFoundException
Exception message: Could not find file 'C:\Inetpub\Falcon Orchestrator\App_Data\Artifacts\401-3.htm.zip'.
at System.IO.Error.WinIOError(Int32 errorCode, String maybeFullPath) at System.IO.FileInfo.get_Length() at FalconOrchestratorWeb.Areas.Forensics.Controllers.FileExtractionController.DownloadFile(String fileName) in C:\Orchestrator\falcon-orchestrator\FalconOrchestrator.Web\Areas\Forensics\Controllers\FileExtractionController.cs:line 52 at lambda_method(Closure , ControllerBase , Object[] ) at System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters) at System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass42.b__41() at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass81.<BeginSynchronous>b__7(IAsyncResult _) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.End() at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass37.<>c__DisplayClass39.b__33() at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass4f.b__49() at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass37.b__36(IAsyncResult asyncResult) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.End() at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass25.<>c__DisplayClass2a.b__20() at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass25.b__22(IAsyncResult asyncResult) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.End() at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) at System.Web.Mvc.Controller.<>c__DisplayClass1d.<BeginExecuteCore>b__18(IAsyncResult asyncResult) at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.End() at System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass4.b__3(IAsyncResult ar) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.End() at System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) at System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult) at System.Web.Mvc.MvcHandler.<>c__DisplayClass8.<BeginProcessRequest>b__3(IAsyncResult asyncResult) at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.End() at System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) at System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Request information:
Request URL: http://(IPADDRESS REDACTED)/forensics/file-extraction/downloadfile?fileName=401-3.htm
Request path: /forensics/file-extraction/downloadfile
User host address: (IPADDRESS REDACTED)
User: BDBC_NT(Username Redacted)
Is authenticated: True
Authentication Type: Negotiate
Thread account name: IIS APPPOOL\FalconOrchestrator

Thread information:
Thread ID: 43
Thread account name: IIS APPPOOL\FalconOrchestrator
Is impersonating: False
Stack trace: at System.IO.Error.WinIOError(Int32 errorCode, String maybeFullPath) at System.IO.FileInfo.get_Length() at FalconOrchestratorWeb.Areas.Forensics.Controllers.FileExtractionController.DownloadFile(String fileName) in C:\Orchestrator\falcon-orchestrator\FalconOrchestrator.Web\Areas\Forensics\Controllers\FileExtractionController.cs:line 52 at lambda_method(Closure , ControllerBase , Object[] ) at System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters) at System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass42.b__41() at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass81.<BeginSynchronous>b__7(IAsyncResult _) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.End() at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass37.<>c__DisplayClass39.b__33() at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass4f.b__49() at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass37.b__36(IAsyncResult asyncResult) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.End() at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass25.<>c__DisplayClass2a.b__20() at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass25.b__22(IAsyncResult asyncResult) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.End() at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) at System.Web.Mvc.Controller.<>c__DisplayClass1d.<BeginExecuteCore>b__18(IAsyncResult asyncResult) at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.End() at System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass4.b__3(IAsyncResult ar) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.End() at System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) at System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult) at System.Web.Mvc.MvcHandler.<>c__DisplayClass8.<BeginProcessRequest>b__3(IAsyncResult asyncResult) at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.End() at System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) at System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Custom event details:

nhasanit commented 7 years ago

When I run the PowerShell command I get an error:

PS C:\Windows\system32> winrm set winrm/config/client @{TrustedHosts="*"}
Error: Invalid use of command line. Type "winrm -?" for help.
PS C:\Windows\system32>

mr-burnse commented 7 years ago

I missed the single quotes on that command, it should be winrm set winrm/config/client '@{TrustedHosts="*"}'.

Looks like the file 401-3.htm doesn't actually exist in the C:\Inetpub\Falcon Orchestrator\App_Data\Artifacts directory since the upload wasn't successful. Are there any other errors present aside from that one in the event viewer?
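The TrustedHosts step above, as an added example that is not part of the thread or of the falcon-orchestrator project. TrustedHosts is a WinRM client setting, read by the machine that initiates the connection, and the WinRM error quoted in the first post already spells out why the wildcard is a poor default: hosts on that list are not mutually authenticated. The script therefore reports a wildcard, adds a single explicit address instead, and checks the listener answers. $RemoteHost is a placeholder; the WSMan: drive path and the cmdlets are standard Windows PowerShell.

```powershell
# Added example (not from the falcon-orchestrator project): manage WinRM TrustedHosts
# without a wildcard. Run in an elevated PowerShell session on the machine that
# initiates the WinRM connection. $RemoteHost is a placeholder address.
$RemoteHost = '10.0.0.25'   # placeholder: the host you connect to by IP
$path       = 'WSMan:\localhost\Client\TrustedHosts'

# 1. Show what is trusted today. The value is a comma-separated list; '*' means the
#    client will fall back to NTLM with any host, which the WinRM error text itself
#    warns is not authenticated.
$current = (Get-Item -Path $path).Value
$entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
Write-Host "Current TrustedHosts: '$current'"

if ($entries -contains '*') {
    Write-Warning 'TrustedHosts is a wildcard; replace it with explicit entries.'
}

# 2. Add only the explicit host, keeping existing entries (-Concatenate appends
#    instead of overwriting the list).
if (-not ($entries -contains $RemoteHost)) {
    Set-Item -Path $path -Value $RemoteHost -Concatenate -Force
    Write-Host "Added $RemoteHost to TrustedHosts"
}

# 3. Confirm the setting, then check that the remote WinRM listener answers.
#    Test-WSMan without credentials sends an unauthenticated Identify request, so it
#    proves reachability of the listener, not that authentication will succeed.
Get-Item -Path $path | Select-Object Name, Value
Test-WSMan -ComputerName $RemoteHost -ErrorAction Stop

# Equivalent winrm.cmd form. The @{...} hashtable must be single-quoted so PowerShell
# passes it to winrm.cmd literally; unquoted it is parsed by PowerShell first, which
# is the "Invalid use of command line" error seen earlier in the thread.
# winrm set winrm/config/client '@{TrustedHosts="10.0.0.25"}'
```

Where the target can be reached by hostname, Kerberos authentication avoids TrustedHosts altogether, and an HTTPS listener is the other condition the error message names; both are preferable to growing the TrustedHosts list.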

nhasanit commented 7 years ago

The only other event I see that is related to that seems to be this one:

Event code: 4011
Event message: An unhandled access exception has occurred.
Event time: 4/5/2017 4:38:16 PM
Event time (UTC): 4/5/2017 8:38:16 PM
Event ID: 1fb0d786586f4e8999cea01bc03d36d8
Event sequence: 69
Event occurrence: 2
Event detail code: 0

Application information:
Application domain: /LM/W3SVC/2/ROOT-1-131358951512286501
Trust level: Full
Application Virtual Path: /
Application Path: C:\Inetpub\Falcon Orchestrator\
Machine name: Redacted

Process information:
Process ID: 6580
Process name: w3wp.exe
Account name: IIS APPPOOL\FalconOrchestrator

Request information:
Request URL: http://(Redacted)/forensics/file-extraction/receiver
Request path: /forensics/file-extraction/receiver
User host address: (Redacted)
User:
Is authenticated: False
Authentication Type:
Thread account name: IIS APPPOOL\FalconOrchestrator

Custom event details:

mr-burnse commented 7 years ago

Yup, that's the right one... not much info in the exception though. Did you set up the permissions for the Artifacts directory as outlined below?

https://github.com/CrowdStrike/falcon-orchestrator/wiki/Installation-&-Deployment#file-permissions
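A way to verify the Artifacts directory permissions from an admin shell, as an added example that is not part of the thread, the project or its wiki. The directory path and the application pool identity (IIS APPPOOL\FalconOrchestrator) are taken from the event log output posted above; the assumption that the pool identity needs Modify rights (to write the uploaded artifact and later delete it), rather than Full Control, is mine and follows least privilege. The 4011 access exception on /forensics/file-extraction/receiver is where the upload fails; the later 500 on downloadfile is the consequence of the missing file.

```powershell
# Added example (not from the project or its wiki): check, and if needed grant, the
# IIS app pool identity the rights it needs on the Artifacts directory.
# Path and identity come from the event log in the thread; Modify (not Full Control)
# as the required right is an assumption made here.
$ArtifactsDir = 'C:\Inetpub\Falcon Orchestrator\App_Data\Artifacts'
$Identity     = 'IIS APPPOOL\FalconOrchestrator'
$Modify       = [System.Security.AccessControl.FileSystemRights]::Modify

if (-not (Test-Path -LiteralPath $ArtifactsDir -PathType Container)) {
    throw "Artifacts directory not found: $ArtifactsDir"
}

$acl = Get-Acl -LiteralPath $ArtifactsDir

# Show the entries that apply to the app pool identity (explicit and inherited).
$existing = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Identity })
if ($existing.Count -eq 0) {
    Write-Warning "No ACE for $Identity on $ArtifactsDir; uploads will fail with an access exception."
} else {
    $existing | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
}

# Does an Allow entry already cover Modify? FullControl contains Modify, so a
# bitwise test handles both without string matching on the rights name.
$hasModify = @($existing | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights) -band ([int]$Modify)) -eq ([int]$Modify)
}).Count -gt 0

if (-not $hasModify) {
    # Grant Modify, inherited by subfolders (ContainerInherit) and files (ObjectInherit),
    # so files written under Artifacts get the same rights.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity,
        $Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $ArtifactsDir -AclObject $acl
    Write-Host "Granted Modify to $Identity on $ArtifactsDir"
}

# Re-read the ACL so the confirmation reflects what is now on disk.
(Get-Acl -LiteralPath $ArtifactsDir).Access |
    Where-Object { $_.IdentityReference.Value -eq $Identity } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Changing the ACL does not impersonate the pool identity, so the real test is to repeat the extraction and watch for a new 4011 event on the receiver path; if it recurs with the ACE in place, the request is failing before the file write, which points at authentication on the receiver endpoint rather than at NTFS.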

nhasanit commented 7 years ago

I think so. This is what the Artifacts folder permissions look like:

(screenshot attachment: capture)

nhasanit commented 7 years ago

Cancel that. I made a change on permissions and it works now. I think something was hung. Thanks!

mr-burnse commented 7 years ago

Glad to hear you got it sorted! Going to close this ticket. If you have any other issues/questions feel free to open a new one. Cheers!