scrymastic / edr-agent

A tool for monitoring system events and sending relevant information to the EDR server for further analysis and response.
MIT License

Agent setup #1

Closed jaspreetsingh2793 closed 4 months ago

jaspreetsingh2793 commented 4 months ago

Hi, can you help me build the agent file? I am able to run the server, but after executing the agent it does not reflect on the server UI. I am using Linux as the server and Windows as the agent machine. I edited and cross-checked config.json and also the connectivity. Can you please guide me in building the agent executable?

scrymastic commented 4 months ago

Apologies for the delayed reply. If the issue is still happening, try updating the IP addresses in the config.json file to match your actual server's IP. Additionally, the path and query pairs within the configuration define the specific log channel and filter criteria you wish to monitor. For utilizing the Microsoft-Windows-Sysmon/Operational path, Sysmon installation is necessary. You may want to replace the default Sysmon config with this config file: Sysmon Config by SwiftOnSecurity. Currently, the server is configured to process Sysmon events (event IDs 1 through 25) and PowerShell events (event ID 4104). Hope this setup helps.
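The config.json setup the maintainer describes above, as an added preflight check (example code, not from the scrymastic/edr-agent project): it parses a constructed config.json, confirms the WebSocket URI points at the port the server actually listens on (the mismatch behind this issue, resolved later in the thread by switching to 8001), checks each configured channel against the event sources the server is said to process (Sysmon event IDs 1 through 25, PowerShell 4104), and notes when the Sysmon channel requires Sysmon on the agent host. Only the `uri` key is confirmed by the thread; the `channels` list of `path`/`query` entries is an assumed layout for the "path and query pairs" mentioned, so adapt the key names to the real file.

```python
"""Preflight checks for an edr-agent style config.json (added example)."""
import json
from urllib.parse import urlsplit

# Event sources the maintainer says the server currently processes
# (channel name -> accepted event IDs).
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"
POWERSHELL_CHANNEL = "Microsoft-Windows-PowerShell/Operational"
ACCEPTED_EVENTS = {
    SYSMON_CHANNEL: set(range(1, 26)),  # Sysmon event IDs 1..25
    POWERSHELL_CHANNEL: {4104},         # PowerShell script block logging
}

# Constructed sample config.json. Only "uri" is confirmed by the thread; the
# "channels" list of path/query pairs is an ASSUMED layout.
SAMPLE_CONFIG = """
{
  "uri": "ws://192.168.63.137:8000/ws/agent/",
  "channels": [
    {"path": "Microsoft-Windows-Sysmon/Operational", "query": "*"},
    {"path": "Microsoft-Windows-PowerShell/Operational",
     "query": "*[System[(EventID=4104)]]"},
    {"path": "Security", "query": "*[System[(EventID=4624)]]"}
  ]
}
"""


def server_accepts(channel: str, event_id: int) -> bool:
    """True if the server-side pipeline processes this channel/event pair."""
    return event_id in ACCEPTED_EVENTS.get(channel, set())


def check_config(text: str, server_port: int) -> dict:
    """Validate an agent config against the port the server listens on.

    Returns {"errors": [...], "warnings": [...]}. Errors mean events will
    never show up in the server UI; warnings are operational caveats.
    """
    report = {"errors": [], "warnings": []}
    cfg = json.loads(text)

    # Transport: the agent must reach the server's real host and port.
    parts = urlsplit(cfg.get("uri", ""))
    if parts.scheme not in ("ws", "wss"):
        report["errors"].append(f"uri scheme must be ws or wss, got {parts.scheme!r}")
    elif parts.scheme == "ws":
        report["warnings"].append(
            "uri uses plaintext ws://; agent telemetry crosses the network unencrypted")
    if parts.port != server_port:
        report["errors"].append(
            f"uri port {parts.port} does not match server port {server_port}")

    # Collection: every channel should be one the server knows how to process.
    for entry in cfg.get("channels", []):
        path = entry.get("path", "")
        if path == SYSMON_CHANNEL:
            report["warnings"].append(
                "Sysmon channel configured: Sysmon must be installed on the agent host")
        if path not in ACCEPTED_EVENTS:
            report["errors"].append(
                f"channel {path!r} is collected but the server does not process it")
    return report


if __name__ == "__main__":
    # Server listens on 8001 (the port that worked in this thread).
    for severity, items in check_config(SAMPLE_CONFIG, 8001).items():
        for msg in items:
            print(f"[{severity}] {msg}")
```

Running it against the sample reports the 8000/8001 port mismatch as an error, flags the Security channel as collected-but-unprocessed, and warns about the plaintext transport and the Sysmon dependency; `server_accepts` is the same lookup the server-side filter would apply per event.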

jaspreetsingh2793 commented 4 months ago

Hey, thank you, it worked. I changed the port to 8001 in the config file, which worked. I would suggest editing the same in the example config. Thanks once again.

Example:

{ "uri": "ws://192.168.63.137:8000/ws/agent/",


jaspreetsingh2793 commented 4 months ago

Hello,

Hope you are doing well. Is there a plan to implement a Response feature too?

Regards, Jaspreet Singh


scrymastic commented 4 months ago

Automated response features could enhance the system's value. I found some actions to consider:

  • Sending alerts to the endpoint
  • Quarantining files and performing YARA scans
  • Blocking network connections
  • Terminating malicious processes

However, I don't have concrete plans to implement these additional features right now.

jaspreetsingh2793 commented 4 months ago

Hey, thanks for responding. Could you please send me an idea of how I could include response actions in this?

Also, can we connect on LinkedIn?

Regards, Jaspreet Singh

scrymastic commented 4 months ago

I am quite surprised that someone is interested in this project that much. This is just a basic implementation and there is a lot of room for improvement. But it will need more work, so I can't tell exactly how to implement more features now. And I don't have plans to develop this project at the moment. However, if you want to connect, here is my LinkedIn.

jaspreetsingh2793 commented 4 months ago

Yes, my friend. Though this is just a basic implementation, it has a lot of scope. I am interested in building this into a full-fledged EDR agent, with all the response features. Do you have any other reference that you can mention to me, which is open source and can be used as an EDR agent?

Regards, Jaspreet Singh

scrymastic commented 3 months ago

I do not have many references for the project, but you may want to take a look at https://github.com/ION28/BLUESPAWN or https://github.com/ossec/ossec-hids.

ossec/ossec-hids: OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

ION28/BLUESPAWN: An Active Defense and EDR software to empower Blue Teams.