Release Notes Live Response (Version 1.1)
Thank you for choosing Tanium. These notes are intended to document changes between releases of the Tanium Incident Response module.
Tanium Live Response 1.1.2
Release Date May 15, 2018
Live Response Official Version 1.1.2.0005
Overview
Live Response (version 1.1.2) is released to general availability to provide a more extensible and customizable method for retrieving forensically relevant data and files. Live Response can collect running process details, module details, driver details, including file hashes, the $MFT, Windows event logs, system memory, user profiles and more. Data collection can be customized using JSON-formatted configuration files. Custom triage or data collection scripts can also be added to the package and configuration file. Live Response is available to any customers holding a license for Tanium Threat Response or the Tanium Incident Response module.
This release of Live Response includes many significant performance improvements and bug fixes. For details, please read below.
Resolved Issues and Improvements
- improvement: All PowerForensics cmdlets use less memory and execute several orders of magnitude faster.
- improvement: Raw NTFS parsing is significantly faster.
- improvement: File data is now streamed from disk, reducing memory overhead.
- improvement: PowerForensics now supports NTFS file systems where the file record size is not 1024 bytes.
- improvement: General compatibility improvements when sending to SFTP servers.
- improvement: Live Response logging now occurs using a single stream.
- improvement: Paths expanded from environment variables are now logged for visibility.
- improvement: The process collector now parses binary file information only once.
- improvement: SMB file transfers no longer require the "Read Attributes" permission. Only the "Create files / write data", "Create folders / append data", and "Write Attributes" permissions are required, which allows a truly write-only SMB file drop.
- change: LRConnectionTest is now created within the session directory on the remote system, rather than in the configured base directory.
- bugfix: Corrected a typo that caused Custom_Collection.json to fail to parse.
- bugfix: File collections no longer attempt to collect directories as though they were files.
- bugfix: File collections would fail if the configured path or regular expression contained UTF-8 characters.
- bugfix: Live Response would fail on systems that did not have .NET 3.5, with errors about FindSystemTimeZoneById and ConvertTimeFromUtc.
- bugfix: Live Response would fail with an obscure error if another instance was already running.
- bugfix: PowerForensics would return invalid raw file data for highly fragmented files. Specifically, at some point during the reading of the data, only null bytes would be returned.
- bugfix: PowerForensics would sometimes fail to parse directories, preventing access to their contents.
- bugfix: PowerForensics would sometimes incorrectly parse NTFS file record attributes, preventing access to the affected file records.
- bugfix: PowerForensics parsing of resident registry values would always return 4 bytes of data as binary, regardless of the underlying data type or length.
- bugfix: PowerForensics would throw an exception when trying to parse registry values that were zero bytes in length.
- bugfix: S3 transfers would fail if the secret key had trailing whitespace.
- bugfix: SFTP transfers to SolarWinds SFTP servers would fail.
- bugfix: SFTP transfers to WS_FTP SFTP servers would fail.
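The SMB improvement above lists the three NTFS permissions a write-only Live Response drop needs. The following PowerShell is an added example, not part of the Tanium release notes or the Live Response package: it grants a collection account exactly those three rights on the folder behind a share and nothing else, so a compromised collection credential cannot read back other hosts' evidence. The folder path, share name and account name are placeholders.

```powershell
# Added example (not Tanium code). Configure an NTFS write-only drop folder
# for Live Response using only the three rights named in the release notes.
$DropPath  = 'D:\LRDrop'               # placeholder: local folder behind the share
$ShareName = 'LRDrop'                  # placeholder: SMB share name
$Collector = 'CORP\svc-liveresponse'   # placeholder: account Live Response authenticates as

$FSR = [System.Security.AccessControl.FileSystemRights]
# "Create files / write data", "Create folders / append data", "Write Attributes".
# In .NET, CreateFiles is WriteData and CreateDirectories is AppendData.
$WriteOnly = $FSR::CreateFiles -bor $FSR::CreateDirectories -bor $FSR::WriteAttributes

if (-not (Test-Path -LiteralPath $DropPath)) {
    New-Item -ItemType Directory -Path $DropPath | Out-Null
}

$acl = Get-Acl -LiteralPath $DropPath
# Stop inheriting from the parent so no inherited rule grants Read by accident.
$acl.SetAccessRuleProtection($true, $false)
# Drop any pre-existing rules for the collector; only the write-only rule should remain.
$acl.PurgeAccessRules((New-Object System.Security.Principal.NTAccount($Collector)))

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Responders/administrators keep full control so collected data can be retrieved.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', $FSR::FullControl, $inherit, $noProp, $allow)))
# The collector gets the three write rights only; no ReadData, no ReadAttributes, no ListDirectory.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Collector, $WriteOnly, $inherit, $noProp, $allow)))
Set-Acl -LiteralPath $DropPath -AclObject $acl

# Share-level permission must also allow writes; the effective right is the
# intersection of share and NTFS permissions, so NTFS is what enforces write-only.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $DropPath -ChangeAccess $Collector | Out-Null
}

# Verification: the collector's rule should show only the three write rights.
(Get-Acl -LiteralPath $DropPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $Collector } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Run this once on the file server, then test from an endpoint with the Live Response configuration pointed at the share: a collection should succeed, while a `Get-ChildItem` against the share as the collector account should be denied. If the SMB cmdlets are unavailable (older server builds), create the share with `net share` using change access and keep the NTFS portion unchanged.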
Important
- Customers wishing to use Autoruns related content will need to go to https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns and download and then upload/install SysInternals Autoruns.zip during the import of the Incident Response solution.
Packages
- Live Response - Windows
- Live Response currently only supports versions of Windows running PowerShell 2.0 or greater. If PowerShell 2.0 or later is installed on Windows XP and 2003 systems, Live Response might work. However, Live Response is not officially supported on those platforms.
New Binaries
| Operating System | Binary Name | Binary Version | SHA256 Hash |
|---|---|---|---|
| Windows x86 | PowerForensics.dll | 1.3.0 | b72f1213a8bd468ce0b2fddb9553a9821b482c2eff8eced7157239f71d56a448 |
| Windows x86 | PSTaniumFileTransfer.dll | 1.1.13 | a5807270d1d9ab838c5783e751d07bae2982f75820a5db6b333b3a7998f71ad4 |
| Windows x86 | taniumfiletransfer.exe | 1.1.13 | 23d8e982b39379621fce43b3636e3438dfc9860ad67f11fb9ea86ca482c92a71 |
| Windows x64 | PowerForensics.dll | 1.3.0 | b72f1213a8bd468ce0b2fddb9553a9821b482c2eff8eced7157239f71d56a448 |
| Windows x64 | PSTaniumFileTransfer.dll | 1.1.13 | 0d27e188f9c2943dfd409d67c053895ee6a6d371a2d4bdf13c5285545aed8c14 |
| Windows x64 | taniumfiletransfer.exe | 1.1.13 | ca2a79b35cfa1ea9728111b1f9e35fa4406e93e034f8e73b47304a2d23dcf2fb |
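The published SHA256 values above are only useful if someone actually compares them against the binaries before the package is imported. The script below is an added example, not part of the release notes or the Live Response package: it hashes each 1.1.2 binary with `Get-FileHash` and reports any mismatch or missing file. The package root and the `x86\` / `x64\` subfolder layout are assumptions; adjust the relative paths to wherever the binaries sit after extraction.

```powershell
# Added example (not Tanium code). Verify extracted Live Response 1.1.2 binaries
# against the SHA256 values from the "New Binaries" table before importing the package.
# Requires PowerShell 4.0+ for Get-FileHash.
$PackageRoot = 'C:\Temp\LiveResponse-1.1.2'   # placeholder: folder holding the extracted binaries

# Expected hashes copied from the 1.1.2 table; the x86\ and x64\ prefixes are an assumed layout.
$Expected = [ordered]@{
    'x86\PowerForensics.dll'       = 'b72f1213a8bd468ce0b2fddb9553a9821b482c2eff8eced7157239f71d56a448'
    'x86\PSTaniumFileTransfer.dll' = 'a5807270d1d9ab838c5783e751d07bae2982f75820a5db6b333b3a7998f71ad4'
    'x86\taniumfiletransfer.exe'   = '23d8e982b39379621fce43b3636e3438dfc9860ad67f11fb9ea86ca482c92a71'
    'x64\PowerForensics.dll'       = 'b72f1213a8bd468ce0b2fddb9553a9821b482c2eff8eced7157239f71d56a448'
    'x64\PSTaniumFileTransfer.dll' = '0d27e188f9c2943dfd409d67c053895ee6a6d371a2d4bdf13c5285545aed8c14'
    'x64\taniumfiletransfer.exe'   = 'ca2a79b35cfa1ea9728111b1f9e35fa4406e93e034f8e73b47304a2d23dcf2fb'
}

$results = foreach ($rel in $Expected.Keys) {
    $path = Join-Path $PackageRoot $rel
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ File = $rel; Status = 'MISSING'; Actual = $null }
        continue
    }
    # Compare case-insensitively; Get-FileHash returns upper-case hex.
    $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLowerInvariant()
    [pscustomobject]@{
        File   = $rel
        Status = if ($actual -eq $Expected[$rel]) { 'OK' } else { 'MISMATCH' }
        Actual = $actual
    }
}

$results | Format-Table -AutoSize

# Non-zero exit so a packaging pipeline stops on any bad or absent binary.
if ($results.Status -contains 'MISMATCH' -or $results.Status -contains 'MISSING') {
    Write-Warning 'One or more Live Response binaries failed verification; do not import the package.'
    exit 1
}
```

Note that the x86 and x64 PowerForensics.dll entries carry the same hash in the table, so a single managed assembly is expected for both architectures; the file-transfer binaries differ per architecture and must be checked individually.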
Known Issues
- PowerForensics does not currently support the reading of sparse NTFS file data. Support is planned for a future release.
- Attempts to acquire the USN Journal ($Extend\$UsnJrnl) as a file will fail because PowerForensics currently lacks support for NTFS sparse files. The USN Journal can still be parsed using the Get-ForensicUsnJrnl cmdlet.
Additional Information
Tanium Live Response 1.1.1
Release Date April 11, 2018
Live Response Official Version 1.1.1.0001
Overview
Live Response (version 1.1.1) is released to general availability to provide a more extensible and customizable method for retrieving forensically relevant data and files. Live Response can collect running process details, module details, driver details, including file hashes, the $MFT, Windows event logs, system memory, user profiles and more. Data collection can be customized using JSON-formatted configuration files. Custom triage or data collection scripts can also be added to the package and configuration file. Live Response is available to any customers holding a license for Tanium Threat Response or the Tanium Incident Response module.
Live Response supports the following transfer protocols or destinations for collected data:
- SCP
- SFTP
- SMB
- S3
Important
- Customers wishing to use Autoruns related content will need to go to https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns and download and then upload/install SysInternals Autoruns.zip during the import of the Incident Response solution.
Packages
- Live Response - Windows
- Live Response currently only supports versions of Windows running PowerShell 2.0 or greater. If PowerShell 2.0 or later is installed on Windows XP and 2003 systems, Live Response might work. However, Live Response is not officially supported on those platforms.
New Binaries
| Operating System | Binary Name | Binary Version | SHA256 Hash |
|---|---|---|---|
| Windows x86 | PowerForensics.dll | 1.2.2 | cd17e1054616dc1b8e1e1dcbb64f03ecc692d903c59c1625ddabdb35972699b2 |
| Windows x86 | TaniumHandle.exe | 3.1.100 | 738eff48cc62bec4b757942dab9a05c1d7965143c4ba69ae4c825ca728f2295e |
| Windows x86 | PSTaniumFileTransfer.dll | 1.1.5 | bfb6c0519fe9fb58b9e48344fcfc4aadab288012bb411cd454cd6f484d97ee04 |
| Windows x86 | taniumfiletransfer.exe | 1.1.5 | 5037efdc2d42e1cf48b27e6073b03f2d238aa5c46ec8d670a530dafacb65c982 |
| Windows x64 | TaniumHandle.exe | 3.1.100 | 4b33816dc04b935c4f017568ff271e5000210056bb54ecbdd663467fb93e555a |
| Windows x64 | PSTaniumFileTransfer.dll | 1.1.5 | 235ccc8923df7c73cbf33893727141f4f94109acaac454b38f840241c9e7ed7c |
| Windows x64 | taniumfiletransfer.exe | 1.1.5 | 3c728e2d56166273b8292bee06d3cfab72205dcfe0130b31ff608a0777ffe08a |