Karneades edited this page Mar 23, 2018 · 5 revisions

Welcome to the PowerGRR wiki!

Inside the wiki you'll find code snippets and ideas on how you could combine PowerGRR commands. All commands used here are documented in the external help (help <command> or help <command> -examples) and in the markdown help. An overview of all available commands is found here.

Commands for using the GRR approval system

The GRR approval system introduces a four-eyes principle: before a hunt can be started or a flow can be invoked on a client, a valid approval must exist. PowerGRR allows requesting the needed approval and waiting until it is granted by other users. This lets you start the needed action directly after the approval is granted, without having to check for the approval manually.

The following commands are available to use the approval system:

Idea: combine the approval commands with the creation of a flow or hunt, and use them to wait until the approval is valid so that the flow or hunt starts directly. Since v0.7.0, dedicated wait commands are available.

Starting a flow directly after approval gets valid

$cred = ...
$client = "host"

# Request the client approval and keep only its id for the later checks
$approval = New-GRRClientApproval -Credential $cred -ComputerName $client `
                                  -NotifiedUsers user1 `
                                  -Reason "Client analysis" -OnlyId

# Pre v0.7.0: poll the approval state every 5 seconds until it is valid
while (!(Get-GRRClientApproval -Credential $cred -ComputerName $client -ApprovalId $approval -OnlyState)) { Start-Sleep -Seconds 5 }

# Since v0.7.0: block until the approval is valid
# (add -TimeoutInMinutes <min> to give up after <min> minutes)
Wait-GRRClientApproval -ComputerName $client -Credential $cred -ApprovalId $approval

# The approval is valid now, so the flow can be started directly
Invoke-GRRFlow -ComputerName $client -Flow ArtifactCollectorFlow `
               -ArtifactList WindowsAutorun,DLLHijackLocations -Credential $cred

Starting a hunt directly after approval gets valid

Apply the same approach to hunts. For hunts, creating the hunt itself doesn't require an approval, but starting it does.

$Label = "INC0001"

# Create the hunt (no approval needed yet) and keep only its id
$huntid = New-GRRHunt -Credential $cred -flow ListProcesses -RuleType Label `
                      -Label $Label -HuntDescription "$Label" -ClientRate 500 -OnlyId

# Request the hunt approval and keep only its id
$approval = New-GRRHuntApproval -Credential $cred -HuntId $huntid `
                                -NotifiedUsers user1 -Reason "$Label" -OnlyId

# Pre v0.7.0: poll the approval state every 5 seconds, then start the hunt
while (!(Get-GRRHuntApproval -Credential $cred -HuntId $huntid -ApprovalId $approval -OnlyState)) { Start-Sleep -Seconds 5 }
Start-GRRHunt -Credential $cred -HuntId $huntid

# Since v0.7.0: -Wait blocks until the given approval is valid, then starts the hunt
# (add -TimeoutInMinutes <min> to give up after <min> minutes)
Start-GRRHunt -Credential $cred -HuntId $huntid -Wait -ApprovalId $approval

# Or request the approval and start the hunt in a single command
Start-GRRHunt -Credential $cred -HuntId $huntid -Wait `
              -ApprovalId (New-GRRHuntApproval -Credential $cred -HuntId $huntid `
                                               -NotifiedUsers user.name -Reason "Approval text" -OnlyId)
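As an added example, not code from the PowerGRR wiki or module, both workflows above (flow after client approval, hunt after hunt approval) wrapped in functions with a timeout, using only the cmdlets and parameters shown on this page. The polling relies on Get-GRRClientApproval / Get-GRRHuntApproval -OnlyState, so it works on PowerGRR versions before and after v0.7.0. It assumes that New-GRRClientApproval / New-GRRHuntApproval -OnlyId return the approval id and that -OnlyState is truthy once the approval is valid, exactly as the loops above rely on. The function names, the flow/hunt result fields and the returned status objects are this example's own.

```powershell
# Added example, not part of PowerGRR: approval workflows with a deadline.
# Assumptions: New-GRR*Approval -OnlyId returns the approval id; Get-GRR*Approval
# -OnlyState is truthy once the approval is valid (as in the wiki's loops above).

function Invoke-GRRFlowAfterApproval {
    # Requests a client approval per host, waits (bounded) and runs the flow.
    # Emits one status object per host so the outcome of a batch is recorded.
    param(
        [Parameter(Mandatory)][pscredential] $Credential,
        [Parameter(Mandatory)][string[]] $ComputerName,
        [Parameter(Mandatory)][string[]] $NotifiedUsers,
        [Parameter(Mandatory)][string] $Reason,
        [Parameter(Mandatory)][string] $Flow,
        [string[]] $ArtifactList,
        [int] $TimeoutMinutes = 60,
        [int] $PollSeconds = 15
    )
    foreach ($client in $ComputerName) {
        $approvalId = New-GRRClientApproval -Credential $Credential -ComputerName $client `
                                            -NotifiedUsers $NotifiedUsers -Reason $Reason -OnlyId
        # Poll until valid or until the deadline passes (works on any PowerGRR version)
        $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
        $valid = $false
        while (-not $valid -and (Get-Date) -lt $deadline) {
            $valid = [bool](Get-GRRClientApproval -Credential $Credential -ComputerName $client `
                                                  -ApprovalId $approvalId -OnlyState)
            if (-not $valid) { Start-Sleep -Seconds $PollSeconds }
        }
        if (-not $valid) {
            # Do not start anything without a valid approval; report and move on
            [pscustomobject]@{ Client = $client; ApprovalId = $approvalId; Status = 'ApprovalTimeout'; Result = $null }
            continue
        }
        # Splat so -ArtifactList is only passed when the caller supplied it
        $flowParams = @{ Credential = $Credential; ComputerName = $client; Flow = $Flow }
        if ($ArtifactList) { $flowParams['ArtifactList'] = $ArtifactList }
        $result = Invoke-GRRFlow @flowParams
        [pscustomobject]@{ Client = $client; ApprovalId = $approvalId; Status = 'FlowStarted'; Result = $result }
    }
}

function Start-GRRHuntAfterApproval {
    # Creates a label-based hunt, requests its approval, waits (bounded) and starts it.
    param(
        [Parameter(Mandatory)][pscredential] $Credential,
        [Parameter(Mandatory)][string] $Flow,
        [Parameter(Mandatory)][string] $Label,
        [Parameter(Mandatory)][string[]] $NotifiedUsers,
        [int] $ClientRate = 500,
        [int] $TimeoutMinutes = 60,
        [int] $PollSeconds = 15
    )
    # Creating the hunt needs no approval; starting it does
    $huntId = New-GRRHunt -Credential $Credential -flow $Flow -RuleType Label -Label $Label `
                          -HuntDescription $Label -ClientRate $ClientRate -OnlyId
    $approvalId = New-GRRHuntApproval -Credential $Credential -HuntId $huntId `
                                      -NotifiedUsers $NotifiedUsers -Reason $Label -OnlyId
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    $valid = $false
    while (-not $valid -and (Get-Date) -lt $deadline) {
        $valid = [bool](Get-GRRHuntApproval -Credential $Credential -HuntId $huntId `
                                            -ApprovalId $approvalId -OnlyState)
        if (-not $valid) { Start-Sleep -Seconds $PollSeconds }
    }
    if (-not $valid) {
        return [pscustomobject]@{ HuntId = $huntId; ApprovalId = $approvalId; Status = 'ApprovalTimeout' }
    }
    $null = Start-GRRHunt -Credential $Credential -HuntId $huntId
    [pscustomobject]@{ HuntId = $huntId; ApprovalId = $approvalId; Status = 'HuntStarted' }
}

# Usage (constructed values, not from the wiki):
# $cred = Get-Credential
# Invoke-GRRFlowAfterApproval -Credential $cred -ComputerName host1,host2 -NotifiedUsers user1 `
#     -Reason "INC0001 triage" -Flow ArtifactCollectorFlow `
#     -ArtifactList WindowsAutorun,DLLHijackLocations -TimeoutMinutes 30 | Format-Table
# Start-GRRHuntAfterApproval -Credential $cred -Flow ListProcesses -Label INC0001 -NotifiedUsers user1
```

Returning a status object per host instead of just writing to the console makes it easy to see afterwards which hosts never got a valid approval within the deadline and therefore had no flow started, which is the record you want for an incident timeline.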