Using UAC with CrowdStrike Falcon Real Time Response

With CrowdStrike Falcon Real Time Response (RTR), analysts can remotely access and interact with endpoints in real time, gaining instant visibility into the system and collecting valuable forensic data by deploying files and running custom scripts.

In the instructions below the UAC package (i.e. uac-2.6.0.tar.gz) was stored in the CrowdStrike cloud. This way it can be deployed even if an endpoint is isolated via Network Containment feature.

1. Start by creating a temporary working directory on the live endpoint, then change the working directory to it.

/> mkdir /tmp/uac
/> cd /tmp/uac

2. Deploy and uncompress the UAC package.

/tmp/uac> put "uac-2.6.0.tar.gz"
/tmp/uac> runscript -Raw=```tar -zxf uac-2.6.0.tar.gz``` -Timeout=60

3. Change the working directory and run the collection. Note that CrowdStrike Falcon RTR session times out after 10 minutes. Make sure to keep the Falcon RTR session active.

/tmp/uac> cd uac-2.6.0
/tmp/uac/uac-2.6.0> runscript -Raw=```./uac -p ir_triage /tmp/uac``` -Timeout=9999

4. Upload the output and log files to the CrowdStrike cloud using the get command.

/tmp/uac/uac-2.6.0> get "/tmp/uac/uac-hostname-os-20230101120101.tar.gz"
/tmp/uac/uac-2.6.0> get "/tmp/uac/uac-hostname-os-20230101120101.log"

Note: The maximum file size for get is 4 GB. When needed, split the files using the split command.