Analyze your Azure and AWS virtual machines from one command.

We recently made some additions to our PowerShell interface so that users with a valid account can run DumpIt on remote machines: virtual machines (VMs) on Microsoft Azure or Amazon Web Services, as well as any machine with PowerShell Remoting enabled.

The whole workflow from capture to analysis is now handled as described in the diagram below. This is another novel way to speed up the investigation of Windows machines, especially in Cloud set-ups.


Get your Stardust report on your VMs from one PowerShell command-line

The three new commands are:

  • Invoke-ComaeAzVMWinAnalyze for Microsoft Azure virtual machines.
  • Invoke-ComaeAwsVMWinAnalyze for Amazon Web Services virtual machines.
  • Invoke-ComaeADWinAnalyze for on-premise machines.

For each of those commands, the user needs to provide Comae credentials (ClientId and ClientSecret). They are used to download DumpIt and to send the machine's memory image to the user's Comae Stardust account.

Get Started

First of all, to have access to all the Comae functions you need to import the Comae.ps1 module, either from GitHub or from the Comae Toolkit archive, where it should be in the same folder as DumpIt.exe:

Import-Module .\Comae.ps1

Microsoft Azure

Function Invoke-ComaeAzVMWinAnalyze(  
    [Parameter(Mandatory = $True)] [string] $ClientId,  
    [Parameter(Mandatory = $True)] [string] $ClientSecret,  
    [Parameter(Mandatory = $True)] [string] $ResourceGroupName,  
    [Parameter(Mandatory = $True)] [string] $VMName  
)

Prerequisites

Description


In the case of Microsoft Azure, the user needs to provide the name of the resource group, ResourceGroupName, and the virtual machine name, VMName, of the machine whose memory will be acquired by DumpIt and analyzed by Stardust.

The Azure credentials will be requested through a pop-up unless the user is already logged in with Connect-AzAccount from the new Azure PowerShell module.

Example: Invoke-ComaeAzVMWinAnalyze -ResourceGroupName "test-group" -VMName "TestMachine" -ClientId "xxxxxxxxxxxxxx" -ClientSecret "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy"
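The example above handles one VM. The script below is an added example (not code from the Comae post or toolkit) that goes one step further and runs Invoke-ComaeAzVMWinAnalyze over every Windows VM in a resource group. It assumes Comae.ps1 is in the current folder, that the Az PowerShell module is installed, and that the Comae credentials were placed in the environment variables COMAE_CLIENT_ID and COMAE_CLIENT_SECRET beforehand (assumed variable names, chosen so the secret does not end up in the shell history); the resource group name is a constructed sample value.

```powershell
# Added example, not part of the Comae post: analyze every Windows VM in one
# resource group. Assumes Comae.ps1 in the current folder, the Az module, and
# the Comae credentials in COMAE_CLIENT_ID / COMAE_CLIENT_SECRET (assumed names).
Import-Module .\Comae.ps1

$ResourceGroupName = 'test-group'   # constructed sample value

$ClientId     = $env:COMAE_CLIENT_ID
$ClientSecret = $env:COMAE_CLIENT_SECRET
if (-not $ClientId -or -not $ClientSecret) {
    throw 'Set COMAE_CLIENT_ID and COMAE_CLIENT_SECRET before running this script.'
}

# Reuse an existing Az session; only prompt for Azure credentials if there is none.
if (-not (Get-AzContext)) {
    Connect-AzAccount | Out-Null
}

# DumpIt acquires Windows memory, so skip any Linux VMs in the group.
$windowsVMs = Get-AzVM -ResourceGroupName $ResourceGroupName |
    Where-Object { $_.StorageProfile.OsDisk.OsType -eq 'Windows' }

if (-not $windowsVMs) {
    Write-Warning "No Windows VMs found in resource group '$ResourceGroupName'."
    return
}

foreach ($vm in $windowsVMs) {
    Write-Host "Acquiring and analyzing $($vm.Name) ..."
    try {
        Invoke-ComaeAzVMWinAnalyze -ResourceGroupName $ResourceGroupName `
                                   -VMName $vm.Name `
                                   -ClientId $ClientId `
                                   -ClientSecret $ClientSecret
    } catch {
        # Keep going with the remaining VMs; one failure should not stop the triage.
        Write-Warning "Analysis of $($vm.Name) failed: $($_.Exception.Message)"
    }
}
```

Reading the secret from the environment rather than typing it on the command line keeps the ClientSecret out of PSReadLine history and out of any process-command-line logging on the analyst's workstation.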

Amazon Web Services

Function Invoke-ComaeAwsVMWinAnalyze(  
    [Parameter(Mandatory = $True)] [string] $ClientId,  
    [Parameter(Mandatory = $True)] [string] $ClientSecret,  
    [Parameter(Mandatory = $False)] [string] $AccessKey,  
    [Parameter(Mandatory = $False)] [string] $SecretKey,  
    [Parameter(Mandatory = $True)] [string] $Region,  
    [Parameter(Mandatory = $True)] [string] $InstanceId  
)

Prerequisites

  • AmazonSSMFullAccess IAM policy to allow the VM to receive SSM commands.
  • AWS Tools for PowerShell, which can be installed with the following command line: Install-Module -Name AWSPowerShell.NetCore -AllowClobber

Description

Just like in the Azure scenario, the user needs to provide their Comae credentials (ClientId, ClientSecret). Authentication to AWS is done with the AWS credentials (AccessKey, SecretKey), and the virtual machine information required is the region, Region, and the identifier of the remote AWS instance, InstanceId.
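Because the AWS command is delivered through Systems Manager, an instance whose SSM agent is not registered or not online will never receive DumpIt. The script below is an added example (not code from the Comae post or toolkit) that checks the agent state with Get-SSMInstanceInformation before calling Invoke-ComaeAwsVMWinAnalyze. It assumes Comae.ps1 is in the current folder, the AWSPowerShell.NetCore module is installed, and the AWS keys are already configured (a stored profile or Set-AWSCredential), so the optional -AccessKey/-SecretKey parameters are omitted; the Comae credentials come from COMAE_CLIENT_ID and COMAE_CLIENT_SECRET (assumed variable names), and the region and instance id are constructed sample values.

```powershell
# Added example, not part of the Comae post: verify the SSM agent is online
# before acquiring memory from an AWS instance. Assumes Comae.ps1, the
# AWSPowerShell.NetCore module, AWS keys already configured, and the Comae
# credentials in COMAE_CLIENT_ID / COMAE_CLIENT_SECRET (assumed names).
Import-Module .\Comae.ps1
Import-Module AWSPowerShell.NetCore

$Region     = 'us-east-1'             # constructed sample value
$InstanceId = 'i-0123456789abcdef0'   # constructed sample value

$ClientId     = $env:COMAE_CLIENT_ID
$ClientSecret = $env:COMAE_CLIENT_SECRET
if (-not $ClientId -or -not $ClientSecret) {
    throw 'Set COMAE_CLIENT_ID and COMAE_CLIENT_SECRET before running this script.'
}

# DescribeInstanceInformation only lists instances whose SSM agent has
# registered; an instance that is missing here cannot receive Run Command yet.
$filter = @{ Key = 'InstanceIds'; Values = @($InstanceId) }
$info = Get-SSMInstanceInformation -Region $Region -Filter $filter

if (-not $info) {
    throw "Instance $InstanceId is not registered with SSM in $Region (check the instance role and the SSM agent)."
}
if ("$($info.PingStatus)" -ne 'Online') {
    throw "SSM agent on $InstanceId reports '$($info.PingStatus)', expected 'Online'."
}
if ("$($info.PlatformType)" -ne 'Windows') {
    throw "$InstanceId runs $($info.PlatformType); DumpIt only acquires Windows memory."
}

Invoke-ComaeAwsVMWinAnalyze -Region $Region -InstanceId $InstanceId `
                            -ClientId $ClientId -ClientSecret $ClientSecret
```

A missing entry from Get-SSMInstanceInformation is the usual symptom of the instance role lacking the SSM policy listed in the prerequisites, so the check turns a silent timeout into a clear message about which prerequisite is unmet.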

PowerShell Remoting

Function Invoke-ComaeADWinAnalyze(  
    [Parameter(Mandatory = $True)] [string] $ClientId,  
    [Parameter(Mandatory = $True)] [string] $ClientSecret,  
    [Parameter(Mandatory = $True)] [string] $ComputerName  
)

Prerequisites

PowerShell remoting needs to be enabled on the target machine. See Enable-PSRemoting for how to configure the computer to receive remote commands.

Description

The PowerShell Remoting scenario only requires the target machine to have PowerShell remoting enabled so that it is allowed to receive commands. The user only needs to provide their Comae credentials (ClientId, ClientSecret) and the name of the remote computer (ComputerName).
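When triaging several on-premise machines, the host whose WinRM listener is down is the one that stalls the run. The script below is an added example (not code from the Comae post or toolkit) that tests each computer with Test-WSMan first, calls Invoke-ComaeADWinAnalyze only on the ones that answer, and collects a per-host status table. It assumes Comae.ps1 is in the current folder, that the current user has rights to remote into the targets, and that the Comae credentials are in COMAE_CLIENT_ID and COMAE_CLIENT_SECRET (assumed variable names); the host names are constructed sample values.

```powershell
# Added example, not part of the Comae post: run the remoting scenario against a
# list of computers, skipping hosts whose WinRM listener does not respond.
# Assumes Comae.ps1 in the current folder and the Comae credentials in
# COMAE_CLIENT_ID / COMAE_CLIENT_SECRET (assumed names).
Import-Module .\Comae.ps1

$Computers = @('WS-FINANCE-01', 'WS-FINANCE-02', 'SRV-FILE-01')   # constructed sample hosts

$ClientId     = $env:COMAE_CLIENT_ID
$ClientSecret = $env:COMAE_CLIENT_SECRET
if (-not $ClientId -or -not $ClientSecret) {
    throw 'Set COMAE_CLIENT_ID and COMAE_CLIENT_SECRET before running this script.'
}

$results = foreach ($name in $Computers) {
    # Test-WSMan fails when PSRemoting (Enable-PSRemoting) is not enabled or the
    # host is unreachable; record that and move on instead of stopping the run.
    try {
        Test-WSMan -ComputerName $name -ErrorAction Stop | Out-Null
    } catch {
        [pscustomobject]@{ Computer = $name; Status = 'WinRM unreachable'; Error = $_.Exception.Message }
        continue
    }

    try {
        # Output of the Comae command is discarded here so the summary table stays clean.
        $null = Invoke-ComaeADWinAnalyze -ComputerName $name -ClientId $ClientId -ClientSecret $ClientSecret
        [pscustomobject]@{ Computer = $name; Status = 'Submitted'; Error = $null }
    } catch {
        [pscustomobject]@{ Computer = $name; Status = 'Failed'; Error = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize
```

Test-WSMan without -Authentication sends an unauthenticated identify request, so it only confirms that a WinRM listener is reachable; a host can still fail at the Invoke-ComaeADWinAnalyze step if the current account is not allowed to remote into it, which is why that call has its own catch.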