Retrieving Browser History using Tanium

There are many awesome solution packs available for use on the Tanium platform.  One of those solution packs is called Browser History.  It takes advantage of an awesome little utility from NirSoft called, not surprisingly, BrowserHistoryView.  It was written to read the history data of 4 different Web browsers like IE, Chrome, FF, and Safari.

One of the talented engineers over at Tanium wrapped that utility up in content for use on the Tanium platform.  I will go over the basics of setting up and using that content in this article.

Importing Content

Everything with Tanium typically starts by importing content and the Browser History solution pack is no different.  Ask your TAM or contact support@tanium.com if you do not have the BrowserHistory.xml solution pack file.

Once you have that xml file, log into your console and browse to the Authoring tab and click the Import button, browse to the xml file and hit ok.

bh1

Modify Distribution Package

Since this solution pack requires a 3rd party utility, you must acquire this utility by visiting the 3rd party vendors website.  Browse to the very bottom and download the 32bit version.

Now that you have the utility we need to modify the “Distribute Browser History Viewer” (https://community.tanium.com/repo/package/16) package.   Click the “Add Local Files…” button and find the downloaded BrowsingHistoryView.exe and add it to the package.

bh2

Edit:  It is entirely possible you are using a Tanium deployment that still has a self-signed SSL certificate.  This would prevent you from adding local files in this manner.  To work around that you have two options, the first is install a trusted certificate on the server which goes well beyond what this article is intended for.  The second is a lot easier but requires you to copy the file to the server.  We’ll explore that option here…

Place the BrowsingHistoryView.exe file into the following directory on the server.  I am calling out the default installation path, but your’s may vary if you changed it during install.

C:\Program Files\Tanium\Tanium Server\Apache24\htdocs\file

Any file within that directory is accessible via the following URL:

https://hostname-of-server/file

Then you can add a URL like the following screenshot:

bh6

Distribute Package via Scheduled Action

To follow my personal best-practice of distributing software with a Has-Sensor and a Distribute-Package, I have put together a “Has Browser History Utility” sensor (https://community.tanium.com/repo/sensor/789) that is downloadable directly from the community site.  It is a basic sensor that simply checks the install folder and tells you whether or not the utility exists.  You can then schedule the “Distribute Browser History Viewer” package to all endpoints that report “No”.

Download and import the Has_Browser_History_Utility.xml by going to Authoring and clicking the “Import” button.  Then ask the following Tanium Question:

Get Has Browser History Utility[BrowserHistory] from machines where Operating System contains Win 

The answers you get back should be either Yes or No.  If you have never distributed the package before, likely you will receive all No answers.

Note: Unlike other articles, I have qualified the above Tanium Question by limiting endpoints answering the question to my Windows computers.  I am using the Operating System sensor which is provided via the Initial Content solution pack..  This is to ease the work required on non-windows endpoints, but also since this particular utility only relates to Windows computers there is no need to involve my non-windows systems.

bh3

I want to ensure the utility is there when I need it (when I ask for browser history), so I am going to reissue the action every hour.  Only computers that report “No” will launch this scheduled action, thus once 100% of my computers receive the utility, it won’t run unless a brand new windows computer comes online.

bh4

Retrieving Browser History

Now that we have this solution all setup it’s time to use it.    The purpose of this solution is to retrieve the web browsing history of computers within my environment.

Legal Notice:  This is very sensitive data and you must use caution when asking for something you might not be authorized to receive.  Pay particular attention to privacy laws in your country and the policies setup for your organization.

Ask the following Tanium-Question to retrieve browsing history data:

Get Computer Name and Browser History from machines where Operating System contains Win

bh5

I’ve redacted the personal information for my personal “organization”, however  it does show you enough to know how the Browsing History Solution Pack works.

Tanium Client Deployment Tool

I have recently stood up a half-dozen virtual servers in a new home lab I am building to compliment my home office.  This means I want to get the Tanium Client installed onto these endpoints.  Rather than do it manually, I’m choosing to use the Tanium Client Deployment Tool and install them remotely from my windows workstation.  At the time of this writing v5.0.0.6 was the latest and has a few essential features required for installing the agent onto my new non-windows systems.

Installing the Tool

Installation of the Client Deployment Tool is relatively straightforward.  Launch the installer and click “Install”.  Assuming the default installation directory is acceptable.

cdt1

cdt2

cdt3

Initial Tool Setup

Once you launch the tool there are a few things that need to happen.  The first is the tool itself will prompt you to download the very latest agents for the various OS platform Tanium supports.  Allow that to happen…

cdt4

cdt5

Next we will need to point the tool at our server infrastructure in two ways… First by pointing the utility at our tanium.pub file.  This file can be found in the Tanium Server root folder on the server.  Second we’ll need to specify the hostname or IP address of the server we will be pointing endpoints at.  This second value could be the hostname or IP address of a zone server or even an alias that functions differently inside and outside your network.  Lastly if you chose to use a port number other than the default 17472, you’ll need to specify that now.

Install the Agent

For this article we will deploy the Tanium Agent to one of my new Ubuntu 14.04 LTS virtual servers.  My user account on that box has sudo permissions and that is required in order to install new software.

cdt6

Next we will specify a single endpoint to deploy too.  To do that we change the lower-left tabs to “Computer List” and type in the hostname of the targeted endpoint.  Then change the very bottom left dropdown to “Linux_Mac_Only” to avoid unnecessary timeouts by trying a windows connection and hit the “Analyze” button.

cdt7

If all works well our tool will report back “Client not installed”.  Select that row and click “Install”. 

cdt8

All done… The client deployment was successful.  To validate, we can simply log into the Tanium Console and check Administration->System Status to see our new endpoint listed and reporting in.

cdt9

In Conclusion

The Client Deployment Tool is a great utility for getting the Tanium Agent installed on your endpoints fast.

Recovering License Keys with Tanium

Lately I’ve been exploring the content that is posted in the Tanium Community Repository and found an interesting content pack called License Key Recovery.  For the purposes of this article I will assume you already have a Tanium server setup and have a half dozen or more windows clients reporting into this infrastructure.  In my case I’m using a personal lab deployment Tanium Server v6.2.314.3258 that has various Windows, Mac and Linux endpoints located all around the state of Arkansas.

Acquire and Import the Content Pack

You’ll need the content pack XML which is available from your assigned TAM, if you don’t have one reach out to Tanium Support, I bet they’ll get you the help you need.  After you have the file browse to Authoring and push the “Import Content…” button on the far right.  The import preview window should look something like this:

licensekey1

Update and Distribute Package

This content pack uses an 3rd party utility that is licensed separately from Tanium and can be downloaded/purchased from recover-keys.com, you’ll need the enterprise version which includes the command line executable.  After acquiring the software, find the file named RecoverKeysCmd.exe.   The Recover Keys product also uses SQLite which must also be downloaded separately from SQLite.org.  (Find the section called Precompiled Binaries for Windows and download the sqlite-dll-win32-x86…)

Edit the “Distribute Recover Keys Utility” package under Authoring->Packages and filter by package name.  Remove both the exe and dll from the Files list and add the newly acquired files by clicking “Add Local Files…” button.

licensekey2

Deploying the Utility

Included in the content pack is a saved action which automatically attempts to distribute the above package every two hours.  However, if you can’t wait that long and want to distribute it immediately, ask the following Tanium question:

Get Has Recover Keys Tool from all machines

Right click on the “No” answer and deploy the “Distribute Recover Keys Utility” for one time distribution… to all endpoints.  Any endpoint not currently online will receive the package command via the scheduled action within the content pack.

licensekey3

Retrieving License Keys

Everything is now prepared for the very fast and easy question you really want to know…

Get License Keys from all machines

licensekey4

In Conclusion…

Utilizing Tanium to take advantage of a 3rd party utility is extremely easy.   Break open the content by editing the packages or sensors and you will see exactly how simple it was to distribute and retrieve the results of the Recover Keys Utility.

Installing Tanium v6.1

Installing Tanium is actually really easy and I’m going to make it even easier by walking you through the express installation of the product.

In the following article I’ll provide you with the various screen shots for the express installation of Tanium v6.1.314.2342 and I’ll call out screens that may need additional explainations. Let’s get started!
I assume you’ve already acquired the installation executable from your Technical Account Manager or Sales person…
tanium01
Double click it to launch the installer. If you’re installing onto a Windows 2008r2 server, like I am here, you may need to click yes to the UAC request dialog:
tanium02
tanium03
tanium04
This virtual computer I’m installing our server onto, does not have an MSSQL server installed, so we’ll choose to install the MSSQL Express Edition.
tanium05
tanium06
tanium08
We’ll have to agree to Microsoft’s EULA…
tanium09
I’ve chosen to download and install updates to MSSQL here.
tanium10
I’m also using the default options…
tanium13
Leave the named instance settings as is.
tanium14
As well as the service configuration settings…
tanium15
We only support Windows authentication so choosing between only Windows Auth or both is up to you.
tanium16
tanium19
Now… back to the Tanium installation… choose the Express Install.
tanium20
Provide your windows credentials for the initial user. If your server is linked to a domain, it can be a domain login (does not need to be an admin or anything). If your server is NOT on a domain, simply provide one of the local accounts username/passwords to continue.
tanium22
All done!
tanium23

The express installation of our product creates a self signed certificate for the console, so you’ll need to agree to continue.
tanium24
Log in with the username/password you specified earler…
tanium25
When you have successfully logged in, an initial content load will occur. This means your server is downloading a “starter” pack of content (sensors, packages, dashboards, etc) which will get you started with the product immediately. This process does take several minutes, so please be patient.
tanium26
Once the content load is complete, you’ll get to play around with the product!
tanium27

Currently you do not have any endpoints to work with. I’ll release another article very soon which explains a few ways of getting agent installed onto your computers.