How to acquire logs (or anything else) from a remote Windows computer easily via JumpCloud by using Commands and S3

Scenario: You need logs from a remote computer. The reason can be as mundane as debugging or as serious as a security exercise such as incident response, where you want the evidence off the host quickly and without logging on to it interactively.

Ingredients:

  • AWS S3 Bucket
  • AWS IAM User with custom scope and valid Access & Secret Key
  • JumpCloud tenant with enrolled Windows devices
  • JumpCloud Command to deliver a PowerShell Script to acquire logs (or anything else)

Solution: JumpCloud's agent runs on every enrolled device and, because it can execute scripts locally, it can serve many remote-administration scenarios. Exporting logs and shipping them to remote storage is one useful example, and that is what we build here.

How do we do this? First you need a script, in this case a PowerShell script. We start by installing the AWS Tools for PowerShell. Note that AWS.Tools.Installer only provides the Install-AWSToolsModule cmdlet; the cmdlets used below (Set-AWSCredential, Write-S3Object, Clear-AWSCredential) live in AWS.Tools.Common and AWS.Tools.S3, so the installer is used to pull in the S3 module as a second step. Because the JumpCloud agent runs the script as SYSTEM, the modules are installed machine-wide.

# Install the AWS Tools installer, then the S3 module (which brings AWS.Tools.Common with it)

Install-Module -Name AWS.Tools.Installer -Force
Install-AWSToolsModule -Name AWS.Tools.S3 -CleanUp -Force

Next, set your AWS credentials. Use a key whose permissions are limited to the bare minimum, ideally s3:PutObject on the target bucket (or a prefix of it) and nothing else: the key must not be able to list, read back or delete what other hosts have uploaded. The AWS Tools also support session tokens (temporary STS credentials; not used in this article), which are preferable when your setup allows it. You may wonder why the credentials are hardcoded into the script. The script has to run remotely without any intervention, so there is no simple alternative here. Keep in mind that the Command body is stored in your JumpCloud tenant and pushed to every targeted device, so treat the Command itself as a secret, and invalidate (delete, not just deactivate) the key as soon as the collection is finished.
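The following is an added example and not part of the original article: an admin-side PowerShell snippet (run on your workstation with AWS.Tools.IdentityManagement and admin credentials already loaded, never on the endpoint) that provisions a single-purpose IAM user limited to s3:PutObject under one prefix of the bucket, mints one access key for the collection run, and deletes it afterwards. The bucket name logfile-dumpster comes from the article; the user name jc-log-collector, the policy name and the evidence/ prefix are choices made for this example.

```powershell
# Added example (not the article's own code). Run on the admin workstation, not on the device.
# Requires AWS.Tools.IdentityManagement (plus AWS.Tools.Common) and admin credentials already set.
# Assumptions: bucket 'logfile-dumpster' (from the article); user name, policy name and the
# 'evidence/' prefix are choices made here.

$BucketName = 'logfile-dumpster'
$UserName   = 'jc-log-collector'

# Least privilege: PutObject only, and only below evidence/. No List, Get or Delete, so a leaked
# key can neither read other hosts' evidence nor tamper with objects that were already uploaded.
$PolicyDocument = @"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WriteEvidenceOnly",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::$BucketName/evidence/*"
    }
  ]
}
"@

function New-CollectorKey {
    # Create the user if it does not exist yet, attach the inline policy, then mint a fresh key.
    try {
        New-IAMUser -UserName $UserName | Out-Null
    } catch {
        if ($_.Exception.Message -notmatch 'exists') { throw }
    }
    Write-IAMUserPolicy -UserName $UserName -PolicyName 'WriteEvidenceOnly' -PolicyDocument $PolicyDocument
    $key = New-IAMAccessKey -UserName $UserName
    # This is the only moment the secret is visible: paste it into the JumpCloud Command and nowhere else.
    [pscustomobject]@{ AccessKeyId = $key.AccessKeyId; SecretAccessKey = $key.SecretAccessKey }
}

function Revoke-CollectorKey {
    param([Parameter(Mandatory)][string]$AccessKeyId)
    # Delete the key (not merely deactivate it) once the Command has completed on every device.
    Remove-IAMAccessKey -UserName $UserName -AccessKeyId $AccessKeyId -Force
}

# Usage:
#   $k = New-CollectorKey          # before creating the JumpCloud Command
#   Revoke-CollectorKey -AccessKeyId $k.AccessKeyId   # after the last device has reported back
```

Pairing New-CollectorKey and Revoke-CollectorKey around each collection run keeps the lifetime of the hardcoded key to the duration of the exercise; the policy's Resource ARN is what prevents the same key from being reused to read or delete evidence should the Command body ever leak.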

# Set AWS Credentials (limited scope)
Set-AWSCredential -AccessKey '<AccessKey>' -SecretKey '<SecretKey>'

We want to upload the System and Application logs (errors and warnings only) of a particular Windows device. First we export the logs to CSV files with these two lines. Get-EventLog reads only the classic logs (System, Application, Security); if you need one of the newer event channels, use Get-WinEvent instead.

# Write System and Application log to CSV

Get-EventLog -LogName System -EntryType Error,Warning | Export-Csv "$env:COMPUTERNAME-system_logs.csv" -NoTypeInformation

Get-EventLog -LogName Application -EntryType Error,Warning | Export-Csv "$env:COMPUTERNAME-application_logs.csv" -NoTypeInformation

Once exported, we upload these two files to our S3 bucket:

# Upload logs to S3

Write-S3Object -BucketName logfile-dumpster -File "$env:COMPUTERNAME-system_logs.csv"

Write-S3Object -BucketName logfile-dumpster -File "$env:COMPUTERNAME-application_logs.csv"

After uploading the logs, let's clean up a bit:

  • Remove the exported files (name them explicitly: a bare Remove-Item *.csv would delete every CSV in whatever directory the agent happens to be running in) and
  • Clear the AWS credentials

Remove-Item "$env:COMPUTERNAME-system_logs.csv", "$env:COMPUTERNAME-application_logs.csv"

Clear-AWSCredential

The full script:

# Install the AWS Tools installer and the S3 module

Install-Module -Name AWS.Tools.Installer -Force

Install-AWSToolsModule -Name AWS.Tools.S3 -CleanUp -Force


# Set credentials to write to the S3 bucket

Set-AWSCredential -AccessKey '<AccessKey>' -SecretKey '<SecretKey>'


# Acquire the System and Application logs

Get-EventLog -LogName System -EntryType Error,Warning | Export-Csv "$env:COMPUTERNAME-system_logs.csv" -NoTypeInformation

Get-EventLog -LogName Application -EntryType Error,Warning | Export-Csv "$env:COMPUTERNAME-application_logs.csv" -NoTypeInformation


# Upload the logs to S3

Write-S3Object -BucketName logfile-dumpster -File "$env:COMPUTERNAME-system_logs.csv"

Write-S3Object -BucketName logfile-dumpster -File "$env:COMPUTERNAME-application_logs.csv"


# Remove the logs from the local disk

Remove-Item "$env:COMPUTERNAME-system_logs.csv", "$env:COMPUTERNAME-application_logs.csv"


# Clear the credentials used to write to S3

Clear-AWSCredential
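As an added example (not the article's own script), here is a hardened variant of the same payload that a practitioner would prefer for incident-response use. It works in an explicit directory under $env:TEMP so cleanup never touches unrelated files, uses Get-WinEvent so non-classic channels can be added to the list, uploads a SHA-256 manifest beside the CSVs so the analyst can show the evidence was not altered after leaving the host, writes under a per-host and per-run key prefix, and wraps the upload in try/finally so credentials are cleared even when something fails. The bucket name logfile-dumpster comes from the article; the evidence/ prefix, the 7-day window and the channel list are assumptions made for this example, and <AccessKey>/<SecretKey> are placeholders.

```powershell
# Added example (not the article's own code). Assumptions: bucket 'logfile-dumpster' (from the
# article); 'evidence/' prefix, 7-day window and channel list are choices made here.
$ErrorActionPreference = 'Stop'
$BucketName = 'logfile-dumpster'
$Since      = (Get-Date).AddDays(-7)
$Channels   = @('System', 'Application')   # add e.g. 'Microsoft-Windows-PowerShell/Operational' if needed
$RunId      = (Get-Date).ToUniversalTime().ToString('yyyyMMdd\THHmmss\Z')
$Prefix     = "evidence/$env:COMPUTERNAME/$RunId"
$WorkDir    = Join-Path $env:TEMP "evidence-$RunId"

New-Item -ItemType Directory -Path $WorkDir | Out-Null
Install-Module -Name AWS.Tools.Installer -Force
Install-AWSToolsModule -Name AWS.Tools.S3 -CleanUp -Force

Set-AWSCredential -AccessKey '<AccessKey>' -SecretKey '<SecretKey>'
try {
    $files = @()
    foreach ($channel in $Channels) {
        # Level 2 = Error, 3 = Warning: the same selection as -EntryType Error,Warning in the article
        $out = Join-Path $WorkDir ('{0}-{1}.csv' -f $env:COMPUTERNAME, ($channel -replace '[\\/]', '_'))
        Get-WinEvent -FilterHashtable @{ LogName = $channel; Level = 2, 3; StartTime = $Since } -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, MachineName, Message |
            Export-Csv -Path $out -NoTypeInformation -Encoding UTF8
        # Export-Csv creates no file when the channel had no matching events; skip those.
        if (Test-Path $out) { $files += $out }
    }

    # Hash manifest, uploaded alongside the CSVs, for integrity verification by the analyst.
    $manifest = Join-Path $WorkDir 'SHA256SUMS.txt'
    $files | ForEach-Object { '{0}  {1}' -f (Get-FileHash -Algorithm SHA256 -Path $_).Hash, (Split-Path $_ -Leaf) } |
        Set-Content -Path $manifest -Encoding ASCII
    $files += $manifest

    foreach ($f in $files) {
        # Per-host, per-run key prefix: repeated runs never overwrite earlier evidence.
        Write-S3Object -BucketName $BucketName -Key "$Prefix/$(Split-Path $f -Leaf)" -File $f
    }
}
finally {
    # Runs on success and on failure: no credentials and no evidence copies left on the endpoint.
    Clear-AWSCredential
    Remove-Item -Path $WorkDir -Recurse -Force -ErrorAction SilentlyContinue
}
```

Compared with the minimal script above, the two properties that matter most for an incident-response collection are the hash manifest (evidence integrity) and the finally block (the key never stays loaded on the endpoint, even if the upload fails part-way). Keep the JumpCloud Command timeout generous enough for the module installation on a cold device.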

Now that the script is ready, we create the corresponding Command in JumpCloud, targeted at a Windows device, to deliver and execute the payload.

Navigate to Commands in the JumpCloud Admin Console and click the + button to create a new Command. Select Windows and check the box for Windows PowerShell. Paste the script under Command. For now we run it manually, with a timeout of 4 minutes (the module installation can take a while on a device that has never seen the AWS Tools). Then go to Device Groups or Devices and select the devices in scope.

The Command carrying the script is now ready to use. You can also run it on a schedule, even repeating, or have it triggered by a webhook. The latter offers ample options and can be combined with assigning the devices in scope via the API. Such a task could then be kicked off by, for example, your incident-response team from an automated playbook or via a Slack command.
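The following is an added example and not part of the original article: the playbook side of that webhook flow in PowerShell, which adds a device to the Command's scope through the JumpCloud v2 association endpoint and then fires the Command's trigger. It assumes the Command was created with the launch event set to run on trigger and a trigger name of collect-evidence; $CommandId and $SystemId are the JumpCloud object IDs of the Command and the device. The endpoint paths follow the JumpCloud API reference as I know it; verify them against the current reference before relying on them. The API key is read from an environment variable so it does not end up in the playbook source.

```powershell
# Added example (not the article's own code). Assumptions: trigger name 'collect-evidence';
# endpoint paths per the JumpCloud API reference at the time of writing (verify before use);
# the API key is supplied via the JC_API_KEY environment variable.
$ApiBase = 'https://console.jumpcloud.com'
$Headers = @{
    'x-api-key'    = $env:JC_API_KEY
    'Content-Type' = 'application/json'
    'Accept'       = 'application/json'
}

function Set-CommandDeviceScope {
    # Add (or remove) one device from the set of systems the Command is bound to.
    param(
        [Parameter(Mandatory)][string]$CommandId,
        [Parameter(Mandatory)][string]$SystemId,
        [ValidateSet('add', 'remove')][string]$Op = 'add'
    )
    $body = @{ op = $Op; type = 'system'; id = $SystemId } | ConvertTo-Json
    Invoke-RestMethod -Method Post -Uri "$ApiBase/api/v2/commands/$CommandId/associations" `
        -Headers $Headers -Body $body
}

function Start-CollectionRun {
    # Fire the Command's trigger; JumpCloud queues the script on every device currently in scope.
    param([Parameter(Mandatory)][string]$TriggerName)
    Invoke-RestMethod -Method Post -Uri "$ApiBase/api/command/trigger/$TriggerName" -Headers $Headers
}

# Usage from an IR playbook (IDs are placeholders):
#   Set-CommandDeviceScope -CommandId '<commandId>' -SystemId '<systemId>'
#   Start-CollectionRun -TriggerName 'collect-evidence'
#   ... wait for the result in the console, then shrink the scope again:
#   Set-CommandDeviceScope -CommandId '<commandId>' -SystemId '<systemId>' -Op remove
```

Removing the device from the Command's scope after the run matters because the Command body carries the AWS key: the smaller the set of devices that can ever execute it, the smaller the blast radius if the trigger is fired by mistake.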

Once executed, your logs will be in the S3 bucket, ready for further consumption. Again, there are plenty of options: if Azure Sentinel is your SIEM of choice, for example, you can follow these instructions to ingest them via Lambda.

A few closing notes:

  • This article is meant to demonstrate the flexibility that is available. It is not limited to Windows and PowerShell; you can build scripts for Mac and Linux in the same fashion.
  • The code is a proof of concept, and PowerShell gives you a massive toolbox. A script could filter the logs for particular events before uploading, or search through files for specific content using a regex. This is not limited to log files either.
  • As you may have noticed by now: this is powerful. Be thoughtful, careful, considerate and cautious before acquiring any form of content from a device. Follow best practices, ethical and compliance standards, and the policies and procedures that apply to you, your role and your company.
