AIR Responder Deployment

In this section, we will look at the deployment of AIR responders to Windows, Linux and Mac operating systems.

The AIR responder is a 'zero-config' deployment: the file name carries everything the responder needs to register (console address, Organization ID and deployment token), so no separate configuration file has to be distributed.

The responder is a digitally signed binary. The signature lets endpoint security products verify the publisher, which prevents the responder from being blocked or quarantined; to date, no such issue has arisen.

The example file name shown here has five components:

AIR.Agent_2.26.4_air-demo.binalyze.com_176_9df51c56a73341f4_amd64_.msi
  1. 2.26.4 - the responder version number.

  2. air-demo.binalyze.com - the address of the console with which the responder will communicate.

  3. 176 - the console's internal Organization ID.

  4. 9df51c56a73341f4 - the apparently random mixture of letters and numbers is the Deployment Token. Treat it as a secret: the download URLs and the shareable deployment link described later in this section authorize a deployment with this token alone.

  5. amd64 - the processor architecture of the machine on which the responder will run.
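Because the file name is the responder's configuration, it is worth checking before installation that a package really targets your console and Organization, especially when the MSI arrived by shared link or was copied from another engagement. The following PowerShell is an added example, not code from the page or from Binalyze: it parses the file name into the five components above plus the optional connection-route tail that the generated deployment script appends, and rejects a file meant for a different console or Organization. The function names, the 16-character token length and the 386/amd64 architecture values are assumptions drawn from the page's examples rather than a documented format.

```powershell
# Added example, not from the page or from Binalyze: parse an AIR responder file
# name and refuse files meant for another console or Organization. The optional
# tail (architecture, connection route ID, route address) mirrors the
# $fileSuffix logic of the generated deployment script; the 16-character token
# length and the 386/amd64 values are assumptions taken from the page's examples.
function ConvertFrom-AirAgentFileName {
    param([Parameter(Mandatory)][string]$FileName)

    # Fixed part: AIR.Agent_<version>_<console>_<orgId>_<token>_
    # Optional part: <arch>_[<routeId>_[<routeAddress>_]]  then .msi
    $pattern = '^AIR\.Agent_' +
               '(?<Version>[\d.]+)_' +
               '(?<ConsoleAddress>[^_]+)_' +
               '(?<OrganizationId>\d+)_' +
               '(?<DeploymentToken>[0-9a-fA-F]+)_' +
               '(?:(?<Arch>386|amd64)_' +
               '(?:(?<ConnectionRouteId>[^_]+)_' +
               '(?:(?<ConnectionRouteAddress>[^_]+)_)?)?)?' +
               '\.msi$'

    $m = [regex]::Match((Split-Path -Path $FileName -Leaf), $pattern)
    if (-not $m.Success) { throw "Not an AIR responder file name: $FileName" }

    # Optional groups that did not participate have Success = $false; report them as $null.
    $opt = { param([string]$Name) if ($m.Groups[$Name].Success) { $m.Groups[$Name].Value } else { $null } }

    [PSCustomObject]@{
        Version                = $m.Groups['Version'].Value
        ConsoleAddress         = $m.Groups['ConsoleAddress'].Value
        OrganizationId         = [int]$m.Groups['OrganizationId'].Value
        DeploymentToken        = $m.Groups['DeploymentToken'].Value
        Arch                   = & $opt 'Arch'
        ConnectionRouteId      = & $opt 'ConnectionRouteId'
        ConnectionRouteAddress = & $opt 'ConnectionRouteAddress'
    }
}

function Test-AirAgentFileName {
    param(
        [Parameter(Mandatory)][string]$FileName,
        [Parameter(Mandatory)][string]$ExpectedConsoleAddress,
        [Parameter(Mandatory)][int]$ExpectedOrganizationId
    )
    $info = ConvertFrom-AirAgentFileName -FileName $FileName
    $problems = @()
    if ($info.ConsoleAddress -ne $ExpectedConsoleAddress) {
        $problems += "console '$($info.ConsoleAddress)' is not '$ExpectedConsoleAddress'"
    }
    if ($info.OrganizationId -ne $ExpectedOrganizationId) {
        $problems += "Organization $($info.OrganizationId) is not $ExpectedOrganizationId"
    }
    if ($info.DeploymentToken.Length -ne 16) {
        $problems += "token length $($info.DeploymentToken.Length) differs from the 16 characters seen in examples"
    }
    if ($info.Arch -eq '386' -and [Environment]::Is64BitOperatingSystem) {
        $problems += "32-bit package selected for a 64-bit operating system"
    }
    if ($problems.Count -gt 0) {
        throw ("Refusing to deploy ${FileName}: " + ($problems -join '; '))
    }
    return $info
}

# Usage with the page's example file names (no network access needed).
ConvertFrom-AirAgentFileName 'AIR.Agent_2.26.4_air-demo.binalyze.com_176_9df51c56a73341f4_amd64_.msi' | Format-List
try {
    Test-AirAgentFileName -FileName 'AIR.Agent_2.24.2_air-demo.binalyze.com_0_d297145d3b514037_.msi' `
                          -ExpectedConsoleAddress 'air-demo.binalyze.com' -ExpectedOrganizationId 176
} catch {
    Write-Warning $_.Exception.Message
}
```

The second call feeds a package generated for Organization 0 to a check that expects 176, so it ends in the warning path; installing that file would have enrolled the endpoint into the wrong Organization without any error from msiexec.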

There are multiple ways of deploying the responder all of which are designed to be quick and scalable. Let's take a look at the different ways in which you can deploy AIR responder to endpoints:

From the Main Menu select 'Assets' and then 'All Assets' from the Secondary Menu. The page title 'Assets' appears, and next to it is the Action Button, which on the Assets page is labeled '+ Add New'.

Selecting '+ Add New' opens a drop-down menu with three deployment options. Each option starts a wizard that walks through the settings needed for that deployment method:

  1. Deploy New - For assets that are attached to a network that is visible to the AIR console

  2. Cloud Account - For assets that reside in AWS EC2, and Virtual Machines in Microsoft Azure.

  3. Off-Network - To generate triage and collection packages for assets that are not connected to a visible network.

Deploy Responder to New Asset Wizard

  1. When you choose 'Deploy New', the wizard first asks whether the responder should connect directly to the AIR console or through a Relay Server, which may suit your environment better. Relay Server is explained here.

  2. The second step of the wizard provides distinct deployment options for each of the currently supported, network-attached operating systems: Windows, Linux, and macOS:

Windows PowerShell Command:

  • The command varies by Organization: the number in the URL path (0 in this example) is the Organization ID, and the deployment-token value belongs to that Organization. An example PowerShell command to copy is provided below:

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
(New-Object System.Net.WebClient).DownloadFile("https://air-demo.binalyze.com/api/endpoints/download/0/deploy/windows?deployment-token=d297145d3b514037", "$PWD\deploy-agent.ps1")
.\deploy-agent.ps1

This command is specific to your console address and Organization. Note that the first line disables TLS certificate validation for the PowerShell session so that a console with a self-signed certificate still works; the downloaded script does the same before fetching the MSI. With validation off, nothing confirms who served the script and the MSI, so the MSI's own digital signature is the remaining check. Run the command from an elevated (Administrator) PowerShell, since the deployment script installs an MSI and requires administrator privileges; if the endpoint's execution policy blocks unsigned scripts, run the third line as powershell -ExecutionPolicy Bypass -File .\deploy-agent.ps1 instead.

Windows PowerShell Script:

  • This script can be downloaded from your AIR Console. Ensure you select or are working in the appropriate Organization before downloading.

<#
2022 (c) Binalyze
AIR Agent Powershell Script for Windows
PLEASE DO NOT EDIT! This file is automatically generated at 2023-10-03T15:28:51
VERSION 2.26.4
#>

<#
.SYNOPSIS
    This script installs the AIR Agent using given parameters or default values are used.
    This script requires administrator privileges!
    MSI file is temporarily stored in %LOCALAPPDATA%\binalyze\air\agent
.DESCRIPTION
    Powershell script to deploy the AIR Agent.
.PARAMETER Version
    The version of the AIR Agent to be deployed.
.PARAMETER ConsoleAddress
    The address of the AIR Console without https:// prefix, only domain address.
.PARAMETER OrganizationId
    The organization id to register the AIR Agent.
.PARAMETER DeploymentToken
    A Valid deployment token to deploy the AIR Agent.
.PARAMETER ConnectionRouteID
    Set Connection Route Id for the AIR Agent.
.PARAMETER ConnectionRouteAddress
    Set Connection Route Address for the AIR Agent.
.PARAMETER AllowInsecureTlsVersion
    Allow insecure TLS version for the AIR Agent.
#>

Param ([string]$Version="2.26.4", 
       [string]$ConsoleAddress="air-demo.binalyze.com",
       [string]$OrganizationId="176",
       [string]$DeploymentToken="9df51c56a73341f4",
       [string]$ConnectionRouteID="{{.AIR_CONNECTION_ROUTE_ID}}",
       [string]$ConnectionRouteAddress="{{.AIR_CONNECTION_ROUTE_ADDRESS}}",
       [switch]$AllowInsecureTlsVersion)

$downloadDir = "$env:LOCALAPPDATA\binalyze\air\agent"

Remove-Item $downloadDir -Force -Recurse -ErrorAction Ignore
New-Item -Path $downloadDir -ItemType Directory
Push-Location
Set-Location -Path $downloadDir

$arch = "386"
if ([Environment]::Is64BitProcess) {
    $arch = "amd64"
}

if ($ConnectionRouteID -like '{*') {
    $ConnectionRouteID = ""
}
if ($ConnectionRouteAddress -like '{*') {
    $ConnectionRouteAddress = ""
}

$fileSuffix = ""
if ($ConnectionRouteID) {
    $fileSuffix = "{0}_{1}_" -f $arch,$ConnectionRouteID
    if ($ConnectionRouteAddress) {
        $fileSuffix = "{0}{1}_" -f $fileSuffix,$ConnectionRouteAddress
    }
}

$file = "{0}\AIR.Agent_{1}_{2}_{3}_{4}_{5}.msi" -f $downloadDir,$Version,$ConsoleAddress,$OrganizationId,$DeploymentToken,$fileSuffix
$url = "https://{0}/api/endpoints/download/{1}/windows/msi/{2}?deployment-token={3}" -f $ConsoleAddress,$OrganizationId,$arch,$DeploymentToken

Write-Debug "file: $file"
Write-Debug "url:  $url"

if ($AllowInsecureTlsVersion) {
    Write-Host "Allowed insecure TLS versions for the AIR Agent. If this flag is set, the AIR Agent will connect to the AIR Console with system default TLS version"
} else {
    try {
        [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 -bor [System.Net.SecurityProtocolType]::Tls13
    } catch {
        Write-Host "TLS1.3 and TLS1.2 is not supported on this operating system, please try to use AllowInsecureTlsVersion flag."
    }
}

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
(New-Object system.net.webclient).DownloadFile($url,$file)

Start-Process C:\Windows\System32\msiexec.exe -ArgumentList "/i $file /quiet /norestart" -Wait
Pop-Location

SCCM Deployment for Windows Agent:

  • If you prefer, the Windows agent can be deployed using SCCM (or any tool that runs msiexec) with the following silent-install command. /qn suppresses the installer UI and /norestart prevents a reboot. For Organization 0:

msiexec /i AIR.Agent_2.24.2_air-demo.binalyze.com_0_d297145d3b514037_.msi /qn /norestart

For Organization 176 the MSI name changes accordingly:

msiexec /i AIR.Agent_2.26.4_air-demo.binalyze.com_176_9df51c56a73341f4_.msi /qn /norestart

These commands are specific to your console address and Organization: use the file name of the MSI downloaded for yours. msiexec needs administrator rights, which the SYSTEM context SCCM runs in provides.
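The PowerShell command, the generated script and the SCCM command above all share one gap: the download accepts any TLS certificate, and msiexec is run on whatever file arrived. The following PowerShell is an added example, not the page's command, Binalyze's generated script or Binalyze's recommendation: it fetches the MSI from the same API path the generated script builds, but with certificate validation left on, verifies the MSI's Authenticode signature, and only then runs the silent install. Assumptions not from the page: that the signing certificate's Subject contains "Binalyze" (set $ExpectedSignerSubstring to what Get-AuthenticodeSignature shows on your copy), that a 64-bit OS should receive the amd64 package, and the function names.

```powershell
#Requires -RunAsAdministrator
# Added example, not the page's or Binalyze's script: download the responder MSI
# with TLS certificate validation enabled, verify its Authenticode signature, and
# only then install it silently. Assumptions (not from the page): the signer's
# Subject contains "Binalyze"; a 64-bit OS should get the amd64 package.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Require TLS 1.2 and keep the default certificate validation: a console whose
# certificate does not chain to a trusted root fails here, instead of being
# accepted silently by ServerCertificateValidationCallback = {$true}.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

function Get-AirAgentMsi {
    param(
        [Parameter(Mandatory)][string]$ConsoleAddress,
        [Parameter(Mandatory)][string]$OrganizationId,
        [Parameter(Mandatory)][string]$DeploymentToken,
        [ValidateSet('386', 'amd64')][string]$Arch = $(if ([Environment]::Is64BitOperatingSystem) { 'amd64' } else { '386' }),
        [string]$DownloadDir = (Join-Path $env:LOCALAPPDATA 'binalyze\air\agent')
    )
    # Same download path the generated script uses; only the trust decision differs.
    $url  = "https://${ConsoleAddress}/api/endpoints/download/${OrganizationId}/windows/msi/${Arch}?deployment-token=${DeploymentToken}"
    $file = Join-Path $DownloadDir "AIR.Agent_${ConsoleAddress}_${OrganizationId}_${Arch}.msi"
    New-Item -Path $DownloadDir -ItemType Directory -Force | Out-Null
    Invoke-WebRequest -Uri $url -OutFile $file -UseBasicParsing
    return $file
}

function Test-AirAgentSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSignerSubstring
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the hash matches and the chain builds to a trusted root;
    # NotSigned, HashMismatch and UnknownError all abort the deployment.
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for ${Path}: $($sig.Status) - $($sig.StatusMessage)"
    }
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*${ExpectedSignerSubstring}*") {
        throw "Unexpected signer '${subject}' (expected Subject containing '${ExpectedSignerSubstring}')"
    }
    return $sig
}

function Install-AirAgentMsi {
    param([Parameter(Mandatory)][string]$Path)
    $log = "${Path}.install.log"
    # /qn and /norestart as on the page; /l*v writes a verbose log for troubleshooting.
    $p = Start-Process -FilePath "$env:SystemRoot\System32\msiexec.exe" `
        -ArgumentList "/i `"$Path`" /qn /norestart /l*v `"$log`"" -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "msiexec exited with $($p.ExitCode); see $log" }
    return $p.ExitCode
}

# Usage with the page's example values (replace with your console, Organization and token).
$msi = Get-AirAgentMsi -ConsoleAddress 'air-demo.binalyze.com' -OrganizationId '176' -DeploymentToken '9df51c56a73341f4'
$sig = Test-AirAgentSignature -Path $msi -ExpectedSignerSubstring 'Binalyze'
Write-Host "Installing $msi signed by $($sig.SignerCertificate.Subject)"
Install-AirAgentMsi -Path $msi | Out-Null
```

If your console uses a self-signed certificate, the download fails at Invoke-WebRequest; the fix is to import that certificate into the endpoint's Trusted Root store, or issue the console a certificate from a CA the endpoints already trust, rather than reinstating the {$true} callback. The signature check works regardless of the transport, so it also applies to an MSI you received by shared link or copied into an SCCM package.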

Windows Agent MSI Download:

  • The MSI for the Windows agent can be downloaded directly from the page, as depicted in the screenshot below:

  • All three operating systems support the Shareable deployment link available in the console. This is often the most straightforward method: share the link with your client, who downloads and installs the agent from it. An example link is shown below:

https://air-demo.binalyze.com/#/shareable-deploy?token=d297145d3b514037

The link embeds the Organization's deployment token, so anyone who obtains it can download a responder that enrolls into that Organization. Send it over a channel you trust and do not post it where it can be indexed or forwarded.

macOS and Linux Deployments:

  • Unlike Windows, macOS and Linux do not use PowerShell commands or scripts. Instead, they can employ curl or wget commands that fetch the deployment script for the selected operating system (the darwin path segment below is the macOS variant) and pipe it to sh. Alternatively, you can use the Shareable deployment page link mentioned above.

Example of curl deployment command:

sudo curl -kfsSL "https://air-demo.binalyze.com/api/endpoints/download/176/deploy/darwin?deployment-token=9df51c56a73341f4" | sudo sh

Example of wget deployment command:

sudo wget --no-check-certificate -O- "https://air-demo.binalyze.com/api/endpoints/download/176/deploy/darwin?deployment-token=9df51c56a73341f4" | sudo sh

These commands are specific to your console address and Organization. Two points to weigh before running them: curl -k and wget --no-check-certificate disable TLS certificate verification, so the script is fetched without confirming the console's identity, and piping it straight into sudo sh executes whatever was received as root. Where the console presents a certificate the endpoint trusts, drop those flags; otherwise download the script to a file first, review it, and then run it with sudo sh. The sudo in front of curl or wget is unnecessary, since only the shell that installs the responder needs root.

For macOS, the user or administrator must grant Full Disk Access to the AIR responder. Without it, macOS privacy controls (TCC) block reads of protected locations such as users' Mail, Messages and Safari data, and collections from those locations will be incomplete.

Open "System Settings -> Privacy & Security -> Full Disk Access".

Toggle the switch 'on' next to the AIR agent to enable Full Disk Access.
