Introduction
The Deployment Sensor is a software agent that must be deployed to all clients managed by COGNNA. The Deployment Sensor runs as a Service and performs tasks on the client when instructed by the COGNNA Server.
The COGNNA sensor's main task is to support the threat-hunting process. Hunting begins with hypothesis generation based on an understanding of the organization and its assets, continues by collecting the data that supports the chosen hypothesis, and then analyzes the collected data with threat-hunting techniques to identify potential threats and anomalies that may indicate suspicious activity. Once the activity is confirmed to be malicious, a hunting report is shared with the DFIR team to take action.
The MSSP admin or organization admin can install, upgrade, and uninstall the sensor, and carry out any other requirements to keep your organization secure.
COGNNA’s Unique Approach
COGNNA’s sensor automates the collection of point-in-time and historic forensic triage data, enabling teams to conduct effective and efficient compromise assessments on a periodic basis. As a single solution to analyze large quantities of data, both historical and in real-time, COGNNA Sensor eliminates the need for disparate tools or data ingestion methods, simplifying analyst workflows.
System requirements
List of Tested Operating Systems
The following operating systems have been tested with the COGNNA sensor (Windows and Linux):
- Windows Server 2022 Standard (version 10.0.20348, build 2009)
- Windows Server 2019 Standard (version 10.0.17763, build 1809)
- Windows Server 2019 Standard Core (version 10.0.17763, build 1809)
- Windows Server 2016 Standard (version 10.0.14393, build 1607)
- Windows Server 2016 Standard Core (version 10.0.14393, build 1607)
- Windows Server 2012 R2 Standard (version 6.3.9600)
- Ubuntu 22.04.1 LTS (version 22.04, build jammy)
- Rocky Linux (versions 9.1 to 9.3)
- Rocky Linux (version 8.8)
- Oracle Linux (version 8.7)
Networking requirements
Internet access
Hosts must be able to connect to the internet. If your environment restricts internet access, allow traffic to the Fully Qualified Domain Names (FQDNs) or IP addresses of the COGNNA backend endpoint. It is strongly recommended to ensure that hosts remain online.
Additionally, make sure that the following ports are open for proper communication with our backend servers:
- Port 443/TCP: required by the Detect sensor, allowing secure HTTPS communication between the host and the backend servers.
- Port 8000/TCP: required by the Response sensor, ensuring secure, uninterrupted communication with the backend servers.
Keeping these ports open is essential for the sensors to function correctly and efficiently.
Sensor publisher verification
Windows
To verify the publisher of the sensor, you can use the following steps:
- Right-click on the MSI file and select "Properties" from the context menu.
- In the Properties window, click on the "Digital Signatures" tab.
- Select the signature in the list and click on the "Details" button.
- In the Digital Signature Details window, you can see information about the publisher of the MSI file, including the name, email address, and certificate details.
- To verify the publisher, click on the "View Certificate" button.
- In the Certificate window, you can see more information about the certificate used to sign the MSI file, including the name of the certificate authority that issued the certificate.
Linux
Add the Cognna RSA public key to your GPG keyring with the following command:
curl https://keys.openpgp.org/vks/v1/by-fingerprint/71D816BF282E0FDAA326E8CFD8FB01CDF7AA3FE4 | gpg --import -
The Cognna Sensor is signed using gpg with key ID 71D816BF282E0FDAA326E8CFD8FB01CDF7AA3FE4. You can verify the signature using gpg:
$ gpg --verify cognna-*.deb.sig
gpg: Signature made Wed Apr 19 16:51:43 2023 +03
gpg: using RSA key BD7022D84271F02A599DA590C9E6EF8CD928CA4D
gpg: Good signature from "AL-BUSSERA AL-AMANAH For cybersecurity <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: BD70 22D8 4271 F02A 599D A590 C9E6 EF8C D928 CA4D
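The WARNING lines in the output above only mean that the key has not been certified in your own keyring; the actual check is that the fingerprint gpg prints matches the one Cognna publishes. The following script is an added example, not part of the Cognna tooling: it runs gpg in machine-readable mode (--status-fd) on a detached .deb signature and accepts the package only when the VALIDSIG line names the fingerprint you pin. The expected fingerprint is passed in by you (the script assumes nothing about which of the fingerprints shown above you choose to pin), and the sample status output in the usage notes is constructed.

```shell
#!/bin/sh
# Added example, not part of the Cognna tooling: verify a Cognna package
# signature and pin the signing key's fingerprint. gpg's "[unknown]" /
# "not certified" warning only says you have not certified the key in your
# own keyring; comparing the fingerprint against the one Cognna publishes is
# the real check. EXPECTED_FPR is whatever fingerprint you obtained out of band.

# normalize_fpr FPR: drop the spaces gpg prints ("BD70 22D8 ...") and
# upper-case, so both spellings compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# signing_fingerprint_from_status: read gpg --status-fd output on stdin and
# print the fingerprint from the VALIDSIG line, which gpg emits only for a
# signature that verified correctly. Prints nothing for a bad/missing signature.
signing_fingerprint_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# status_matches_fingerprint STATUS_TEXT EXPECTED_FPR: 0 only if STATUS_TEXT
# reports a valid signature made by the key with fingerprint EXPECTED_FPR.
status_matches_fingerprint() {
    _actual=$(printf '%s\n' "$1" | signing_fingerprint_from_status)
    _expected=$(normalize_fpr "$2")
    [ -n "$_actual" ] && [ "$_actual" = "$_expected" ]
}

# verify_pinned SIGFILE EXPECTED_FPR: run gpg on a detached signature
# (cognna-<version>.deb.sig next to cognna-<version>.deb) and apply the
# fingerprint check. Status lines go to stdout via --status-fd 1; gpg's
# human-readable messages are discarded.
verify_pinned() {
    _status=$(gpg --status-fd 1 --verify "$1" 2>/dev/null) || true
    status_matches_fingerprint "$_status" "$2"
}

# Stand-alone use:  sh verify-cognna.sh cognna-<version>.deb.sig 'BD70 22D8 ... CA4D'
if [ $# -eq 2 ]; then
    if verify_pinned "$1" "$2"; then
        echo "OK: valid signature from the pinned key"
    else
        echo "FAIL: no valid signature from the pinned key" >&2
        exit 1
    fi
fi
```

A bad signature produces a BADSIG status line and no VALIDSIG line, so the script fails closed; a good signature from a different key fails the fingerprint comparison, which is the case a simple "Good signature" grep would miss.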
macOS
% pkgutil --check-signature cognna-*-macos.pkg
Package "cognna-response-1.0.4-macos.pkg":
Status: signed by a developer certificate issued by Apple for distribution
Signed with a trusted timestamp on: 1445-09-20 13:50:51 +0000
Certificate Chain:
1. Developer ID Installer: AL-BUSSERA AL-AMANAH FOR CYBERSECURITY COMPANY (Q57NVPDD74)
Expires: 1448-08-24 22:12:15 +0000
SHA256 Fingerprint:
A5 BB A0 A4 33 27 A8 B7 73 66 75 7C 1C 3F 1D 98 62 52 4D A8 C6 5B
DE D2 79 A0 4A 32 F3 B0 B5 7A
---------------------------------------------------------------------
2. Developer ID Certification Authority
Expires: 1448-08-24 22:12:15 +0000
SHA256 Fingerprint:
7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03
F2 9C 88 CF B0 B1 BA 63 58 7F
---------------------------------------------------------------------
3. Apple Root CA
Expires: 1456-11-30 21:40:36 +0000
SHA256 Fingerprint:
B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C
68 C5 BE 91 B5 A1 10 01 F0 24
Cognna is formally known as “AL-BUSSERA AL-AMANAH” and registered as a cybersecurity company in the Ministry of Commerce, Saudi Arabia.
Installation and Prerequisites:
Windows
Ensure you have administrative privileges ("administrator") to execute the script.
Before executing the command, make sure the file "client.config.yaml" has been downloaded onto the host machine. It is available from the drive.
Once you have downloaded the "client.config.yaml" file, take note of its location; it is needed in the next step.
Run the following command in PowerShell:
Response and Detect:
./install-cognna-sensors-av.ps1 -f /path/to/client.config.yaml -e <enrollment_token>
Response Only:
./install-cognna-sensors-av.ps1 -f /path/to/client.config.yaml
Detect Only:
./install-cognna-sensors-av.ps1 -e <enrollment_token>
If your contract includes a site-to-site connection, you can use the "-v" argument to route the traffic through the VPN:
./install-cognna-sensors-av.ps1 -f /path/to/client.config.yaml -e <enrollment_token> -u <Server ingestion URL> -v
"/path/to/client.config.yaml" - adjust the command to the actual location of the "client.config.yaml" file on your system.
After "-e", supply your enrollment token, which can be found in the drive.
The "-u" argument is only required when a server ingestion URL is shared along with the enrollment token; otherwise it is optional.
Linux and MacOS
Ensure you have administrative privileges ("root") to execute the script.
Before executing the command, make sure the file "client.config.yaml" has been downloaded onto the host machine. It is available from the drive.
Once you have downloaded the "client.config.yaml" file, take note of its location; it is needed in the next step.
Execute the following command in your terminal:
Response and Detect:
./install-cognna-sensors-av.sh -f /path/to/client.config.yaml -e <enrollment_token> -u <Server ingestion URL>
Response Only:
./install-cognna-sensors-av.sh -f /path/to/client.config.yaml
Detect Only:
./install-cognna-sensors-av.sh -e <enrollment_token>
If your contract includes a site-to-site connection, you can use the "-v" argument to route the traffic through the VPN:
./install-cognna-sensors-av.sh -f /path/to/client.config.yaml -e <enrollment_token> -u <Server ingestion URL> -v
"/path/to/client.config.yaml" - adjust the command to the actual location of the "client.config.yaml" file on your system.
After "-e", supply your enrollment token, which can be found in the drive.
The "-u" argument is only required when a server ingestion URL is shared along with the enrollment token; otherwise it is optional.
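The three install modes above each need different inputs (the config file for Response, the enrollment token for Detect, both for a combined install), and the "Networking requirements" section lists the TCP ports each sensor needs. The following pre-flight script is an added example and not part of the Cognna installer: it checks the inputs for the chosen mode and, when a backend host is supplied, probes the required ports before you run install-cognna-sensors-av.sh. The COGNNA_BACKEND_HOST environment variable, the script name preflight.sh and the mode names are assumptions made here; the port numbers and installer flags are the ones documented above.

```shell
#!/bin/sh
# Added example, not part of the Cognna installer: pre-install checks for the
# Linux/macOS installation. Verifies the inputs each install mode needs and,
# when a backend host is given, that the ports from "Networking requirements"
# are reachable. COGNNA_BACKEND_HOST is a hypothetical environment variable.

DETECT_PORT=443     # Detect sensor: HTTPS to the backend
RESPONSE_PORT=8000  # Response sensor

# check_tcp_port HOST PORT [TIMEOUT_SECONDS]: returns 0 if a TCP connection
# to HOST:PORT succeeds. Uses bash's /dev/tcp so no extra tools are required.
check_tcp_port() {
    _host=$1; _port=$2; _t=${3:-5}
    _probe="exec 3<>/dev/tcp/$_host/$_port"
    if command -v timeout >/dev/null 2>&1; then
        timeout "$_t" bash -c "$_probe" 2>/dev/null
    else
        bash -c "$_probe" 2>/dev/null
    fi
}

# preflight MODE CONFIG TOKEN [HOST]
#   MODE   both | response | detect (mirrors the three install commands)
#   CONFIG path to client.config.yaml (needed by response and both)
#   TOKEN  enrollment token (needed by detect and both)
#   HOST   optional backend host; when given, the required ports are probed
# Prints one line per problem and returns 0 only when everything passed.
preflight() {
    _mode=$1; _config=$2; _token=$3; _bhost=${4:-}
    _rc=0
    case $_mode in
        both|response|detect) ;;
        *) echo "unknown mode '$_mode' (use both, response or detect)"; return 2 ;;
    esac
    if [ "$_mode" != detect ]; then
        if [ ! -f "$_config" ] || [ ! -r "$_config" ]; then
            echo "config file not found or not readable: '$_config'"; _rc=1
        elif ! grep -q ':' "$_config"; then
            # cheap sanity check: a YAML config contains at least one "key: value"
            echo "config file does not look like YAML: '$_config'"; _rc=1
        fi
    fi
    if [ "$_mode" != response ] && [ -z "$_token" ]; then
        echo "enrollment token is empty (-e)"; _rc=1
    fi
    if [ -n "$_bhost" ]; then
        if [ "$_mode" != response ] && ! check_tcp_port "$_bhost" "$DETECT_PORT"; then
            echo "cannot reach $_bhost:$DETECT_PORT (Detect sensor)"; _rc=1
        fi
        if [ "$_mode" != detect ] && ! check_tcp_port "$_bhost" "$RESPONSE_PORT"; then
            echo "cannot reach $_bhost:$RESPONSE_PORT (Response sensor)"; _rc=1
        fi
    fi
    return $_rc
}

# Stand-alone use, before running install-cognna-sensors-av.sh:
#   COGNNA_BACKEND_HOST=<backend host> sh preflight.sh both /path/to/client.config.yaml <enrollment_token>
if [ -n "${COGNNA_BACKEND_HOST:-}" ] && [ $# -ge 1 ]; then
    [ "$(id -u)" -eq 0 ] || echo "warning: the installer itself needs root" >&2
    preflight "$1" "${2:-}" "${3:-}" "$COGNNA_BACKEND_HOST" && echo "preflight OK"
fi
```

A port probe that fails usually means an egress rule is missing for that sensor; the script names the sensor next to the port so the finding maps directly onto the firewall change needed.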
Kubernetes manifest
Copy or download the Kubernetes manifest from the Drive.
From the directory where the manifest is downloaded, run the apply command.
Detect Only:
kubectl apply -f cognna-detect-kubernetes.yml
Further Cognna Detect and Response requirements
The Cognna Detect Sensor is powered by Elastic.
Install Cognna Detect manually on macOS
To properly install and configure Cognna Detect manually without a Mobile Device Management (MDM) profile, there are additional permissions that must be enabled on the endpoint before Cognna Detect can be fully functional:
- Approve the system extension
- Approve network content filtering
- Enable Full Disk Access
Approve the system extension
For macOS, Cognna Detect will attempt to load a system extension during installation. This system extension must be loaded in order to provide insight into system events such as process events, file system events, and network events.
During installation, macOS shows a prompt asking to allow the system extension. When it appears:
- Click Open Security Preferences.
- In the lower-left corner of the Security & Privacy pane, click the Lock button, then enter your credentials to authenticate.
- Click Allow to allow the Elastic Endpoint system extension to load.
Approve network content filtering
After successfully loading the Elastic Endpoint system extension, an additional message appears, asking to allow Elastic Endpoint to filter network content.
- Click Allow to enable content filtering for the Elastic Endpoint system extension. Without this approval, Elastic Endpoint cannot receive network events and, therefore, cannot enable network-related features.
Enable Full Disk Access
Cognna Detect and Response (Elastic Endpoint) requires Full Disk Access to subscribe to system events to protect your network from malware and other cybersecurity threats. To enable Full Disk Access on endpoints running macOS, you must manually approve Cognna Detect and Response.
- Open the System Preferences application.
- Select Security and Privacy.
- On the Security and Privacy pane, select the Privacy tab.
- From the left pane, select Full Disk Access.
- In the lower-left corner of the pane, click the Lock button, then enter your credentials to authenticate.
- In the Privacy tab, confirm that cognna-response, ElasticEndpoint AND co.elastic.systemextension are selected to properly enable Full Disk Access.
If Elastic Endpoint does not appear in the Full Disk Access list:
- In the lower-left corner of the pane, click the Lock button, then enter your credentials to authenticate.
- Click the + button to open a Finder dialog.
- Navigate to /Library/Elastic/Endpoint, then select the elastic-endpoint file.
- Click Open.
- In the Privacy tab, confirm that cognna-response, elastic-endpoint AND co.elastic.systemextension are selected to properly enable Full Disk Access.
Steps may differ slightly between macOS versions.
Uninstalling the Sensor for Windows
Uninstalling using the Control Panel
To uninstall Cognna, follow these steps:
- Open the Windows Control Panel as an administrator.
- Click on "Uninstall a Program."
- Select Cognna Response / Cognna Detect from the list of programs and uninstall it.
Uninstalling the Sensor for Debian
Uninstalling using the dpkg command
- To remove Cognna, execute the following commands:
sudo dpkg -P cognna-response
sudo dpkg -P cognna-detect
Uninstalling the Sensor for Redhat
Uninstalling using the rpm command
- Remove the service using the following commands:
sudo yum remove cognna-response -y
sudo yum remove cognna-detect -y
- If your system uses an old GLIBC version (the musl build of the Response sensor is installed):
sudo yum remove cognna-response-musl -y
sudo yum remove cognna-detect -y
Uninstalling the Sensor for MacOS
Uninstalling using the uninstall script
Remove the service using the following commands:
sudo bash /opt/cognna/response/uninstall.sh
sudo bash /opt/cognna/detect/uninstall.sh
Uninstalling Kubernetes pod
To remove the cognna-detect pod from Kubernetes, execute the following command:
kubectl delete -f cognna-detect-kubernetes.yml
Troubleshooting
Installer errors
Error message:
The script 'install-cognna-sensors.ps1' cannot be run because it contains a "#requires" statement for
running as Administrator.
Recommended solution:
Run PowerShell as Administrator.
—
Error message:
Running scripts is disabled on this system.
Recommended solution:
Set-ExecutionPolicy RemoteSigned
—
Error message:
Failed, No rules installed.
Recommended solution:
Update your Sysmon Configuration
—
Error message:
An error occurred
Recommended solution:
Check your internet connection
Considerations for Existing Security Solutions
- Group Policy Objects (GPO) / Local Security Policy: Start by examining your Group Policy settings or Local Security Policy configurations. Such policies can trigger the removal of software that was not installed through Group Policy.
- Mobile Device Management (MDM): If your organization uses MDM solutions to manage devices, it's crucial to inspect the policies enforced on those devices. For example, a misconfigured MDM policy might be set to remove certain software deemed non-compliant with organizational standards. Check the MDM console or dashboard for any such policies affecting the software in question.
- Antivirus Software: Antivirus programs like Windows Defender, Crowdstrike, or Carbon Black may quarantine or remove applications if they detect them as potential threats. For instance, if a software file triggers a false positive in the antivirus scan, it could result in its automatic removal. Review the quarantine logs or threat detection reports in your antivirus software to see if the software was mistakenly flagged and removed.
- AppLocker: If your organization utilizes AppLocker for application control and whitelisting, inspect its rules to ensure they aren't inadvertently causing software removal. For instance, if the software isn't included in the allowed list of applications, AppLocker may prevent its execution and remove it from the system. Check the AppLocker configuration to confirm if it's affecting the software's availability.
- Third-Party Applications: Some third-party applications might have their own mechanisms for software management or removal. For example, a system optimization tool could mistakenly identify certain software as unnecessary and uninstall it during routine cleanup processes.
General Recommendation:
To ensure our sensors are allow-listed, add the following file paths and digital signatures to the exclusions of your security tools on each operating system:
Response In Windows
File Paths
c:\Program Files\Cognna\Response\cognna-response.exe (executable)
Digital signature
AL-BUSSERA AL-AMANAH For cybersecurity
Response In macOS
File paths
/opt/cognna/response/cognna-response (executable)
/opt/cognna/response/ (system extension, recursive directory structure)
Digital signature
Developer ID Installer: AL-BUSSERA AL-AMANAH FOR CYBERSECURITY COMPANY (Q57NVPDD74)
Response In Linux
File paths
/usr/local/bin/cognna-response (executable)
/usr/local/bin/cognna-response-musl (executable)
Detect In Windows
File Paths
c:\Program Files\Elastic\Endpoint\elastic-endpoint.exe (executable)
c:\Windows\system32\drivers\elastic-endpoint-driver.sys (ELAM driver)
c:\Windows\system32\drivers\ElasticElam.sys (driver)
Digital signature
Elasticsearch, Inc.
Elasticsearch B.V. (a secondary signature that may not continue to be used)
Detect In macOS
File paths
/Library/Elastic/Endpoint/elastic-endpoint (executable)
/Applications/ElasticEndpoint.app/ (system extension, recursive directory structure)
Digital signature
Elasticsearch, Inc (2BT3HPN62Z) (Authority/Developer ID Application)
2BT3HPN62Z (Team ID)
Detect In Linux
File path
/opt/Elastic/Endpoint/elastic-endpoint (executable)
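The "Considerations for Existing Security Solutions" section describes tools that can silently remove the sensor. The following script is an added example, not part of the Cognna tooling: it checks that the Linux and macOS executables listed above are still present and executable, so a removal by AV, MDM or a cleanup tool is noticed. On Linux either the glibc build (cognna-response) or the musl build (cognna-response-musl) of the Response sensor counts as present. The PREFIX argument (used to point the checks at a test directory) and the COGNNA_CHECK_RUN variable are assumptions made here; the paths are the ones documented above. Windows paths are not covered because the script runs in sh.

```shell
#!/bin/sh
# Added example, not part of the Cognna tooling: check that the sensor
# executables documented for Linux/macOS are still present and executable, so
# removal by one of the tools in "Considerations for Existing Security
# Solutions" is noticed. PREFIX is a hypothetical root used for testing and
# defaults to "" (the real filesystem). COGNNA_CHECK_RUN=1 is a hypothetical
# switch that runs the check when the script is executed directly.

# present_exec PREFIX PATH: 0 if PREFIX/PATH is an executable regular file.
present_exec() {
    [ -f "$1$2" ] && [ -x "$1$2" ]
}

# check_sensor_files OS [PREFIX]: OS is linux or macos. Prints one line per
# missing component and returns 0 only when both sensors are in place.
# On Linux the Response sensor is either the glibc build (cognna-response)
# or the musl build (cognna-response-musl); one of the two is enough.
check_sensor_files() {
    _os=$1; _p=${2:-}; _rc=0
    case $_os in
        linux)
            if ! present_exec "$_p" /usr/local/bin/cognna-response \
               && ! present_exec "$_p" /usr/local/bin/cognna-response-musl; then
                echo "missing Response: /usr/local/bin/cognna-response (or -musl)"; _rc=1
            fi
            if ! present_exec "$_p" /opt/Elastic/Endpoint/elastic-endpoint; then
                echo "missing Detect: /opt/Elastic/Endpoint/elastic-endpoint"; _rc=1
            fi ;;
        macos)
            if ! present_exec "$_p" /opt/cognna/response/cognna-response; then
                echo "missing Response: /opt/cognna/response/cognna-response"; _rc=1
            fi
            if ! present_exec "$_p" /Library/Elastic/Endpoint/elastic-endpoint; then
                echo "missing Detect: /Library/Elastic/Endpoint/elastic-endpoint"; _rc=1
            fi
            # the Detect system extension ships as an app bundle (a directory)
            if [ ! -d "$_p/Applications/ElasticEndpoint.app" ]; then
                echo "missing Detect system extension: /Applications/ElasticEndpoint.app/"; _rc=1
            fi ;;
        *) echo "unknown OS '$_os' (use linux or macos)"; return 2 ;;
    esac
    return $_rc
}

# detect_os: map uname to the names used above (best effort).
detect_os() {
    case $(uname -s) in
        Linux) echo linux ;;
        Darwin) echo macos ;;
        *) echo unknown ;;
    esac
}

# Stand-alone use:  COGNNA_CHECK_RUN=1 sh check-sensor-files.sh
if [ "${COGNNA_CHECK_RUN:-}" = 1 ]; then
    check_sensor_files "$(detect_os)" "${1:-}" && echo "all sensor components present"
fi
```

Run it from a scheduled job or your monitoring agent; a non-zero exit after a successful install is the signal to go back to the GPO, MDM, antivirus and AppLocker checks listed above.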
Support
Need additional support? For additional troubleshooting information or to open a support case, send an email to [email protected]
