TruxtonService.xml

From truxwiki.com

This file contains the information for turning a machine into a Truxton Exploitation node. The Truxton Service is responsible for keeping the correct number of exploitation processes running.

Truxton Service

Checks once per minute to see if ETLs and Services are running. If a monitored process is missing, a new one will be started in its place. When the service is stopped, all monitored processes are shut down.

The TruxtonService.xml file is stored in the %ProgramData%\Truxton\Settings (usually C:\ProgramData) folder.

Configuration File

The Truxton Service uses the Configuration System to gather options.

Settings

purger

Truxton has expiration dates for media. The default expiration date of media is 99 years from when it was loaded. This setting governs if this instance of the Truxton Service will query the database for expired media and automatically delete it.

employed

When set to true, this instance of Truxton Service will spawn ETL processes and monitor them.

work_schedule

This section specifies when ETL processes are allowed to run. Each day of the week can have a different schedule. When the service comes on duty, it will start the ETL processes. When it goes off duty, it will gracefully stop the ETL processes.
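The following is an added example, not code from the Truxton project, showing how the work_schedule section can be evaluated: it parses the day elements and their on_duty windows from a constructed TruxtonService.xml fragment and answers whether ETLs are allowed to run at a given timestamp. It assumes the HHMM-HHMM end minute is inclusive (which is what makes the page's 0000-2359 mean a whole day), that a day may carry more than one on_duty element, that a day with none is off duty, and that employed accepts yes or true and lives under work_schedule as in the sample file (falling back to truxton_options). The function and constant names are the example's own.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample (not from a real deployment): a trimmed TruxtonService.xml
# with a weekday-only schedule and a split shift on Wednesday.
SAMPLE_SCHEDULE_XML = """<root>
  <truxton_options>
    <work_schedule>
      <employed>yes</employed>
      <monday><on_duty>0800-1759</on_duty></monday>
      <tuesday><on_duty>0800-1759</on_duty></tuesday>
      <wednesday><on_duty>0800-1159</on_duty><on_duty>1300-1759</on_duty></wednesday>
      <thursday><on_duty>0800-1759</on_duty></thursday>
      <friday><on_duty>0800-1759</on_duty></friday>
      <saturday/>
      <sunday/>
    </work_schedule>
  </truxton_options>
</root>
"""

# datetime.weekday() numbers Monday as 0, so this list lines up with it.
DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


def parse_window(text):
    """Turn an on_duty value such as '0800-1759' into (start, end) minutes since
    midnight. The end minute is taken as inclusive (an assumption), which is what
    lets the page's '0000-2359' cover the whole day."""
    start, _, end = text.strip().partition("-")
    if len(start) != 4 or len(end) != 4 or not (start + end).isdigit():
        raise ValueError(f"on_duty window must be HHMM-HHMM, got {text!r}")
    s = int(start[:2]) * 60 + int(start[2:])
    e = int(end[:2]) * 60 + int(end[2:])
    if int(start[2:]) > 59 or int(end[2:]) > 59 or not (0 <= s <= e <= 23 * 60 + 59):
        raise ValueError(f"on_duty window out of range or reversed: {text!r}")
    return s, e


def load_schedule(xml_text):
    """Return (employed, {day: [(start, end), ...]}). A day with no on_duty
    element is off duty all day. The sample on this page nests employed inside
    work_schedule, so look there first and fall back to truxton_options."""
    root = ET.fromstring(xml_text)
    ws = root.find("./truxton_options/work_schedule")
    if ws is None:
        raise ValueError("work_schedule element not found")
    employed_el = ws.find("employed")
    if employed_el is None:
        employed_el = root.find("./truxton_options/employed")
    # Assumption: the page's prose says "true", the sample says "yes"; accept both.
    employed = employed_el is not None and (employed_el.text or "").strip().lower() in ("yes", "true")
    schedule = {}
    for day in DAY_NAMES:
        day_el = ws.find(day)
        schedule[day] = [] if day_el is None else [parse_window(w.text or "") for w in day_el.findall("on_duty")]
    return employed, schedule


def is_on_duty(employed, schedule, when):
    """True when ETLs may run at datetime `when`. An unemployed service is never
    on duty, matching the comment in the page's sample file."""
    if not employed:
        return False
    minute = when.hour * 60 + when.minute
    return any(s <= minute <= e for s, e in schedule[DAY_NAMES[when.weekday()]])


def on_duty_at(xml_text, iso_timestamp):
    """Convenience wrapper: evaluate the schedule in `xml_text` at a local
    ISO 8601 timestamp such as '2020-05-13T14:00'."""
    employed, schedule = load_schedule(xml_text)
    return is_on_duty(employed, schedule, datetime.fromisoformat(iso_timestamp))


if __name__ == "__main__":
    for ts in ("2020-05-13T12:30", "2020-05-13T14:00", "2020-05-16T10:00"):
        print(ts, "on duty" if on_duty_at(SAMPLE_SCHEDULE_XML, ts) else "off duty")
```

Because the window parser rejects reversed or out-of-range values, a typo such as 0800-0759 or 2400-2359 is reported when the file is read rather than silently leaving the ETLs off duty all day.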

etl

This section defines an ETL process. The exe element describes how the ETL should run and what the name of the executable file is.

  • controllable - This attribute tells the Truxton Service if the ETL was written using Truxton libraries. This allows the ETL to be cleanly stopped by the Truxton Service.
  • instances - This integer controls the number of simultaneous processes the service will keep running.
  • queue - The name of the message queue that this ETL uses.

service

A service will run as long as the Truxton Service is running. It is immune from the work schedule.

shutdownmachine

This setting will power the loader machine off when the ETLs go idle for a while. This is handy if you have spun up several VMs and don't want them to run when there's nothing to do.

Sample Configuration File

This section contains a sample configuration file from a running machine. One of the things we try to do in Truxton is to log where things came from. Notice the first comment in the file: it logs who created the configuration file and when.

<root>
  <truxton_options>
  <!-- This Truxton service configuration file was created 2020-05-14 14:55:35 by TruxtonService.exe running as SYSTEM from the machine named DESKTOP-5NRI5PO (10.0.0.172). -->
    <service_configuration_version>1840023666788</service_configuration_version>
  <!-- There should only be one purger of expired media on your network -->
    <purger>yes</purger>
    <work_schedule>
    <!-- If this service is not employed, the service will run but no ETLs will be allowed to run -->
      <employed>yes</employed>
      <monday>
        <on_duty>0000-2359</on_duty>
      </monday>
      <tuesday>
        <on_duty>0000-2359</on_duty>
      </tuesday>
      <wednesday>
        <on_duty>0000-2359</on_duty>
      </wednesday>
      <thursday>
        <on_duty>0000-2359</on_duty>
      </thursday>
      <friday>
        <on_duty>0000-2359</on_duty>
      </friday>
      <saturday>
        <on_duty>0000-2359</on_duty>
      </saturday>
      <sunday>
        <on_duty>0000-2359</on_duty>
      </sunday>
    </work_schedule>
    <emptyqueuethresholdseconds>3600</emptyqueuethresholdseconds>
    <etls>
      <etl>
        <description>This consumes BOLOs and creates Alerts.</description>
        <exe controllable="yes" instances="1" queue="alert">Alert</exe>
      </etl>
      <etl>
        <description>This expands archive files.</description>
        <exe controllable="yes" instances="1" queue="archives">Archives</exe>
      </etl>
      <etl>
        <description>This carves free space for files.</description>
        <exe controllable="yes" instances="1" queue="carve">Carve</exe>
        <arguments>-carve_threads 0</arguments>
      </etl>
      <etl>
        <description>This generates video contact sheets, the 10x10 grid of images taken throughout the video.</description>
        <exe controllable="yes" instances="1" queue="contactsheet">ContactSheet</exe>
      </etl>
      <etl>
        <description>This parses MIME email files.</description>
        <exe controllable="yes" instances="1" queue="email">EMail</exe>
      </etl>
      <etl>
        <description>This is the main file expander service.</description>
        <exe controllable="yes" instances="4" queue="expand">Expand</exe>
      </etl>
      <etl>
        <description>This performs final processing after all files are present. It performs count queries and updates statistics.</description>
        <exe controllable="yes" instances="1" queue="finishedstage">Finished</exe>
      </etl>
      <etl>
        <description>This identifies file contents and routes accordingly.</description>
        <exe controllable="yes" instances="1" queue="identify">Identify</exe>
      </etl>
      <etl>
        <description>This is a loader as an ETL. It has the responsibility to expand files and load media.</description>
        <exe controllable="yes" instances="1" queue="load">Load</exe>
        <arguments>-lq load</arguments>
      </etl>
      <etl>
        <description>This coordinates the poly file expansion process.</description>
        <exe controllable="yes" instances="1" queue="poly">Poly</exe>
      </etl>
      <etl>
        <description>This finds the all of the pieces of multi-part archives and expands them.</description>
        <exe controllable="yes" instances="1" queue="pfe">PolyFileExpander</exe>
      </etl>
      <etl>
        <description>This exploits Windows registry files.</description>
        <exe controllable="yes" instances="1" queue="registry">Registry</exe>
      </etl>
      <etl>
        <description>This exports registry files to the local filesystem, spawns RegRipper.exe, grabs the result and makes it a child file of the registry file.</description>
        <exe controllable="yes" instances="1" queue="regripper">RegRipper</exe>
      </etl>
      <etl>
        <description>This spawns executables to expand files then kills them when done.</description>
        <exe controllable="yes" instances="1" queue="remoteexpand">RemoteFileExpander</exe>
      </etl>
      <etl>
        <description>This generates the reports.</description>
        <exe controllable="yes" instances="1" queue="report">Report</exe>
      </etl>
      <etl>
        <description>This keeps the SOLR service running.</description>
        <exe controllable="yes" instances="1" queue="solrcontentstage">SOLR</exe>
      </etl>
      <etl>
        <description>This sends files to SOLR for content indexing.</description>
        <exe controllable="yes" instances="1" queue="solrfile">SOLRFile</exe>
      </etl>
      <etl>
        <description>This reassembles fragments of carved files into the correct order for viewing.</description>
        <exe controllable="yes" instances="1" queue="stitch">Stitch</exe>
      </etl>
      <etl>
        <description>This extracts text from files.</description>
        <exe controllable="yes" instances="1" queue="tqueue">TextExtract</exe>
      </etl>
      <etl>
        <description>This generates small thumbnail images from larger images.</description>
        <exe controllable="yes" instances="2" queue="thumbnail">Thumbnail</exe>
      </etl>
      <etl>
        <description>This uses Yara to scan files for the rules you specify. Normally this is a malware scanner.</description>
        <exe controllable="yes" instances="1" queue="yara">Yara</exe>
      </etl>
    </etls>
    <services>{Solr 5 Server||$TextIndexerData$Search/bin/solr.cmd|start -p 8983 -m 5416m -a &quot;-XX:-UsePerfData&quot;|$TextIndexerData$Search/bin/solr.cmd|stop -p 8983|java.exe|jetty.port=8983},</services>
  <!-- The shutdownmachine boolean value tells Truxton if it should power down the server once all ETLs go idle -->
    <shutdownmachine>false</shutdownmachine>
  </truxton_options>
</root>

Adding Your Own ETL Process

When you want to add to Truxton's ETL layer, add a new etl subelement to the etls element.

<etls>
  ... Other etl elements here ...
  <etl>
    <description>This is our ETL that decrypts PGP encrypted files</description>
    <exe controllable="yes" instances="2" queue="unpgp">c:\My\Path\To\UnPGP.exe</exe>
  </etl>
</etls>
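Before restarting the service with a hand-edited etls block, it is worth checking the entries the same way the Truxton Service will read them. The following is an added example, not code from the Truxton project: it parses the etl elements from a constructed fragment (the page's UnPGP entry plus two deliberately flawed ones), reports entries the service could not start as written (empty exe, non-integer instances, missing queue, a controllable value other than yes or no) and notes things a reviewer should look at. The duplicate-queue check and the full-path note are review heuristics of this example, not rules published by Truxton; the function names are the example's own.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample (not a real deployment): the etls element after the custom
# UnPGP entry from the page has been added, plus two deliberately flawed entries
# so the checks below have something to report.
SAMPLE_ETLS_XML = r"""<root>
  <truxton_options>
    <etls>
      <etl>
        <description>This identifies file contents and routes accordingly.</description>
        <exe controllable="yes" instances="1" queue="identify">Identify</exe>
      </etl>
      <etl>
        <description>This is our ETL that decrypts PGP encrypted files</description>
        <exe controllable="yes" instances="2" queue="unpgp">c:\My\Path\To\UnPGP.exe</exe>
      </etl>
      <etl>
        <description>Flawed: instances is not a number and the queue is already taken</description>
        <exe controllable="no" instances="two" queue="identify">Broken</exe>
      </etl>
      <etl>
        <description>Flawed: no executable named</description>
        <exe controllable="yes" instances="1" queue="empty"></exe>
      </etl>
    </etls>
  </truxton_options>
</root>
"""


def parse_etls(xml_text):
    """Return one dict per etl element with the raw attribute and text values.
    Missing pieces come back as empty strings so the audit can report them."""
    root = ET.fromstring(xml_text)
    etls = []
    for etl in root.iterfind("./truxton_options/etls/etl"):
        exe = etl.find("exe")
        if exe is None:
            exe = ET.Element("exe")  # placeholder so the lookups below return ""
        etls.append({
            "description": etl.findtext("description", default="").strip(),
            "exe": (exe.text or "").strip(),
            "controllable": exe.get("controllable", ""),
            "instances": exe.get("instances", ""),
            "queue": exe.get("queue", ""),
            "arguments": etl.findtext("arguments", default="").strip(),
        })
    return etls


def audit_etls(etls):
    """Return {"problems": [...], "notes": [...]}. Problems are entries the
    service cannot start as written; notes are things a reviewer should look at.
    Both are review heuristics added in this example, not Truxton rules."""
    problems, notes = [], []
    queue_use = Counter(e["queue"] for e in etls)
    for i, e in enumerate(etls, start=1):
        label = e["exe"] or f"etl #{i}"
        if not e["exe"]:
            problems.append(f"{label}: exe element is empty, nothing to start")
        if e["controllable"] not in ("yes", "no"):
            problems.append(f"{label}: controllable must be yes or no, got {e['controllable']!r}")
        if not e["instances"].isdigit() or int(e["instances"]) < 1:
            problems.append(f"{label}: instances must be a positive integer, got {e['instances']!r}")
        if not e["queue"]:
            problems.append(f"{label}: queue attribute is missing")
        elif queue_use[e["queue"]] > 1:
            problems.append(f"{label}: queue {e['queue']!r} is consumed by more than one ETL")
        if e["controllable"] == "no":
            notes.append(f"{label}: not controllable, so the service can only kill it rather than stop it cleanly")
        if "\\" in e["exe"] or "/" in e["exe"]:
            # The sample file's header comment shows the service running as SYSTEM,
            # so anything launched by full path deserves a look: the file and its
            # directory should not be writable by unprivileged users.
            notes.append(f"{label}: launched by full path; confirm the file and its directory are not user-writable")
    return {"problems": problems, "notes": notes}


def total_instances(etls):
    """Processes the service will keep alive, counting only entries whose
    instances value is a valid integer."""
    return sum(int(e["instances"]) for e in etls if e["instances"].isdigit())


if __name__ == "__main__":
    etls = parse_etls(SAMPLE_ETLS_XML)
    report = audit_etls(etls)
    print(f"{len(etls)} ETLs, {total_instances(etls)} processes kept running")
    for line in report["problems"]:
        print("PROBLEM", line)
    for line in report["notes"]:
        print("NOTE   ", line)
```

Run against the real file, read %ProgramData%\Truxton\Settings\TruxtonService.xml into a string and pass it to parse_etls in place of the constructed sample; the audit logic is unchanged.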