thevlad

THEVLAD: Remote execution and triage tool via EDRs API

Analysis-oriented command line tool for remote execution and triage via EDRs API

Table of Contents
  1. About The Project
  2. Usage
  3. Examples
  4. Microsoft Defender XDR
  5. Roadmap

About The Project

The goal of this project is a single tool that makes it easy to execute tools and collect their output remotely through the APIs offered by current EDR/XDR products, abstracting away the vendor.

This lets researchers run their own tools, or drive the EDR from their own scripts and tooling, in a simple way.

And of course... just for fun!

Usage

DOWNLOAD EXECUTABLE

Copy the portable TheVlad executable to the investigator machine from which you want to perform the analysis, execution or triage.

Command Line Options

vlad.py [-h] [-V] -c CLIENT -v VENDOR [-l LIST_ENDPOINTS] [-s SEARCH_ENDPOINTS] [-x BASE64_COMMAND] [-m MACHINEID] [-b BINARY] [-d DOWNLOAD_FILE] [-f FORCE_EXECUTION]

Examples

Download of a file via Microsoft Defender XDR API

python3 vlad.py -c XXXXXX -v MDATP -m XXXXXX -d C:\Users\XXXXXX\Desktop\POC.png -f


Procdump remote execution via Microsoft Defender XDR API

python3 vlad.py -c XXXXXX -v MDATP -m XXXXXX -b C:\Users\XXXXXX\Downloads\Procdump\procdump.exe -x U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggInByb2NkdW1wIiAtQXJndW1lbnRMaXN0ICItYWNjZXB0ZXVsYSAtbWEgNTU4NCAgQzpcIg== -f



SentinelOne: Uploading and Executing Binaries

Note: When using SentinelOne (-v SENTINEL), binaries must be provided as a ZIP file. Its contents are extracted on the remote endpoint, and you must reference the extracted files through the environment variable $ENV:S1_PACKAGE_DIR_PATH (PowerShell) or $S1_PACKAGE_DIR_PATH (Bash).

Example:

python3 vlad.py -c COMPANY01 -v SENTINEL -x Y2F0ICRFTlY6UzFfUEFDS0FHRV9ESVJfUEFUSFxXZWxjb21lLnR4dA== -b .\package\Welcome.zip -m 2169614728921510233

Where the encoded command is:

cat $ENV:S1_PACKAGE_DIR_PATH\Welcome.txt

This will execute cat Welcome.txt inside the extracted ZIP folder.


CrowdStrike: Passing Arguments to Binaries

Note: For CrowdStrike (-v CROWDSTRIKE), arguments to an uploaded binary must be passed with the -CommandLine parameter. The full command is base64-encoded as usual.

Example:

python3 vlad.py -c COMPANY2 -v CROWDSTRIKE -m 8a335603babf4125a5xxxxx50933b18f8 -x bmV0YWdlbnQuZXhlIC1Db21tYW5kTGluZT0iODA4MCw5MDkwIg== -b .\binaries\netagent.exe

Where the encoded command is:

netagent.exe -CommandLine="8080,9090"

This will execute netagent.exe with the specified arguments on the remote endpoint.


Trend Micro Vision One (TMV1)

  • Standard script execution and file collection are supported.
  • No special packaging or argument requirements.

Supported Vendors

| Vendor | Code | Notes |
| --- | --- | --- |
| Microsoft Defender XDR | MDATP | Standard usage. |
| Trend Micro Vision One | TMV1 | Standard usage. |
| SentinelOne | SENTINEL | Binaries must be ZIP files. Use $ENV:S1_PACKAGE_DIR_PATH to reference extracted files. |
| CrowdStrike | CROWDSTRIKE | Arguments must be passed via -CommandLine. |

Advanced Usage Tips

  • Base64 Encoding: All commands passed with -x must be base64-encoded.
  • Binary Uploads: Use -b to upload a binary. For SentinelOne, this must be a ZIP file.
  • Machine ID: Always required for actions targeting a specific endpoint (-m).
  • Force Action: Use -f to cancel pending tasks before executing a new one.

Example Table

| Scenario | Command Example |
| --- | --- |
| Download file (MDATP) | python3 vlad.py -c X -v MDATP -m X -d C:\file.txt -f |
| Run script (TMV1) | python3 vlad.py -c X -v TMV1 -m X -x <base64_command> |
| Run ZIP binary (SENTINEL) | python3 vlad.py -c X -v SENTINEL -m X -b .\file.zip -x <base64_command> |
| Run binary with args (CROWDSTRIKE) | python3 vlad.py -c X -v CROWDSTRIKE -m X -b .\file.exe -x <base64_command_with_CommandLine> |
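As an added helper (example code, not part of thevlad), the following Python builds a vlad.py invocation from a plain-text command: it base64-encodes the command for -x, can decode an existing -x value when auditing what was run, and enforces the SentinelOne ZIP / $ENV:S1_PACKAGE_DIR_PATH and CrowdStrike -CommandLine rules before anything is sent. The VENDORS set and all function names are my own assumptions.

```python
import base64

# Vendor codes as documented in the thevlad README (constructed helper, not the tool's own code).
VENDORS = {"MDATP", "TMV1", "SENTINEL", "CROWDSTRIKE"}


def encode_command(command):
    """Turn a plain command into the base64 string vlad.py expects after -x."""
    return base64.b64encode(command.encode("utf-8")).decode("ascii")


def decode_command(b64):
    """Recover the plain command from a -x argument, e.g. when reviewing a past invocation."""
    return base64.b64decode(b64, validate=True).decode("utf-8")


def check_vendor_constraints(vendor, command, binary):
    """Raise ValueError when the README's per-vendor rules would be violated."""
    if vendor not in VENDORS:
        raise ValueError("unknown vendor code %r" % vendor)
    if vendor == "SENTINEL" and binary is not None:
        if not binary.lower().endswith(".zip"):
            raise ValueError("SentinelOne binaries must be uploaded as a ZIP file")
        if "S1_PACKAGE_DIR_PATH" not in command:
            raise ValueError("reference extracted files via $ENV:S1_PACKAGE_DIR_PATH")
    if vendor == "CROWDSTRIKE" and binary is not None and "-CommandLine" not in command:
        raise ValueError("CrowdStrike binaries take their arguments via -CommandLine")


def build_vlad_argv(client, vendor, machine_id, command=None, binary=None,
                    download=None, force=False):
    """Assemble the argv list for one vlad.py run (bare -f, as in the README examples)."""
    check_vendor_constraints(vendor, command or "", binary)
    argv = ["python3", "vlad.py", "-c", client, "-v", vendor, "-m", machine_id]
    if binary:
        argv += ["-b", binary]
    if command:
        argv += ["-x", encode_command(command)]
    if download:
        argv += ["-d", download]
    if force:
        argv.append("-f")
    return argv


if __name__ == "__main__":
    # Reproduces the README's SentinelOne example from its plain-text command.
    print(" ".join(build_vlad_argv("COMPANY01", "SENTINEL", "2169614728921510233",
                                   command=r"cat $ENV:S1_PACKAGE_DIR_PATH\Welcome.txt",
                                   binary=r".\package\Welcome.zip")))
```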

Microsoft Defender XDR

Live response requirements and limitations

Requirements

Devices must be running one of the following:

Live response limitations

  • 25 response sessions at a time
  • Idle time for a session is 30 minutes.
  • Individual live response commands have a time limit of 10 minutes
  • Getfile, findfile and run have a limit of 30 minutes
  • A single user can initiate 10 concurrent sessions
  • A device can only be in one session

The following file size limits are applicable:

  • getfile limit: 3 GB
  • fileinfo limit: 30 GB
  • library limit: 250 MB

Source: https://jeffreyappel.nl/how-to-troubleshoot-live-response-in-defender-for-endpoint/

Microsoft Defender XDR Limitations

  • 10 calls per minute limit
  • 25 concurrently running sessions
  • RunScript timeout after 10 minutes
  • Live response commands can’t be queued up and can only be executed one at a time.
  • Multiple live response commands can be run in a single API call. However, when one live response command fails, all subsequent actions won’t be executed.
  • When RBAC device grouping is enabled, an automated remediation level must be assigned to the group, at least the minimum Remediation Level.
  • Multiple live response sessions can’t be executed on the same machine.

More Info: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api/run-live-response?view=o365-worldwide

Roadmap

  • Add real-life scenarios
  • Add SentinelOne Support
  • Add CrowdStrike Support
  • Add Cortex Support
  • Add TrendMicro Vision One Support
