Deploying Cado Host
Deploy through Cado Response Platform
In order to deploy Cado Host, you can choose from one of the following deployment methods:
- Use the Script Builder from within the Cado Response Platform. This allows you to build a script which can be run on any supported device, upload the triage artifacts to cloud storage and automatically process the data into Cado Response.
- Use the Direct Download method. This allows customers to download and run Cado Host independent of running Cado Response.
Using Script Builder
In order to deploy Cado Host via the Script Builder in the Cado Response platform, follow the instructions below. Note that when using the Script Builder in AWS, the pre-signed URLs and API keys expire 2 hours after being generated and AWS enforces a limit of 5GB total upload size.
Ensure that the devices on which the scripts will be run have HTTPS access to the AWS S3 endpoint. For example: https://<BUCKET_NAME>.s3.amazonaws.com/
- Find the Cado Host deployment options on the platform under
Project > Import > Cado Host.
-
Select either Direct Download or Script Builder. Direct Download can be used if you are downloading the Cado Host binary to your endpoints directly, via Group Policy or via a MDM tool. Script Builder will generate a script that can be run directly on a device via a terminal window, cmd window or remote script execution tool.
-
If you choose the Script Builder tab, select your OS, cloud storage (where the Cado Host ZIP will be uploaded to) and then the Cado Host binary deployment method.
tipIf you select Manual under
Select Cado Host Binary deployment, download the Cado Host binary to your devices, then copy and paste the command generated for you, into your terminal. -
Copy the pre-generated command to the device and run it, or click the "Download Script" button and run that script on the device.
Using Direct Download
If wish to download the Cado Host binary for manual deployment, select your OS, click Download and then follow the instructions to run Cado Host locally.
Running as non-administrator
Cado Host is designed to be executed through the commandline. If you do not execute the application with administrative privileges there are some artifacts you will not be able to acquire, such as memory and other files that are locked by the operating system.
Windows SmartScreen
On Microsoft Windows, if you execute it without the use of the command line, you may be prompted by the Windows SmartScreen. If you wish to run cado-host.exe by manually clicking it, you will have to select Properties and Untick this box:
Setting the Binary as Executable on Linux and OSX
When running on Linux or OSX, you may need to set the binary as executable:
chmod +x ./cado-host
./cado-host
Creating Secure Cloud Storage Credentials
We now recommend using the automatically created temporary credentials generated by Cado Response.
If you are not using Cado Response, yet still want to automatically store the Cado Host collected data to the cloud, you'll need to create credentials with limited write access to your cloud storage.
To create secure credentials to upload the Cado Host collected data to the cloud, follow the instructions below based on your cloud provider of choice:
- Creating Secure Credentials for Azure
- Creating Secure Credentials for AWS
- Creating Secure Credentials for Google Cloud Storage
Using Local Storage
If you do not set a cloud storage option, files will be saved to the same folder that Cado Host is run from. You can not set a different storage location at this time.
Deploying Cado Host to Multiple Devices
You can execute Cado Host individually on a device or you can deploy it to a number of machines that may be compromised, for example through Group Policy or other systems management software.
Deployment from XDR Integrations
You can deploy Cado Host to machines that may be compromised, for example through XDR systems such as Crowdstrike and SentinelOne. For more, see SentinelOne and Crowdstrike.
Setting a custom location for Cado Host
You can set a custom location from which Cado Host will be deployed from both the Import>Cado Host option, and the container acquisitions which utilise Cado Host.
This can be set under Settings > Advanced:
This may be useful if you wish to deploy Cado Host from your own environment, or perform your own static analysis of any binaries before they are deployed.
It is important that the Cado Host binary is the latest version for compatibility.
For example, if the latest official URL for the Cado Host Linux binary is https://official-cado-bucket.s3-accelerate.amazonaws.com/cado-host/v1.5.4/linux/cado-host and you are hosting the binaries under http://example.com/my-folder/
- Enter http://example.com/my-folder/ as the URL
- Ensure that http://example.com/my-folder/cado-host/v1.5.4/linux/cado-host exists
Please ensure that binaries are present for all operating systems to ensure collections can succeed in all environments:
- /linux/cado-host
- /windows/cado-host.exe
- /osx/cado-host
- /osx/cado-host-x86