🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Red Cloak™ Endpoint Agent Installation

integrations endpoints red cloak secureworks edr


Red Cloak™ Endpoint Agent Requirements

This section provides information on requirements for deploying and implementing Red Cloak™ Endpoint Agent software.

Red Cloak™ Endpoint Agent Connectivity Requirements

The below network access items must be permitted in order for the Red Cloak™ Endpoint Agent to communicate with Secureworks.

Source Destination Port/Protocol Reason
Red Cloak™ Endpoint Agent 52.4.62.128/25, 54.244.50.128/25 (cluster.b.redcloak.secureworks.com) TCP/443, TCP/17234 Red Cloak™ Endpoint Agent Connectivity
Red Cloak™ Endpoint Agent https://redcloak.secureworks.com TCP/443 Remote Agent Upgrade performed by Secureworks Support
F-Response US 3.232.239.2 (fresponse-us1.ir.secureworks.com) TCP/80 Required for safelist in the US
F-Response EU 3.71.228.46 (fresponse-eu1.ir.secureworks.com) TCP/80 Required for safelist in the EU

Data Provided from Integration

  Alerts Auth DNS File Collection HTTP NIDS Netflow Process File Modification API Call Registry Scriptblock Management Persistence Thread Injection
Red Cloak™ Windows Endpoint Agent              
Red Cloak™ Linux Endpoint Agent                        

Red Cloak™ Endpoint Agent Proxy Support

The Red Cloak™ Endpoint Agent attempts to discover local proxy settings on the host if it is unable to connect directly to the internet.

Red Cloak™ Endpoint Agent also supports a hard-coded proxy. If you need to create a Red Cloak™ Endpoint Agent that contains a hard-coded proxy, please submit a support request with the following required information:

If the proxy is configured but is unavailable or not reachable, the Red Cloak™ Endpoint Agent will fall back to a direct connection.

Note

The Red Cloak™ Endpoint Agent does not support hard-coded authenticated proxies at this time. The Red Cloak™ Endpoint Agent uses a self-signed certificate and a proxy with man in the middle (MITM) capability needs to safelist Red Cloak™ Endpoint Agent network connections.

Download the Red Cloak™ Endpoint Agent Software

You can download Red Cloak™ Endpoint Agent right from Secureworks® Taegis™ XDR.

  1. From the Taegis™ XDR left-hand side navigation, select Endpoint Agents → Downloads.
  2. Choose the tab for the desired agent type, and then select the download button for the installation package relevant to your operating system.

The Agent Downloads tab also contains a link to the GPG Key needed for Linux installation, as well as checksums for the Taegis™ Agent to verify the integrity of the package.

Once downloaded, deploy with with your preferred host management tool, or manually install on an individual endpoint.

Download Package

Download Package

If you have problems or do not have prod access yet, your Secureworks representative can provide you with a URL to download the Red Cloak™ Endpoint Agent software (MSI, RPM, or DEB). This is typically provided as part of an onboarding email.

If you wish to create a new and/or customized installation package, please submit a support request. If using a hard-coded proxy, a new Agent Package must be created that includes the proxy IP and port. The Red Cloak™ Endpoint Agent does not support authenticated proxy at this time.

Red Cloak™ Endpoint Agent Installation

Windows Agent

By default, the MSI installs without any user interaction; however, double-clicking on the MSI in an interactive session will show an installation prompt. There is no user interaction with the prompt, but it appears on the screen. To install the MSI without any session notifications, use the following command:

msiexec /i redcloak.msi /quiet /qn

Note

Antivirus products monitor systems for unusual modifications to the operating system or to installed software. The data files Red Cloak™ Endpoint Agent creates are an example of such modifications. Even though the Red Cloak™ Endpoint Agent DOES NOT modify anything that belongs to the operating system, some AV/malware protection products consider the Red Cloak™ Endpoint Agent’s own file modifications as malicious behavior and block or stop the processes. To avoid that, consider excluding the Red Cloak™ Endpoint Agent installation directories in your antivirus policy. When defining an Exception List for the Red Cloak™ Endpoint Agent, two directories should be excluded. The default installation directory for the Red Cloak™ Endpoint Agent which is %ProgramFiles(x86)%\Dell SecureWorks\Red Cloak\ and directory %ProgramFiles(x86)%\Dell SecureWorks\Ignition\ which is the default directory of the Ignition update module.

Note

The Red Cloak™ Endpoint Agent installation does not require or enforce a system restart; however, for agent versions prior to 2.8.3.0, if there are any pending reboots in your system, endpoints may reboot after the install is completed. This has been fixed in version 2.8.3.0.

Windows Agent Dependencies

Red Cloak™ Endpoint Agent for Windows is completely self-contained. It requires no DLLs or assemblies other than those that come with a base Windows system.

Note

Installing the Red Cloak™ Endpoint Agent on Windows Server 2008 R2 or Windows 7 may require the patches described in the following Microsoft support articles:

Validate Red Cloak™ Endpoint Agent for Windows Installation

A Red Cloak™ Endpoint Agent installation does not require or enforce a system restart. To validate that the software was successfully installed, follow these steps:

  1. Verify the RedCloak.exe process is running
  2. Open a command prompt with Administrator privileges.

Note

Running without Administrator privileges will also function, but will cause a new Command Prompt window to briefly display with the command results and then close as soon as the command execution ends.

  1. Navigate to the installation directory:
cd "C:\Program Files (x86)\Dell SecureWorks\Red Cloak"
  1. Execute:
redcloak.exe --check

Note

This step also confirms that connectivity to Secureworks® Taegis™ XDR is successful.


c:\Program Files (x86)\Dell SecureWorks\Red Cloak>redcloak.exe --check
...
[ INFO  ] Dell SecureWorks Red Cloak
[ INFO  ] Communications Check
[ INFO ]
[ INFO ] This process will check the communications channel between [ INFO ] this system and the servers.
...
[ **SUCCESS**  ] connection active

Linux Agent

If a local yum repository will not be used, the RPM can be transferred to individual endpoints, and the yum command can be used. For Ubuntu endpoints, proceed to the next section.

  1. Import the GPG Key for RPM validation:
rpm --import {path to key file}

Note

Find this key on the package details page using the provided download URL.

  1. Install the RPM:
yum localinstall <redcloak_filename>.rpm
  1. Change the location of core dumps.

If the system needs to generate a core dump during a default agent installation, the file is typically saved in the .exempt folder in the agent installation directory, for example /opt/secureworks/redcloak/.exempt. The size of a core dump varies between systems and can be influenced by a number of unknowable and/or unpredictable factors. To handle that, we recommend having at least 5GB of space free. If the default installation directory cannot accommodate a 5GB file, the location of the core dump can be changed. To change the location of agent core dumps, open the agent’s startup script with admin privileges. You can find the startup script in the agent’s bin folder: /opt/secureworks/redcloak/bin/redcloak_start.sh. Locate the line in the script that looks like this:

${prefix}/bin/redcloak --run-service --override-root "${prefix}"> /dev/null 2>&1 &

and change to:

${prefix}/bin/redcloak --run-service --override-root "${prefix}" --core-dump-path=PATH_TO_CHOICE_OF_PARTION > /dev/null 2>&1 &

Note: The new core dump path must exist as the Redcloak Agent will not attempt to create it.

Ubuntu Endpoints

To install the Linux Agent on Ubuntu endpoints:

  1. Import the GPG Key:
gpg --import RedCloak-GPG-Public-Key
  1. Install the agent using apt command:
sudo apt install PATH_TO_DEB

Linux Agent Dependencies

When installing the Red Cloak™ Endpoint Agent for Linux, there are dependencies that can be resolved automatically by using yum:

yum install PATH_TO_RPM

Starting with the 1.2.10.0 release th default application directory is /opt/secureworks/redcloak. If you want to install in a place other than the default /opt/secureworks directory, do the following:

  1. Install all dependencies via YUM
  2. From the command line, enter:
rpm -i --prefix DESIRED_PATH PATH_TO_RPM

--relocate is also a valid option.

The dependencies are as follows:

Validate Linux Endpoint Agent Installation

To validate that the endpoint is reporting, follow these steps:

  1. Access Secureworks® Taegis™ XDR and select Agents from the left-hand side navigation. The Manage Agents panel displays.
  2. Verify the endpoint displays in the table with pertinent information such as the Sensor version just installed.

Red Cloak™ Endpoint Agent Test Event

Windows Agent

To validate that the Red Cloak™ Endpoint Agent is functioning as expected on a Windows endpoint, please generate a test event following these instructions:

  1. On the Microsoft Windows system running the Red Cloak™ Endpoint Agent, open a command prompt.
  2. Execute the command:
notepad.exe redcloaktest
C:\>notepad.exe redcloaktest
  1. A Notepad window opens, prompting that it cannot find the file redcloaktest.txt. Select NO.

redcloaktext.txt

  1. Notify your Secureworks representative that the Red Cloak™ Endpoint Agent installation is complete.

Linux Agent

To validate that the Red Cloak™ Endpoint Agent is functioning as expected on a Linux endpoint, perform the following:

  1. Check the status of the Redcloak service:
service redcloak status
  1. Check agent connectivity to the cloud as a root user.
/opt/secureworks/redcloak/bin/redcloak --check
/opt/secureworks/redcloak/bin/redcloak --check --override-root /opt/secureworks/redcloak/
/var/opt/secureworks/redcloak/bin/redcloak --check

Review Red Cloak™ Endpoint Agent Assets

As Secureworks® Taegis™ XDR processes endpoint telemetry, a list of assets is generated. You can review these assets by navigating to Endpoint Agents from the left-hand side navigation in Secureworks® Taegis™ XDR. Your endpoint is displayed there along with other pertinent details.

 

On this page: