Cado Host


How to Run Cado Host

You can either set parameters in a file (named config.cfg) or on the command line.

The parameter “light” will exclude any files over 100 Mb in size.

If no cloud storage is set, the file will remain on disk locally.

If you do not execute the application with administrative privileges, there are some files you will not be able to acquire.

Cado Host is designed to be run from the command line on Windows. If you execute it without the command line (for example by double-clicking it), you may be prompted by Windows SmartScreen.

If you wish to run cado-host.exe by manually clicking it, you will have to open its Properties and untick this box:

How to Deploy Cado Host

You can execute Cado Host individually on a machine.

You may also want to deploy it to a number of machines that may be compromised, for example through Group Policy or other systems management software.

When running on Linux or OSX, you may need to set the binary as executable, i.e.:

chmod +x ./cado-host


Creating Secure Cloud Storage Credentials

It is important to use credentials whose access is limited to writing objects to your cloud storage and nothing else. Otherwise, if an attacker obtains your credentials, they could compromise the data already uploaded.

Before using Cado Host, you will need to create secure credentials to upload with:
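An added example of what write-only credentials look like on AWS S3 (this is example code, not part of Cado Host or its documentation): an IAM policy that only lets the principal put objects into one bucket sits next to an over-broad policy, and a small checker flags any permission that would let whoever holds the credentials read, list or delete what has already been uploaded. The bucket name is taken from the example command line on this page; the ARNs are built from it. The same principle applies to the Azure SAS string and the Google Cloud key: grant create/write only, scoped to the one container or bucket.

```python
"""Write-only upload credentials, shown for AWS S3.

Added example, not part of Cado Host. It places the kind of IAM policy the
advice above asks for (put objects into one bucket, nothing else) next to an
over-broad one, and checks each for permissions that would let a holder of the
credentials read, list or delete collected data. The bucket name comes from
the example command line on this page; the ARNs are built from it.
"""
import fnmatch

BUCKET = "cado-live-test"

# What an upload-only principal needs: PutObject on objects inside the bucket.
WRITE_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "UploadOnly",
        "Effect": "Allow",
        "Action": ["s3:PutObject"],
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# The shape the advice warns against: full control of the bucket and contents.
OVER_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "FullAccess",
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}

# Actions to probe for: the only one an uploader needs, plus the ones that
# would expose or destroy collected evidence if the credentials leaked.
PROBE_ACTIONS = ("s3:PutObject", "s3:GetObject", "s3:ListBucket",
                 "s3:DeleteObject", "s3:PutObjectAcl")
UPLOAD_ONLY = {"s3:putobject"}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def excess_actions(policy, probe=PROBE_ACTIONS):
    """Return probe actions the policy allows beyond plain object upload.

    Wildcards such as s3:* or s3:Get* are matched case-insensitively, as IAM
    does. Deny statements are ignored, so the check errs on the side of
    reporting too much rather than too little.
    """
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt["Action"]):
            for action in probe:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(action)
    return sorted(a for a in granted if a.lower() not in UPLOAD_ONLY)


def unscoped_resources(policy, bucket=BUCKET):
    """Return Resource entries that reach outside the one upload bucket."""
    prefix = f"arn:aws:s3:::{bucket}"
    return sorted(res for stmt in policy["Statement"]
                  for res in _as_list(stmt["Resource"])
                  if not res.startswith(prefix))


def is_write_only(policy, bucket=BUCKET):
    """True when the policy grants only object writes, confined to the bucket."""
    return not excess_actions(policy) and not unscoped_resources(policy, bucket)


if __name__ == "__main__":
    for name, policy in (("write-only", WRITE_ONLY_POLICY),
                         ("over-broad", OVER_BROAD_POLICY)):
        verdict = "ok" if is_write_only(policy) else (
            f"excess={excess_actions(policy)} unscoped={unscoped_resources(policy)}")
        print(name, verdict)
```

Attach the write-only policy to a dedicated IAM user or role used only for Cado Host uploads, and keep the credentials that can read the bucket on the analysis side. The checker is deliberately conservative: a policy that allows `s3:*` and then denies `s3:GetObject` is still reported, which is the right default when reviewing credentials that will be typed on endpoint command lines.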

Using Local Storage

If you do not set a cloud storage option, files will be saved to the same folder that Cado Host is run from. You cannot set a different storage location at this time.

Command Line Parameters

It is very important to follow the advice above on creating write-only credentials if you are entering credentials on the command line.

Cado Host

cado-host [options]

--light                 Exclude large files (over 100 Mb) from the collection
--storage               The cloud storage to use (files will be stored locally if none selected)
--bucket                The bucket to store data in
--access_key            The Access Key
--secret_key            The Secret Key
--region                The bucket region, e.g. US-EAST-1 (optional)
--account_name          The Azure Account Name
--container_name        The Azure Container Name
--sas_string            The Azure SAS string
--gcp_bucket            The Google Cloud Bucket to store data in
--gcp_access_key        The Google Cloud Access Key
--gcp_secret_key        The Google Cloud Secret Key
--version               Show version information
-?, -h, --help          Show help and usage information

Example Command Line

cado-host.exe --storage aws --access_key xxx --secret_key xxx --bucket cado-live-test

Example Config.cfg

The file config.cfg should be in the same current working directory as the cado-host binary.

storage = google
light = true

access_key = xxx
secret_key = xxx
bucket = xxx

gcp_access_key = xxx
gcp_secret_key = xxx
gcp_bucket = xxx

access_signature = xxx
account_name = xxx
container_name = xxx
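An added example of checking a config.cfg before it goes out to endpoints (example code, not part of Cado Host): it parses the "key = value" format shown above, works out which backend the collection will use, and lists anything that would make the upload fail or leave secrets exposed: missing keys for the selected storage, placeholder values left in, a bad "light" flag, and a config file that other local users can read. Assumptions the page does not state: the storage names "aws" and "google" appear in the examples above, "azure" is an assumed name for the third backend, and the required keys per backend are read off the option table and the example config (which uses access_signature where the command line uses --sas_string).

```python
"""Check a Cado Host config.cfg before deployment.

Added example, not part of Cado Host. Parses the "key = value" format used by
config.cfg and reports problems. Backend names other than the "aws" and
"google" shown in the documentation ("azure") are assumed, as are the required
keys per backend, which are taken from the option table and example config.
"""
import os
import stat

PLACEHOLDER = "xxx"   # the stand-in value used throughout the example config

REQUIRED_KEYS = {
    "aws": ("access_key", "secret_key", "bucket"),
    "azure": ("account_name", "container_name", "access_signature"),
    "google": ("gcp_access_key", "gcp_secret_key", "gcp_bucket"),
}

# Constructed sample: the example config from this page with the Google
# placeholders filled in with made-up values.
SAMPLE_CFG = """\
storage = google
light = true

gcp_access_key = GOOG1EXAMPLEACCESSKEY
gcp_secret_key = examplesecret/notreal
gcp_bucket = ir-collections-example
"""


def parse_cfg(text):
    """Parse 'key = value' lines into a dict; blank lines and # comments skipped."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value', got {raw!r}")
        key, _, value = line.partition("=")
        cfg[key.strip().lower()] = value.strip()
    return cfg


def effective_storage(cfg):
    """Backend name, or 'local' when no storage is set (files stay on disk)."""
    return cfg.get("storage", "").strip().lower() or "local"


def validate(cfg):
    """Return a list of problems; an empty list means the config is usable."""
    problems = []
    storage = effective_storage(cfg)
    if storage != "local" and storage not in REQUIRED_KEYS:
        problems.append(f"unknown storage {storage!r}; expected one of "
                        f"{sorted(REQUIRED_KEYS)}")
    for key in REQUIRED_KEYS.get(storage, ()):
        value = cfg.get(key)
        if not value:
            problems.append(f"{storage}: missing required key {key}")
        elif value.lower() == PLACEHOLDER:
            problems.append(f"{storage}: {key} still holds the placeholder {PLACEHOLDER!r}")
    light = cfg.get("light", "false").lower()
    if light not in ("true", "false"):
        problems.append(f"light must be true or false, got {light!r}")
    return problems


def permissions_problem(mode):
    """Describe a POSIX file mode that lets group or others read the secrets."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return f"config is readable by other users (mode {stat.S_IMODE(mode):04o}); use 0600"
    return None


def check_config_file(path):
    """Parse and validate a config.cfg on disk, including its permissions."""
    with open(path, encoding="utf-8") as fh:
        cfg = parse_cfg(fh.read())
    problems = validate(cfg)
    if os.name == "posix":
        issue = permissions_problem(os.stat(path).st_mode)
        if issue:
            problems.append(issue)
    return cfg, problems


if __name__ == "__main__":
    cfg = parse_cfg(SAMPLE_CFG)
    print("storage:", effective_storage(cfg))
    for problem in validate(cfg) or ["no problems found"]:
        print(" -", problem)
```

Run it against the config.cfg you intend to ship with `check_config_file("config.cfg")`. The permission check matters because a config file is the alternative to typing secrets on the command line, where they are visible to other local users in the process list; a file only helps if it is not world-readable too.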

Collected Artefacts

Thank you to everyone that suggested artefacts that Cado Host should collect.

If there are any artefacts you think we are missing, please let us know.

Cado Host collects the following artefacts on Linux and OSX, where available:

  • .bash_history
  • .ssh/known_hosts
  • /.fseventsd
  • /Library/LaunchAgents
  • /Library/LaunchDaemons
  • /Library/Preferences/SystemConfiguration
  • /Library/Receipts/InstallHistory.plist
  • /Library/StartupItems
  • /System/Library/LaunchAgents
  • /System/Library/LaunchDaemons
  • /System/Library/StartupItems
  • /etc/group
  • /etc/hosts
  • /etc/hosts.allow
  • /etc/hosts.deny
  • /etc/httpd/logs/
  • /etc/passwd
  • /etc/rc.d
  • /etc/utmp
  • /private/var/log/
  • /root/.bash_history
  • /var/adm/wtmp
  • /var/db/application_usage.sqlite
  • /var/log
  • /var/run/utmp
  • /var/run/wtmp

Cado Host collects the following artefacts on Windows, where available:

  • Running Processes
  • Active Network Connections
  • $MFT
  • ALLUSERSPROFILE\McAfee\DesktopProtection\AccessProtectionLog.txt
  • APPDATA\LocalLow\Sun\Java\Deployment\cache\6.0
  • APPDATA\Local\Apple Computer\Safari\Cookies\Cookies.binarycookies
  • APPDATA\Local\ConnectedDevicesPlatform
  • APPDATA\Local\Google\Chrome\User Data\Default\Extensions
  • APPDATA\Local\Google\Chrome\User Data\Default\History
  • APPDATA\Local\Google\Chrome\User Data\Default\Web Data
  • APPDATA\Local\Microsoft\Windows\Explorer
  • APPDATA\Local\Microsoft\Windows\FileHistory\Configuration
  • APPDATA\Local\Microsoft\Windows\UsrClass.dat
  • APPDATA\Local\Microsoft\Windows\UsrClass.dat.LOG1
  • APPDATA\Local\Microsoft\Windows\UsrClass.dat.LOG2
  • APPDATA\Local\Microsoft\Windows\WebCache
  • APPDATA\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
  • APPDATA\Roaming\Microsoft\Windows\Recent
  • APPDATA\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\
  • APPDATA\Roaming\Mozilla\Firefox\Profiles\
  • APPDATA\Roaming\Opera\Opera\global_history.dat
  • APPDATA\Roaming\Opera\Opera\typed_history.xml
  • PROGRAMDATA\McAfee\DesktopProtection\AccessProtectionLog.txt
  • PROGRAMDATA\Microsoft\Windows\Start Menu\Programs\Startup
  • SYSTEMROOT\AppCompat\Programs\AmCache.hve
  • SYSTEMROOT\Prefetch
  • SYSTEMROOT\System32\Config\AppEvent.evt
  • SYSTEMROOT\System32\Config\SecEvent.evt
  • SYSTEMROOT\System32\Config\SysEvent.evt
  • SYSTEMROOT\System32\LogFiles\W3SVC1
  • SYSTEMROOT\System32\Tasks
  • SYSTEMROOT\System32\config\SAM
  • SYSTEMROOT\System32\config\SAM.LOG1
  • SYSTEMROOT\System32\config\SAM.LOG2
  • SYSTEMROOT\System32\config\SECURITY
  • SYSTEMROOT\System32\config\SECURITY.LOG1
  • SYSTEMROOT\System32\config\SECURITY.LOG2
  • SYSTEMROOT\System32\config\SOFTWARE
  • SYSTEMROOT\System32\config\SOFTWARE.LOG1
  • SYSTEMROOT\System32\config\SOFTWARE.LOG2
  • SYSTEMROOT\System32\config\SYSTEM
  • SYSTEMROOT\System32\config\SYSTEM.LOG1
  • SYSTEMROOT\System32\config\SYSTEM.LOG2
  • SYSTEMROOT\System32\drivers\etc\hosts
  • SYSTEMROOT\System32\sru
  • SYSTEMROOT\System32\winevt\logs
  • SYSTEMROOT\inf\setupapi.log
  • inetpub\logs\LogFiles
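An added example, not part of Cado Host, that turns the two artefact lists above into a pre-flight check: it expands each entry into concrete paths and reports which exist on a host, so a responder knows in advance what a collection can yield (a Linux server has no /Library/LaunchAgents; a workstation without IIS has no inetpub logs). Assumptions the documentation does not state: relative Linux/OSX entries such as .bash_history are per home directory; on Windows the APPDATA prefix stands for <profile>\AppData (the list contains both APPDATA\Local and APPDATA\Roaming), SYSTEMROOT, PROGRAMDATA and ALLUSERSPROFILE take their usual environment values, and an entry with no recognised prefix sits on the system drive. The environment values, profile directories and home directories in the block are constructed.

```python
"""Pre-flight check of Cado Host artefact locations on a host.

Added example, not part of Cado Host. Expands the artefact lists from the
documentation into concrete paths and reports which exist. Prefix handling
(APPDATA as <profile>\\AppData, per-home relative Unix entries, unprefixed
entries on the system drive) is an assumption, not documented behaviour.
"""
import os

# Windows entries that are live state, not files; the tool gathers them itself.
WINDOWS_LIVE = {"Running Processes", "Active Network Connections", "$MFT"}

# Constructed sample environment, user profiles and home directories.
WINDOWS_ENV = {"SYSTEMROOT": "C:\\Windows", "PROGRAMDATA": "C:\\ProgramData",
               "ALLUSERSPROFILE": "C:\\ProgramData", "SYSTEMDRIVE": "C:"}
WINDOWS_PROFILES = ["C:\\Users\\alice", "C:\\Users\\bob"]
UNIX_HOMES = ["/root", "/home/alice"]

# A few entries from each list above.
LINUX_ENTRIES = [".bash_history", ".ssh/known_hosts", "/etc/passwd",
                 "/var/log", "/Library/LaunchAgents"]
WINDOWS_ENTRIES = ["Running Processes", "$MFT",
                   "APPDATA\\Local\\Microsoft\\Windows\\UsrClass.dat",
                   "SYSTEMROOT\\System32\\config\\SAM",
                   "PROGRAMDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
                   "inetpub\\logs\\LogFiles"]


def expand_linux(entry, homes):
    """Concrete paths for one Linux/OSX list entry."""
    if entry.startswith("/"):
        return [entry]
    # Relative entries are per user: one candidate per home directory.
    return [home.rstrip("/") + "/" + entry for home in homes]


def expand_windows(entry, env, profiles):
    """Concrete paths for one Windows list entry (none for live-state entries)."""
    if entry in WINDOWS_LIVE:
        return []
    prefix, _, rest = entry.partition("\\")
    if prefix == "APPDATA":
        # Per-user artefact: every profile, not just the account running the tool.
        return [p.rstrip("\\") + "\\AppData\\" + rest for p in profiles]
    if prefix in ("SYSTEMROOT", "PROGRAMDATA", "ALLUSERSPROFILE"):
        return [env[prefix].rstrip("\\") + "\\" + rest]
    # No recognised prefix (e.g. inetpub\logs\LogFiles): relative to the system drive.
    return [env["SYSTEMDRIVE"].rstrip("\\") + "\\" + entry]


def coverage(entries, expand, exists=os.path.exists):
    """Split entries into (present, missing) concrete paths using exists()."""
    present, missing = [], []
    for entry in entries:
        for path in expand(entry):
            (present if exists(path) else missing).append(path)
    return present, missing


if __name__ == "__main__":
    if os.name == "nt":
        env = {k: os.environ.get(k, WINDOWS_ENV[k]) for k in WINDOWS_ENV}
        users = os.path.join(env["SYSTEMDRIVE"] + "\\", "Users")
        profiles = [os.path.join(users, d) for d in os.listdir(users)]
        present, missing = coverage(WINDOWS_ENTRIES,
                                    lambda e: expand_windows(e, env, profiles))
    else:
        # Demo uses the current home; in practice enumerate homes from /etc/passwd.
        homes = [os.path.expanduser("~")]
        present, missing = coverage(LINUX_ENTRIES, lambda e: expand_linux(e, homes))
    print("present:", *present, sep="\n  ")
    print("missing:", *missing, sep="\n  ")
```

Existence is not readability: the registry hives, SAM and SECURITY under System32\config, and $MFT are only acquirable with administrative privileges, as noted at the top of this page, so run the check (and the collection) elevated. Per-user entries need every profile on the box enumerated; a collection launched under SYSTEM or a service account sees a different APPDATA from the user whose activity is under investigation.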

Cado Host – Acknowledgements


We use a number of libraries for uploads to cloud storage:

We also use the Airframe Bootstrap theme, released under a MIT license.