Automated Collection & Enrichment (ACE) is an open-source tool designed for agentless threat hunting across Windows and macOS/Linux systems, requiring only local admin access. It performs scans without writing data to disk, outputs results in JSON for easy integration with SIEMs, and is free to use. Future enhancements include simplified deployment, expanded scanning capabilities, and additional enrichment features.

1. Automated Collection &
Enrichment (ACE)
Jared Atkinson & Robby Winchester

2. Overview
● Concept
● Setup
○ System Requirements
○ Architecture
○ System Management
● Collection
● Automation
● Enrichment
● Data Export
● Future

3. What is ACE
● An open source solution that enables agentless threat
hunting in an environment
● Allows for scanning of remote Windows and macOS/Linux
systems
○ Only requires Local Admin access
○ macOS requires SSH enabled for a “sudoer” account
● Can perform host scans or be scheduled for routine use in
an enterprise

4. Why ACE?
● As consultants performing Compromise Assessments, we
rarely have the authority or ability to alter a
customer’s environment to support assessment operations
● No external dependencies or agent to install
● Executes solely in memory with nothing being written to
disk
● JSON formatted output allows for easy ingestion into SIEM
of choice
● It’s free!

5. Architecture Overview
Scan to Target Systems
Download Script & Return Results
Enriched Data
Target Network
Management
System
Scan Tasking
ACE

6. ACE Architecture
Enrichments
- Enriches scan data
- Outputs data from ACE
ACE Management
- Hosts users/computers/creds
- Backend management of ACE
Web Server
- Initiates scan activity
- Hosts scanning scripts
- Receives host data
Management
System
- Performs tasking

7. System Management
● Users - Internal ACE system accounts
○ Create, Enumerate, Remove, Update
● Credentials - Credentials to target systems
○ Add, Enumerate
● Scripts - Scans being run on remote systems
○ Add, Enumerate
● Computers - Computers in target environment
○ AD & Computer List Discovery

8. System Management
Web Server
Enrichments
ACE Management
Management
System
Add/R
em
ove
AC
E
O
bjects
ACE information
(Users/Credentials/Computers)
Discovery

9. Automation
● Architecture of ACE allows for easy configuration and use
● Schedule scans
○ Time in future
○ Repeat Scan ‘x’ times at ‘y’ interval
○ Can specify desired scripts/computers per scan
● Take care of collection process behind the scenes
○ Tasking and script execution
○ Upload of completed scan data

10. Automation
Web Server
Download
Scripts
Scheduling
Results
Enrichments
ACE Management
Management
System
Relay
Tasking
Access ACE Information for Scan

11. Collection
● Scripts
○ Windows - PowerShell (PS v2 compatible)
○ macOS/Linux - Python (2.7 with no dependencies)
● Downloaded and executed from the Web Server
● Results uploaded to web server via HTTPS POST requests

12. Collection
Web Server
Download
Scripts
Scan
Taskings
Results
Enrichments
ACE Management
Management
System
Relay
Tasking
Access ACE Information for Scan

13. Enrichment
● RabbitMQ messaging system used for enrichment
○ Queues and exchanges used to manage the data
○ Uses AMQP 0.9.1 messaging protocol
● Currently supports public API VirusTotal enrichment
● Allows for easy additional custom enrichments
○ Currently all written in C#, however RabbitMQ is supported in Python,
Java, Ruby, PHP, JavaScript, Go, Elixir, Objective-C, Swift, and
Spring AMQP

14. Enrichment
Web Server
Scan
Results
Enrichments
ACE Management
Management
System
Scan Results for Enrichment
Enriched Data

15. Pre_Hash
File
SIEM
X
ACE
Exchange
VirusTotal
Hash Match
C
FileWriter
C
SIEM
P
ACE Web
Server
C/P
RabbitMQ Enrichment Process

16. Data Export
● Enriched data can currently be exported from ACE two ways
○ Pulled from a RabbitMQ Queue straight to a SIEM (such as ELK)
■ Logstash can map to RabbitMQ input
○ Written out to flat files
● All data is formatted as one object per line flat JSON
○ Easily can import into SIEM of choice for analysis

17. Future Enhancements
● Simplified Deployment - 4 Aug
● Sweep Tracking - ~2 months
● Additional Scanning Scripts - Ongoing
○ Add wider Linux/Unix support
○ Additional Windows scripts
● Additional Protocol Support - Ongoing
● Additional Enrichments - Ongoing
○ IP Reputation
● Web GUI - TBD