Source: scn.rain.com/~neighorn/PDF/2007_Q1_CRIME_presentation.pdf

2/21/2007 2007 CRIME Presentation, slide 1

Or... how to build your own Windows 1st Responder Information Acquisition Tool.

Steve Mancini

Slide 2

Caveat

The opinions expressed in this presentation are those of the authors (or at least the

one talking) and do not reflect the opinions of our employer.

No animals were harmed in the making of this presentation or program.

Any resemblance to real persons living, dead or undead is purely coincidental.

Any resemblance to any place in cyberspace is entirely coincidental.

No other warranty expressed or implied.

Contents may settle during shipment.

Void where prohibited by law.

Some assembly required.

Batteries not included.

Use only as directed.

Slide 3

About the Authors…

Joe Schwendt

- 8 years at Intel
- Incident Commander for IT Emergency Response Team
- Responsible for the recent coding engine behind RAPIER

Steve Mancini

- 10 years inside Intel
- Info Sec Specialist
- PRS
- SANS Certs: GSEC, GCIH, GSNA

Slide 4

What’s in a Name?

RPIER vs RAPIER

Intel (R) RPIER is the name of the official GPL release of the tool.

RAPIER is a GPL branch of the tool being developed external to Intel.

Slide 5

What is RAPIER?

ra·pi·er /rey-pee-er/

–noun

1. a longer, heavier sword, esp. of the 16th and 17th centuries, having a double-edged blade and used for slashing and thrusting.

3. a modular incident response framework designed to acquire commonly requested information during an internal event, incident, or investigation in an easy, consistent manner.

4. Regimented Automated Potential Incident Examination Report

RAPIER was a way for a unix guy (Steve) to gather windows data in the middle of a crisis without thinking.

Slide 6

So why would you need RAPIER?

Allow me to explain…

Slide 7

4:19am (PST)

And not a creature was stirring…

Slide 8

You are here. Sleeping.

Zzzzzz…

Slide 9

4:20 am – It all begins

“Oooo. I wonder what muhaha.exe is…?”

Slide 10

Your NOC/SOC gets a call…

“All I did was open the attachment and…”

Slide 11

Escalation to 2nd Level Support

Did you update their AV? … And? Did you run Microsoft Updater? … And?

Slide 12

Time to call in “The Experts”

Huh? Who is this? What time is it? YOU HAD THEM DO WHAT?!?!?!

Slide 13

Only the 1st drop in the flood…

If I only had root…

Slide 14

More calls. More systems… “All I did was…”

No single rain drop thinks itself the cause of the flood…

Slide 15

Expertise does not scale well…

No, you run netstat user as…$(@#&*?+ !!!!

Slide 16

Meltdown in 5… 4… 3…

http://www.Monster.com…all jobs but information security…

Slide 17

And your point is…?

- The worst time to learn how to acquire information from a system is during the incident.
- Expertise does not scale.
- Common responses trample valuable information:
  - patch
  - run AV scanners
  - run spyware scanners
  - execute the automatic OS updater
- Not everyone knows how to acquire the requested information.
- Not everyone acquires it in the same fashion.

Slide 18

Incident Handling BKMs (best known methods)

- Limit the number of 1st responder decisions
- Automate where possible to free up the incident handler's focus for bigger event issues
- Provide a complete lifecycle for information gathering, from start to delivery of data
- Expedite/simplify the acquisition of information, since time is of the essence
- No going back: try to gather all data that could be requested by analysts

Slide 19

Design Goals

- Stand-alone design: rely on system files as little as possible
- Portability: prefer R/W media (USB)
- Open Source Rulz: where possible, avoid software you have to pay for
- Point-Click-Drool: bundle it all in an easy-to-use interface

Slide 20

RAPIER Features

- Modular design
- Fully configurable GUI
- SHA1 verification checksums
- Auto-update functionality
- Results can be auto-zipped
- Auto-uploaded to central repository
- Email notification when results are received
- 2 default scan modes: Fast/Slow
- Separated output for faster analysis
- Pre/post run changes report
- Configuration file approach
- Process priority throttling

Slide 21

Requirements (3.0)

- NT-based operating system
- .NET Framework 1.1+
- Windows Scripting Host 5.6+
- Windows Management Interface 1.5+
- Results directory must be able to accommodate 1.5 x the size of physical RAM

Slide 22

Under the Hood: RAPIER Architecture

Slide 23

RAPIER: Work Flow

1. Download the RAPIER bundle from the site
2. Update engine and modules (as necessary)
3. Select modules to be run, configure (as necessary)
4. Execute RAPIER
5. Upload sends the results to the designated location
6. Notify sends an email to analysts
7. Analyze the results (see more on this later)

Slide 24

RPIER Networking

RAPIER can be enhanced by deploying it over a network:

- Uses the HTTP (optionally HTTPS) protocol for all communication
- Port is configurable (a port other than 80 is recommended)
- Multiple servers can be set up for redundancy/load balancing
- Enables the following features:
  - Distribution
  - Auto-update functionality
  - Auto-upload functionality
  - Central results repository
  - Central documentation resource (Manual/Training/FAQ)
  - Manual RPIER upload and non-RPIER upload
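The upload leg of this networking design, as an added Python example that is not RPIER's server or client: a small repository server listening on a configurable port (0 here, so the OS picks a non-80 port) that verifies the SHA1 of every received bundle before storing it, and the client that posts a bundle with its checksum. The `/upload` path, the `X-Result-Name` and `X-Result-SHA1` headers, and the bundle bytes are constructed for this example; a real deployment would run the same exchange over HTTPS, the option the slide mentions.

```python
"""Central results repository over HTTP with SHA1 verification on receipt.
Added example, not RPIER code; /upload and the X-Result-* headers are assumed."""
import hashlib
import http.client
import tempfile
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path


class RepositoryHandler(BaseHTTPRequestHandler):
    repo = None  # repository directory, set by start_repository()

    def do_POST(self):
        if self.path != "/upload":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", "0"))
        claimed = self.headers.get("X-Result-SHA1", "").lower()
        # Basename only: the client must not be able to steer the file out of the repo.
        name = Path(self.headers.get("X-Result-Name", "results.zip")).name
        body = self.rfile.read(length)
        actual = hashlib.sha1(body).hexdigest()
        if actual != claimed:
            # Corrupted or altered in transit: refuse rather than store a bad copy.
            self.send_error(409, "SHA1 mismatch")
            return
        (self.repo / f"{actual}-{name}").write_bytes(body)
        self.send_response(200)
        self.send_header("Content-Length", "7")
        self.end_headers()
        self.wfile.write(b"stored\n")

    def log_message(self, fmt, *args):
        pass  # keep the example quiet


def start_repository(repo_dir, host="127.0.0.1", port=0):
    """Serve the repository in a background thread; return the server object."""
    RepositoryHandler.repo = Path(repo_dir)
    server = ThreadingHTTPServer((host, port), RepositoryHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def upload_results(host, port, name, data, sha1_hex):
    """Client side: POST the bundle with its claimed SHA1; return the HTTP status."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("POST", "/upload", body=data, headers={
        "Content-Type": "application/octet-stream",
        "Content-Length": str(len(data)),
        "X-Result-Name": name,
        "X-Result-SHA1": sha1_hex,
    })
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


def demo():
    """Constructed bundle bytes (not real results): one intact and one altered upload."""
    with tempfile.TemporaryDirectory() as tmp:
        server = start_repository(tmp)
        host, port = server.server_address[:2]
        bundle = b"PK\x03\x04 constructed results bundle"
        digest = hashlib.sha1(bundle).hexdigest()
        good = upload_results(host, port, "../results.zip", bundle, digest)
        altered = upload_results(host, port, "results.zip", bundle + b"x", digest)
        stored = sorted(p.name for p in Path(tmp).iterdir())
        server.shutdown()
        server.server_close()
        return {"good": good, "altered": altered, "stored": stored}


if __name__ == "__main__":
    print(demo())
```

The server names each stored file by its verified digest, so two responders uploading the same bundle collide harmlessly and an analyst can match a file on disk to the checksum the client reported.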

Slide 25

Initiate Program

- Load RPIER.Conf file
- Interpret command line options
- Auto-update check (optional)
- Auto-update if necessary (optional)
- Restart EXE (if updated)
- Load modules
- Display GUI (optional)

Slide 26

Program Execution

- Pre-run MAC checkpoint (optional)
- Run each selected module
- Post-run MAC checkpoint and differential analysis (optional)
- Compress results (optional)
- Upload results (optional)
- Send email notification (optional)
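The pre-run and post-run MAC checkpoint with differential analysis, as an added Python example (not RAPIER's VBScript engine): it records Modify/Access/Create times for designated areas before and after the modules run, then reports what the collection itself created, removed or touched, so an analyst can discount the responder's own footprint when reading the results. The sample tree, the `sloppy_module` callable and the M/A/C labels are constructed for this example.

```python
"""Pre-run / post-run MAC checkpoint with differential analysis.
Added example reproducing the idea of slide 26 in Python; not RAPIER code."""
import os
import tempfile
import time
from pathlib import Path


def mac_checkpoint(roots):
    """Return {path: (mtime_ns, atime_ns, ctime_ns)} for every file under roots.

    Only stat() is used and nothing is opened, so taking the checkpoint does not
    itself update access times. st_ctime is creation time on Windows and
    inode-change time on POSIX."""
    snapshot = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.stat(path, follow_symlinks=False)
                except OSError:
                    continue  # file vanished between listing and stat
                snapshot[path] = (st.st_mtime_ns, st.st_atime_ns, st.st_ctime_ns)
    return snapshot


def mac_diff(before, after):
    """Differential analysis of two checkpoints: new files, missing files, and,
    for files present in both, which of M/A/C moved."""
    labels = ("M", "A", "C")
    changed = {}
    for path in before.keys() & after.keys():
        moved = [labels[i] for i in range(3) if before[path][i] != after[path][i]]
        if moved:
            changed[path] = moved
    return {
        "created": sorted(after.keys() - before.keys()),
        "deleted": sorted(before.keys() - after.keys()),
        "changed": changed,
    }


def run_with_checkpoints(roots, modules):
    """Checkpoint, run each module callable, checkpoint again, report the delta."""
    before = mac_checkpoint(roots)
    for module in modules:
        module()
    return mac_diff(before, mac_checkpoint(roots))


def demo():
    """Constructed sample tree (not data from the presentation)."""
    with tempfile.TemporaryDirectory() as tmp:
        area = Path(tmp) / "designated_area"
        results = Path(tmp) / "results"
        area.mkdir()
        results.mkdir()
        (area / "untouched.txt").write_text("left alone\n")
        (area / "config.ini").write_text("key=value\n")
        # Back-date the timestamps so a write during the run is visible even on
        # filesystems with coarse timestamp granularity.
        old = time.time() - 3600
        for p in area.iterdir():
            os.utime(p, (old, old))

        def sloppy_module():
            # Writes its own output (expected) but also appends to a file in the
            # designated area: a footprint the analyst must discount.
            (results / "module1.txt").write_text("collected output\n")
            with open(area / "config.ini", "a") as f:
                f.write("touched=by_responder\n")

        report = run_with_checkpoints([str(area), str(results)], [sloppy_module])

        def rel(p):
            return os.path.relpath(p, tmp).replace(os.sep, "/")

        return {
            "created": [rel(p) for p in report["created"]],
            "deleted": [rel(p) for p in report["deleted"]],
            "changed": {rel(p): v for p, v in report["changed"].items()},
        }


if __name__ == "__main__":
    print(demo())
```

The report lists `results/module1.txt` as created and `designated_area/config.ini` as changed (at least its M time), while `untouched.txt` does not appear at all; the same diff run against an intruder's changes is the "pre/post run changes report" of the feature list.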

Slide 27

RAPIER Modules

Slide 28

Module Architecture

- Based on VBScript
- RPIER.vbi is a large library of VBScript functions to reference
- Modules can have individual conf files to allow for end-user configuration
- Modules are stand-alone:
  - Can be added/removed at will
  - Allows for independent development/testing

Slide 29

Familiar Programs

Behind the module wrapper are programs most incident handlers are familiar with:

- Auditpol.exe
- Md5sums.exe
- Dumpsec from somarsoft
- sysinternals listdlls.exe, handle.exe
- Pasco.exe / galleta.exe
- Dumpel.exe
- Macmatch.exe
- Net *
- Fport.exe
- Netstat, nbtstat
- Promqry.exe
- Reg3.exe
- Secheck.exe
- Winaudit from parmavex
- Streams.exe
- dd.exe
- Pmdump.exe
- Hfind.exe
- Stegdetect.exe
- MBSA

Slide 30

Feature Module Output

Volatile Information

- complete list of running processes
- locations of those processes on disk
- ports those processes are using
- checksums for all running processes
- dump memory for all running processes
- all DLLs currently loaded and their checksum
- capture last Modify/Access/Create times for designated areas
- all files that are currently open
- Net (start/share/user/file/session)
- output from nbtstat and netstat
- document all open shares/exports on system
- capture current routing tables
- list of all network connections
- Layer 3 traffic samples
- capture logged-in users

Static Information

- System name
- Basic system info (peripherals, BIOS, drivers, etc.)
- System startup commands
- MAC address
- List of installed services
- Local account and policy information
- Current patches installed on system
- Current AV versions
- Files with alternate data streams
- Discover files marked as hidden
- List of all installed software on system (known to registry)
- Capture system logs
- Capture of AV logs
- Copies of application caches (temporary internet files)
- Export entire registry
- Search/retrieve files based on search criteria

Slide 31

Processes


Slide 32

Networking


Slide 33

Logs & Cache Information


Slide 34

Files


Slide 34 note (s3, 10557482, 2/18/2007): process page, networking page, file page, system state, logs / caches

Slide 35

System Configuration


Slide 36

Output

- Format: ASCII text
- Each module produces its own output
- Easier to disperse/manage results
- Default path uses date & time
- Good for “Before & After” executions
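One way to implement the stand-alone module layout of slide 28 together with the output conventions of this slide (per-module ASCII files, a date-and-time results path) plus the SHA1 verification checksums and auto-zipped results from the feature list, as an added Python example that is not RAPIER/RPIER code: each module is a directory with its own `module.conf`, whose `name`, `command` (a JSON argv list, never passed through a shell) and `mode` (fast/slow) keys are this example's own assumptions, as is the `SHA1SUMS.txt` manifest format. The two modules in `demo()` are constructed and simply print a line.

```python
"""Stand-alone module runner: per-module ASCII output in a date/time-named
results directory, a SHA1 manifest and an auto-zipped bundle.
Added example, not RAPIER/RPIER code; module.conf keys and manifest are assumed."""
import hashlib
import json
import subprocess
import sys
import tempfile
import zipfile
from configparser import ConfigParser
from datetime import datetime
from pathlib import Path


def sha1_file(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def load_module(conf_path):
    """One module = one directory holding its own module.conf (INI style).
    'command' is a JSON argv list, so no shell ever interprets it."""
    cp = ConfigParser(interpolation=None)
    cp.read(conf_path)
    sec = cp["module"]
    return {"name": sec["name"], "command": json.loads(sec["command"]),
            "mode": sec.get("mode", fallback="fast"), "dir": conf_path.parent}


def run_modules(modules_root, results_root, mode="fast"):
    """Run every module eligible for the scan mode; return the run directory."""
    # Default results path uses date & time, so repeated runs line up as before/after.
    run_dir = results_root / datetime.now().strftime("%Y%m%d-%H%M%S-%f")
    run_dir.mkdir(parents=True)
    eligible = {"fast": {"fast"}, "slow": {"fast", "slow"}}[mode]
    for conf in sorted(modules_root.glob("*/module.conf")):
        m = load_module(conf)
        if m["mode"] not in eligible:
            continue
        try:
            proc = subprocess.run(m["command"], cwd=m["dir"], capture_output=True,
                                  text=True, timeout=300)
            stdout, log = proc.stdout, f"exit={proc.returncode}\n{proc.stderr}"
        except (OSError, subprocess.TimeoutExpired) as exc:
            stdout, log = "", f"error={exc!r}\n"  # one bad module must not stop the run
        # Each module gets its own files: tool output in .txt, status/stderr in .log.
        for suffix, text in ((".txt", stdout), (".log", log)):
            with open(run_dir / (m["name"] + suffix), "w", encoding="ascii",
                      errors="replace", newline="\n") as f:
                f.write(text)
    outputs = sorted(run_dir.iterdir())  # list before the manifest itself exists
    with open(run_dir / "SHA1SUMS.txt", "w", newline="\n") as f:
        for p in outputs:
            f.write(f"{sha1_file(p)}  {p.name}\n")
    return run_dir


def verify_manifest(run_dir):
    """Recompute every hash listed in SHA1SUMS.txt; True only if all still match."""
    for line in (run_dir / "SHA1SUMS.txt").read_text().splitlines():
        digest, name = line.split("  ", 1)
        if sha1_file(run_dir / name) != digest:
            return False
    return True


def compress_results(run_dir):
    """Zip the run directory beside itself; return (zip path, SHA1 of the zip)."""
    zpath = run_dir.with_suffix(".zip")
    with zipfile.ZipFile(zpath, "w", zipfile.ZIP_DEFLATED) as z:
        for p in sorted(run_dir.iterdir()):
            z.write(p, arcname=f"{run_dir.name}/{p.name}")
    return zpath, sha1_file(zpath)


def demo():
    """Two constructed modules (sample data, not from the deck), run in fast mode."""
    with tempfile.TemporaryDirectory() as tmp:
        mods = Path(tmp) / "Modules"
        for name, mode, text in (("hello_fast", "fast", "hello from fast"),
                                 ("deep_slow", "slow", "only in slow mode")):
            (mods / name).mkdir(parents=True)
            cmd = json.dumps([sys.executable, "-c", f"print({text!r})"])
            (mods / name / "module.conf").write_text(
                f"[module]\nname = {name}\ncommand = {cmd}\nmode = {mode}\n")
        run_dir = run_modules(mods, Path(tmp) / "Results", mode="fast")
        zpath, zdigest = compress_results(run_dir)
        expected = hashlib.sha1(b"hello from fast\n").hexdigest()
        return {
            "files": sorted(p.name for p in run_dir.iterdir()),
            "manifest_ok": verify_manifest(run_dir),
            "stdout_sha1_listed": expected in (run_dir / "SHA1SUMS.txt").read_text(),
            "zip_ok": zipfile.is_zipfile(zpath) and len(zdigest) == 40,
        }


if __name__ == "__main__":
    print(demo())
```

In fast mode only `hello_fast` runs, so the run directory holds `hello_fast.txt`, `hello_fast.log` and the manifest; the SHA1 of the zip is what a client would send along with an upload, and `verify_manifest` is what an analyst runs after receipt to confirm nothing changed in transit.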

Slide 37

Interpreting the Results

To teach you this would require several months (years?) of training and education in operating systems internals, hacking techniques, malware behavior, etc.

Ultimately, the results must be reviewed by people with sufficient knowledge of your environment to be able to discern the odd from the routine.

Slide 38

Over the Horizon

Where do we go from here?

- VISTA validation
- *NIX
- More modules! (of course)
- Alternate output formats
- Program to parse output for interesting results (aka DIRK)

Slide 39

Tool Release

https://sourceforge.net/projects/RPIER/

http://code.google.com/p/rapier/source

Build Notes:

- Certain modules rely upon licensed software, or on tools we could not get permission to bundle under a GPL license.
- We've made it as easy as possible: acquire these on your own and drop them into the Module folders to get them working.

Slide 40

Gratitude

Lawrence Baldwin (SecCheck*)

Jem Berkes (md5sums*)

Frank Heynes (LADS* tool)

Nir Sofer (cprocess* )

Arne Vidstrom (macmatch*, pmdump*)

Kevin Stanush (dumpsec*)

Parmavex Software (winaudit*)

And special thanks to Jesse Kornblum for FRED* as a source of inspiration.

Slide 41

Contributions & Feedback

Have an idea for module?

Have code ready to drop into a module we don’t already have?

Have ideas how to improve it?

Contact us:

[email protected]@[email protected]@gmail.com

Slide 42

Questions?