2/21/2007 2007 CRIME Presentation 1
Or... how to build your own Windows 1st
Responder Information Acquisition Tool.
Steve Mancini
Caveat
The opinions expressed in this presentation are those of the authors (or at least the
one talking) and do not reflect the opinions of our employer.
No animals were harmed in the making of this presentation or program.
Any resemblance to real persons living, dead or undead is purely coincidental.
Any resemblance to any place in cyberspace is entirely coincidental.
No other warranty expressed or implied.
Contents may settle during shipment.
Void where prohibited by law.
Some assembly required.
Batteries not included.
Use only as directed.
About the Authors…
Joe Schwendt
• 8 years at Intel
• Incident Commander for IT Emergency Response Team
• Responsible for recent coding engine behind RAPIER
Steve Mancini
• 10 years inside Intel
• Info Sec Specialist
• PRS
• SANS Certs: GSEC, GCIH, GSNA
What’s in a Name?
RPIER vs RAPIER
Intel (R) RPIER is the name of the official GPL release of the tool.
RAPIER is a GPL branch of the tool being developed external to Intel.
What is RAPIER?
ra·pi·er /rey-pee-er/
–noun
1. a longer, heavier sword, esp. of the 16th and 17th centuries, having a double-edged blade and used for slashing and thrusting.
3. a modular incident response framework designed to acquire commonly requested information during an internal event, incident, or investigation in an easy, consistent manner.
4. Regimented Automated Potential Incident Examination Report
RAPIER was a way for a Unix guy (Steve) to gather Windows data in the middle of a crisis without thinking.
So why would you need RAPIER?
Allow me to explain…
4:19am (PST)
And not a creature was stirring…
You are here. Sleeping.
Zzzzzz…
4:20 am – It all begins
“Oooo. I wonder what muhaha.exe is…?”
Your NOC/SOC gets a call…
“All I did was open the attachment and…”
Escalation to 2nd Level Support
“Did you update their AV? … And?”
“Did you run Microsoft Updater? … And?”
Time to call in “The Experts”
Huh? Who is this? What time is it? YOU HAD THEM DO WHAT?!?!?!
Only the 1st drop in the flood…
If I only had root…
More calls. More systems… “All I did was…”
No single rain drop thinks itself the cause of the flood…
Expertise does not scale well…
No, you run netstat user as…$(@#&*?+ !!!!
Meltdown in 5… 4… 3…
http://www.Monster.com … all jobs but information security…
And your point is…?
• The worst time to learn how to acquire information from a system is during the incident.
• Expertise does not scale
• Common responses trample valuable information:
  • patch
  • run AV scanners
  • run spyware scanners
  • execute automatic OS updater
• Not everyone knows how to acquire the requested information
• Not everyone acquires it in the same fashion
Incident Handling BKMs
• Limit # of 1st Responder decisions
• Automate where possible to free up incident handler’s focus for bigger event issues
• Provide a complete lifecycle for information gathering from start to delivery of data
• Expedite/simplify the acquisition of information since time is of the essence
• No going back. Try to gather all data that could be requested by analysts
Design Goals
• Stand Alone design: rely on system files as little as possible
• Portability: Prefer R/W Media (USB)
• Open Source Rulz: Where possible, avoid software you have to pay for.
• Point-Click-Drool: Bundle it all in an easy to use interface
RAPIER Features
• Modular Design
• Fully configurable GUI
• SHA1 verification checksums
• Auto-update functionality
• Results can be auto-zipped
• Auto-uploaded to central repository
• Email Notification when results are received
• 2 Default Scan Modes – Fast/Slow
• Separated output for faster analysis
• Pre/Post run changes report
• Configuration File approach
• Process priority throttling
Requirements (3.0)
• NT based Operating System
• .NET Framework 1.1+
• Windows Scripting Host 5.6+
• Windows Management Interface 1.5+
• Results Directory must be able to accommodate the size of physical RAM x 1.5.
Under the Hood:
RAPIER Architecture
RAPIER: Work Flow
• Download RAPIER bundle from site
• Update engine and modules (as necessary)
• Select modules to be run, configure (as necessary)
• Execute RAPIER
• Upload sends the results to the designated location
• Notify sends an email to analysts
• Analyze the results (see more on this later)
RPIER Networking
It is possible to enhance RAPIER by deploying it over a network:
• Uses the HTTP (optionally HTTPS) protocol for all communication
• Port is configurable (a port other than 80 is recommended)
• Multiple servers can be set up for redundancy/load balancing
• Enables the following features:
  • Distribution
  • Auto-update functionality
  • Auto-upload functionality
  • Central Results Repository
  • Central Documentation Resource (Manual/Training/FAQ)
  • Manual RPIER upload and non-RPIER upload
Initiate Program
• Load RPIER.Conf file
• Interpret command line options
• Auto Update check (Optional)
• Auto Update if necessary (Optional)
• Restart EXE (if updated)
• Load Modules
• Display GUI (Optional)
Program Execution
• Pre-Run MAC Checkpoint (Optional)
• Run Each Selected Module
• Post-Run MAC Checkpoint and Differential Analysis (Optional)
• Compress results (Optional)
• Upload results (Optional)
• Send Email Notification (Optional)
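The pre/post MAC checkpoint step can be illustrated with a small script. This is an added example, not RAPIER's code (its modules are VBScript): it records the Modify/Access/Create times of every file under designated directories before and after a simulated module run, then reports what the run itself added or altered, using a constructed temporary directory as the "designated area".

```python
"""Pre/post-run MAC checkpoint with differential analysis (added illustration;
RAPIER's own modules are VBScript, this is not the project's code)."""
import os
import tempfile
from pathlib import Path

def mac_checkpoint(roots):
    """Record Modify/Access/Create times for every file under the given roots.
    Returns {path: (mtime, atime, ctime)}; only stat() is used, so taking the
    checkpoint does not itself touch file contents."""
    snap = {}
    for root in roots:
        for p in Path(root).rglob("*"):
            if p.is_file():
                st = p.stat()
                snap[str(p)] = (st.st_mtime, st.st_atime, st.st_ctime)
    return snap

def mac_diff(before, after):
    """Compare two checkpoints. 'changed' maps path -> the letters of the
    timestamps that differ (M, A and/or C): what the run itself disturbed."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = {}
    for path in set(before) & set(after):
        fields = [c for c, x, y in zip("MAC", before[path], after[path]) if x != y]
        if fields:
            changed[path] = fields
    return {"added": added, "removed": removed, "changed": changed}

def demo():
    """Constructed scenario: checkpoint a temp directory, simulate a module run
    that rewrites one file and drops its output file, then diff. Returns
    (added basenames, removed paths, {changed basename: fields})."""
    with tempfile.TemporaryDirectory() as d:
        hosts = Path(d) / "hosts"
        hosts.write_text("127.0.0.1 localhost\n")
        before = mac_checkpoint([d])
        hosts.write_text("127.0.0.1 localhost\n10.0.0.1 added-during-run\n")
        # Force a later mtime so the demo does not depend on the filesystem's
        # timestamp resolution (constructed; a real tool would not do this).
        t = before[str(hosts)][0] + 10
        os.utime(hosts, (t, t))
        (Path(d) / "netstat.txt").write_text("TCP 0.0.0.0:135 LISTENING\n")
        diff = mac_diff(before, mac_checkpoint([d]))
    return ([Path(p).name for p in diff["added"]], diff["removed"],
            {Path(p).name: f for p, f in diff["changed"].items()})
```

The "changed" report is what tells an analyst which timestamps the acquisition itself disturbed, so those entries are not later mistaken for attacker activity.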
RAPIER Modules
Module Architecture
• Based on VBScript
• RPIER.vbi is a large library of VBScript functions to reference
• Modules can have individual conf files to allow for end user configuration
• Modules are stand alone
  • Can be added/removed at will
  • Allows for independent development/testing
Familiar Programs
Behind the module wrapper are programs most incident handlers are familiar with:
Auditpol.exe
Md5sums.exe
Dumpsec from Somarsoft
Sysinternals listdlls.exe, handle.exe
Pasco.exe / galleta.exe
Dumpel.exe
Macmatch.exe
Net *
Fport.exe
Netstat, nbtstat
Promqry.exe
Reg3.exe
Secheck.exe
Winaudit from Parmavex
Streams.exe
dd.exe
Pmdump.exe
Hfind.exe
Stegdetect.exe
MBSA
Feature Module Output
Volatile Information
• Complete list of running processes
• Locations of those processes on disk
• Ports those processes are using
• Checksums for all running processes
• Dump memory for all running processes
• All DLLs currently loaded and their checksum
• Capture last Modify/Access/Create times for designated areas
• All files that are currently open
• Net (start/share/user/file/session)
• Output from nbtstat and netstat
• Document all open shares/exports on system
• Capture current routing tables
• List of all network connections
• Layer 3 traffic samples
• Capture logged in users
Static Information
• System Name
• Basic system info (peripherals, BIOS, drivers, etc.)
• System Startup Commands
• MAC address
• List of installed services
• Local account and policy information
• Current patches installed on system
• Current AV versions
• Files with alternate data streams
• Discover files marked as hidden
• List of all installed software on system (known to registry)
• Capture system logs
• Capture of AV logs
• Copies of application caches (temporary internet files)
• Export entire registry
• Search/retrieve files based on search criteria
Feature output by area (each of the following slides repeated the list above, highlighting one area):
Processes
Networking
Logs & Cache Information
Files
System Configuration
Output
• Format: ASCII text
• Each module produces its own output
  • Easier to disperse/manage results
• Default path uses date & time
  • Good for “Before & After” executions
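Because every run lands in its own date- and time-stamped directory of ASCII text, two runs can be compared mechanically. As an added example (not RAPIER's code), the Python below parses the TCP rows of a netstat module's output from a baseline run and from a later run, then reports listening ports and remote hosts that appear only in the later one; both netstat texts are constructed.

```python
"""Before/after comparison of two netstat module outputs (added example; the
netstat text below is constructed, not real RAPIER output)."""
import re

# Constructed 'netstat -ano' style output from a baseline run ...
BEFORE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:1047        192.0.2.20:445         ESTABLISHED     4
"""
# ... and from a run after the user "opened the attachment" (constructed).
AFTER = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       2316
  TCP    192.0.2.10:1052        198.51.100.7:6667      ESTABLISHED     2316
"""

# TCP rows only: UDP rows carry no State column and are skipped by this pattern.
ROW = re.compile(r"^\s*(TCP)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_netstat(text):
    """Return {(proto, local, foreign, state): pid} for each TCP row."""
    conns = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            conns[(proto, local, foreign, state)] = int(pid)
    return conns

def new_listeners(before, after):
    """Listening sockets present in the after run but not the baseline,
    as sorted (port, pid) pairs; rsplit handles '[::]:port' as well as 'ip:port'."""
    base = parse_netstat(before)
    found = []
    for key, pid in parse_netstat(after).items():
        if key[3] == "LISTENING" and key not in base:
            found.append((int(key[1].rsplit(":", 1)[1]), pid))
    return sorted(found)

def new_foreign_hosts(before, after):
    """Remote hosts (port stripped) that only the after run talked to."""
    def hosts(conns):
        return {k[2].rsplit(":", 1)[0] for k in conns if k[3] != "LISTENING"}
    return sorted(hosts(parse_netstat(after)) - hosts(parse_netstat(before)))
```

The PID returned with each new listener is the hook into the process module's output (path on disk, checksum, memory dump), which is where the analyst looks next.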
Interpreting the Results
To teach you this would require several months (years?) of training and education in operating systems internals, hacking techniques, malware behavior, etc.
Ultimately, the results must be reviewed by people with sufficient knowledge of your environment to be able to discern the odd from the routine.
Over the Horizon
Where do we go from here?
• VISTA validation
• *NIX
• More Modules! (of course)
• Alternate output formats
• Program to parse output for interesting results – aka DIRK
Tool Release
https://sourceforge.net/projects/RPIER/
http://code.google.com/p/rapier/source
Build Notes:
• Certain modules rely upon licensed software, or on tools we could not get permission to bundle under a GPL license.
• We’ve made it as easy as possible – acquire these on your own and drop them into the Module folders to get them working.
Gratitude
Lawrence Baldwin (SecCheck*)
Jem Berkes (md5sums*)
Frank Heynes (LADS* tool)
Nir Sofer (cprocess* )
Arne Vidstrom (macmatch*, pmdump*)
Kevin Stanush (dumpsec*)
Parmavex Software (winaudit*)
And special thanks to Jesse Kornblum for FRED* as a source of inspiration.
Contributions & Feedback
Have an idea for module?
Have code ready to drop into a module we don’t already have?
Have ideas how to improve it?
Contact us:
Questions?