RegRipper3.0

Endpoint Incident Response using - RegRipper

RegRipper is an open source forensic tool developed by Harlan Carvey. It extracts data from the Windows Registry, from user-related hives to system hives.

RegRipper ships with a set of plugins that the examiner can pick from to suit their needs.

From an incident response perspective, identifying patient zero during an incident or infection is just the tip of the iceberg. A responder must gather evidence, artifacts, and data about the compromised systems, and having the right tool to execute these actions is a must. Not only does it automate the work, it also helps the responder reduce the time needed to resolve the issue.

In this demo, we create a test account named “MaliciousAccount” and use RegRipper to extract data from the SAM hive.

First, to extract data from the Registry with RegRipper, the examiner must provide the registry hive and the location where the output log will be saved.

Then, once both are provided, click Rip! to start the execution.

#note: RegRipper uses a series of plugins to parse information from the hive file, then logs the output and saves it in .txt format.

Using RegRipper on our SAM hive, we can see the newly created user account and details that are useful during an investigation, such as the account creation date and time.

Now, let’s look at what is inside the SOFTWARE registry hive and what data RegRipper extracts from it.

RegRipper parses the hive and gives us the following details:

      • Launched installers and their details
      • Last logged-on user
      • MSI packages installed
      • Network card details
      • Network profiles
      • Run registry key, a common destination for persistence
      • Scheduled tasks under the TaskCache registry key

#Note: There is a lot of information here; for the sake of the demo I cited only some of it. Feel free to explore 🙂

The last hive we tackle in this demo is the SYSTEM registry hive. We won’t cover everything in detail; it’s up to you to explore and see it for yourself 🙂

Parsing the SYSTEM hive with RegRipper gives us the following details:

      • AppCompatCache, which can be used as an artifact for evidence of execution
      • Mounted devices, such as external devices (USB)
      • System services
      • ShimCache, which can also be used as an artifact for evidence of execution
      • USBStor, which can be used as an artifact to view the history of USB usage on the system

#Note: For the sake of the demo, we only cited the details that are easily understood. We will not cite all the information, so that you can explore its usage yourself. Again, feel free to explore and find what suits your needs 🙂
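The same three-hive extraction done from the command line, as an added example that is not part of the original post: it runs RegRipper 3.0’s rip.exe over SAM, SOFTWARE and SYSTEM, records hive hashes first, and then searches the logs for the demo’s test account and the artifacts listed above. The tool path, hive directory and output directory are assumed placeholders.

```powershell
# Added example, not from the original post: CLI equivalent of the GUI "Rip!" step.
# Assumptions (placeholders, adjust per case): rip.exe from RegRipper 3.0 is in
# C:\Tools\RegRipper and the exported hives are in C:\Case\hives.
$Rip     = 'C:\Tools\RegRipper\rip.exe'
$HiveDir = 'C:\Case\hives'
$OutDir  = 'C:\Case\regripper'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$Hives = 'SAM', 'SOFTWARE', 'SYSTEM' | ForEach-Object { Join-Path $HiveDir $_ }

# Hash each hive before parsing so it can later be shown that the evidence was not altered.
Get-FileHash -Algorithm SHA256 -Path $Hives |
    Export-Csv -Path (Join-Path $OutDir 'hive_hashes.csv') -NoTypeInformation

foreach ($hivePath in $Hives) {
    $name = Split-Path $hivePath -Leaf
    $log  = Join-Path $OutDir "$name.txt"
    # -r selects the hive file; -a runs every plugin RegRipper knows for that hive type,
    # which is what the GUI does on Rip!. rip.exe prints to stdout, so redirect it to the .txt log.
    & $Rip -r $hivePath -a | Out-File -FilePath $log -Encoding utf8
}

# SAM: the samparse plugin prints one block per user, so matching on the demo account name
# and keeping a few lines of context shows the creation date next to it.
Select-String -Path (Join-Path $OutDir 'SAM.txt') -Pattern 'MaliciousAccount' -Context 0,8

# SOFTWARE: persistence check on the Run keys the post calls out.
Select-String -Path (Join-Path $OutDir 'SOFTWARE.txt') -Pattern 'CurrentVersion\\Run' -Context 0,5

# SYSTEM: evidence of execution and USB history (Select-String is case-insensitive by default;
# adjust the patterns if your RegRipper version labels these sections differently).
Select-String -Path (Join-Path $OutDir 'SYSTEM.txt') -Pattern 'appcompatcache|usbstor' -Context 0,10
```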

BrowsingHistory

Endpoint Incident Response using - BrowsingHistory

BrowsingHistory is a utility that reads the history data of different web browsers (Mozilla Firefox, Google Chrome, IE, Edge, Opera, etc.) and displays the browsing history of all of them in one table.

The browsing history table includes the following information:

      • Visited URL
      • Title
      • Visit Time
      • Visit Count
      • Web Browser 
      • User Profile

BLUESPAWN

Endpoint Incident Response using - BLUESPAWN

BLUESPAWN by ION28 is an active defense and endpoint detection and response tool, which means defenders can use it to quickly detect, identify, and eliminate malicious activity and malware across a network.

DeepBlue CLI

Endpoint Incident Response using - DeepBlue CLI

DeepBlueCLI by Eric Conrad is a PowerShell module that can be used for threat hunting and incident response via Windows Event Logs.

Memoryze DriverWalklist

FireEye Incident Response using - DriverWalkList.bat

Memoryze DriverWalkList.bat is a tool inside FireEye’s well-known Memoryze. It executes DriverAuditModuleList.Batch.xml to enumerate a linked list in the kernel called PsLoadedModuleList.

DriverWalkList.bat is used to enumerate all modules and drivers in a linked list.

DriverWalkList.bat has its set of parameters:

      • -input – name of the image to parse (omit -input for live memory)
      • -output – directory in which to write results. Defaults to ./Audits

Memoryze DriverSearch

FireEye Incident Response using - DriverSearch.bat

Memoryze DriverSearch.bat is a tool inside FireEye’s well-known Memoryze. It executes DriverAuditSignature.Batch.xml to find all loaded drivers using a signature.

DriverSearch.bat is basically used to find drivers.

DriverSearch.bat has its set of parameters:

      • -input – name of the image to parse (omit -input for live memory)
      • -imports – true | false enumerate the driver’s imports
      • -exports – true | false enumerate the driver’s exports
      • -MD5 – true | false hash the driver on disk (Default: false)
      • -SHA1 – true | false hash the driver on disk (Default: false)
      • -SHA256 – true | false hash the driver on disk (Default: false)
      • -digsig – true | false verify whether the driver is signed on disk (Default: false)
      • -strings – true | false inspect all the strings of the driver (Default: false)
      • -output – directory in which to write results. Defaults to ./Audits

Memoryze Process

FireEye Incident Response using - Process.bat

Memoryze Process.bat is a tool inside FireEye’s well-known Memoryze. It executes ProcessAuditMemory.Batch.xml to acquire specified information, such as open ports, files, keys, memory sections, and strings, for a given process or for all processes.

Process.bat enumerates everything about a process, including handles, virtual memory, network ports, and strings.

Process.bat has its set of parameters:

      • -input – name of the image to parse (omit -input for live memory)
      • -pid – PID of the process to acquire. Default: 4294967295, which is equivalent to all PIDs
      • -process – optional name of the process to inspect (Default: excluded)
      • -handles – true | false inspect all process handles (Default: false)
      • -sections – true | false inspect all process memory ranges (Default: false)
      • -ports – true | false inspect all the ports of a process (Default: false)
      • -imports – true | false enumerate the EXE’s and DLLs’ imports (Default: false)
      • -exports – true | false enumerate the EXE’s and DLLs’ exports (Default: false)
      • -MD5 – true | false hash the EXE and DLLs in memory (Default: false)
      • -SHA1 – true | false hash the EXE and DLLs on disk (Default: false)
      • -SHA256 – true | false hash the EXE and DLLs on disk (Default: false)
      • -digsig – true | false verify whether the EXE and DLLs are signed on disk (Default: false)
      • -strings – true | false inspect all the strings of a process (Default: false)
      • -content – only acquire processes that contain a particular regex content (Default: NULL)
      • -output – directory in which to write results. Defaults to ./Audits

Memoryze DriverDD

FireEye Incident Response using - DriverDD.bat

Memoryze DriverDD.bat is a tool inside FireEye’s well-known Memoryze. It executes AcquireDriver.Batch.xml to acquire a specified driver from memory, or all drivers.

DriverDD.bat has its set of parameters:

      • -input – name of the image to parse (omit -input for live memory)
      • -driver – name of the driver to acquire (if not specified, all drivers are acquired)
      • -output – directory in which to write results. Defaults to ./Audits

Memoryze ProcessDD

FireEye Incident Response using - ProcessDD.bat

Memoryze ProcessDD.bat is a tool inside FireEye’s well-known Memoryze. It executes AcquireProcessMemory.Batch.xml to acquire a specified process’s address space, including the stack, the heap, DLLs, EXEs, and NLS files.

ProcessDD.bat has its set of parameters:

      • -input – name of the image to parse (omit -input for live memory)
      • -pid – PID of the process to acquire. Required without a process name
      • -process – name of the process to acquire. Required without a PID
      • -content – only acquire processes that contain a particular regex content (Default: NULL)
      • -output – directory in which to write results. Defaults to ./Audits