Or... how to build your own Windows 1st Responder Information Acquisition Tool. Steve Mancini July 10 2007 SANS Portland 2007 1 Caveat The opinions expressed in this presentation are those of the authors (or at least the one talking) and do not reflect the opinions of our employer. Any resemblance to real persons living, dead or undead is purely coincidental. No animals were harmed in the making of this presentation or program. Any resemblance to any place in cyberspace is entirely coincidental. No other warranty expressed or implied. Contents may settle during shipment. Void where prohibited by law. Some assembly required. Batteries not included. Use only as directed. July 10 2007 SANS Portland 2007 2 About the Authors… Joe Schwendt 8 years at Intel Incident Commander for IT Emergency Response Team Responsible for recent coding engine behind RAPIER July 10 2007 Steve Mancini 10 years inside Intel Info Sec Specialist Police Reserves SANS Certs GSEC GCIH GSNA SANS Portland 2007 3 What’s in a Name? RPIER vs RAPIER Intel (R) RPIER is the name of the official GPL release of the tool. RAPIER is a GPL branch of the tool being developed external to Intel. July 10 2007 SANS Portland 2007 4 So why would you need RAPIER? Allow me to explain… April 13, 2007 2007 WA HTCIA Presentation 5 4:19am (PST) And not a creature was stirring… July 10 2007 SANS Portland 2007 6 You are here. Sleeping. Zzzzzz… July 10 2007 SANS Portland 2007 7 4:20 am – It all begins “Oooo. I wonder what getFREEporn.exe is…?” July 10 2007 SANS Portland 2007 8 Your NOC/SOC gets a call… “All I did was open the attachment and…” July 10 2007 SANS Portland 2007 9 Escalation to 2nd Lv Suport Did you update their AV? … And? Did you run Microsoft Updater? … And? July 10 2007 SANS Portland 2007 10 Time to call in “The Experts” Huh? Who is this? What time is it? YOU HAD THEM DO WHAT?!?!?! July 10 2007 SANS Portland 2007 11 Only the 1st drop in the flood… If I only had root… July 10 2007 SANS Portland 2007 12 More calls. More systems… “All I did was..” No single rain drop thinks itself the cause of the flood… July 10 2007 SANS Portland 2007 13 Expertise does not scale well… No, you run netstat user as… $(@#&*?+ !!!! July 10 2007 SANS Portland 2007 14 Steve meltdown in 5… 4… 3… http://www.Monster.com… all jobs but information security… July 10 2007 SANS Portland 2007 15 And your point is…? The worst time to learn how to acquire information from a system is during the incident. Expertise does not scale Common responses may trample valuable information patch, run AV scanners, Run spyware scanners, Execute automatic OS updater Not everyone knows how to acquire the requested information Not everyone acquires it in the same fashion July 10 2007 SANS Portland 2007 16 Incident Handling BKMs Limit # of 1st Responder decisions Automate where possible to free up incident handler’s focus for bigger event issues Provide a complete lifecycle for information gathering from start to delivery of data Expedite/simplify the acquisition of information since time is of the essence No going back. Try to gather all data that could be requested by analysts July 10 2007 SANS Portland 2007 17 Design Goals Honor the Incident Handling BKM’s Stand Alone design: rely on system files as little as possible Portability: Prefer R/W Media (USB) Open Source Rulz: Where possible, avoid software you have to pay for. Point-Click-Drool: Bundle it all in an easy to use interface July 10 2007 SANS Portland 2007 18 RAPIER Features Modular Design Fully configurable GUI SHA1 verification checksums Auto-update functionality Results can be auto-zipped Auto-uploaded to central repository Email Notification when results are received 2 Default Scan Modes – Fast/Slow Separated output for faster analysis Pre/Post run changes report Configuration File approach Process priority throttling July 10 2007 SANS Portland 2007 19 Requirements (3.0) NT based Operating System .NET Framework 1.1+ Windows Scripting Host 5.6+ Windows Management Interface 1.5+ Results Directory must be able to accommodate the size of physical RAM x 1.5. July 10 2007 SANS Portland 2007 20 Under the Hood: RAPIER Architecture July 10 2007 SANS Portland 2007 21 RAPIER: Work Flow Download RAPIER bundle from site Update engine and modules (as necessary) Select modules to be run, configure (as necessary) Execute RAPIER Upload sends the results to deignated location Notify sends an email to analysts Analyze the results (see more on this later) July 10 2007 SANS Portland 2007 22 RAPIER Networking It is possible to enhance RAPIER by implementing over network: Uses the http (optionally https) protocol for all communication Port is configurable (non-port 80 is recommended) Multiple servers can be setup for redundancy/load balancing Enables the following features: Distribution Auto-update functionality Auto-upload functionality Central Results Repository Central Documentation Resource (Manual/Training/FAQ) Manual RAPIER upload and non-RAPIER upload July 10 2007 SANS Portland 2007 23 Initiate Program Load RAPIER.Conf file Interpret command line options Auto Update check (Optional) Auto Update if necessary (Optional) Restart EXE (if updated) Load Modules Display GUI (Optional) July 10 2007 SANS Portland 2007 24 Program Execution Pre-Run MAC Checkpoint (Optional) Run Each Selected Module Post-Run MAC Checkpoint and Differential Analysis (Optional) Compress results (Optional) Upload results (Optional) Send Email Notification (Optional) July 10 2007 SANS Portland 2007 25 RAPIER Modules July 10 2007 SANS Portland 2007 26 Module Architecture Based on VBScript RAPIER.vbi is a large library of VBScript functions to reference Modules can have individual conf files to allow for end user configuration Modules are stand alone Can be added/removed at will Allows for independent development/testing July 10 2007 SANS Portland 2007 27 Familiar Programs Behind the module wrapper are programs most incident handlers are familiar with: Auditpol.exe Md5sums.exe Dumpsec from somarsoft sysinternals listdlls.exe, handle.exe Pasco.exe / galleta.exe Dumpel.exe Macmatch.exe Net * Fport.exe Netstat, nbtstat July 10 2007 Promqry.exe Reg3.exe Secheck.exe Winaudit from parmavex Streams.exe dd.Exe Pmdump.exe Hfind.exe Stegdetect.exe MBSA SANS Portland 2007 28 Feature Module Output Volatile Information complete list of running processes locations of those processes on disk ports those processes are using Checksums for all running processes Dump memory for all running processes All DLLS currently loaded and their checksum Capture last Modify/Access/Create times for designated areas All files that are currently open Net (start/share/user/file/session) Output from nbtstat and netstat Document all open shares/exports on system Capture current routing tables list of all network connections Layer3 traffic samples capture logged in users July 10 2007 Static Information System Name Basic system info (peripherals, BIOS, drivers, etc) System Startup Commands MAC address List of installed services Local account and policy information Current patches installed on system Current AV versions Files with alternate data streams Discover files marked as hidden List of all installed software on system (known to registry) Capture system logs Capture of AV logs Copies of application caches (temporary internet files) – IE, FF, Opera Export entire registry Search/retrieve files based on search criteria. SANS Portland 2007 29 System Configuration Volatile Information complete list of running processes locations of those processes on disk ports those processes are using Checksums for all running processes Dump memory for all running processes All DLLS currently loaded and their checksum Capture last Modify/Access/Create times for designated areas All files that are currently open Net (start/share/user/file/session) Output from nbtstat and netstat Document all open shares/exports on system Capture current routing tables list of all network connections Layer3 traffic samples capture logged in users July 10 2007 Static Information System Name Basic system info (peripherals, BIOS, drivers, etc) System Startup Commands MAC address List of installed services Local account and policy information Current patches installed on system Current AV versions Files with alternate data streams Discover files marked as hidden List of all installed software on system (known to registry) Capture system logs Capture of AV logs Copies of application caches (temporary internet files) Export entire registry Search/retrieve files based on search criteria. SANS Portland 2007 30 Processes Volatile Information complete list of running processes locations of those processes on disk ports those processes are using Checksums for all running processes Dump all running processes All DLLS currently loaded and their checksum Capture last Modify/Access/Create times for designated areas All files that are currently open Net (start/share/user/file/session) Output from nbtstat and netstat Document all open shares/exports on system Capture current routing tables list of all network connections Layer3 traffic samples capture logged in users July 10 2007 Static Information System Name Basic system info (peripherals, BIOS, drivers, etc) System Startup Commands MAC address List of installed services Local account and policy information Current patches installed on system Current AV versions Files with alternate data streams Discover files marked as hidden List of all installed software on system (known to registry) Capture system logs Capture of AV logs Copies of application caches (temporary internet files) Export entire registry Search/retrieve files based on search criteria. SANS Portland 2007 31 Networking Volatile Information complete list of running processes locations of those processes on disk ports those processes are using Checksums for all running processes Dump memory for all running processes All DLLS currently loaded and their checksum Capture last Modify/Access/Create times for designated areas All files that are currently open Net (start/share/user/file/session) Output from nbtstat and netstat Document all open shares/exports on system Capture current routing tables list of all network connections Layer3 traffic samples capture logged in users July 10 2007 Static Information System Name Basic system info (peripherals, BIOS, drivers, etc) System Startup Commands MAC address List of installed services Local account and policy information Current patches installed on system Current AV versions Files with alternate data streams Discover files marked as hidden List of all installed software on system (known to registry) Capture system logs Capture of AV logs Copies of application caches (temporary internet files) Export entire registry Search/retrieve files based on search criteria. SANS Portland 2007 32 Logs & Cache Information Volatile Information complete list of running processes locations of those processes on disk ports those processes are using Checksums for all running processes Dump memory for all running processes All DLLS currently loaded and their checksum Capture last Modify/Access/Create times for designated areas All files that are currently open Net (start/share/user/file/session) Output from nbtstat and netstat Document all open shares/exports on system Capture current routing tables list of all network connections Layer3 traffic samples capture logged in users July 10 2007 Static Information System Name Basic system info (peripherals, BIOS, drivers, etc) System Startup Commands MAC address List of installed services Local account and policy information Current patches installed on system Current AV versions Files with alternate data streams Discover files marked as hidden List of all installed software on system (known to registry) Capture system logs Capture of AV logs Copies of IE, FF, Opera caches (temporary internet files) Export entire registry Search/retrieve files based on search criteria. SANS Portland 2007 33 Files Volatile Information complete list of running processes locations of those processes on disk ports those processes are using Checksums for all running processes Dump memory for all running processes All DLLS currently loaded and their checksum Capture last Modify/Access/Create times for designated areas All files that are currently open Net (start/share/user/file/session) Output from nbtstat and netstat Document all open shares/exports on system Capture current routing tables list of all network connections Layer3 traffic samples capture logged in users July 10 2007 Static Information System Name Basic system info (peripherals, BIOS, drivers, etc) System Startup Commands MAC address List of installed services Local account and policy information Current patches installed on system Current AV versions Files with alternate data streams Discover files marked as hidden List of all installed software on system (known to registry) Capture system logs Capture of AV logs Copies of application caches (temporary internet files) Export entire registry Search/retrieve files based on search criteria. SANS Portland 2007 34 Output Format: ASCII text Each module produces own output Easier to disperse/manage results Default path uses date & time Good for “Before & After” executions July 10 2007 SANS Portland 2007 35 Output Sample: AuditPol ========================================================== LogFile Located at G:\RAPIER\3.1A2\Results\***\2007-04-12\22-47\AuditPolicy.log RAPIER Library Version=2005.06.06.01 System Name=PXPL4626 Build Info=Intel Corporation Intel Corporation User Processor(s) Quantity and Name=2xGenuine Intel(R) CPU T2400 @ 1.83GHz Module Name=AuditPolicy Description=Windows Audit Policy status Execute Time=Thur 2007/04/12 22:58:08 Running ... (X) Audit Enabled System = Success and Failure Logon = Success and Failure Object Access = No Privilege Use = No Process Tracking = No Policy Change = Success and Failure Account Management = Success and Failure Directory Service Access = No Account Logon = Success and Failure Execute Duration (in seconds)=2 July 10 2007 SANS Portland 2007 36 Output Sample: RAPIER LOG 2007-04-12 2007-04-12 47 2007-04-12 2007-04-12 2007-04-12 2007-04-12 2007-04-12 22:47:25: RAPIER 3.2.2652.36045 started 22:47:25: Results Directory: G:\Results\****\2007-04-12\2222:47:26: Importing Modules 22:47:27: Added AuditPolicy to the Module List 22:47:27: Added Checksums to the Module List 22:47:27: Added CmdLines to the Module List 22:47:27: Added Drivers to the Module List …. 2007-04-12 2007-04-12 2007-04-12 2007-04-12 July 10 2007 22:58:06: 22:58:09: 22:58:09: 23:00:06: Running AuditPolicy Module AuditPolicy took 2 seconds to execute Running Checksums Module Checksums took 116 seconds to execute SANS Portland 2007 37 Interpreting the Results To teach you this would require several months (years?) of training and education in operating systems internals, hacking techniques, malware behavior, etc. Ultimately, the results must be reviewed by people with sufficient knowledge of your environment to be able to discern the odd from the routine. July 10 2007 SANS Portland 2007 38 Over the Horizon RAPIER 3.2 Alpha 2 Remote Execution Dynamic Binary Renaming Identify Initiator VISTA support Full x64 support New Modules (Opera, FireFox, Rootkits) SignaCert Module New License: LGPL July 10 2007 SANS Portland 2007 39 Latest Modules Implemented Drivers FFCookies FFCache FFHistory July 10 2007 In Development HeliosLite IceSword OperaCookies OperaHistory OperaCache SANS Portland 2007 40 Tool Release http://code.google.com/p/rapier/source Build Notes: Certain modules rely upon licensed software, or on tools we could not get permission to bundle with a LGPL license. We’ve made it as easy as possible – acquire these on your own and drop into Module folders to get them working. July 10 2007 SANS Portland 2007 41 Gratitude Lawrence Baldwin (SecCheck*) Jem Berkes (md5sums*) Frank Heynes (LADS* tool) Nir Sofer (cprocess* ) Arne Vidstrom (macmatch*, pmdump*) Kevin Stanush (dumpsec*) Parmavex Software (winaudit*) And special thanks to Jesse Kornblum for FRED* as a source of inspiration. July 10 2007 SANS Portland 2007 42 Contributions & Feedback Have an idea for module? Have code ready to drop into a module we don’t already have? Have ideas how to improve it? Contact us: RAPIER.securitytool@gmail.com July 10 2007 SANS Portland 2007 43 Questions? Thank You… Thanks to SANS and Mike Poor for pimping my tool. July 10 2007 SANS Portland 2007 44
© Copyright 2025