Dependencies
- Python 2.7.x
- git
- bottle
- requests
- yara-python
Quickstart
- Clone the project to your local directory (or download the zip file of the project)
$git clone https://github.com/rastrea2r/rastrea2r.git
$cd rastrea2r
- All the dependencies necessary for the tool to run can be installed within a virtual environment via the provided makefile.
$make help
help - display this makefile's help information
venv - create a virtual environment for development
clean - clean all files using .gitignore rules
scrub - clean all files, even untracked files
test - run tests
test-verbose - run tests [verbosely]
check-coverage - perform test coverage checks
check-style - perform pep8 check
fix-style - perform check with autopep8 fixes
docs - generate project documentation
check-docs - quick check docs consistency
serve-docs - serve project html documentation
dist - create a wheel distribution package
dist-test - test a wheel distribution package
dist-upload - upload a wheel distribution package
- Create a virtual environment with all dependencies
$make venv
Once the virtual environment has been created, activate it as instructed by the makefile output, for example:
$source /Users/ssbhat/.venvs/rastrea2r/bin/activate
- Start the rastrea2r server from the $PROJECT_HOME/src/rastrea2r/server folder
$cd src/rastrea2r/server/
$python rastrea2r_server_v0.3.py
Bottle v0.12.13 server starting up (using WSGIRefServer())...
Listening on http://0.0.0.0:8080/
Note that, as the output shows, the server binds to all interfaces (0.0.0.0) on port 8080 over plain HTTP using Bottle's development server. Run it on a network you control and restrict which hosts can reach that port, since clients fetch Yara rules from it and send scan results back to it.
- Now run the client, choosing the script that matches the platform of the endpoint you are scanning. Windows, Linux and Mac are currently supported.
$python rastrea2r_osx_v0.3.py -h
usage: rastrea2r_osx_v0.3.py [-h] [-v] {yara-disk,yara-mem,triage} ...
Rastrea2r RESTful remote Yara/Triage tool for Incident Responders
positional arguments: {yara-disk,yara-mem,triage}
modes of operation
yara-disk Yara scan for file/directory objects on disk
yara-mem Yara scan for running processes in memory
triage Collect triage information from endpoint
optional arguments:
-h, --help show this help message and exit
-v, --version show program's version number and exit
The options available under each mode can be viewed with that mode's own help option, e.g.:
$python rastrea2r_osx_v0.3.py yara-disk -h
usage: rastrea2r_osx_v0.3.py yara-disk [-h] [-s] path server rule
positional arguments:
path File or directory path to scan
server rastrea2r REST server
rule Yara rule on REST server
optional arguments:
-h, --help show this help message and exit
-s, --silent Suppresses standard output
- For example, on a Mac or other Unix system, to scan /opt with the rule test.yar served by a local server:
$cd src/rastrea2r/osx/
$python rastrea2r_osx_v0.3.py yara-disk /opt http://127.0.0.1:8080/ test.yar
Executing rastrea2r on Windows
- In addition to the libraries listed in requirements.txt, the following must be installed:
- PSutil for win64: https://github.com/giampaolo/psutil
- WMI for win32: https://pypi.python.org/pypi/WMI/
- Requests: pip install requests
- Compiling rastrea2r
- Make sure all the dependencies of the client you are going to build are installed on your Windows box, then install:
- Pywin32: http://sourceforge.net/projects/pywin32/files/ ** Windows only
- Pyinstaller: https://github.com/pyinstaller/pyinstaller/wiki
Currently supported functionality
- yara-disk: Yara scan for file/directory objects on disk
- yara-mem: Yara scan for running processes in memory
- memdump: Acquires a memory dump from the endpoint ** Windows only
- triage: Collects triage information from the endpoint ** Windows only
Notes
For the memdump and triage modules (Windows), SMB shares must be set up in this specific way:
- Binaries (Sysinternals tools, batch files and others) must be located in a shared folder called TOOLS (read only)
\\path-to-share-folder\tools
- Output is sent to a shared folder called DATA (write only)
\\path-to-share-folder\data
- For yara-mem and yara-disk scans, the Yara rules must be in the same directory the server is executed from.
- The RESTful API server stores the data it receives from clients in a file called results.txt in that same directory.
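The yara-disk flow from the Quickstart (client fetches a named rule from the REST server, scans a path, reports back) together with the server-side conventions in the Notes above (rules served from the server's directory, reports appended to results.txt), as one added end-to-end example. This is not rastrea2r's own code: it is a self-contained Python 3 sketch (the project itself targets Python 2.7 and Bottle) using only the standard library, with yara-python doing the matching when it is installed and a plain literal-string fallback otherwise. The HTTP routes (/rules/<name> and /results), the JSON report format, the function names and the fixture files are assumptions made for the example, not the project's API. The one thing it adds beyond the flow on the page is the check in safe_rule_path that keeps rule names inside the rules directory, since a rule name is client-supplied input on any server of this kind.

```python
# Added example, not rastrea2r's code; the routes, report format and fallback matcher are assumptions.
import json
import os
import re
import tempfile
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

try:
    import yara                  # yara-python, used when installed
except ImportError:
    yara = None                  # otherwise fall back to literal-string matching

RESULTS_FILE = "results.txt"     # server appends one JSON line per client report


def safe_rule_path(rules_dir, name):
    """Resolve a rule name inside rules_dir; refuse traversal such as '../x'."""
    root = os.path.realpath(rules_dir)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(target) != root or not os.path.isfile(target):
        return None
    return target


def make_handler(rules_dir):
    class Handler(BaseHTTPRequestHandler):
        def reply(self, code, body=b""):
            self.send_response(code)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def do_GET(self):            # GET /rules/<name> -> rule text
            name = self.path[len("/rules/"):] if self.path.startswith("/rules/") else ""
            path = safe_rule_path(rules_dir, name)
            if path is None:
                return self.reply(404)
            with open(path, "rb") as f:
                self.reply(200, f.read())

        def do_POST(self):           # POST /results <- JSON report from a client
            report = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))))
            with open(os.path.join(rules_dir, RESULTS_FILE), "a") as f:
                f.write(json.dumps(report) + "\n")
            self.reply(200)
    return Handler


def compile_matcher(rule_text):
    """Return fn(bytes) -> [names of matching rules]."""
    if yara is not None:
        rules = yara.compile(source=rule_text)
        return lambda data: [m.rule for m in rules.match(data=data)]
    # Fallback (assumption): a rule matches when any of its quoted strings occurs; conditions are ignored.
    lits = {m.group(1): [s.encode() for s in re.findall(r'\$\w+\s*=\s*"([^"]*)"', m.group(2))]
            for m in re.finditer(r"rule\s+(\w+)[^{]*\{(.*?)\}", rule_text, re.S)}
    return lambda data: [n for n, ss in lits.items() if any(s in data for s in ss)]


def scan_path(path, matcher):
    """Scan one file or every file under a directory; one hit per (file, rule)."""
    targets = [path] if os.path.isfile(path) else \
        [os.path.join(d, f) for d, _, fs in os.walk(path) for f in sorted(fs)]
    hits = []
    for target in targets:
        try:
            with open(target, "rb") as f:
                data = f.read()
        except OSError:              # unreadable file: skip it, keep scanning
            continue
        hits.extend({"file": target, "rule": r} for r in matcher(data))
    return hits


def yara_disk(path, server, rule):
    """Same flow as 'yara-disk <path> <server> <rule>': fetch rule, scan, report back."""
    with urlopen(server.rstrip("/") + "/rules/" + rule) as resp:
        hits = scan_path(path, compile_matcher(resp.read().decode()))
    body = json.dumps({"rule": rule, "hits": hits}).encode()
    urlopen(Request(server.rstrip("/") + "/results", data=body,
                    headers={"Content-Type": "application/json"})).close()
    return hits


def demo():
    work = tempfile.mkdtemp()
    files = {  # constructed fixture: one rule, one matching file, one clean file
        "server/test.yar": b'rule demo_marker { strings: $a = "EVIL-MARKER" condition: $a }',
        "opt/bad.bin": b"header EVIL-MARKER tail", "opt/good.txt": b"nothing to see here"}
    for rel, content in files.items():
        os.makedirs(os.path.dirname(os.path.join(work, rel)), exist_ok=True)
        with open(os.path.join(work, rel), "wb") as f:
            f.write(content)
    rules_dir = os.path.join(work, "server")
    httpd = HTTPServer(("127.0.0.1", 0), make_handler(rules_dir))   # ephemeral port, loopback only
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    try:
        hits = yara_disk(os.path.join(work, "opt"), "http://127.0.0.1:%d/" % httpd.server_port, "test.yar")
        blocked = safe_rule_path(rules_dir, "../opt/good.txt") is None   # traversal refused
        with open(os.path.join(rules_dir, RESULTS_FILE)) as f:
            reports = [json.loads(line) for line in f]
    finally:
        httpd.shutdown()
    return {"hits": hits, "traversal_blocked": blocked, "reports": reports}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints the single hit on bad.bin and the one report line the server appended to results.txt. Before pointing yara_disk at a real server, confirm the route names against the server script, since they are assumed here; the fallback matcher is only there so the example runs without yara-python and is not a substitute for real Yara evaluation.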
Contributing to rastrea2r project
The Developer Documentation provides complete information on how to contribute to the rastrea2r project.
Demo videos on Youtube
- Video 1: Incident Response / Triage with rastrea2r on the command line - https://youtu.be/uFIZxqWeSyQ
- Video 2: Remote Yara scans with rastrea2r on the command line - https://youtu.be/cnY1yEslirw
- Video 3: Using rastrea2r with McAfee ePO - Client Tasks & Execution - https://youtu.be/jB17uLtu45Y
Presentations
- rastrea2r at BlackHat Arsenal 2016 (check PDF for documentation on usage and examples) https://www.blackhat.com/us-16/arsenal.html#rastrea2r
- https://github.com/aboutsecurity/Talks-and-Presentations/blob/master/Ismael_Valenzuela-Hunting_for_IOCs_rastrea2r-BH_Arsenal_2016.pdf
- Recording of talk on rastrea2r at the SANS Threat Hunting Summit 2016
- https://www.youtube.com/watch?v=0PvBsL6KKfA&feature=youtu.be&a
Credits & References
- To Robert Gresham Jr. (@rwgresham) and Ryan O'Connor (@_remixed) for their contributions to the Triage module. Thanks folks!
- To Ricardo Dias for the idea of using a REST server and his great paper on how to use Python and Yara with McAfee ePO: http://www.sans.org/reading-room/whitepapers/forensics/intelligence-driven-incident-response-yara-35542