Ever wanted to turn your AV console into an Incident Response & Threat Hunting machine? Rastrea2r (pronounced "rastreador" - hunter - in Spanish) is a multi-platform open source tool that allows incident responders and SOC analysts to triage suspect systems and hunt for Indicators of Compromise (IOCs) across thousands of endpoints in minutes. To parse and collect artifacts of interest from remote systems (including memory dumps), rastrea2r can execute Sysinternals tools, system commands and other 3rd party tools across multiple endpoints, saving the output to a centralized share for automated or manual analysis. By using a client/server RESTful API, rastrea2r can also hunt for IOCs on disk and in memory across multiple systems using YARA rules. As a command line tool, rastrea2r can be easily integrated within McAfee ePO, as well as other AV consoles and orchestration tools, allowing incident responders and SOC analysts to collect forensic evidence and hunt for IOCs without the need for an additional agent, with 'gusto' and style!
Dependencies
- Python 2.7.x
- git
- bottle
- requests
- yara-python
Quickstart
- Clone the project to your local directory (or download the zip file of the project)
$git clone https://github.com/rastrea2r/rastrea2r.git
$cd rastrea2r
- All the dependencies necessary for the tool to run can be installed within a virtual environment via the provided makefile.
$make help
help - display this makefile's help information
venv - create a virtual environment for development
clean - clean all files using .gitignore rules
scrub - clean all files, even untracked files
test - run tests
test-verbose - run tests [verbosely]
check-coverage - perform test coverage checks
check-style - perform pep8 check
fix-style - perform check with autopep8 fixes
docs - generate project documentation
check-docs - quick check docs consistency
serve-docs - serve project html documentation
dist - create a wheel distribution package
dist-test - test a wheel distribution package
dist-upload - upload a wheel distribution package
- Create a virtual environment with all dependencies
$make venv
// Upon successful creation of the virtual environment, activate it as instructed, for example:
$source /Users/ssbhat/.venvs/rastrea2r/bin/activate
- Start the rastrea2r server by going to $PROJECT_HOME/src/rastrea2r/server folder
$cd src/rastrea2r/server/
$python rastrea2r_server_v0.3.py
Bottle v0.12.13 server starting up (using WSGIRefServer())...
Listening on http://0.0.0.0:8080/
- Now execute the client program, choosing the Python script that matches the platform you are scanning. Currently Windows, Linux and Mac platforms are supported.
$python rastrea2r_osx_v0.3.py -h
usage: rastrea2r_osx_v0.3.py [-h] [-v] {yara-disk,yara-mem,triage} ...
Rastrea2r RESTful remote Yara/Triage tool for Incident Responders
positional arguments: {yara-disk,yara-mem,triage}
modes of operation
yara-disk Yara scan for file/directory objects on disk
yara-mem Yara scan for running processes in memory
triage Collect triage information from endpoint
optional arguments:
-h, --help show this help message and exit
-v, --version show program's version number and exit
Furthermore, the options available under each command can be viewed by executing the help option, i.e.
$python rastrea2r_osx_v0.3.py yara-disk -h
usage: rastrea2r_osx_v0.3.py yara-disk [-h] [-s] path server rule
positional arguments:
path File or directory path to scan
server rastrea2r REST server
rule Yara rule on REST server
optional arguments:
-h, --help show this help message and exit
-s, --silent Suppresses standard output
- For example, on a Mac or Unix system you would run:
$cd src/rastrea2r/osx/
$python rastrea2r_osx_v0.3.py yara-disk /opt http://127.0.0.1:8080/ test.yar
Executing rastrea2r on Windows
- Apart from the libraries specified in requirements.txt, the following libraries also need to be installed:
- PSutil for win64: https://github.com/giampaolo/psutil
- WMI for win32: https://pypi.python.org/pypi/WMI/
- Requests: pip install requests
- Compiling rastrea2r
- Make sure you have all the dependencies installed for the binary you are going to build on your Windows box. Then install:
- Pywin32: http://sourceforge.net/projects/pywin32/files/ ** Windows only
- Pyinstaller: https://github.com/pyinstaller/pyinstaller/wiki
Currently Supported functionality
- yara-disk: Yara scan for file/directory objects on disk
- yara-mem: Yara scan for running processes in memory
- memdump: Acquires a memory dump from the endpoint ** Windows only
- triage: Collects triage information from the endpoint ** Windows only
Notes
For the memdump and triage modules, SMB shares must be set up in this specific way:
- Binaries (Sysinternals tools, batch files and others) must be located in a shared folder called TOOLS (read only):
\\path-to-share-folder\tools
- Output is sent to a shared folder called DATA (write only):
\\path-to-share-folder\data
- For yara-mem and yara-disk scans, the yara rules must be in the same directory where the server is executed from.
- The RESTful API server stores data received in a file called results.txt in the same directory.
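The share layout above, as an added PowerShell example that is not part of the rastrea2r project: it creates the TOOLS (read-only) and DATA (write-only) shares the memdump and triage modules expect. The share root C:\rastrea2r and the groups CORP\IR-Endpoints and CORP\IR-Analysts are placeholders to adjust to your environment.

```powershell
# Added example (not rastrea2r's own code). Placeholders: share root and group names.
$Root      = 'C:\rastrea2r'
$Endpoints = 'CORP\IR-Endpoints'   # accounts under which the rastrea2r client runs
$Analysts  = 'CORP\IR-Analysts'    # people who read what the endpoints drop into DATA

New-Item -ItemType Directory -Path "$Root\tools", "$Root\data" -Force | Out-Null

# NTFS level: drop inherited ACEs so only the explicit grants below apply.
# TOOLS: endpoints may read and execute, never modify the binaries they run.
icacls "$Root\tools" /inheritance:r /grant "BUILTIN\Administrators:(OI)(CI)F" `
    "${Analysts}:(OI)(CI)M" "${Endpoints}:(OI)(CI)RX"
# DATA: endpoints get W only (create/append), so one host cannot list or read
# the triage output and memory dumps collected from other hosts.
icacls "$Root\data"  /inheritance:r /grant "BUILTIN\Administrators:(OI)(CI)F" `
    "${Analysts}:(OI)(CI)M" "${Endpoints}:(OI)(CI)W"

# Share level: there is no pure "write" right on a share, so DATA gets Change
# and the NTFS W-only ACE above is what enforces write-only for endpoints.
New-SmbShare -Name 'TOOLS' -Path "$Root\tools" -ReadAccess $Endpoints -FullAccess $Analysts
New-SmbShare -Name 'DATA'  -Path "$Root\data"  -ChangeAccess $Endpoints -FullAccess $Analysts

# Verify effective share permissions before pointing endpoints at
# \\<server>\TOOLS and \\<server>\DATA.
Get-SmbShareAccess -Name 'TOOLS', 'DATA' | Format-Table Name, AccountName, AccessRight
```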
Contributing to rastrea2r project
The Developer Documentation provides complete information on how to contribute to the rastrea2r project.
Demo videos on Youtube
- Video 1: Incident Response / Triage with rastrea2r on the command line - https://youtu.be/uFIZxqWeSyQ
- Video 2: Remote Yara scans with rastrea2r on the command line - https://youtu.be/cnY1yEslirw
- Video 3: Using rastrea2r with McAfee ePO - Client Tasks & Execution - https://youtu.be/jB17uLtu45Y
Presentations
- rastrea2r at BlackHat Arsenal 2016 (check PDF for documentation on usage and examples) https://www.blackhat.com/us-16/arsenal.html#rastrea2r
- https://github.com/aboutsecurity/Talks-and-Presentations/blob/master/Ismael_Valenzuela-Hunting_for_IOCs_rastrea2r-BH_Arsenal_2016.pdf
- Recording of talk on rastrea2r at the SANS Threat Hunting Summit 2016
- https://www.youtube.com/watch?v=0PvBsL6KKfA&feature=youtu.be&a
Credits & References
- To Robert Gresham Jr. (@rwgresham) and Ryan O'Connor (@_remixed) for their contributions to the Triage module. Thanks folks!
- To Ricardo Dias for the idea of using a REST server and his great paper on how to use Python and Yara with McAfee ePO: http://www.sans.org/reading-room/whitepapers/forensics/intelligence-driven-incident-response-yara-35542