
Or... how to build your own Windows 1st Responder Information Acquisition Tool.
Steve Mancini
July 10 2007
SANS Portland 2007
1
Caveat
The opinions expressed in this presentation are those of the authors (or at least the one talking) and do not reflect the opinions of our employer.
Any resemblance to real persons living, dead or undead is purely coincidental.
No animals were harmed in the making of this presentation or program.
Any resemblance to any place in cyberspace is entirely coincidental.
No other warranty expressed or implied.
Contents may settle during shipment.
Void where prohibited by law.
Some assembly required.
Batteries not included.
Use only as directed.
About the Authors…
Joe Schwendt
8 years at Intel
Incident Commander for IT Emergency Response Team
Responsible for recent coding engine behind RAPIER

Steve Mancini
10 years inside Intel
Info Sec Specialist
Police Reserves
SANS Certs: GSEC, GCIH, GSNA
What’s in a Name?
RPIER vs RAPIER
Intel (R) RPIER is the name of the official GPL release of the tool.
RAPIER is a GPL branch of the tool being developed external to Intel.
So why would you need RAPIER?
Allow me to explain…
April 13, 2007
2007 WA HTCIA Presentation
5
4:19am (PST)
And not a creature was stirring…
You are here. Sleeping.
Zzzzzz…
4:20 am – It all begins
“Oooo. I wonder what getFREEporn.exe is…?”
Your NOC/SOC gets a call…
“All I did was open the attachment and…”
Escalation to 2nd Level Support
Did you update their AV? … And?
Did you run Microsoft Updater? … And?
Time to call in “The Experts”
Huh? Who is this? What time is it?
YOU HAD THEM DO WHAT?!?!?!
Only the 1st drop in the flood…
If I only had root…
More calls. More systems…
“All I did was..”
No single rain drop thinks itself the cause of the flood…
Expertise does not scale well…
No, you run netstat user as…
$(@#&*?+ !!!!
Steve meltdown in 5… 4… 3…
http://www.Monster.com…
all jobs but information security…
And your point is…?
The worst time to learn how to acquire information from a system is during the incident.
Expertise does not scale.
Common responses may trample valuable information: patch, run AV scanners, run spyware scanners, execute automatic OS updater.
Not everyone knows how to acquire the requested information.
Not everyone acquires it in the same fashion.
Incident Handling BKMs (Best Known Methods)
Limit # of 1st Responder decisions.
Automate where possible to free up the incident handler’s focus for bigger event issues.
Provide a complete lifecycle for information gathering, from start to delivery of data.
Expedite/simplify the acquisition of information, since time is of the essence.
No going back: try to gather all data that could be requested by analysts.
Design Goals
Honor the Incident Handling BKMs.
Stand-alone design: rely on system files as little as possible.
Portability: prefer R/W media (USB).
Open Source Rulz: where possible, avoid software you have to pay for.
Point-Click-Drool: bundle it all in an easy-to-use interface.
RAPIER Features
Modular design
Fully configurable GUI
SHA1 verification checksums
Auto-update functionality
Results can be auto-zipped
Auto-uploaded to central repository
Email notification when results are received
2 default scan modes: Fast/Slow
Separated output for faster analysis
Pre/Post run changes report
Configuration file approach
Process priority throttling
Requirements (3.0)
NT-based operating system
.NET Framework 1.1+
Windows Scripting Host 5.6+
Windows Management Interface 1.5+
Results directory must be able to accommodate the size of physical RAM x 1.5.
Under the Hood: RAPIER Architecture
RAPIER: Work Flow
Download RAPIER bundle from site
Update engine and modules (as necessary)
Select modules to be run, configure (as necessary)
Execute RAPIER
Upload sends the results to the designated location
Notify sends an email to analysts
Analyze the results (see more on this later)
RAPIER Networking
It is possible to enhance RAPIER by implementing it over the network:
Uses the HTTP (optionally HTTPS) protocol for all communication
Port is configurable (a port other than 80 is recommended)
Multiple servers can be set up for redundancy/load balancing
Enables the following features:
Distribution
Auto-update functionality
Auto-upload functionality
Central results repository
Central documentation resource (Manual/Training/FAQ)
Manual RAPIER upload and non-RAPIER upload
Initiate Program
Load RAPIER.Conf file
Interpret command line options
Auto Update check (Optional)
Auto Update if necessary (Optional)
Restart EXE (if updated)
Load Modules
Display GUI (Optional)
Program Execution
Pre-Run MAC Checkpoint (Optional)
Run Each Selected Module
Post-Run MAC Checkpoint and Differential Analysis (Optional)
Compress results (Optional)
Upload results (Optional)
Send Email Notification (Optional)
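The Pre-Run / Post-Run MAC Checkpoint and Differential Analysis steps above, as an added example in Python rather than RAPIER's own VBScript: it records Modify/Access/Create times and a SHA1 per file under a directory before and after the modules run, then reports what the acquisition itself added, removed or changed. The function names and the temp-directory scenario in demo() are constructed for this example and are not RAPIER's code.

```python
import hashlib
import os
import tempfile

def sha1_file(path, chunk=65536):
    """SHA1 of a file, streamed so large artefacts (memory dumps) fit in RAM."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def mac_checkpoint(root):
    """Record (mtime, atime, ctime, sha1) per file under root. On Windows st_ctime
    is the creation time, the C in MAC. Note that hashing reads every file and may
    itself update atime: exactly the footprint the post-run differential documents."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            snap[os.path.relpath(full, root)] = (
                st.st_mtime, st.st_atime, st.st_ctime, sha1_file(full))
    return snap

def mac_diff(before, after):
    """Differential analysis: files added, removed or changed between checkpoints."""
    changed = []
    for rel in sorted(before.keys() & after.keys()):
        b, a = before[rel], after[rel]
        if b[3] != a[3]:
            changed.append((rel, "content"))
        elif b[:3] != a[:3]:
            changed.append((rel, "timestamps only"))
    return {"added": sorted(after.keys() - before.keys()),
            "removed": sorted(before.keys() - after.keys()),
            "changed": changed}

def demo():
    """Constructed scenario: rewrite one file, delete one, create one, then diff."""
    root = tempfile.mkdtemp()
    for name, text in (("a.txt", "before"), ("gone.txt", "bye"), ("keep.txt", "same")):
        with open(os.path.join(root, name), "w") as fh:
            fh.write(text)
    pre = mac_checkpoint(root)
    with open(os.path.join(root, "a.txt"), "w") as fh:
        fh.write("after")
    os.remove(os.path.join(root, "gone.txt"))
    with open(os.path.join(root, "new.txt"), "w") as fh:
        fh.write("x")
    return mac_diff(pre, mac_checkpoint(root))
```

Files whose content is unchanged but whose access time moved show up as "timestamps only", which is how the report separates the tool's own reads from real modifications.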
RAPIER Modules
Module Architecture
Based on VBScript
RAPIER.vbi is a large library of VBScript functions to reference
Modules can have individual conf files to allow for end user configuration
Modules are stand alone
Can be added/removed at will
Allows for independent development/testing
Familiar Programs
Behind the module wrapper are programs most incident handlers are familiar with:
Auditpol.exe
Md5sums.exe
Dumpsec from Somarsoft
Sysinternals listdlls.exe, handle.exe
Pasco.exe / galleta.exe
Dumpel.exe
Macmatch.exe
Net *
Fport.exe
Netstat, nbtstat
Promqry.exe
Reg3.exe
Secheck.exe
Winaudit from Parmavex
Streams.exe
dd.exe
Pmdump.exe
Hfind.exe
Stegdetect.exe
MBSA
Feature Module Output
Volatile Information
Complete list of running processes
Locations of those processes on disk
Ports those processes are using
Checksums for all running processes
Dump memory for all running processes
All DLLs currently loaded and their checksum
Capture last Modify/Access/Create times for designated areas
All files that are currently open
Net (start/share/user/file/session)
Output from nbtstat and netstat
Document all open shares/exports on system
Capture current routing tables
List of all network connections
Layer 3 traffic samples
Capture logged-in users

Static Information
System name
Basic system info (peripherals, BIOS, drivers, etc.)
System startup commands
MAC address
List of installed services
Local account and policy information
Current patches installed on system
Current AV versions
Files with alternate data streams
Discover files marked as hidden
List of all installed software on system (known to registry)
Capture system logs
Capture of AV logs
Copies of application caches (temporary internet files): IE, FF, Opera
Export entire registry
Search/retrieve files based on search criteria
The following slides repeat the same volatile/static output list under each module category:
System Configuration
Processes
Networking
Logs & Cache Information
Files
Output
Format: ASCII text
Each module produces its own output
Easier to disperse/manage results
Default path uses date & time
Good for “Before & After” executions
Output Sample: AuditPol
==========================================================
LogFile Located at G:\RAPIER\3.1A2\Results\***\2007-04-12\22-47\AuditPolicy.log
RAPIER Library Version=2005.06.06.01
System Name=PXPL4626
Build Info=Intel Corporation Intel Corporation User
Processor(s) Quantity and Name=2xGenuine Intel(R) CPU T2400 @ 1.83GHz
Module Name=AuditPolicy
Description=Windows Audit Policy status
Execute Time=Thur 2007/04/12 22:58:08
Running ...
(X) Audit Enabled
System                   = Success and Failure
Logon                    = Success and Failure
Object Access            = No
Privilege Use            = No
Process Tracking         = No
Policy Change            = Success and Failure
Account Management       = Success and Failure
Directory Service Access = No
Account Logon            = Success and Failure
Execute Duration (in seconds)=2
Output Sample: RAPIER LOG
2007-04-12 22:47:25: RAPIER 3.2.2652.36045 started
2007-04-12 22:47:25: Results Directory: G:\Results\****\2007-04-12\22-47
2007-04-12 22:47:26: Importing Modules
2007-04-12 22:47:27: Added AuditPolicy to the Module List
2007-04-12 22:47:27: Added Checksums to the Module List
2007-04-12 22:47:27: Added CmdLines to the Module List
2007-04-12 22:47:27: Added Drivers to the Module List
….
2007-04-12 22:58:06: Running AuditPolicy
2007-04-12 22:58:09: Module AuditPolicy took 2 seconds to execute
2007-04-12 22:58:09: Running Checksums
2007-04-12 23:00:06: Module Checksums took 116 seconds to execute
Interpreting the Results
To teach you this would require several months (years?) of training and education in operating systems internals, hacking techniques, malware behavior, etc.
Ultimately, the results must be reviewed by people with sufficient knowledge of your environment to be able to discern the odd from the routine.
Over the Horizon
RAPIER 3.2 Alpha 2
Remote Execution
Dynamic Binary Renaming
Identify Initiator
VISTA support
Full x64 support
New Modules (Opera, FireFox, Rootkits)
SignaCert Module
New License: LGPL
Latest Modules
Implemented: Drivers, FFCookies, FFCache, FFHistory
In Development: HeliosLite, IceSword, OperaCookies, OperaHistory, OperaCache
Tool Release
http://code.google.com/p/rapier/source
Build Notes:
Certain modules rely upon licensed software, or on tools we could not get permission to bundle with a LGPL license.
We’ve made it as easy as possible: acquire these on your own and drop them into the Module folders to get them working.
Gratitude
Lawrence Baldwin (SecCheck*)
Jem Berkes (md5sums*)
Frank Heynes (LADS* tool)
Nir Sofer (cprocess* )
Arne Vidstrom (macmatch*, pmdump*)
Kevin Stanush (dumpsec*)
Parmavex Software (winaudit*)
And special thanks to Jesse Kornblum for FRED* as
a source of inspiration.
Contributions & Feedback
Have an idea for a module?
Have code ready to drop into a module we don’t already have?
Have ideas on how to improve it?
Contact us:
[email protected]
Questions?
Thank You…
Thanks to SANS and Mike Poor for pimping my tool.