Thursday, August 27, 2020

Rastrea2R - Collecting & Hunting For IOCs With Gusto And Style



Ever wanted to turn your AV console into an Incident Response & Threat Hunting machine? Rastrea2r (pronounced "rastreador", Spanish for "hunter") is a multi-platform open source tool that allows incident responders and SOC analysts to triage suspect systems and hunt for Indicators of Compromise (IOCs) across thousands of endpoints in minutes. To parse and collect artifacts of interest from remote systems (including memory dumps), rastrea2r can execute Sysinternals tools, system commands and other 3rd party tools across multiple endpoints, saving the output to a centralized share for automated or manual analysis. By using a client/server RESTful API, rastrea2r can also hunt for IOCs on disk and in memory across multiple systems using YARA rules. As a command line tool, rastrea2r can be easily integrated within McAfee ePO, as well as other AV consoles and orchestration tools, allowing incident responders and SOC analysts to collect forensic evidence and hunt for IOCs without the need for an additional agent, with 'gusto' and style!


Dependencies
  • Python 2.7.x
  • git
  • bottle
  • requests
  • yara-python

Quickstart
  • Clone the project to your local directory (or download the zip file of the project)
$git clone https://github.com/rastrea2r/rastrea2r.git
$cd rastrea2r
  • All the dependencies necessary for the tool to run can be installed within a virtual environment via the provided makefile.
$make help
help - display this makefile's help information
venv - create a virtual environment for development
clean - clean all files using .gitignore rules
scrub - clean all files, even untracked files
test - run tests
test-verbose - run tests [verbosely]
check-coverage - perform test coverage checks
check-style - perform pep8 check
fix-style - perform check with autopep8 fixes
docs - generate project documentation
check-docs - quick check docs consistency
serve-docs - serve project html documentation
dist - create a wheel distribution package
dist-test - test a wheel distribution package
dist-upload - upload a wheel distribution package
  • Create a virtual environment with all dependencies
$make venv
Upon successful creation of the virtual environment, activate it as instructed, for example:
$source /Users/ssbhat/.venvs/rastrea2r/bin/activate
  • Start the rastrea2r server by going to $PROJECT_HOME/src/rastrea2r/server folder
$cd src/rastrea2r/server/
$python rastrea2r_server_v0.3.py
Bottle v0.12.13 server starting up (using WSGIRefServer())...
Listening on http://0.0.0.0:8080/
  • Now execute the client program. Choose the client script that matches the platform you are scanning; currently Windows, Linux and Mac platforms are supported.
$python rastrea2r_osx_v0.3.py -h
usage: rastrea2r_osx_v0.3.py [-h] [-v] {yara-disk,yara-mem,triage} ...

Rastrea2r RESTful remote Yara/Triage tool for Incident Responders

positional arguments: {yara-disk,yara-mem,triage}

modes of operation
yara-disk Yara scan for file/directory objects on disk
yara-mem Yara scan for running processes in memory
triage Collect triage information from endpoint

optional arguments:
-h, --help show this help message and exit
-v, --version show program's version number and exit


Furthermore, the options available under each command can be viewed by passing the help option to that command, i.e.:

$python rastrea2r_osx_v0.3.py yara-disk -h
usage: rastrea2r_osx_v0.3.py yara-disk [-h] [-s] path server rule

positional arguments:
path File or directory path to scan
server rastrea2r REST server
rule Yara rule on REST server

optional arguments:
-h, --help show this help message and exit
-s, --silent Suppresses standard output
  • For example, on a Mac or Unix system you would run:
$cd src/rastrea2r/osx/

$python rastrea2r_osx_v0.3.py yara-disk /opt http://127.0.0.1:8080/ test.yar

Executing rastrea2r on Windows

Currently Supported functionality
  • yara-disk: Yara scan for file/directory objects on disk
  • yara-mem: Yara scan for running processes in memory
  • memdump: Acquires a memory dump from the endpoint ** Windows only
  • triage: Collects triage information from the endpoint ** Windows only

Notes
For memdump and triage modules, SMB shares must be set up in this specific way:
  • Binaries (sysinternals, batch files and others) must be located in a shared folder called TOOLS (read only)
    \\path-to-share-folder\tools
  • Output is sent to a shared folder called DATA (write only)
    \\path-to-share-folder\data
  • For yara-mem and yara-disk scans, the yara rules must be in the same directory where the server is executed from.
  • The RESTful API server stores data received in a file called results.txt in the same directory.
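The client/server exchange the Quickstart and the Notes describe (the client fetches a YARA rule kept in the server's directory, scans, and the server appends what it receives to results.txt), as an added example that is not rastrea2r's own code: a loopback-only, standard-library stand-in, whose /rule/<name> and /results routes, the JSON report shape and the sample rule are assumptions and not the project's real API.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path
from urllib.request import Request, urlopen

# Constructed stand-in for a test.yar kept in the server's working directory.
RULES = {"test.yar": 'rule demo { strings: $a = "suspicious" condition: $a }'}
RESULTS_FILE = Path("results.txt")  # the README says reports land in results.txt

class Handler(BaseHTTPRequestHandler):
    def log_message(self, *_):
        pass  # keep the demo quiet

    def do_GET(self):
        # GET /rule/<name> (assumed route): bare file-name lookup, no path traversal.
        rule = RULES.get(self.path.rsplit("/", 1)[-1])
        if rule is None:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(rule.encode())

    def do_POST(self):
        # POST /results (assumed route): append one JSON line per scan report.
        length = int(self.headers.get("Content-Length", 0))
        record = json.loads(self.rfile.read(length))
        with RESULTS_FILE.open("a", encoding="utf-8") as fh:
            fh.write(json.dumps(record) + "\n")
        self.send_response(204)
        self.end_headers()

def start_server(port=0):
    # Loopback only; port 0 lets the OS pick a free port for the demo.
    srv = HTTPServer(("127.0.0.1", port), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def fetch_rule(server, rule):
    # Client side: pull the named rule from the server before scanning.
    with urlopen(f"{server}/rule/{rule}") as resp:
        return resp.read().decode()

def report(server, host, rule, path, matched):
    body = json.dumps({"host": host, "rule": rule, "path": path, "matched": matched}).encode()
    req = Request(f"{server}/results", data=body, headers={"Content-Type": "application/json"})
    with urlopen(req) as resp:
        return resp.status
```

The real server is started from the directory holding the rules, so the rule name in the client command (test.yar above) must match a file in that directory.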

Contributing to rastrea2r project
The Developer Documentation provides complete information on how to contribute to rastrea2r project

Demo videos on Youtube

Presentations

Credits & References


