Thursday, March 13, 2014

Free Toolkit For Incident Response - Crowd Response

                     is a community-based platform that may eventually support as many as 25 software modules, each serving a different aspect of the incident response process, Kurtz says. This week's release includes three modules: @dirtlist, @pslist, and @yara.


This is the directory-listing module. This sounds quite simple, but it is actually extremely powerful.
The CrowdResponse DirList module enables the following features:
  • Verify and display digital signature information
  • Utilize a path exclusion/inclusion regular expression filter that acts on the full path name
  • Use a file wildcard mask to limit processing to specific file name components
  • SHA256 and MD5 file hashing
  • Perform "quick" hash of only the first 512 bytes of the file
  • Option to not hash files greater than a given size
  • Display application resource information
  • Select recursive listings and control recursion depth
  • Display creation, modification and access times for files
  • Optionally process only Windows executable (PE) files


This is the active running process listing module.
The CrowdResponse PSList module enables the following features:
  • Verify the digital signature of the process executable
  • Obtain process command line
  • Obtain detailed PE file information for each process executable
  • Perform SHA256 and MD5 hashes of process executables
  • Enumerate loaded modules for each process
  • Control PE output detail level of function names for imports and exports
  • Control PE output detail level of resource information
  • Control format (nested or flat) for PE file resource information
  • Check for process thread injection


The YARA processing module is the one I am most excited about. YARA will be familiar to many as an incredibly useful tool aimed at helping malware researchers identify and classify malware. It can act on files on disk or in-memory process images and runs a set of pattern matching rules against the target of investigation.
While we have incorporated a fully functional version of YARA into CrowdResponse, we have made it very simple to use for analyzing all active process binaries and memory. Along with the regular ability to target a specific single-process ID or one or more files, we can automatically enumerate all running processes and launch YARA rules against them all by simply specifying a single tool option. This enables quick and easy evaluation of a system without resorting to cumbersome scripting. This functionality greatly speeds the scan time and aids a responder in quickly pinpointing adversary activity on a suspect system.
The CrowdResponse YARA module enables the following features:
  • Scan memory of all currently active running processes
  • Scan on-disk files of all currently active running processes
  • Download YARA rule files from a provided URL
  • Control target path recursion depth
  • Utilize a target path exclusion/inclusion regular expression filter that acts on the full path name
  • Use a file target wildcard mask to limit processing to specific file name components
  • Option to only show positive hits
  • Option to specify YARA rule file name mask
  • Utilize a YARA file inclusion regular expression filter that acts on the full path name
  • Scan all loaded module files of active processes
  • Operate on a single process ID
  • Optional recursion into provided YARA rules directory

Crowd Response is a lightweight Windows console application designed to aid in the gathering of system information for incident response and security engagements. The application contains numerous modules, each of them invoked by providing specific command line parameters to the main application. Modules are all built into the main application in C++ language utilizing the Win32 API to achieve their functionality.
Crowd Response results may be viewed in a variety of ways, particularly when leveraging CrowdStrike’s CRconvert. By default, output from Crowd Response is provided in an XML file. CRconvert will flatten this XML to CSV, TSV or HTML, if desired. The various format options were created to support the different needs and analysis preferences of the end user.
Supported Operating Systems: The tool runs on 32 bit and 64 bit versions of Windows from XP and above.

Download Link : Click Here
  • MD5 87b58fb3da849cedff3a107bfe600e9b
  • SHA1 08e5bed8e7ba7316e6ff23610561b14057a58d4c
  • SHA256 c5ab1006f47bba30fe23bccf9eebedf824efa3bc6212989c748aa147221b5103

1 comment:

  1. I found this blog very helpful. Incident response process is a collection of procedures aimed at identifying, investigating and responding to potential security incidents.


Open source Tools for Live Meeting(Web Conferencing)

posts. Guys the most of you find these posts a valuable resource for the e-Learning community. As a result, the following post is Free and Open Source Web Conferencing (Online Meetings, Webinars) Tools for e-Learning.

The following list contains free and open source Web Conferencing tools that are n't in particular order.

Also, you should be sure that the e-Learning community will highly appreciate:

  1. if you post a comment with your experience with these tools and/or,

  2. if you post a comment with a link to any other free and open source Web Conferencing tool.

We support Free eLearning! Do you?

I support Free eLearning

BigBluebutton* is built for Higher Education. It enables universities and colleges to deliver a high-quality learning experience to remote students. BigBlueButton is an active open source project that focuses on usability, modularity, and clean design -- both for the user and the developer. The project is hosted at Google Code. BigBlueButton is built by combining over fourteen open source components.

*note: Epignosis has created a module that provides integration of BigBlueButton conferencing in eFront Open Source Learning Management System. BigBlueButton is a free web-conferencing tool with text chat, audio and video capabilites, a virtual whiteboard and many more presentation and conferencing features.

OpenMeetings is a free browser-based software that allows you to set up instantly a conference in the Web. You can use your microphone or webcam, share documents on a white board, share your screen or record meetings. It is available as hosted service or you download and install a package on your server with no limitations in usage or users.

OpenMeetings Key Features Mini Demo

Mikogo is a free desktop sharing tool full of features to assist you in conducting the perfect online meeting or web conference. Take advantage of the opportunity to share any screen content or application over the Internet in true color quality with up to 10 participants simultaneously, while still sitting at your desk.

Yugma free web conferencing allows anyone, anywhere to instantly share their desktop and ideas online with others. To start hosting your own meetings you have to sign up for FREE. Your Yugma Free web conferencing account allows you to invite up to 20 attendees

Using WebHuddle, you have options and flexibility. Meetings can be conducted either in conjunction with an enterprise’s existing teleconferencing service, or utilizing WebHuddle’s optional voice over IP. WebHuddle also offers recording capabilities -- presentations can easily be recorded for playback over any web browser for those who missed the live meeting.

With Vyew you can give a presentation to a hundred people online or post a document you've been working on for review by your colleagues at the convenience. Vyew is extremely flexible alloying you to bring online collaboration and conferencing into your workflow on your terms.

Dimdim delivers synchronized live presentations, whiteboards and web pages while sharing your voice and video over the Internet - with no download. With the Free edition you can get 10 person meetings, 1 way video, standard support, Dimdim branded rooms, and public meetings.

*note: Epignosis has created a module that provides integration of Dimdim conferencing in eFront  Open Source Learning Management System.

Adobe® ConnectNow is a great way to share ideas, discuss details, and complete work with others all online. Reduce travel costs, save time, and increase productivity with a web conferencing solution that's easy to access and simple to use. ConnectNow operates inside a web browser. There's no installation required, so getting started is easy and Free