Compromise Assessment / Triage Analysis Tools:
Two of the best tools for triage analysis once a system is suspected of being compromised:
Redline - FireEye
CrowdResponse - CrowdStrike
Redline:
Redline, FireEye's premier free endpoint security tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile.
- Thoroughly audit and collect all running processes and drivers from memory, file-system metadata, registry data, event logs, network information, services, tasks and web history.
- Analyze and view imported audit data, including the ability to filter results around a given timeframe using Redline’s Timeline functionality with the TimeWrinkle™ and TimeCrunch™ features.
- Streamline memory analysis with a proven workflow for analyzing malware based on relative priority.
- Perform Indicators of Compromise (IOC) analysis. Supplied with a set of IOCs, the Redline Portable Agent is automatically configured to gather the data required to perform the IOC analysis and an IOC hit result review.
- Supported Operating Systems: Windows XP, Windows Vista, Windows 7, Windows 8 (32-bit and 64-bit), Windows 10
- File Size: 76 MB
- Integrity Hashes:
- MD5: 2edb1d0e023f286ea5015cdf1382d642
- SHA-1: e38fe8cc81dc5491d38b61db0fff165cdd3ed35d
https://www.fireeye.com/content/dam/fireeye-www/services/freeware/sdl-redline.zip
CrowdResponse:
Static Host Data Collection Tool.
There is no installer for this tool. Simply unzip the contents of the downloaded ZIP file into a location of your choosing and launch it directly from there. Uninstalling works the same way: delete the file(s) you extracted by moving them to the Recycle Bin or permanently deleting them. A very small number of elements may remain in the Registry.
These can be safely ignored, or manually deleted by using a registry editing tool (e.g. regedit) and navigating to
HKEY_LOCAL_MACHINE\Software\CrowdStrike
or HKEY_CURRENT_USER\Software\CrowdStrike
noting the name of the tool there and removing the branch.
Hashes:
- MD5 c94edf14e5e1b205813b949b7904b95e
- SHA1 bf48a7c0e32fd8f67b11eebb69f836a60de2f9e1
- SHA256 3b5f07d83af34f16f79f8cc1f77d6a0827d7dee57a4be8f667767ce325ac5d00
Download Link:
https://www.crowdstrike.com/wp-content/community-tools/CrowdResponse.zip
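Because both tools are run directly from an extracted ZIP on the suspect host, the published digests above are the only thing standing between you and a tampered download. The following PowerShell script is an added example, not part of the original notes or of either vendor's tooling: it recomputes each digest with Get-FileHash and compares it against the values listed on this page, and it also lists any CrowdStrike registry branches left behind after CrowdResponse is removed. The download paths under $env:USERPROFILE\Downloads are assumptions; adjust them to wherever the archives were saved. Only MD5 and SHA-1 are published for Redline, so a match there is weaker evidence than the SHA-256 match available for CrowdResponse; check every digest the vendor publishes rather than just one.

```powershell
# Added example (not part of the original page or of FireEye/CrowdStrike tooling).
# Expected digests are the ones published on this page; file paths are assumptions.
$ExpectedHashes = @{
    'sdl-redline.zip' = @{
        MD5  = '2edb1d0e023f286ea5015cdf1382d642'
        SHA1 = 'e38fe8cc81dc5491d38b61db0fff165cdd3ed35d'
    }
    'CrowdResponse.zip' = @{
        MD5    = 'c94edf14e5e1b205813b949b7904b95e'
        SHA1   = 'bf48a7c0e32fd8f67b11eebb69f836a60de2f9e1'
        SHA256 = '3b5f07d83af34f16f79f8cc1f77d6a0827d7dee57a4be8f667767ce325ac5d00'
    }
}

function Test-TriageToolHash {
    # Recompute every algorithm we have a published value for and report each match.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$Expected
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }
    foreach ($algorithm in $Expected.Keys) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm $algorithm).Hash.ToLowerInvariant()
        [pscustomobject]@{
            File      = Split-Path -Leaf $Path
            Algorithm = $algorithm
            Expected  = $Expected[$algorithm]
            Actual    = $actual
            Match     = ($actual -eq $Expected[$algorithm].ToLowerInvariant())
        }
    }
}

function Get-CrowdStrikeRegistryLeftovers {
    # The page names these two branches as where CrowdResponse may leave entries behind.
    $branches = 'HKLM:\Software\CrowdStrike', 'HKCU:\Software\CrowdStrike'
    foreach ($branch in $branches) {
        if (Test-Path -LiteralPath $branch) {
            Get-ChildItem -LiteralPath $branch -Recurse -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty Name
        }
    }
}

# Usage: assumed download locations; point these at wherever you saved the archives.
$downloads = @{
    'sdl-redline.zip'   = "$env:USERPROFILE\Downloads\sdl-redline.zip"
    'CrowdResponse.zip' = "$env:USERPROFILE\Downloads\CrowdResponse.zip"
}
$report = foreach ($name in $downloads.Keys) {
    if (Test-Path -LiteralPath $downloads[$name]) {
        Test-TriageToolHash -Path $downloads[$name] -Expected $ExpectedHashes[$name]
    }
}
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Match }) {
    Write-Warning 'At least one digest does not match the published value; do not run that archive.'
}

# After removing CrowdResponse, anything listed here is a leftover branch the page says is safe to delete.
Get-CrowdStrikeRegistryLeftovers
```

Get-FileHash ships with PowerShell 4.0 and later, so this runs unmodified on every Windows version in Redline's supported list from Windows 7 onward; on an older host, compute the digests on a separate analyst workstation before copying the archive over.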