Free Toolkit For Incident Response - Crowd Response

CrowdResponse:
                     is a community-based platform that may eventually support as many as 25 software modules, each serving a different aspect of the incident response process, Kurtz says. This week's release includes three modules: @dirtlist, @pslist, and @yara.

@dirlist

This is the directory-listing module. This sounds quite simple, but it is actually extremely powerful.
The CrowdResponse DirList module enables the following features:

• Verify and display digital signature information
• Utilize a path exclusion/inclusion regular expression filter that acts on the full path name
• Use a file wildcard mask to limit processing to specific file name components
• SHA256 and MD5 file hashing
• Perform "quick" hash of only the first 512 bytes of the file
• Option to not hash files greater than a given size
• Display application resource information
• Select recursive listings and control recursion depth
• Display creation, modification and access times for files
• Optionally process only Windows executable (PE) files

@pslist

This is the active running process listing module.
The CrowdResponse PSList module enables the following features:

• Verify the digital signature of the process executable
• Obtain process command line
• Obtain detailed PE file information for each process executable
• Perform SHA256 and MD5 hashes of process executables
• Enumerate loaded modules for each process
• Control PE output detail level of function names for imports and exports
• Control PE output detail level of resource information
• Control format (nested or flat) for PE file resource information
• Check for process thread injection

@yara

The YARA processing module is the one I am most excited about. YARA will be familiar to many as an incredibly useful tool aimed at helping malware researchers identify and classify malware. It can act on files on disk or in-memory process images and runs a set of pattern matching rules against the target of investigation.
While we have incorporated a fully functional version of YARA into CrowdResponse, we have made it very simple to use for analyzing all active process binaries and memory. Along with the regular ability to target a specific single-process ID or one or more files, we can automatically enumerate all running processes and launch YARA rules against them all by simply specifying a single tool option. This enables quick and easy evaluation of a system without resorting to cumbersome scripting. This functionality greatly speeds the scan time and aids a responder in quickly pinpointing adversary activity on a suspect system.
The CrowdResponse YARA module enables the following features:

• Scan memory of all currently active running processes
• Scan on-disk files of all currently active running processes
• Download YARA rule files from a provided URL
• Control target path recursion depth
• Utilize a target path exclusion/inclusion regular expression filter that acts on the full path name
• Use a file target wildcard mask to limit processing to specific file name components
• Option to only show positive hits
• Option to specify YARA rule file name mask
• Utilize a YARA file inclusion regular expression filter that acts on the full path name
• Scan all loaded module files of active processes
• Operate on a single process ID
• Optional recursion into provided YARA rules directory

Crowd Response is a lightweight Windows console application designed to aid in the gathering of system information for incident response and security engagements. The application contains numerous modules, each of them invoked by providing specific command line parameters to the main application. Modules are all built into the main application in C++ language utilizing the Win32 API to achieve their functionality.
Crowd Response results may be viewed in a variety of ways, particularly when leveraging CrowdStrike’s CRconvert. By default, output from Crowd Response is provided in an XML file. CRconvert will flatten this XML to CSV, TSV or HTML, if desired. The various format options were created to support the different needs and analysis preferences of the end user.
Supported Operating Systems: The tool runs on 32 bit and 64 bit versions of Windows from XP and above.


Download Link : Click Here

• MD5 87b58fb3da849cedff3a107bfe600e9b
  
• SHA1 08e5bed8e7ba7316e6ff23610561b14057a58d4c
  
• SHA256 c5ab1006f47bba30fe23bccf9eebedf824efa3bc6212989c748aa147221b5103
   

SpiderFoot 2.1.0 - Open Source Footprinting Tool

SpiderFoot:

                    simple web-based interface enables you to kick off a scan immediately after install - just give your scan a name, the domain name of your target and select which modules to enable.

                    You will quickly obtain information such as: URLs handling passwords, network ranges (netblocks), web servers, open ports, information about SSL certificates, and much more.

                       "Footprinting" is the process of understanding as much as possible about a given target in order to perform a more complete security penetration test. Particularly for large networks, this can be a daunting task.

                         The main objective of SpiderFoot is to automate this process to the greatest extent possible, freeing up a penetration tester's time to focus their efforts on the security testing itself.

                        SpiderFoot is designed from the ground-up to be modular. This means you can easily add your own modules that consume data from other modules to perform whatever task you desire.

                         As a simple example, you could create a module that automatically attempts to brute-force usernames and passwords any time a password-handling webpage is identified by the spidering module.

 

SpiderFoot 2.1.0 is now available, a major update over 2.0.5 which was released back in September.

Major improvements are as follows:

- Identifies sites co-hosted on IPs of your target.
- Checks whether your target, affiliates or co-hosts have a bad reputation (PhishTank, Google
SafeBrowsing, McAfee SiteAdvisor, abuse.ch and many more.)
- Identifies the ISPs and BGP AS of your target.
- Smarter at identifying owned netblocks.
- UI enhancements, including some data visualizations.
- More comprehensive searches across other Internet TLDs.
- Identifies the use of non-standard HTTP headers.
- Bing searches.
- Many tweaks, improvements and bug fixes.

Website & Download: http://www.spiderfoot.net
GitHub: https://github.com/smicallef/spiderfoot/tree/2.1
 Source Forge : http://sourceforge.net/projects/spiderfoot/

Arachni v0.4.6-0.4.3 (Open Source Web Application Security Scanner Framework)

Arachni v0.4.6-0.4.3 has been released :

                     (Open Source Web Application Security Scanner Framework)

                      There's a new version of Arachni, an Open Source, modular and
high-performance Web Application Security Scanner Framework written in Ruby.

Brief list of changes:

Framework
----------
* Massively decreased RAM consumption.
* Amount of performed requests cut down by 1/3 -- and thus 1/3 decrease in scan times.
* Overhauled timing attack and boolean/differential analysis algorithms to fix
  SQLi false-positives with misbehaving webapps/servers.
* Vulnerability coverage optimizations with 100% scores on WAVSEP's tests for:
  * SQL injection
  * Local File Inclusion
  * Remote File Inclusion
  * Non-DOM XSS -- DOM XSS not supported until Arachni v0.5.

WebUI
-----
* Implemented Scan Scheduler with support for recurring scans.
* Redesigned Issue table during the Scan progress screen, to group
  and filter issues by type and severity. 

Issues table

The issues table has been massively redesigned to provide more context at a glance and help you prioritize and focus on the issues that interest you most.

While the scan is running and new issues appear, High and Medium severity type groups will, by default, be displayed as expanded, to show each logged issue, while Low and Informational severity ones will be displayed as collapsed. This way your attention will be drawn to where it’s most needed.
Of course, you can change the visibility settings to suit your preferences, using the controls on the left of the table, as well as reset them to their default configuration.

Scan scheduling

The major change for the web interface is the addition of the much awaited Scheduler, which combined with the existing incremental/revisioned scans provides quite a powerful feature. In essence, it allows you to schedule a scan to run at a later time and optionally configure it to be a recurring one.

                                            What’s interesting here is the recurring bit, each scan occurrence is not a separate entity but a revision of the previous scan, this way you’ll be able to track changes in your website’s security with ease. It also allows you to speed things up by providing you with the ability to feed the sitemaps of previous revisions to the next one (either to extend or restrict the scope), thus making the crawl process much faster (or skipping it altogether).

 For more details about the new release please visit:
    http://www.arachni-scanner.com/blog/arachni-0-4-6-0-4-3-release/

Download page:               http://www.arachni-scanner.com/download/

Homepage                      - http://www.arachni-scanner.com
Blog                                 - http://www.arachni-scanner.com/blog
Documentation               - https://github.com/Arachni/arachni/wiki
Support                           - http://support.arachni-scanner.com
GitHub page                   - http://github.com/Arachni/arachni
Code Documentation     - http://rubydoc.info/github/Arachni/arachni
Copyright                        - 2010-2014
License                             - Apache License v2

Hook Analyser 3.0 Released with Cyber Threat Intelligence Features

Hook Analyser : ( Released V3.0)

                          a new module has been added - Cyber Threat Intelligence. Threat Intel module is being created to gather and analyse information related to Cyber Threats and vulnerabilities.

The module can be run using HookAnalyser.exe (via Option 6 ), or can be run directly.

The module present information on a web browser (with dashboard alike representation) with the following sections -

1. Threat Vectors - by (%) Country
2. Threat Vectors - by Geography 
3. Vulnerability / Threat Feed.

Project documentation - Click Here

Here is the screenshot of the Cyber Threat Intelligence dashboard -

To download the project - Click Here 

 

Malware Forensics Tools

Windows Prefetch Files:

WinPrefetchView :

                            is a small utility that reads the Prefetch files stored in your system and display the information stored in them. By looking in these files, you can learn which files every application is using, and which files are loaded on Windows boot.

                               WinPrefetchView doesn't require any installation process or additional DLL files. In order to start using it, simply run the executable file - WinPrefetchView.exe

                                 The main window of WinPrefetchView contains 2 panes: The upper pane displays the list of all Prefetch files in your system. When you select a file in the upper pane, the lower pane displays the list of files stored inside the selected Prefetch file, which represent the files that were loaded by the application in the previous times that you used it.


                                 These is also special Prefetch file, with 'NTOSBOOT-B00DFAAD.pf' filename, which can show you the list of files that are loaded during Windows boot process.



                                 WinPrefetchView also allows you to delete the selected Prefetch files. However, be aware that even when your delete a Prefetch file, it'll be created again by the operating system when you run the same program again.

 Download Link : http://www.nirsoft.net/utils/winprefetchview.zip

 Windows Registry Hives:

 RegRipper:

                    is an open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis.

                     RegRipper consists of two basic tools, both of which provide similar capability. The RegRipper GUI allows the analyst to select a hive to parse, an output file for the results, and a profile (list of plugins) to run against the hive. When the analyst launches the tool against the hive, the results go to the file that the analyst designated. If the analyst chooses to parse the System hive, they might also choose to send the results to system.txt. The GUI tool will also create a log of it's activity in the same directory as the output file, using the same file name but using the .log extension (i.e., if the output is written to system.txt, the log will be written to system.log).

 RegRipper also includes a command line (CLI) tool called rip. Rip can be pointed against to a hive and can run either a profile (a list of plugins) or an individual plugin against that hive, with the results being sent to STDOUT. Rip can be included in batch files, using the redirection operators to send the output to a file. Rip does not write a log of it's activity.

RegRipper is similar to tools such as Nessus, in that the application itself is simply an engine that runs plugins. The plugins are individual Perl scripts that each perform a specific function. Plugins can locate specific keys, and list all subkeys, as well as values and data, or they can locate specific values. Plugins are extremely valuable in the sense that they can be written to parse data in a manner that is useful to individual analysts.


Note: Plugins also serve as a means of retaining corporate knowledge, in that an analyst finds something, creates a plugin, and adds that plugin to a repository that other analysts can access. When the plugin is shared, this has the effect of being a force multiplier, in that all analysts know have access to the knowledge and experience of one analyst. In addition, plugins remain long after analysts leave an organization, allowing for retention of knowledge.

Download Link : http://code.google.com/p/regripper/downloads/list

Auto_rip:

                 auto_rip is a wrapper script for RegRipper. The script automates 

the execution of the RegRipper plug-ins according to the categories below:

all              gets information from all categories
os               gets General Operating System Information
users            gets User Account Information
software         gets Installed Software Information
network          gets Networking Configuration Information
storage          gets Storage Information
execution        gets Program Execution Information
autoruns         gets Autostart Locations Information
log              gets Logging Information
web              gets Web Browsing Information
user_config      gets User Account Configuration Information
user_act         gets User Account General Activity
user_network     gets User Account Network Activity
user_file        gets User Account File/Folder Access Activity
user_virtual     gets User Account Virtualization Access Activity
comm             gets Communication Software Information

SHA1 Checksum: 
 
 55828924ce01190b5e4c292c3fb979b3b5b12c88

Download Link : http://regripper.googlecode.com/files/auto_rip-5-16-2013.zip 

NTFS Artifacts

AnalyzeMFT

                     analyzeMFT.py is designed to fully parse the MFT file from an NTFS

filesystem and present the results as accurately as possible in multiple formats.

Documentation : http://grayscale-research.org/new/pdfs/NTFS%20forensics.pdf 

Download Link : https://github.com/dkovar/analyzeMFT

Windows Journal Parser (jp) :

                                                  jp is a command line tool that targets NTFS change log journals. The change journal is a component of NTFS that will, when enabled, record changes made to files. The change journal is located in the $UsnJrnl MFT entry, and the journal entries are located in the alternate data stream $J. Each entry is of variable size and its internal structure is documented in the MSDN.

                                                   The change journal will record amongst other things: (a) time of the change, (b) affected file/directory, (c) change type - delete, rename, size extend, etc, and therefore makes a useful tool when looking at a computer forensically.

Downloads 32-bit Version 64-bit Version Windows: jp32.v.1.07.win.zip jp64.v.1.07.win.zip Linux: jp32.v.1.07.lin.tar.gz jp64.v.1.07.lin.tar.gz Mac OS X: jp.v.1.07.osx.tar.gz jp.v.1.07.osx.tar.gz

Droid Fusion By OWASP - Mobile Security Linux Distribution

Droid Fusion :

                is a platform for android mobile or any other mobile for doing Malware Analysis, Development, Application Pentesting,forensics. You can use it in any mobile security research, and if you have Droid Fusion, you don't need to worry about finding tools. There are more then 60 tools and scripts and it is free.

Authentication

---

Username: Droid
Password: fusion

Checksum

---

MD5 : 5f492cef31264d0b32b0cf8fd618551
SHA1 :1fb10a66d6e87f9e1aef9143259b7d37dfd9df4

Road Map :

Screenshot :

Download OWSAP Droidfusion :   Download 

Cryptolocker Ransomware Malwarwe - Tools to Detect & Prevent

CryptoLocker :

                          is a ransomware program that was released around the beginning of September 2013 that targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8. This ransomware will encrypt certain files using a mixture of RSA & AES encryption. When it has finished encrypting your files, it will display a CryptoLocker payment program that prompts you to send a ransom of either $100 or $300 in order to decrypt the files. This screen will also display a timer stating that you have 96 hours, or 4 days, to pay the ransom or it will delete your encryption key and you will not have any way to decrypt your files. This ransom must be paid using MoneyPak vouchers or Bitcoins. Once you send the payment and it is verified, the program will decrypt the files that it encrypted.

                         Cryptolocker will encrypt users’ files using asymmetric encryption, which requires both a public and private key. The public key is used to encrypt and verify data, while private key is used for decryption, each the inverse of the other.Below is an image from Microsoft depicting the process of asymmetric encryption

                 

                 The bad news is decryption is impossible unless a user has the private key stored on the cybercriminals’ server. Currently, infected users are instructed to pay $300 USD to receive this private key. Infected users also have a time limit to send the payment. If this time elapses, the private key is destroyed, and your files may be lost forever. 

                   Files targeted are those commonly found on most PCs today; a list of file extensions for targeted files include:

3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx

                  In some cases, it may be possible to recover previous versions of the encrypted files using System Restore or other recovery software used to obtain “shadow copies” of files.

Is it possible to decrypt files encrypted by CryptoLocker?


                                             Unfortunately at this time there is no way to retrieve the private key that can be used to decrypt your files without paying the ransom. Brute forcing the decryption key is not realistic due to the length of time required to break the key. Also any decryption tools that have been released by various companies will not work with this infection. The only method you have of restoring your files is from a backup or Shadow Volume Copies if you have System Restore enabled. Newer variants of CryptoLocker attempt to delete the Shadow Copies, but it is not always successful.

How to remove Cryptolocker -Malwarebytes

CryptoPrevent Tool :

                                FoolishIT LLC was kind enough to create a free utility called CryptoPrevent that automatically adds the suggested Software Restriction Policy Path Rules listed below to your computer. This makes it very easy for anyone using Windows XP SP 2 and above to quickly add the Software Restriction Policies to your computer in order to prevent CryptoLocker and Zbot from being executed in the first place..

 

CryptoPrevent

You can download CryptoPrevent from the following page:

http://www.foolishit.com/download/cryptoprevent/

For more information on how to use the tool, please see this page:

http://www.foolishit.com/vb6-projects/cryptoprevent/

Once you run the program, simply click on the Block button to add the Software Restriction Policies to your computer. If CryptoPrevent causes issues running legitimate applications, then please see this section on how to enable specific applications.

 

Stop Sign Internet Security :

                                       Suite provides a powerful on-access scanner component designed to monitor the system in real time. Keeping the operating system and associated software properly updated can also be crucial in maintaining a malware-free environment. 

                                      Although removal of Cryptolocker is included with a Stop Sign subscription, concern the user may not have a backup of their documents has prompted the Stop-Sign Research and Development Team to decide to not incorporate an automated removal of Cryptolocker into the scanner.

 

Download Link :

 http://downloads.stopsign.com/stop-sign_install.exe

 

Malwarebytes' :

                        Anti-Malware can detect and remove this ramsomware malware. Malwarebytes detects Cryptolocker infections as Trojan.Ransom, but it cannot recover your encrypted files due to the nature of asymmetric encryption, which requires a private key to decrypt files encrypted with the public key.

 

Download Link :

http://www.malwarebytes.org/mbam-download.php

 

Anti-CryptoBlocker :

                              by Bit Defender an Encryption blocking tool that can detect and block malware from the installation .

Intrusion prevention Systems can block the communication protocol send from the Cryptolocker infected ssytem to the remote command-and-Control server , where the malware retrieves the key to encrypt the files.

 

Download Link :

http://download.bitdefender.com/removal_tools/BDAntiCryptoLocker_Release.exe

 

CryptoGuard :

                     is a universal solution against crypto ransomware. This type of ransomware encrypts your personal files and demands a ransom fee to be paid in order to regain access to your files.

                       
                              HitmanPro's CryptoGuard monitors your file system for suspicious operations. When suspicious behavior is detected, the malicious code is neutralized and your files remain safe from harm. CryptoGuard works silently in the background at the file system level, keeping track of processes modifying your personal files. CryptoGuard works autonomously, so no user interaction is required.

Download Link :

http://www.surfright.nl/en/cryptoguard

Thanks,

RRN Technologies Team