a bit of an older read, but still good: There’s Something About WMI
And finally the whitepaper that got me on this little reading excursion today: Beyond Malware
Category Archives: DFIR
All DFIR related posts
DFIR 014 – Continuous IR
Nice little post here on continuous IR, and how it can feed into the program as a whole.
Making Incident Response a Security Program Enabler
The approach an organization can take to take incident response from a reactive process to proactive one involves the following steps:
– Improving an organization’s incident response capabilities
– Improving an organization’s root cause analysis capabilities
– Improving an organization’s security monitoring capabilities
– Influencing others to see incident response as a continuous process
– Operationalizing incident response information
– Collecting and documenting data for the organization’s incident response metrics
– Analyzing the organization’s incident response metrics to produce intelligence
– Presenting the intelligence to appropriate stakeholders
DFIR 013 – Adding Malformity to SIFT
This is a quick post on how I added Malformity to my SIFT workstation. This process is super complex, so you have to make sure you are really paying attention…… ;-)
First get Malformity….
git clone https://github.com/digital4rensics/Malformity.git
Change into the new Malformity folder, and run the following
sudo python setup.py install
OK, once that is done, you need to run the following
canari create-profile Malformity
Finally, open up Maltego, and click on the main icon in the upper left hand corner. Choose import, then import configuration, and just follow the prompts then.
Enjoy!
DFIR 012 – Clam AV rules to Yara
This post was inspired while I was playing around with the new SIFT workstation, and I needed to get my tools and scripts on the VM. A couple of team members saw what I was doing, and did not know this was possible so I figured I would write up a quick post on how to convert your Clam AV database to a set of Yara rules that you can use during your investigations.
You can get the Python script here
# for Clam AV # should be installed, but this is to verify sudo apt-get install clamav clamav-freshclam sudo freshclam # for Yara sudo apt-get install libpcre3 libpcre3-dev sudo apt-get install yara sigtool –u /var/lib/clamav/main.cvd python clamav_to_yara.py -f main.ndb -o clamav.yara
There is one rule I had to manually clean up though…….
vim +199819 clamav.yara
Once that is done, you can use this file anywhere you would use your yara rule.
Pretty cool!
DFIR 011 – no reverse attachment IR
An interesting article from OpenDNS.