Saturday, 29 August 2020

Rastrea2R - Collecting & Hunting For IOCs With Gusto And Style



Ever wanted to turn your AV console into an Incident Response & Threat Hunting machine? Rastrea2r (pronounced "rastreador" - hunter - in Spanish) is a multi-platform open source tool that allows incident responders and SOC analysts to triage suspect systems and hunt for Indicators of Compromise (IOCs) across thousands of endpoints in minutes. To parse and collect artifacts of interest from remote systems (including memory dumps), rastrea2r can execute Sysinternals tools, system commands and other 3rd party tools across multiple endpoints, saving the output to a centralized share for automated or manual analysis. By using a client/server RESTful API, rastrea2r can also hunt for IOCs on disk and in memory across multiple systems using YARA rules. As a command line tool, rastrea2r can be easily integrated within McAfee ePO, as well as other AV consoles and orchestration tools, allowing incident responders and SOC analysts to collect forensic evidence and hunt for IOCs without the need for an additional agent, with 'gusto' and style!


Dependencies
  • Python 2.7.x
  • git
  • bottle
  • requests
  • yara-python

Quickstart
  • Clone the project to your local directory (or download the zip file of the project)
$git clone https://github.com/rastrea2r/rastrea2r.git
$cd rastrea2r
  • All the dependencies necessary for the tool to run can be installed within a virtual environment via the provided makefile.
$make help
help - display this makefile's help information
venv - create a virtual environment for development
clean - clean all files using .gitignore rules
scrub - clean all files, even untracked files
test - run tests
test-verbose - run tests [verbosely]
check-coverage - perform test coverage checks
check-style - perform pep8 check
fix-style - perform check with autopep8 fixes
docs - generate project documentation
check-docs - quick check docs consistency
serve-docs - serve project html documentation
dist - create a wheel distribution package
dist-test - test a wheel distribution package
dist-upload - upload a wheel distribution package
  • Create a virtual environment with all dependencies
$make venv
// Upon successful creation of the virtual environment, activate it as instructed, for example:
$source /Users/ssbhat/.venvs/rastrea2r/bin/activate
  • Start the rastrea2r server by going to the $PROJECT_HOME/src/rastrea2r/server folder
$cd src/rastrea2r/server/
$python rastrea2r_server_v0.3.py
Bottle v0.12.13 server starting up (using WSGIRefServer())...
Listening on http://0.0.0.0:8080/
  • Now execute the client program, choosing the Python script that matches the platform you are scanning. Currently Windows, Linux and Mac platforms are supported.
$python rastrea2r_osx_v0.3.py -h
usage: rastrea2r_osx_v0.3.py [-h] [-v] {yara-disk,yara-mem,triage} ...

Rastrea2r RESTful remote Yara/Triage tool for Incident Responders

positional arguments: {yara-disk,yara-mem,triage}

modes of operation
yara-disk Yara scan for file/directory objects on disk
yara-mem Yara scan for running processes in memory
triage Collect triage information from endpoint

optional arguments:
-h, --help show this help message and exit
-v, --version show program's version number and exit


Furthermore, the available options under each command can be viewed by executing the help option, i.e.

$python rastrea2r_osx_v0.3.py yara-disk -h
usage: rastrea2r_osx_v0.3.py yara-disk [-h] [-s] path server rule

positional arguments:
path File or directory path to scan
server rastrea2r REST server
rule Yara rule on REST server

optional arguments:
-h, --help show this help message and exit
-s, --silent Suppresses standard output
  • For example, on a Mac or Unix system you would do:
$cd src/rastrea2r/osx/

$python rastrea2r_osx_v0.3.py yara-disk /opt http://127.0.0.1:8080/ test.yar

Executing rastrea2r on Windows

Currently Supported functionality
  • yara-disk: Yara scan for file/directory objects on disk
  • yara-mem: Yara scan for running processes in memory
  • memdump: Acquires a memory dump from the endpoint ** Windows only
  • triage: Collects triage information from the endpoint ** Windows only

Notes
For memdump and triage modules, SMB shares must be set up in this specific way:
  • Binaries (Sysinternals tools, batch files and others) must be located in a shared folder called TOOLS (read only)
    \\path-to-share-folder\tools
  • Output is sent to a shared folder called DATA (write only)
    \\path-to-share-folder\data
  • For yara-mem and yara-disk scans, the yara rules must be in the same directory where the server is executed from.
  • The RESTful API server stores data received in a file called results.txt in the same directory.
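The client/server exchange described in the Quickstart and in the Notes above, as an added example that is not rastrea2r's own code: a Python 3, standard-library stand-in for the REST server (the real tool uses bottle) that serves .yar rules from the directory it runs in and appends posted hits to results.txt in that same directory, plus the two client-side calls. The YARA scan itself is left out; the JSON record shape, the tab-separated results.txt line format and the rule-name check (which keeps a client-supplied name inside the rules directory) are this example's own assumptions, not the tool's.

```python
# Added example, not rastrea2r's own code: a stdlib-only stand-in for the REST
# exchange (GET /rules/<name> serves a rule, POST /results appends to results.txt).
import json, os, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

def safe_rule_path(rules_dir, name):
    # Resolve a client-supplied rule name inside rules_dir; refuse names that
    # escape it (e.g. '../x.yar') or are not .yar files. Returns None on refusal.
    base = os.path.realpath(rules_dir)
    path = os.path.realpath(os.path.join(base, name))
    return path if os.path.dirname(path) == base and name.endswith(".yar") else None

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):  # GET /rules/<name>: hand the rule text to the client
        name = self.path[len("/rules/"):] if self.path.startswith("/rules/") else ""
        path = safe_rule_path(self.server.rules_dir, name)
        if path is None or not os.path.isfile(path):
            self.send_response(404); self.end_headers(); return
        self.send_response(200); self.end_headers()
        with open(path, "rb") as f:
            self.wfile.write(f.read())

    def do_POST(self):  # POST /results with {"host":..., "rule":..., "match":...}
        rec = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))))
        with open(os.path.join(self.server.rules_dir, "results.txt"), "a") as f:
            f.write("%s\t%s\t%s\n" % (rec["host"], rec["rule"], rec["match"]))
        self.send_response(200); self.end_headers()

def start_server(rules_dir):
    # Bind a free loopback port; returns (server, base_url). Stop with server.shutdown().
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    srv.rules_dir = rules_dir
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/" % srv.server_address[1]

def fetch_rule(base_url, name):
    # Client side: download the rule text, or None if the server refuses it.
    try:
        with urlopen(base_url + "rules/" + name) as r:
            return r.read().decode()
    except HTTPError:
        return None

def post_result(base_url, host, rule, match):
    # Client side: report one hit; returns the HTTP status code (200 on success).
    body = json.dumps({"host": host, "rule": rule, "match": match}).encode()
    req = Request(base_url + "results", data=body, headers={"Content-Type": "application/json"})
    with urlopen(req) as r:
        return r.status
```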

Contributing to rastrea2r project
The Developer Documentation provides complete information on how to contribute to the rastrea2r project.

Demo videos on Youtube

Presentations

Credits & References


