
Rapid-Response DFIR Tooling
Tools for Speed and Agility

Mike Pilkington ([email protected])
Kevin Ripa ([email protected])
Carlos Cajigas ([email protected])
Single-System Forensics & Incident Response (FOR500 Windows Forensic Analysis)
[Diagram: an incident responder examining a single subject system]

Enterprise Incident Response & Threat Hunting
[Diagram: an incident responder working across an enterprise network]
What Content to Triage Image?

Artifact • Course Covered
Registry Hives and Backups • FOR500
LNK Files • FOR500
Jump Lists • FOR500
Prefetch • FOR500
Event Logs and PnP Logs • FOR500
Browser Data (IE, Firefox, Chrome) • FOR500
Recycle Bin • FOR500
Master File Table • FOR500/508
NTFS Log Files and Journal Log • FOR508
Pagefile and Hibernation Files • FOR508
Rapid-Response Tooling Solutions

KAPE
• Supported operating systems: Windows
• Primary use case: Triage imaging & artifact post-processing
• Deployment strategy: Manual; designed for standalone use cases
• Primary advantage: Powerful yet simple to use
• Primary disadvantage: Limited remote imaging options

Kansa
• Supported operating systems: Windows
• Primary use case: Incident response & threat hunting
• Deployment strategy: Enable PowerShell Remoting via GPO
• Primary advantage: Uses PowerShell Remoting for efficiency and credential safety
• Primary disadvantage: Not designed for forensic acquisition

Velociraptor
• Supported operating systems: Windows, Mac, & Linux
• Primary use case: Triage imaging, incident response, & threat hunting
• Deployment strategy: Use software management tools or GPO to deploy agents
• Primary advantage: Extremely flexible with multi-OS support
• Primary disadvantage: New project with few large-scale deployments so far
KAPE
Tools for Speed and Agility

Introducing KAPE – Triage and Rapid Analysis Capability

Search: for files & folders using target configurations
• Can search the following:
  • Mounted E01
  • Live system drive(s)
  • Specific path(s)
  • F-Response
  • Optional VSCs

Collect: responsive files & folders
• Forensically sound
• Detailed copy log
• Optional VHD(x) or Zip container
• SFTP transfer

Process: collected files based on module configurations
• Extract actionable intelligence
• Facilitate artifact correlation/pivoting
• Consistent and repeatable output for analysis

KAPE (Kroll Artifact Parser and Extractor) written by Eric Zimmerman
What Makes KAPE Different?

Speed • Measurably faster than other tools
GUI & Command Line • GUI front end and configurable command line
Collect Locked Files • Can collect registry hives and other locked files
Configurable & Scriptable • Predefined or roll your own | 1 or many machines
Volume Shadow Copy • VSS can be processed as part of the targets collected
Batch Mode • Automatically start collections with predefined targets
Several Output Options • Zipped, VHDX, UNC, AWS S3, Azure
Process Data • Process collected data with CLI tools
KAPE Targets & Modules

• KAPE divides its functionality into two parts:
  • Targets
  • Modules
• Targets collect files/folders
• Modules process files/folders
  • Can also run programs to collect memory or other live response data
• These operations can be done independently of each other, or combined
KAPE Configuration File Examples

Target config (Amcache.hve):

Description: Amcache.hve
Author: Eric Zimmerman
Version: 1
Id: 13ba1e33-4899-4843-adf1-c7e6b20d759a
RecreateDirectories: true
Targets:
    -
        Name: Amcache
        Category: ApplicationCompatibility
        Path: C:\Windows\AppCompat\Programs\Amcache.hve
        IsDirectory: false
        FileMask: Amcache.hve
        Recursive: false
        Comment: ""
    -
        Name: Amcache transaction files
        Category: ApplicationCompatibility
        Path: C:\Windows\AppCompat\Programs\Amcache.hve.LOG*
        IsDirectory: false
        Recursive: false
        Comment: ""

Module config (AmcacheParser):

Description: 'AmcacheParser: extract program execution information'
Category: ProgramExecution
Author: Eric Zimmerman
Version: 1
Id: 4190c518-524f-4623-8038-a014784c018c
BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/AmcacheParser.zip
ExportFormat: csv
Processors:
    -
        Executable: AmcacheParser.exe
        CommandLine: -f %sourceFile% --csv %destinationDirectory% -i
        ExportFormat: csv

Complete KAPE Manual - https://ericzimmerman.github.io/KapeDocs
GKAPE Can Build the Command Line

• Great way to learn the KAPE CLI
• Cut & paste to the command line to build scripts or batch files
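A script of the kind the slide above describes, as an added example (not code from the deck or from the KAPE project): it runs the Amcache target and the AmcacheParser module from the earlier configuration examples in one pass and records which KAPE build did the work. The switch names are those documented in the KAPE manual linked above; the kape.exe location, the source drive and the destination paths are assumptions.

```powershell
# Added example, not from the deck or the KAPE project. Assumptions: kape.exe
# lives in C:\Tools\KAPE, C: is the subject volume, D:\Triage is the
# collection destination. Switch names follow the KAPE manual.
param(
    [string]   $KapeExe = 'C:\Tools\KAPE\kape.exe',
    [string]   $Source  = 'C:',
    [string]   $Dest    = "D:\Triage\$env:COMPUTERNAME",
    [string[]] $Targets = @('Amcache'),
    [string[]] $Modules = @('AmcacheParser')
)

if (-not (Test-Path $KapeExe)) { throw "kape.exe not found at $KapeExe" }
New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# Record which KAPE build ran so the collection can be reproduced later.
(Get-FileHash -Path $KapeExe -Algorithm SHA256).Hash |
    Set-Content -Path (Join-Path $Dest 'kape.exe.sha256')

$targetDir = Join-Path $Dest 'Targets'
$moduleDir = Join-Path $Dest 'Modules'

$kapeArgs = @(
    '--tsource', $Source                 # volume to search
    '--tdest',   $targetDir              # where collected files are written
    '--target',  ($Targets -join ',')    # target configs to apply
    '--vss'                              # also search volume shadow copies
    '--msource', $targetDir              # run modules against what was just collected
    '--mdest',   $moduleDir              # where module (CSV) output goes
    '--module',  ($Modules -join ',')    # module configs to run
)

& $KapeExe @kapeArgs
if ($LASTEXITCODE -ne 0) { throw "KAPE exited with code $LASTEXITCODE" }

# Sanity check before the analyst moves on: module output should exist.
$csv = Get-ChildItem -Path $moduleDir -Filter '*.csv' -Recurse -ErrorAction SilentlyContinue
if (-not $csv) { Write-Warning 'No module output produced; review the KAPE console output' }
```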
KANSA
Tools for Speed and Agility
PowerShell Basics

• Verb-noun naming scheme
  • Get-Process
  • Get-Command
• Large number of aliases (Dir == Get-ChildItem)
  • Get-Alias *
• Output is objects that are passed to other cmdlets
  • Get-Service | Out-GridView
  • Netstat.exe | Select-String 'Established'
• Direct access to providers like disk and registry
  • Get-ChildItem HKLM:Software | Format-Wide
PowerShell Basics: Remoting

• WinRM service required
  • Enabled by default on Server 2012+
• Enter-PSSession
  • Provides a remote shell; alternative to SSH
• Invoke-Command
  • Allows concurrent one-to-many command execution
  • Filtering accomplished on the remote host
PowerShell Basics: Authentication

• Best-case scenario from a security perspective
  • Default is non-delegated Kerberos
  • Precludes delegate token stealing
  • Do NOT use CredSSP (dual-hop) auth
• Non-interactive (Type 3) logon
  • Even Enter-PSSession does not cache creds
  • Credentials are not passed to the remote system and hence are not available to tools such as Mimikatz, Incognito, etc.
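The one-to-many pattern from the two slides above, as an added example that is not part of the deck: the filter runs inside the script block (on each remote host), Kerberos is requested explicitly so CredSSP is never in play, and hosts that fail to connect are recorded rather than silently dropped. The hostlist file, the output folder, and the artifact collected (established TCP connections with their owning process) are assumptions.

```powershell
# Added example, not from the deck. Assumes .\hostlist (one hostname per line)
# and writes to .\Output; the artifact collected is a stand-in for any module.
$targets = Get-Content .\hostlist | Where-Object { $_ -and $_ -notmatch '^\s*#' }
New-Item -ItemType Directory -Path .\Output -Force | Out-Null

$params = @{
    ComputerName   = $targets
    Authentication = 'Kerberos'           # the remoting default, stated explicitly: no CredSSP
    ThrottleLimit  = 32                   # concurrent sessions during fan-out
    ErrorAction    = 'SilentlyContinue'
    ErrorVariable  = 'failed'             # collects connection errors per host
    ScriptBlock    = {
        # Everything here executes on the remote host, so only the rows that
        # pass the filter (established connections) cross the wire.
        # Get-NetTCPConnection is available on Windows 8 / Server 2012 and later.
        $procs = @{}
        Get-CimInstance Win32_Process | ForEach-Object { $procs[$_.ProcessId] = $_ }
        Get-NetTCPConnection -State Established | ForEach-Object {
            $p = $procs[$_.OwningProcess]
            [PSCustomObject]@{
                LocalAddress  = $_.LocalAddress
                LocalPort     = $_.LocalPort
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                Pid           = $_.OwningProcess
                Process       = $p.Name
                CommandLine   = $p.CommandLine
            }
        }
    }
}
$results = Invoke-Command @params

# Invoke-Command stamps PSComputerName on every returned object, so a single
# CSV keeps host attribution for each row.
$results | Export-Csv -Path .\Output\established_connections.csv -NoTypeInformation

# Connection failures (WinRM off, host down, Kerberos ticket problems) are
# kept for follow-up instead of being lost in the fan-out.
$failed | ForEach-Object { "$($_.TargetObject)`t$($_.Exception.Message)" } |
    Set-Content -Path .\Output\failed_hosts.txt
```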
Kansa: PowerShell IR Framework
• Designed by Dave Hull to scale IR data collections
• Framework organizes data collection and module selection
• Modules are written as PowerShell scripts
• Easily scales to thousands of systems via PowerShell remoting
• Not confined to PowerShell cmdlets—execute virtually anything

Running Kansa

.\kansa.ps1 -OutputPath .\Output\ -TargetList .\hostlist -TargetCount 250 -Verbose -Pushbin
Kansa Modules.conf
[Screenshot: the Modules.conf file, which selects the modules Kansa runs]
Kansa + Third-Party Tools

• Kansa is not limited to WMI or PS cmdlets
• It can also push and execute binaries
  • Place in the .\Modules\bin directory
  • Use the -Pushbin argument
  • Remove binaries after execution with -Rmbin
• Output returned and formatted as PS objects
• Binaries can be deleted or left for future use

Example modules: Get-Autorunsc.ps1, Get-CertStore.ps1, Get-FlsBodyfile.ps1, Get-Handle.ps1, Get-ProcDump.ps1, Get-RekalPslist.ps1
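As an added example of a module for the framework described above (it is not part of the Kansa project), the script below finds PowerShell processes launched with an encoded command line and decodes the base64 (UTF-16LE) payload so the analyst reads the actual command; this is the same kind of finding the Velociraptor hunt results slide later in the deck shows. It assumes Kansa's directive convention (a leading "# OUTPUT" comment naming the output format), would be saved as Modules\Process\Get-EncodedPSCmdline.ps1 and listed in Modules.conf; verify the directive syntax against the project documentation.

```powershell
# OUTPUT tsv
# Added example module, not part of the Kansa project. Kansa runs this file on
# each remote host through Invoke-Command and serialises the objects it emits
# in the format named by the directive on line 1 (assumed convention).
# Save as Modules\Process\Get-EncodedPSCmdline.ps1 and add it to Modules.conf.

# powershell.exe accepts -e, -ec, -enc or -encodedcommand followed by base64.
$pattern = '(?i)\s-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})'

function ConvertFrom-EncodedCommand {
    param([string]$Base64)
    try {
        # -EncodedCommand carries the script as base64 of UTF-16LE text.
        [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
    } catch {
        "<decode failed: $($_.Exception.Message)>"
    }
}

Get-CimInstance Win32_Process |
    Where-Object { $_.Name -match '^(powershell|pwsh)' -and $_.CommandLine -match $pattern } |
    ForEach-Object {
        # -match in scalar context populates $Matches; group 2 is the base64 blob.
        $null = $_.CommandLine -match $pattern
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        [PSCustomObject]@{
            Hostname    = $env:COMPUTERNAME
            ProcessId   = $_.ProcessId
            ParentPid   = $_.ParentProcessId
            Name        = $_.Name
            User        = "$($owner.Domain)\$($owner.User)"
            CommandLine = $_.CommandLine
            # Flatten newlines and tabs so each finding stays on one TSV row.
            Decoded     = (ConvertFrom-EncodedCommand $Matches[2]) -replace '[\r\n\t]+', ' '
        }
    }
```

Run against many hosts, the rows come back as PS objects with host attribution, so one sort on the Decoded column shows at a glance whether a single encoded command is spread across several systems, as in the hunt result slide.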
VELOCIRAPTOR
Tools for Speed and Agility
The Case for Velociraptor

• Michael Cohen is the creator & lead developer
  • Former software engineer at Google
  • Lead developer of GRR & Rekall
• Like GRR, Velociraptor is multi-platform
  • Supports Windows, Mac, and Linux
• Unlike GRR, very simple and lightweight design
  • Written in Go, for better performance and portability
• Friendly open-source license
  • Affero GPL

Velociraptor’s Design Goals

• Triage - Focus on endpoint data collection and monitoring
• Flexibility - Velociraptor can adapt easily to new requirements without needing to redeploy either clients or servers.
• Remove abstractions - Velociraptor aims to be as simple to understand as possible.
• Simplify deployments - Velociraptor ships as a single, statically linked executable which can perform all actions necessary for deployments.

“In short…Velociraptor wants to be something like this!” ☺
https://www.velocidex.com/blog/html/2018/08/10/introducing_velociraptor.html
Velociraptor Features

Powerful capabilities include:
• A purpose-built IR query language to analyze disk- & memory-based artifacts
• Query one host directly, or many through “hunts”
  • Currently scales to ~10,000 clients (development underway to support ~100,000 clients)
• Interactive shell for real-time interaction with clients
• Ongoing queries for continuous client monitoring
• Automated response capabilities
• Triage mode allows for standalone collection and parsing of data
• Support for Windows, Linux, and Mac operating systems

What Are Velociraptor “Artifacts”?

• Velociraptor “artifacts” are stored VQL queries
• There are many built-in artifacts. A few examples include:
  • List running processes
  • Enumerate users that have logged into the system
  • Run and collect Autoruns persistence data
  • Collect historical “Evidence of Execution” data
  • Search for specific files or directories
  • Use KAPE target files to collect pertinent triage data
• Easy to modify and create custom artifacts
  • Use one of the many built-in artifacts as a template to create your own
  • Share back your custom artifacts
Velociraptor Web Frontend – Client List
[Screenshot: the client list. Labels are configurable by the administrator; the client ID uniquely identifies the endpoint.]

Velociraptor Web Frontend – Artifact Repository
[Screenshot: searching the keyword “process” finds 28 relevant artifacts. In this example the artifact takes an additional parameter to filter processes by name.]

Velociraptor Web Frontend – Accessing File Contents (1)
[Screenshot: directory contents are listed after being retrieved. All files from the highlighted directory can be downloaded, or a single highlighted file can be downloaded.]

Velociraptor Web Frontend – Accessing File Contents (2)
[Screenshot: an icon indicates the file was downloaded. Several viewing options are available in the file contents pane (currently HexView), and the full file can also be exported.]

Velociraptor Web Frontend – Creating a Hunt
[Screenshot: the “plus” button starts a wizard to define a new hunt. Use the filter field to find the artifact to use in the hunt, and be sure to click “Add” to choose it; in this case we chose our custom CommandLine artifact.]

Velociraptor Web Frontend – Starting a Hunt
[Screenshot: once created, the hunt has to be started with the “Play” button. Client status is shown and available results can be prepared for download as a zip. The Overview tab shows key settings for the hunt, such as the artifact(s) used and any parameters provided.]

Velociraptor Web Frontend – Analyze Hunt Results
[Screenshot: each row carries the hostname with its unique Client ID. A PowerShell process with an encoded command was located; only one PowerShell encoded command was found across 7 hosts.]
Where do you want to go today?

With a huge variety of built-in artifacts, and the ability to customize them easily, there’s almost no limit to Velociraptor’s hunting and analysis capabilities!

• Filesystem Timeline, Windows Timeline, Prefetch Timeline, KAPE Triage, Volume Shadow Copy, MFT and $I30, File Finder, YARA Scanning
• Memory Acquisition; Processes and DLLs; VAD, Handles, Mutants; Impersonation Tokens; Netstat and ARP; DNS Queries; Event Logs; User ProfileList
• Autoruns, Permanent WMI Events, Scheduled Tasks, Service Creations, Certificate Store, SRUM and BAM, ShimCache and AmCache, UserAssist
References & Resources

• KAPE
  • Download: https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape
  • Pre-configured KAPE files: https://github.com/EricZimmerman/KapeFiles
• Kansa
  • Download: https://github.com/davehull/Kansa
  • Kansa to Splunk & Graylog: https://powerhunt.org/enterprise-dfir-on-a-budget/
• Velociraptor
  • Download & docs: https://www.velocidex.com/docs/getting-started/
  • Blog articles: https://www.velocidex.com/blog/
• Carlos Cajigas: contact me on Twitter @carlos_cajigas
  • http://www.mashthatkey.com/2020/06/installing-velociraptor-server-on.html