Wednesday, April 16, 2014

Updates to the Windows Live Response tool collection

Good news everyone!! I found some time during the early part of this week to make a couple of updates to the Windows version of the Live Response tool collection. 

The first update is Pinpoint Version 0.2.0 (which was actually released back in February) from Kahu Security. The tool is great for helping to identify possible malicious content on a webpage. The following description of the tool is taken directly from the website:

"Fetches a webpage and then enumerates and analyzes its components to help identify any infected files. Pinpoint gives you various options when making an HTTP request including spoofing the user-agent string and referer. Pinpoint will not render any of the content."

The second update is PEStudio, from Marc Ochsenmeier, who has been EXTREMELY busy pushing out updates to his amazing tool. The most recent update to PEStudio has "extended blacklist and Features detection as well as fixing a bug when handling 64-bit images". Marc has also set up a PayPal donation option on his website. If you have used PEStudio to help with any of your analysis and/or research, I encourage you to consider donating as a way of saying "Thank you Marc!" for all of the time, effort, and work he has put into PEStudio. I would gladly pay for a tool like PEStudio, but am very grateful that Marc offers it for free!

The third update comes as a result of using the Live Response collection in a real-world response case. After being alerted to some possible files of interest that were identified by the other tools in the script, I wished that I had the hashes of some of those files to perform some additional research to attempt to determine if those files were legitimate Windows files or if they were malicious but attempting to "look" like Windows files. If run with Administrative privileges, the script will now compute the MD5 and SHA256 of Windows PE files in the "%WINDIR%\system32" folder and "%SystemDrive%/Temp" folder (if it exists). It will also compute the MD5 and SHA256 of all of the files in the "%TEMP%" folder of the currently logged-on user. (COMMENT: I am working on doing this for each user of a system, I need to do some more testing in an effort to perform this in the most efficient (least system intensive) way possible).
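As an added illustration of the hashing step described above (example code written for this post, not part of the Live Response collection), the following Python identifies PE files by their MZ/PE headers rather than by extension, computes MD5 and SHA-256 in a single read of each file, and returns nothing for a folder that does not exist. The sample files it creates are constructed for testing, and the folder list in the main block is an assumption based on the paths named above.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Tuple

def is_pe_file(path: Path) -> bool:
    """True if the file has an 'MZ' DOS header and 'PE\\0\\0' at e_lfanew (extension is ignored)."""
    try:
        with path.open("rb") as fh:
            dos_header = fh.read(64)
            if len(dos_header) < 64 or dos_header[:2] != b"MZ":
                return False
            fh.seek(int.from_bytes(dos_header[60:64], "little"))  # e_lfanew -> NT headers
            return fh.read(4) == b"PE\0\0"
    except OSError:  # unreadable or locked file: skip it rather than abort the sweep
        return False

def hash_file(path, chunk_size: int = 1 << 20) -> Tuple[str, str]:
    """Compute MD5 and SHA-256 in one pass so each file is read only once."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def hash_pe_files(folder: str) -> Dict[str, Tuple[str, str]]:
    """Map each PE file directly in `folder` to (MD5, SHA-256); a missing folder gives {}."""
    root = Path(folder)
    if not root.is_dir():  # e.g. %SystemDrive%\Temp does not exist on most hosts
        return {}
    return {str(p): hash_file(p) for p in root.iterdir() if p.is_file() and is_pe_file(p)}

def make_constructed_samples() -> str:
    """Constructed sample data (not real system files): one minimal PE-shaped file, two non-PE files."""
    folder = Path(tempfile.mkdtemp())
    pe_bytes = b"MZ" + b"\0" * 58 + (64).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 16
    (folder / "sample.tmp").write_bytes(pe_bytes)  # PE content hiding behind a non-PE extension
    (folder / "notes.txt").write_text("not a PE file")
    (folder / "empty.bin").write_bytes(b"")
    return str(folder)

if __name__ == "__main__":  # assumed folder list, mirroring the paths the collection hashes
    for folder in [os.path.join(os.environ.get("WINDIR", r"C:\Windows"), "system32"),
                   os.path.join(os.environ.get("SystemDrive", "C:"), "Temp"),
                   os.environ.get("TEMP", tempfile.gettempdir())]:
        for name, (md5, sha256) in hash_pe_files(folder).items():
            print(md5, sha256, name)
```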

I hope that you find the update(s) useful and, as always, if you come across anything to help make the collection better, or if there is a feature or option you would like to add or see, please let me know! - download here

MD5: 8603e36be474e8b69c652e5dc86adc2e
SHA-256: ec79422ce2e7218a7bc57b0caf52a5eae2eca98810ac466dddac1115aade493e 

Updated: December 12, 2016

