Pentest Tools

Published on January 30th, 2016 📆 | 7085 Views ⚑

0

FastIR Collector – Windows Incident Response Tool


iSpeech.org

This tool collects different artefacts on live Windows and records the results in csv files. With the analyses of this artefacts, an early compromission can be detected.

[adsense size='1']
Requirements

  • pywin32
  • python WMI
  • python psutil
  • python yaml
  • construct
  • distorm3
  • hexdump
  • pytz

Execution

  • ./fastIR_x64.py -h for help
  • ./fastIR_x64.py --packages all extract all artefacts without dump package artefacts
  • ./fastIR_x64.py --packages dump --dump mft to extract MFT
  • ./fastIR_x64.py --packages all --ouput_dir your_ouput_dir to set the directory output (by default is the current directory)
  • ./fastIR_x64.py --profile you_file_profile to set your own profile extraction

Packages
Packages Lists and Artefact

  • fs
    • IE History
    • Named Pipes
    • Prefetch
    • Recycle-bin
    • health
    • ARP Table
    • Drives list
    • Network drives
    • Networks Cards
    • Processes
    • Routes Tables
    • Tasks
    • Scheluded jobs
    • Services
    • Sessions
    • Network Shares
    • Sockets
  • registry
    • Installer Folders
    • OpenSaveMRU
    • Recents Docs
    • Services
    • Shellbags
    • Autoruns
    • USB History
    • Userassists
  • memory
    • Clipboard
    • dlls loaded
    • Opened Files
  • dump
  • FileCatcher
    • based on mime type
    • possibility to filter your search
    • Yara Rules

The full documentation can be download here:https://github.com/SekoiaLab/Fastir_Collector/blob/master/documentation/FastIR_Documentation.pdf
A post about FastIR Collector and advanced Threats can be consulted here: https://www.sekoia.fr/blog/fastir-collector-on-advanced-threats
with the paper: https://www.sekoia.fr/blog/wp-content/uploads/2015/10/FastIR-Collector-on-advanced-threats_v1.4.pdf

[adsense size='3']

Download Fastir_Collector



Leave a Reply

Your email address will not be published.