Security Ripcord

Cutaway Security Blog and Projects

Deploying GRR Clients With GRR Docker

For the TL;DR crowd: GRR Rapid Response can be configured to run on a development or small test network using GRR Docker. The GRR setup requires a repack of the GRR client, as described in the repacking the client documentation, and installation of the clients, as described in the GRR Quick Start: Install the Clients documentation. There are a few caveats to getting it configured so that the GRR clients can communicate with the GRR server running in Docker. These steps are covered in this blog post.

In last week's blog post, Creating a Docker IEEE 802.15.4 Toolkit, I talked about getting Docker up and running to test GRR Rapid Response. Installing GRR Docker is straightforward and outlined in GRR's Getting Started documentation. I will begin from there.

Creating a Docker IEEE 802.15.4 Toolkit

For the tl;dr crowd: I have started a project to consolidate IEEE 802.15.4 testing tools into a Docker image, cutaway/dot15d4_toolkit, and a GitHub repo, cutaway/dot15d4_toolkit. The Dockerfile in this project is designed to build, install, and run River Loop Security's version of Killerbee, my implementation of Scapy-com, atlas's rfcat, and Josh Wright's Killerzee.

While trying to understand Google's GRR Rapid Response framework, I worked with the GRR Docker example deployment. Since I don't have any experience with Docker, I decided I needed to understand what GRR Docker was actually doing to get a grasp of how to communicate with systems running as a Docker container. I figured the best way to do this was to implement a simple Docker container of my own, other than the Docker Hello World.

Review OSX Program File Interactions Using Fslogger-yaml-parser

For the tl;dr crowd: fslogger-yaml has been updated to provide better user interaction for outputting data to files or remote UDP servers. The Python parser has also been updated to provide analysis of the processes detected and the files they modified. The parser is designed to be modular and easily extended by users.

When we last left fslogger-yaml, it did not have a script to easily parse the data and provide analysis of the events. Actually, as I discovered during troubleshooting, when we last left fslogger-yaml it did not work properly. Both of these issues have been addressed.
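To make the "modular, easily extended parser" idea concrete, here is an added example of the analysis pattern: a small Python script that reads file-system event records, groups the files each process touched, and runs a registry of analyzer functions that a user can extend by adding one more function. This is example code written for this page, not fslogger-yaml's own parser. The record format (YAML documents separated by `---`, one `key: value` per line) and the sample events are constructed for the example and are not the project's real output format; the "writes under LaunchAgents/LaunchDaemons" heuristic is likewise an assumption added here, not a rule from the project.

```python
"""Toy analysis pass over file-system event records, in the spirit of the
fslogger-yaml parser.  Added example, not the project's code: the record
format below is a constructed YAML subset (documents separated by '---',
one 'key: value' pair per line), NOT fslogger-yaml's actual output."""
from collections import defaultdict

# Constructed sample: four events from two processes.
SAMPLE_LOG = """\
---
pid: 412
process: /usr/bin/python
path: /Users/demo/Library/LaunchAgents/com.example.update.plist
type: FSE_CREATE_FILE
---
pid: 412
process: /usr/bin/python
path: /Users/demo/Library/LaunchAgents/com.example.update.plist
type: FSE_CONTENT_MODIFIED
---
pid: 88
process: /Applications/TextEdit.app/Contents/MacOS/TextEdit
path: /Users/demo/notes.txt
type: FSE_CONTENT_MODIFIED
---
pid: 412
process: /usr/bin/python
path: /tmp/.stage
type: FSE_CREATE_FILE
"""


def parse_records(text):
    """Split the constructed '---'-separated stream into a list of dicts."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if line == "---":
            if current:
                records.append(current)
            current = {}
        elif line and ":" in line:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


# Analysis modules: each takes the record list and returns a result.
# A user extends the parser by registering one more function here.
ANALYZERS = {}


def analyzer(name):
    def register(func):
        ANALYZERS[name] = func
        return func
    return register


@analyzer("files_by_process")
def files_by_process(records):
    """(process path, pid) -> sorted list of files that process touched."""
    touched = defaultdict(set)
    for r in records:
        touched[(r["process"], int(r["pid"]))].add(r["path"])
    return {k: sorted(v) for k, v in touched.items()}


# Assumed heuristic for this example (not from the project): creates or
# modifications under LaunchAgents/LaunchDaemons deserve a second look
# because they are common persistence locations on OS X.
PERSISTENCE_DIRS = ("/Library/LaunchAgents/", "/Library/LaunchDaemons/")
WRITE_EVENTS = ("FSE_CREATE_FILE", "FSE_CONTENT_MODIFIED")


@analyzer("persistence_writes")
def persistence_writes(records):
    """Sorted (process, pid, path) tuples that wrote into persistence dirs."""
    hits = set()
    for r in records:
        if r["type"] in WRITE_EVENTS and any(d in r["path"] for d in PERSISTENCE_DIRS):
            hits.add((r["process"], int(r["pid"]), r["path"]))
    return sorted(hits)


def run_all(text):
    """Parse the stream once and run every registered analyzer over it."""
    records = parse_records(text)
    return {name: fn(records) for name, fn in ANALYZERS.items()}


if __name__ == "__main__":
    for name, result in run_all(SAMPLE_LOG).items():
        print(name)
        items = result if isinstance(result, list) else result.items()
        for item in items:
            print("  ", item)
```

Each analyzer sees the same parsed record list and returns its own result, so adding a new check (say, writes to `/etc` or unusual parent processes) is one decorated function and touches nothing else; the parsing stays in one place and the sample stream can be swapped for a real file read.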

Monitor Changes in OS X Using Fslogger-yaml

For the TL;DR crowd: fslogger-yaml project page.

The release of EmPyre caused me to start thinking about the Indicators of Compromise (IOCs) associated with it being used to interact with a system. The network artifacts, while they do need to be investigated, seem fairly straightforward to me. I am more interested in the system-based IOCs.

Since I've been out of the forensic arena for a while, I quickly realized that I have no idea how to track changes to a system running OS X. There are, of course, system logs and Apple System Log (ASL) files. These do provide valuable information, but they do not track everything. I wanted something that would provide enough detail to assist in the generation of consistent IOCs.

Volatility OSX 10.8.5_12f37 Analysis Attempt

For the TL;DR crowd: there is nothing ground-breaking here. This is just a post to document some of the steps that I took to get back up to speed with memory analysis, a how-to.

The other day I was involved with a situation that involved collecting and analyzing the memory of an Apple system. I have to admit, it has been a while since I've collected and analyzed the memory of any system. I was eager to get the memory dump and do a little checking of my own to get back up to speed with the capabilities of tools like Memoryze and Volatility.

The system was a Mac OS X Mountain Lion (10.8) 64-bit system, and therefore memory was collected and analyzed with Memoryze for Mac. It was an easy process and produced the results required to gain an understanding of the system at that moment. A quick check of the system call list, using Memoryze, confirmed the OS version.

Test Post0

This is a test post. We will test links and pictures later.

Go forth and do good things, cutaway