-
Notifications
You must be signed in to change notification settings - Fork 6
/
notes.txt
75 lines (53 loc) · 2.79 KB
/
notes.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
######################################################################
The self contained binary winpmem.exe
-------------------------------------
This program is easiest to use for incident response since it requires no other
dependencies than the executable itself. The program will load the correct
driver (32 bit or 64 bit) automatically.
c:\..> winpmem_1.3.exe -h
Winpmem - A memory imager for windows.
Copyright Michael Cohen ([email protected]) 2012.
Version 1.3. Built Nov 12 2012
Usage:
winpmem_1.3.exe [option] [output path]
Option:
-l Load the driver and exit.
-u Unload the driver and exit.
-h Display this help.
-w Turn on/off write mode.
-1 Use MmMapIoSpace method.
-2 Use \\Device\PhysicalMemory method (Default).
-d Produce a crashdump file.
########################################################################
NOTE: changed backend server to cherrypy and to do so installed with pip install the wsgiserver
installed cherrypy-wsgiserver using this repo https://github.com/od-eon/cherrypy-wsgiserver
and copied the wsgiserver folder to the C:\Python27\Lib\site-packages\CherryPy-12.0.1-py2.7.egg\cherrypy folder
in order to see the functions
Update on cherrypy: using only pip install cherrypy worked for an installation on a VM,
but because there is a migration from wsgiserver to cheroot i installed CherryPy using
the following command pip install "cherrypy>=3.0.8,<9.0.0"
for agent to start give command line argument -agent and to stop it ctrl+c
time interval is given in minutes
installed ioc_parser (https://github.com/armbues/ioc_parser) through pip and through downloading and python setup.py install
but on windows coundn't see the package and i had to rename first the file iocp (C:\Users\Stratarxis\Downloads\ioc_parser-master\ioc_parser-master\bin)
to iocp.py and then move it one folder up in order to see the folder iocp which was needed to run
installed openpyxl to precess excel files
PROBLEMS WITH PDF PARSING
-------------------------
Alerts DL-2011 Alerts-A-2011-02-18-01 Night Dragon Attachment 1.pdf had a problem with parsing
Dark_Seoul_Cyberattack had a problem with parsing
DTL_06282015_01.pdf also
energy_at_risk.pdf
h12756_wp_shell_crew [ERROR] Text extraction is not allowed: <open file 'C:\\Users\\Stratarxis\\Downloads\\LoRa\\server\\signature-base\\pdf\\h12756-wp-shell-crew.pdf', mode 'rb' at 0x00000000068CD8A0>
solved it with printing pdf as xps and then printing the xps as pdf. DTL again cannot be parsed
IOC Term Definitions
https://github.com/mandiant/OpenIOC_1.1/blob/master/IOC_Terms_Defs.md
RAST VS LOKI VERSIONS OF DISK AND MEM SCAN
------------------------------------------
disk:
rast only does rule match - loki filename and hash check
mem:
loki checks proc connections
loki checks Sysforensics
working size
See threat miner site