Wednesday, November 20, 2013

Procedure: Parsing Windows 7 Registry Hives with auto_rip

One of my favorite tools, or combination of tools I should say, is RegRipper and auto_rip, created by Harlan Carvey and Corey Harrell respectively. I use these two tools together (among other feeds) to rapidly assess potentially compromised systems, in an attempt to understand quickly what nefarious activities I could be faced with. I have integrated these tools as part of my Rapid Assessment and Triage for alerts that I get sent from the SOC.

Even before I consider the need for a full disk image capture, I will use this procedure, "Parsing Windows 7 Registry Hives with auto_rip", to assist in that decision-making process. Quite often it has weeded out false positives and placed the staff back on stand-by.

Please take a look and comment if you can. I encourage feedback and would really like to see some input/ideas on how other folks may be using these tools.

The procedure can be viewed here via Google Drive.

Until next time, take care.

Mr. Orinoco
