Using your vulnerability scanner to perform Incident Response

This is a post I've been thinking about writing for some time now, as I was sitting at work one day. Why not use a tool we already have to do some IR on a suspect system? We have Nessus and we use it to scan systems all over the network, so I know I can log into the system remotely. This would save me time and speed up my preliminary investigations. I mean, Nessus already has plenty of plugins that will report on useful IR information; it's just that people have probably never thought to use it that way. So here are the plugins I've come up with to try and do some preliminary IR with Nessus.

Here is a list of the information that I need:
- Running Processes
70329 Microsoft Windows Process Information

- Active Connections
34220 Netstat Portscanner (WMI)
58651 Netstat Active Connections
64582 Netstat Connection Information

- AutoRuns (Checking for persistence)
70615 Microsoft Windows AutoRuns Boot Execute
70621 Microsoft Windows AutoRuns Logon
70625 Microsoft Windows AutoRun Scheduled Tasks

- Network Shares
10396 Microsoft Windows SMB Shares Access
10395 Microsoft Windows SMB Shares Enumeration
24271 SMB Shares File Enumeration (via WMI)
42411 Microsoft Windows SMB Shares Unprivileged Access

- Accounts
10910 Microsoft Windows Local User Information
10902 Microsoft Windows 'Administrators' Group User List
10908 Microsoft Windows 'Domain Administrators' Group User List

Using these plugins, I can grab some IR information from the suspect machine that could help me quickly determine whether I need to investigate the system further.
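As an added example (not part of the original post and not Tenable's code), here is one way to pull just these plugins' output out of a scan exported in the `.nessus` XML format and group it by triage category. The function names, the host address and the sample plugin output are constructed for illustration; real plugin output text will differ.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Plugin IDs from the list above, grouped by the triage question they answer.
IR_PLUGINS = {
    "Running Processes": {70329},
    "Active Connections": {34220, 58651, 64582},
    "AutoRuns": {70615, 70621, 70625},
    "Network Shares": {10396, 10395, 24271, 42411},
    "Accounts": {10910, 10902, 10908},
}
CATEGORY_OF = {pid: cat for cat, pids in IR_PLUGINS.items() for pid in pids}

# Constructed sample in the .nessus (NessusClientData_v2) layout; not real scan data.
SAMPLE = """<NessusClientData_v2><Report name="ir-triage">
<ReportHost name="192.0.2.10">
<ReportItem pluginID="70329" pluginName="Microsoft Windows Process Information" port="0">
<plugin_output>Process Overview :
|- svchost.exe (624)
|- updater.exe (3312)</plugin_output></ReportItem>
<ReportItem pluginID="58651" pluginName="Netstat Active Connections" port="0">
<plugin_output>tcp4 (established) src: [host=192.0.2.10, port=49712] dst: [host=198.51.100.7, port=443]</plugin_output></ReportItem>
<ReportItem pluginID="99999" pluginName="Unrelated (constructed)" port="0"><plugin_output>n/a</plugin_output></ReportItem>
</ReportHost></Report></NessusClientData_v2>"""

def triage(nessus_xml):
    """Return {host: {category: [(plugin_id, name, output), ...]}} for IR plugins only."""
    results = defaultdict(lambda: defaultdict(list))
    root = ET.fromstring(nessus_xml)
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            pid = int(item.get("pluginID", "0"))
            category = CATEGORY_OF.get(pid)
            if category is None:
                continue  # not one of the IR plugins listed in the post
            output = (item.findtext("plugin_output") or "").strip()
            results[host.get("name")][category].append((pid, item.get("pluginName"), output))
    return results

def missing_categories(host_results):
    """Categories with no output for this host (e.g. plugin not enabled or credentialed check failed)."""
    return [cat for cat in IR_PLUGINS if cat not in host_results]

if __name__ == "__main__":
    for host, cats in triage(SAMPLE).items():
        for cat, items in cats.items():
            for pid, name, out in items:
                print(f"[{host}] {cat} / {pid} {name}\n{out}\n")
        print(f"[{host}] no output for: {', '.join(missing_categories(cats))}")
```

A category that comes back empty is worth checking before drawing conclusions, since it can mean the plugin was not in the scan policy rather than that there was nothing to report.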

