Using your vulnerability scanner to perform Incident Response

This is a post I've been thinking about writing for some time now as I was sitting at work one day. Why not use a tool we already have to do some IR on a suspect system? We have Nessus and we use it to scan systems all over the network so I know I can log into the system remotely. This would save me time and speed up my preliminary investigations. I mean Nessus already has plenty of plugins that will report on useful IR information just people have probably never thought to use it that way. So here are the plugins I've come up with to try and do some preliminary IR with Nessus.

Here is a list of the information that I need:
- Running Processes
70329 Microsoft Windows Process Information

- Active Connections
34220 Netstat Portscanner (WMI)
58651 Netstat Active Connections
64582 Netstat Connection Information

- AutoRuns (Checking for persistence)
70615 Microsoft Windows AutoRuns Boot Execute
70621 Microsoft Windows AutoRuns Logon
70625 Microsoft Windows AutoRun Scheduled Tasks

- Network Shares
10396 Microsoft Windows SMB Shares Access
10395 Microsoft Windows SMB Shares Enumeration
24271 SMB Shares File Enumeration (via WMI)
42411 Microsoft Windows SMB Shares Unprivileged Access

- Accounts
10910 Microsoft Windows Local User Information
10902 Microsoft Windows 'Administrators' Group User List
10908 Microsoft Windows 'Domain Administrators' Group User List

Using these plugins you can grab some IR information from the suspect machine that could help me quickly determine if I need to further investigate the system.


Comments

Post a Comment

Popular posts from this blog

And now for something completely different...

Over the course of my INFOSEC career I've worked in many different positions. IDS, network analysis, pentester, mobile application testing and a few others but one area has always stoked my interest. Vulnerability development is an area I wish I knew more about along with having a better grasp of reversing software. So over the next few months I've decided to try and fuel that interest by jumping into the world of fuzzing. I have chosen to start messing around with american fuzzy lop (AFL)  and see if I can find my first CVE. So here goes nothing.
Read more

Been awhile hasn't it.

It's been over a year since the last time I posted anything so I'll give a quick update. The whole AFL thing didn't pan out as much as I'd like as I never really made time for it. I did add another child into the world so I got that going for me. As for work, I'm still at Cisco Talos doing the Detection Response Team (DRT) stuff, basically creating rules for Snort and sigs for ClamAV. That's going ok, gets a little mundane at times as I'm a researcher by trade and love looking into different things, especially mobile stuff, but overall I feel it's going well. At least no one has told me otherwise. That's pretty much it for me over the last year so lets start on some new exciting info. I recently went to TROOPERS  for TROOPERS19 and it was awesome. For those that don't know, it is a computer security conference in Heidelberg, Germany that takes place in March time frame. The city of Heidelberg was beautiful and the content of the conference was
Read more

Testing Joomla for CVE-2015-8562

Over the last couple of days I've been responding to question about Joomla's 0-day which has been gaining some attention lately. I decided to write a PowerShell script to check a Joomla server if it is running the at least 3.4.6 or 3.4.7. Hope you enjoy it and let me know your thoughts. ############################################################################################### # # Script: CheckJoomla.ps1 # By: Tim Muniz # Date: 20151222 # ############################################################################################### <# .SYNOPSIS This script checks Joomla Version to check if the remote host is vulnerable to CVE-2015-8562. .DESCRIPTION This script checks Joomla Version to check if the remote host is vulnerable to CVE-2015-8562. .PARAMETER target a host running Joomla to test. .PARAMETER Https To test a host running SSL/TLS.  This is an optional parameter. .EXAMPLE Check remote Joomla
Read more