Thursday, July 21, 2011

Tools in the Toolbox – The Beginnings - Collection Script

Recently my team at work has started to take a more active approach to malware incident response. This is a giant step for us as we move to align more with a security standpoint than a business standpoint. With this change we are working on getting a consistent response for the collection of data from the impacted machine. Since this part interests me I have tried to take on a more active role. One thing I am working on putting together is a collection of tools that can be loaded on a collection USB and used to grab a baseline of our data.

One of the first hurdles I have overcome is the need to pass command line arguments to some of the applications to gather the detail we need. Since we are relying on a third party to gather this information, we want this to be as smooth as possible.

I am stronger in my VBScript-foo than in most of the other scripting languages out there, so I created a VBScript that supplies the command line values for my applications.
Currently it only runs Mandiant's Red Curtain. I will be adding command line support for the following:
Symantec Endpoint Protection Analysis Tool (available to Symantec Endpoint Protection clients)
Mandiant Red Curtain
Mandiant Redline (Memoryze, currently producing errors, not included)
Here is the script:
Option Explicit
' We need to identify who we are collecting information from
Dim strUser, oShell, oFSO, pathname, rc
strUser = InputBox("userID of Impacted User")

' This finds the directory the script lives in (the collection USB) so we can call the tools by full path
Set oShell = CreateObject("WScript.Shell")
Set oFSO = CreateObject("Scripting.FileSystemObject")
oShell.CurrentDirectory = oFSO.GetParentFolderName(WScript.ScriptFullName)
pathname = oShell.CurrentDirectory

' Run each command line in its own console window (1 = normal window, False = do not wait for it to finish).
' The path is quoted and joined with a backslash so it also works when the USB folder name contains spaces.
' Getting the Red Curtain report and saving it next to MRCAgent.exe as <userID>.xml
rc = oShell.Run("cmd /K CD /D """ & pathname & "\Red_Curtain"" & MRCAgent.exe epcompilersigs.dat eppackersigs.dat roamingsigs -r c:\ " & strUser & ".xml", 1, False)
' Getting the SEP Support Tool report and saving it under Results on the USB
rc = oShell.Run("cmd /K CD /D """ & pathname & "\SEP_Tools"" & Sep_SupportTools.exe -noup -def -fg -lp -out """ & pathname & "\Results""", 1, False)
' Getting the Redline and Memoryze report and saving it (not added yet)
Set oShell = Nothing
Set oFSO = Nothing

Disclaimer:
This code is provided as is, with no warranty. It is designed to make my life easier, and hopefully yours as well.

Known Issues:
It opens a new command prompt for each task and runs all the tasks simultaneously.
I would like it to run them in order, one at a time, so the information is not corrupted; running them in the same window would be great as well.
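One way to get the sequential, single-window behaviour described in the known issues, as an added example that is not the script from this post: instead of launching one cmd window per tool with bWaitOnReturn = False, the script writes the tool command lines into a batch file on the USB and runs that one file with bWaitOnReturn = True, so the VBScript blocks until every tool has finished and each tool starts only after the previous one exits. It assumes the same folder layout as the post (Red_Curtain\, SEP_Tools\ and Results\ next to the .vbs on the USB) and reuses the MRCAgent.exe and Sep_SupportTools.exe command lines quoted above; writing the Red Curtain XML to a full path under Results\ rather than next to MRCAgent.exe is an assumption about what MRCAgent accepts. The SafeName and TimeStamp helpers are hypothetical names introduced here.

```vbscript
' Added example, not the original post's script: run the collection tools one after
' another in a single console window by generating a batch file and waiting on it.
' Assumes the post's USB layout: Red_Curtain\, SEP_Tools\ and Results\ beside this .vbs.
Option Explicit

Dim oShell, oFSO, strUser, pathname, resultsDir, logFile, batchPath, oBatch, rc

strUser = InputBox("userID of Impacted User")
If strUser = "" Then WScript.Quit 1
' The user ID ends up in a file name and on a command line, so strip anything unusual from it
strUser = SafeName(strUser)

Set oShell = CreateObject("WScript.Shell")
Set oFSO = CreateObject("Scripting.FileSystemObject")
pathname = oFSO.GetParentFolderName(WScript.ScriptFullName)

' One results folder per collection, so a second run for the same user does not overwrite the first
If Not oFSO.FolderExists(pathname & "\Results") Then oFSO.CreateFolder pathname & "\Results"
resultsDir = pathname & "\Results\" & strUser & "_" & TimeStamp()
oFSO.CreateFolder resultsDir
logFile = resultsDir & "\collect.log"

' Generate the batch file: every tool runs in order, in the same window, and its exit code is logged
batchPath = resultsDir & "\collect.cmd"
Set oBatch = oFSO.CreateTextFile(batchPath, True)
oBatch.WriteLine "@echo off"
oBatch.WriteLine "echo Collection for " & strUser & " started %DATE% %TIME% > """ & logFile & """"
' Red Curtain (command line from the post); output goes to the USB, not to the suspect disk
oBatch.WriteLine "cd /d """ & pathname & "\Red_Curtain"""
oBatch.WriteLine "MRCAgent.exe epcompilersigs.dat eppackersigs.dat roamingsigs -r c:\ """ & resultsDir & "\" & strUser & ".xml"""
oBatch.WriteLine "echo MRCAgent exit code %ERRORLEVEL% >> """ & logFile & """"
' SEP Support Tool (command line from the post)
oBatch.WriteLine "cd /d """ & pathname & "\SEP_Tools"""
oBatch.WriteLine "Sep_SupportTools.exe -noup -def -fg -lp -out """ & resultsDir & """"
oBatch.WriteLine "echo Sep_SupportTools exit code %ERRORLEVEL% >> """ & logFile & """"
oBatch.WriteLine "echo Collection finished %DATE% %TIME% >> """ & logFile & """"
oBatch.Close

' Third argument True: Run blocks until cmd /C returns, which is only after the whole batch file has run
rc = oShell.Run("cmd /C """ & batchPath & """", 1, True)
WScript.Echo "Collection finished with exit code " & rc & ". Results are in " & resultsDir

Set oBatch = Nothing
Set oFSO = Nothing
Set oShell = Nothing

' Hypothetical helper: keep only letters, digits, dot, dash and underscore
Function SafeName(s)
    Dim re
    Set re = New RegExp
    re.Global = True
    re.Pattern = "[^A-Za-z0-9._-]"
    SafeName = re.Replace(s, "_")
End Function

' Hypothetical helper: yyyymmdd_hhmmss for the results folder name
Function TimeStamp()
    Dim n
    n = Now
    TimeStamp = Year(n) & Right("0" & Month(n), 2) & Right("0" & Day(n), 2) & "_" & _
                Right("0" & Hour(n), 2) & Right("0" & Minute(n), 2) & Right("0" & Second(n), 2)
End Function
```

Because the batch file and the log stay on the USB next to the tool output, the collection leaves as little as possible on the impacted machine, and the log records the order, start and end times and exit codes of each tool, which is what you want when a third party is doing the collection and you need to know whether a tool actually ran. The tools themselves are being executed on a possibly compromised host, so the tool folders on the USB should be treated as read-only and the results copied off and hashed once the collection is back in your hands.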

I will update this script as I add more to it. 

Feature request: adding some Sysinternals items to it.

External Resources:
Redline on USB Drive

3 comments:

  1. Good post. Curious what the Symantec Endpoint Protection Analysis Tool is exactly. I cannot seem to find much via Google.

    Also check out TCStool's U3 Switchblade, as he has a fair amount of Win cmd line stuff scripted in the forensicsstart.bat file; it might save you some time if you want to grab that stuff.

    http://www.irongeek.com/i.php?page=videos/incident-response-u3-switchblade
  2. SEP Analysis Tool is distributed with the Symantec Endpoint Protection software. From Symantec:

    The Symantec Endpoint Protection Support Tool is a utility designed to quickly and efficiently diagnose common issues encountered with Endpoint Protection and the Endpoint Protection Manager. With this release, the utility is limited to diagnosing problems on the local computer (that is, the computer that is running the utility). If a problem is identified, the tool will direct you to a solution, or the information can be provided to Tech Support, who can guide you through the next steps.

    http://www.symantec.com/business/support/index?page=content&id=TECH91280&locale=en_US

    It has a couple of uses:
    Pre-installation check for installing the SEP Console.
    Load Point Analysis
    Power Eraser

    I will work on setting up a blog posting about this to highlight the features that we use and its capabilities.
  3. Thanks for the info and link, I'll check it out.