Cara Cek Harga Terbaru Saat Ini : August 2020

Unknown

macSubstrate is a platform tool for interprocess code injection on macOS, with the similar function to Cydia Substrate on iOS. Using macSubstrate, you can inject your plugins (.bundle or .framework) into a mac app (including sandboxed apps) to tweak it in the runtime.

All you need is to get or create plugins for your target app.
No trouble with modification and codesign for the original target app.
No more work after the target app is updated.
Super easy to install or uninstall a plugin.
Loading plugins automatically whenever the target app is relaunched.
Providing a GUI app to make injection much easier.

Prepare

Disable SIP
Why should disable SIP

System Integrity Protection is a new security policy that applies to every running process, including privileged code and code that runs out of the sandbox. The policy extends additional protections to components on disk and at run-time, only allowing system binaries to be modified by the system installer and software updates. Code injection and runtime attachments to system binaries are no longer permitted.

Usage

download macSubstrate.app, put into /Applications and launch it.
grant authorization if needed.
install a plugin by importing or dragging into macSubstrate.
launch the target app.
step 3 and step 4 can be switched
Once a plugin is installed by macSubstrate, it will take effect immediately. But if you want it to work whenever the target app is relaunched or macOS is restarted, you need to keep macSubstrate running and allow it to automatically launch at login.
uninstall a plugin when you do not need it anymore.

Plugin
macSubstrate supports plugins of .bundle or .framework, so you just need to create a valid .bundle or .framework file. The most important thing is to add a key macSubstratePlugin into the info.plist, with the dictionary value:

Key	Value
`TargetAppBundleID`	the target app's `CFBundleIdentifier`, this tells macSubstrate which app to inject.
`Description`	brief description of the plugin
`AuthorName`	author name of the plugin
`AuthorEmail`	author email of the plugin

Please check the demo plugins demo.bundle and demo.framework for details.

Xcode Templates
macSubstrate also provides Xcode Templates to help you create plugins conveniently:

ln -fhs ./macSubstratePluginTemplate ~/Library/Developer/Xcode/Templates/macSubstrate\ Plugin
Launch Xcode, and there will be 2 new plugin templates for you.

Security

SIP is a new security policy on macOS, which will help to keep you away from potential security risk. Disable it means you will lose the protection from SIP.
If you install a plugin from a developer, you should be responsible for the security of the plugin. If you do not trust it, please do not install it. macSubstrate will help to verify the code signature of a plugin, and I suggest you to scan it using VirusTotal. Anyway, macSubstrate is just a tool, and it is your choice to decide what plugin to install.

Download macSubstrate

How it works?
* Kali Linux with XFCE Desktop Environment in Windows Subsystem for Linux (WSL)
* VcXsrv X Server for Windows is doing the hard GUI lifting
* XFCE is started natively in WSL and displayed by VcXsrv

Install Voodoo-Kali:
1, Enable WSL and install Kali Linux from the Microsoft Store. Read Install Kali Linux desktop on Windows 10 from Microsoft Store

2, To start Kali Linux in Windows 10, open Command Prompt and enter the command: kali

3, Enter this commands:
  apt install wget -y
  wget https://raw.githubusercontent.com/Re4son/WSL-Kali-X/master/install-WSL-Kali-X
  bash ./install-WSL-Kali-X

4, Download and install VcXsrv Windows X Server from SourceForge

5, Start VcXsrv, accept change in firewall rules, exit VcXsrv

Run Voodoo-Kali:
Start kali in Windows as normal user (that's default), and launch Voodoo-Kali:
* as normal user: ./start-xfce
* as root: sudo /root/xtart-xfce

Run Kali Desktop in an RDP session:
In Kali Linux WSL, type: sudo /etc/init.d/xrdp start
In Windows 10, open Run and enter mstsc.exe and connect to "127.0.0.1:3390"

Status: Voodoo-Kali is in its infancy and it is far from being elegant. I'm working on it though and step by step I'll push out improvements. Below a snippet of the To-Do list:
* Clean up and comment the scripts
* Make for a cleaner exit
* Better error handling and dependency checking (get rid of sleep, etc.)
* Improve stability of Java programs
* Improve the looks??
* …

Any help is truly appreciated, in any shape or form – from tips to pull requests.
Why don't you join the forums to discuss?

Further Information:
* Offsec – Kali Linux in the Windows App Store
* MSDN – Windows Subsystem for Linux Overview

Download Voodoo-Kali

Read more

Unknown

Ever wanted to turn your AV console into an Incident Response & Threat Hunting machine? Rastrea2r (pronounced "rastreador" - hunter- in Spanish) is a multi-platform open source tool that allows incident responders and SOC analysts to triage suspect systems and hunt for Indicators of Compromise (IOCs) across thousands of endpoints in minutes. To parse and collect artifacts of interest from remote systems (including memory dumps), rastrea2r can execute sysinternal, system commands and other 3rd party tools across multiples endpoints, saving the output to a centralized share for automated or manual analysis. By using a client/server RESTful API, rastrea2r can also hunt for IOCs on disk and memory across multiple systems using YARA rules. As a command line tool, rastrea2r can be easily integrated within McAfee ePO, as well as other AV consoles and orchestration tools, allowing incident responders and SOC analysts to collect forensic evidence and hunt for IOCs without the need for an additional agent, with 'gusto' and style!

Dependencies

Python 2.7.x
git
bottle
requests
yara-python

Quickstart

Clone the project to your local directory (or download the zip file of the project)

$git clone https://github.com/rastrea2r/rastrea2r.git
$cd rastrea2r

All the dependencies necessary for the tool to run can be installed within a virtual environment via the provided makefile.

$make help
help                           - display this makefile's help information
venv                           - create a virtual environment for development
clean                          - clean all files using .gitignore rules
scrub                          - clean all files, even untracked files
test                           - run tests
test-verbose                   - run tests [verbosely]
check-coverage                 - perform test coverage checks
check-style                    - perform pep8 check
fix-style                      - perform check with autopep8 fixes
docs                           - generate project documentation
check-docs                     - quick check docs consistency
serve-docs                     - serve project html documentation
dist                           - create a wheel distribution package
dist-test                      - test a wheel distribution package
dist-upload                    - upload a wheel distribution package

Create a virtual environment with all dependencies

$make venv
//Upon successful creation of the virtualenvironment, enter the virtualenvironment as instructed, for ex:
$source /Users/ssbhat/.venvs/rastrea2r/bin/activate

Start the rastrea2r server by going to $PROJECT_HOME/src/rastrea2r/server folder

$cd src/rastrea2r/server/
$python rastrea2r_server_v0.3.py
Bottle v0.12.13 server starting up (using WSGIRefServer())...
Listening on http://0.0.0.0:8080/

Now execute the client program, depending on which platform you are trying to scan choose the target python script appropriately. Currently Windows, Linux and Mac platforms are supported.

$python rastrea2r_osx_v0.3.py -h
usage: rastrea2r_osx_v0.3.py [-h] [-v] {yara-disk,yara-mem,triage} ...

Rastrea2r RESTful remote Yara/Triage tool for Incident Responders

positional arguments:  {yara-disk,yara-mem,triage}

modes of operation
 yara-disk           Yara scan for file/directory objects on disk
 yara-mem            Yara scan for running processes in memory
 triage              Collect triage information from endpoint

optional arguments:
 -h, --help            show this help message and exit
 -v, --version         show program's version number and exit


Further more, the available options under each command can be viewed by executing the help option. i,e

$python rastrea2r_osx_v0.3.py yara-disk -h
usage: rastrea2r_osx_v0.3.py yara-disk [-h] [-s] path server rule

positional arguments:
path          File or directory path to scan
server        rastrea2r REST server
rule          Yara rule on REST server

optional arguments:
-h, --help    show this help message and exit
-s, --silent  Suppresses standard output

For ex, on a Mac or Unix system you would do:

$cd src/rastrea2r/osx/

$python rastrea2r_osx_v0.3.py yara-disk /opt http://127.0.0.1:8080/ test.yar

Executing rastrea2r on Windows

Apart from the libraries specified in requirements.txt, we need to install the following libraries
- PSutil for win64: https://github.com/giampaolo/psutil
- WMI for win32: https://pypi.python.org/pypi/WMI/
- Requests: pip install requests
Compiling rastrea2r
Make sure you have all the dependencies installed for the binary you are going to build on your Windows box. Then install:
- Pywin32: http://sourceforge.net/projects/pywin32/files/ ** Windows only
- Pyinstaller: https://github.com/pyinstaller/pyinstaller/wiki

Currently Supported functionality

yara-disk: Yara scan for file/directory objects on disk
yara-mem: Yara scan for running processes in memory
memdump: Acquires a memory dump from the endpoint ** Windows only
triage: Collects triage information from the endpoint ** Windows only

Notes
For memdump and triage modules, SMB shares must be set up in this specific way:

Binaries (sysinternals, batch files and others) must be located in a shared folder called TOOLS (read only)

\path-to-share-foldertools
Output is sent to a shared folder called DATA (write only)

\path-to-share-folderdata
For yara-mem and yara-disk scans, the yara rules must be in the same directory where the server is executed from.
The RESTful API server stores data received in a file called results.txt in the same directory.

Contributing to rastrea2r project
The Developer Documentation provides complete information on how to contribute to rastrea2r project

Demo videos on Youtube

Video 1: Incident Response / Triage with rastrea2r on the command line - https://youtu.be/uFIZxqWeSyQ
Video 2: Remote Yara scans with rastrea2r on the command line - https://youtu.be/cnY1yEslirw
Video 3: Using rastrea2r with McAfee ePO - Client Tasks & Execution - https://youtu.be/jB17uLtu45Y

Presentations

rastrea2r at BlackHat Arsenal 2016 (check PDF for documentation on usage and examples) https://www.blackhat.com/us-16/arsenal.html#rastrea2r
https://github.com/aboutsecurity/Talks-and-Presentations/blob/master/Ismael_Valenzuela-Hunting_for_IOCs_rastrea2r-BH_Arsenal_2016.pdf
Recording of talk on rastrea2r at the SANS Threat Hunting Summit 2016
https://www.youtube.com/watch?v=0PvBsL6KKfA&feature=youtu.be&a

Credits & References

To Robert Gresham Jr. (@rwgresham) and Ryan O'Connor (@_remixed) for their contributions to the Triage module. Thanks folks!
To Ricardo Dias for the idea of using a REST server and his great paper on how to use Python and Yara with McAfee ePO: http://www.sans.org/reading-room/whitepapers/forensics/intelligence-driven-incident-response-yara-35542

Download Rastrea2R

Sunday, August 30, 2020

macSubstrate - Tool For Interprocess Code Injection On macOS

Related posts

Voodoo-Kali - Kali Linux Desktop On Windows 10

Rastrea2R - Collecting & Hunting For IOCs With Gusto And Style

Related word

Total Pageviews