onigiri - remote malware triage script
Check my blog about the purpose.
- You need both Python x86 (for Volatility) and x64 (for the F-Response COM DLLs) if the installed F-Response binaries are 64-bit
  - Set the x86 Python path in g_x86_python_path or specify the -p option
- Volatility installation
  - Set the vol.py and plugins paths in g_vol_path and g_vol_plugins_path, or specify the -o and -l options
- openioc_scan
- FTK Imager CLI version
  - Set the path in g_ftk_path or specify the -t option
- examiner: tcp/5681
- victim: tcp/3260-3261 (Consultant), tcp/445 (Consultant+Covert, Enterprise)
- Set the examiner IP, username and password for iSCSI authentication, and enable PhysicalMemory and FlexdiskAPI
- Save fresponse.ini from the F-Response Consultant Connector (Consultant and Consultant+Covert only)
- Run the F-Response License Manager Monitor on the examiner machine, then start it
- Run the F-Response agent program on the victim machine, then start it using the GUI tools (Consultant and Consultant+Covert only)
- Run this script and check the result
- Type -h for help
- Specify the folder path containing fresponse.ini (Consultant and Consultant+Covert only). fresponse.ini should be generated by the Consultant Connector, not the Enterprise Management Console
- Specify the credentials of a domain admin or the local built-in Administrator account (Enterprise only)
If you get any errors about win32com, try the following:
- Check the architecture of the COM DLL (e.g., FCCCTRLx64.dll, FEMCCTRLx64.dll). You need x64 Python and win32com for an x64 DLL.
- Check the COM API CLSIDs in the registry (e.g., search for FCCCTRL or FEMCCTRL). If they are not found, register the COM DLLs with the regsvr32 command. You need the x86 regsvr32 (under C:\Windows\SysWOW64) if your COM DLL is the 32-bit version.

```
regsvr32 "C:\Program Files\F-Response\FEMCCTRLx64.dll"
```
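As an added example (not part of onigiri or of F-Response), a Python 3 preflight check covering both points above: it reads the COFF Machine field of a COM DLL to compare its architecture with the running interpreter's bitness, and looks up the ProgID that appears in the traceback further down (FEMCCTRL.Machine.1) under HKEY_CLASSES_ROOT to confirm the DLL is registered. The script name and the constructed stub PE header are assumptions.

```python
import struct
import sys

# COFF Machine values from the PE format specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
MACHINE_BITS = {IMAGE_FILE_MACHINE_I386: 32, IMAGE_FILE_MACHINE_AMD64: 64}

def pe_machine(data):
    """Return the COFF Machine field of the PE image in `data` (bytes)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine

def python_bits():
    # 64-bit CPython has a 64-bit sys.maxsize; 32-bit builds do not.
    return 64 if sys.maxsize > 2 ** 32 else 32

def dll_matches_python(data, interpreter_bits=None):
    """True when the DLL's architecture equals the interpreter's bitness."""
    bits = interpreter_bits if interpreter_bits is not None else python_bits()
    return MACHINE_BITS.get(pe_machine(data)) == bits

def progid_registered(progid):
    """True if HKCR\\<progid>\\CLSID exists; None when not running on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, progid + r"\CLSID")
        return True
    except OSError:
        return False

def stub_pe(machine):
    """Constructed minimal MZ/PE header (not a real DLL), used for offline testing."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    return dos + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18

if __name__ == "__main__":  # usage: python check_com_dll.py FEMCCTRLx64.dll
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "matches" if dll_matches_python(f.read()) else "does NOT match",
                  "%d-bit Python" % python_bits())
    print("FEMCCTRL.Machine.1 registered:", progid_registered("FEMCCTRL.Machine.1"))
```

Run it with the same interpreter you intend to run onigiri with, since the bitness comparison is against that process.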
I checked that physical memory acquisition through F-Response didn't work under some conditions:
- The target OS is Win8.1 x64
- The RAM size is large (e.g., 8GB or 16GB)
Specifically, process data structures (_EPROCESS) become null. I sent the report to F-Response and I'm waiting for the reply.
If you have the commercial version of DumpIt, you can use it together with PsExec for secure memory acquisition (specify the -a option and more).
Unless you start the GUI application (Consultant Connector or Enterprise Management Console), you may encounter the following exception:
```
Traceback (most recent call last):
  File "onigiri.py", line 476, in <module>
    main()
  File "onigiri.py", line 463, in main
    fres.acquire(args.ram, file_cats, args.scan, args.alternative)
  File "onigiri.py", line 260, in acquire
    self.acquire_ram(computer, alternative)
  File "onigiri.py", line 53, in acquire_ram
    targets = victim.Targets
  File "C:\Python27_x64\lib\site-packages\win32com\client\dynamic.py", line 511, in __getattr__
    ret = self._oleobj_.Invoke(retEntry.dispid,0,invoke_type,1)
pywintypes.com_error: (-2147352567, 'Exception occurred.', (0, u'FEMCCTRL.Machine.1', u'iSCSI failed with a non-standard error, please contact support and provide the HRESULT code indicated.', None, 0, -268500930), None)
```
Please run the GUI app before using onigiri.
Onigiri is a Japanese soul food, made with plain rice, wrapped in nori (seaweed), sometimes filled with pickled ume (umeboshi), kombu, tarako, or any other salty or sour ingredient as a natural preservative. Onigiri makes rice portable and easy to eat as well as preserving it. I named this tool after its convenience, inspired by Noriben.
GNU GPLv2