Events Ripper Updates

I updated an Events Ripper plugin recently, and added two new ones. I tend to do this when I see something new, so that I don't have to remember to run a command, check a box on a checklist, or take some other step. If I have to do any of these, I'm not going to remember these steps, so instead I just create a plugin, drop it into the "plugins" folder, and it gets run every time, for every investigation. What's really cool is that I can re-run Events Ripper after I add additional Windows Event Log files to the mix, or after creating a new plugin (or updating a current one); most often, it's just hitting the up-arrow while in the command prompt, and boom, it's done.

Here’s a look at the updates:

bitsclient.pl – I added some filtering capabilities to this plugin, so that known-good URLs (MS, Google, Chrome, etc.) don’t clutter the output with noise. There is a lot of legitimate use of BITS on a Windows system, so this log file is likely going to be full of things that aren’t a concern for the analyst, and are simply noise, obscuring the signal. I’m sure I’ll be updating this again as I see more things that need to be filtered out.

posh600.pl – I wanted a means for collecting PowerShell scripts from event ID 600 records in the Windows PowerShell Event Log, so I wrote this plugin. As with other plugins, this provides pivot points into the timeline, surfacing potentially malicious activity to the analyst more easily and using automation to speed up analysis.
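As an added illustration of the two ideas above (this is not code from Events Ripper or its author), the Python below applies a known-good domain allowlist to BITS-Client URLs and collapses Windows PowerShell event ID 600 records to their unique HostApplication command lines; the five-field TLN input layout, the domain list, the dedup-by-command-line approach and every sample record are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed TLN-style records (time|source|system|user|description); the five-field layout
# mirrors the events files Events Ripper plugins read (an assumption, as are hosts, users and paths).
SAMPLE_EVENTS = """\
1700000000|EVTX|HOST1|SYSTEM|Microsoft-Windows-Bits-Client/59;BITS started the WU Client Download job that is associated with the http://download.windowsupdate.com/c/msdownload/update.cab URL.
1700000010|EVTX|HOST1|SYSTEM|Microsoft-Windows-Bits-Client/59;BITS started the GoogleUpdate job that is associated with the https://update.googleapis.com/service/update2 URL.
1700000020|EVTX|HOST1|bob|Microsoft-Windows-Bits-Client/59;BITS started the job-7 job that is associated with the http://198.51.100.23/files/update.exe URL.
1700000030|EVTX|HOST1|bob|Windows PowerShell/600;Provider "Registry" is Started. Details: ProviderName=Registry NewProviderState=Started HostName=ConsoleHost HostApplication=powershell.exe -nop -w hidden -File C:\\Users\\bob\\AppData\\Local\\Temp\\update.ps1 EngineVersion=5.1.19041.1
1700000031|EVTX|HOST1|bob|Windows PowerShell/600;Provider "Alias" is Started. Details: ProviderName=Alias NewProviderState=Started HostName=ConsoleHost HostApplication=powershell.exe -nop -w hidden -File C:\\Users\\bob\\AppData\\Local\\Temp\\update.ps1 EngineVersion=5.1.19041.1
1700000040|EVTX|HOST1|alice|Windows PowerShell/600;Provider "Registry" is Started. Details: ProviderName=Registry NewProviderState=Started HostName=ConsoleHost HostApplication=powershell.exe -File C:\\Scripts\\inventory.ps1 EngineVersion=5.1.19041.1
"""

# Hosts whose BITS traffic is treated as noise; matched on the exact domain or a subdomain of it.
KNOWN_GOOD_DOMAINS = ("microsoft.com", "windowsupdate.com", "google.com", "googleapis.com")
URL_RE = re.compile(r"associated with the (\S+) URL")
HOSTAPP_RE = re.compile(r"HostApplication=(.*?)\s+EngineVersion=")

def parse_tln(text):
    """Split TLN lines into dicts; the description is the fifth field and may itself contain '|'."""
    events = []
    for line in text.splitlines():
        if line.strip():
            t, src, system, user, desc = line.split("|", 4)
            events.append({"time": int(t), "source": src, "system": system, "user": user, "desc": desc})
    return events

def is_known_good(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in KNOWN_GOOD_DOMAINS)

def bits_urls(events):
    """(time, user, url) for BITS-Client/59 records whose URL is not on the allowlist."""
    hits = []
    for ev in events:
        m = URL_RE.search(ev["desc"]) if ev["desc"].startswith("Microsoft-Windows-Bits-Client/59") else None
        if m and not is_known_good(m.group(1)):
            hits.append((ev["time"], ev["user"], m.group(1)))
    return hits

def posh_hostapps(events):
    """Unique HostApplication command lines from PowerShell/600 records -> (first seen, count).
    One script start emits a 600 record per provider, so collapsing on the command line cuts most of the volume."""
    seen = {}
    for ev in events:
        m = HOSTAPP_RE.search(ev["desc"]) if ev["desc"].startswith("Windows PowerShell/600") else None
        if m:
            cmd = m.group(1).strip()
            first, count = seen.get(cmd, (ev["time"], 0))
            seen[cmd] = (first, count + 1)
    return seen
```

Run `bits_urls(parse_tln(SAMPLE_EVENTS))` and `posh_hostapps(parse_tln(SAMPLE_EVENTS))` to see the one non-allowlisted BITS URL and the two distinct PowerShell command lines (one of them seen twice) that survive the filtering.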

Similar to the bitsclient.pl plugin, I took steps to reduce the volume of information presented to the analyst. Specifically, I've seen on several investigations that there are a LOT
[…]

This article has been indexed from Windows Incident Response
