At the 2014 RSA Conference in San Francisco, CrowdStrike CTO Dmitri Alperovitch and I presented the security community with a demo of CrowdResponse during the Hacking Exposed: Day of Destruction talk. As many of you who have been to my Hacking Exposed: Live presentations know, I like to demo a unique hack or release a new community tool during these presentations (this goes back to my days at Foundstone).
This year was no different. CrowdResponse is a modular Windows console application designed to aid in the gathering of host information for incident response engagements. The tool was originally written to support our CrowdStrike Services team during their incident response engagements. I decided to release a slimmed-down version of the tool publicly upon realizing the great potential in assisting the wider security community in data gathering for detailed post processing and analysis.
This initial version provides three useful built-in modules. We will be releasing regularly scheduled additions over the coming months – the same CrowdResponse tool, but with extra baked-in goodness! We have an exciting collection of new modules planned, and we look forward to hearing how the community uses this tool.
CrowdResponse supports Windows XP to Server 2012. The application contains a selection of sub-tools, or modules, each of them invoked by providing specific command line parameters to the main application, or referencing a configuration file with the parameters within.
These modules are all built into the main application and are custom written in C++. No external or third-party tools are required. In addition, the application is statically linked against the C/C++ runtime to avoid unnecessary dependencies, which makes it well suited to non-intrusive data gathering when deployed to many systems across a network. Speed was a primary design goal, so that large amounts of information can be collected quickly.
Detailed usage and a complete user guide are included in the download, but I will give a brief introduction to its usage here.
Download CrowdResponse here.
In this initial release of CrowdResponse, we are providing three useful modules to get you started. They are as follows:
DirList is the directory-listing module. This sounds quite simple, but it is actually extremely powerful.
The CrowdResponse DirList module enables the following features:
- Verify and display digital signature information
- Utilize a path exclusion/inclusion regular expression filter that acts on the full path name
- Use a file wildcard mask to limit processing to specific file name components
- SHA256 and MD5 file hashing
- Perform “quick” hash of only the first 512 bytes of the file
- Option to not hash files greater than a given size
- Display application resource information
- Select recursive listings and control recursion depth
- Display creation, modification and access times for files
- Optionally process only Windows executable (PE) files
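The feature list above describes a filtering and hashing policy rather than showing one. The following Python walker is an added example, not CrowdResponse's code (which is C++ and is not published with this post), implementing the same options: a regex include/exclude on the full path, a wildcard mask on the file name, a recursion-depth limit, PE-only selection by checking the MZ header and the PE signature at e_lfanew, full MD5/SHA256 or a 512-byte "quick" hash, a size cap above which files are listed but not hashed, and file timestamps. All function and option names and the sample tree it builds are this example's own assumptions; Authenticode verification and resource parsing need the Windows API and are left out.

```python
# Added example, not CrowdResponse code: a DirList-style triage walker.
# Function names, option names and the sample tree are this example's own.
import fnmatch
import hashlib
import os
import re
import struct
import tempfile

QUICK_HASH_BYTES = 512  # the "quick" hash covers only the first 512 bytes


def is_pe(path):
    """Cheap PE test: 'MZ' DOS header whose e_lfanew (offset 60) points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as f:
            dos = f.read(64)
            if len(dos) < 64 or dos[:2] != b"MZ":
                return False
            f.seek(struct.unpack_from("<I", dos, 60)[0])
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False


def hash_file(path, limit=None):
    """MD5 and SHA256 of the whole file, or of its first `limit` bytes, streamed."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    remaining = limit
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            chunk = f.read(65536 if remaining is None else min(65536, remaining))
            if not chunk:
                break
            for h in (md5, sha):
                h.update(chunk)
            if remaining is not None:
                remaining -= len(chunk)
    return md5.hexdigest(), sha.hexdigest()


def dirlist(root, max_depth=None, mask="*", include=None, exclude=None,
            pe_only=False, quick=False, max_hash_size=None):
    """Walk `root`; one record per file that survives the filters.
    max_depth None = unlimited, 0 = root only. mask is a wildcard on the file name;
    include/exclude are regexes searched on the full path (exclude wins). quick hashes
    only QUICK_HASH_BYTES; files above max_hash_size are listed with hashes = None."""
    inc = re.compile(include) if include else None
    exc = re.compile(exclude) if exclude else None
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        rel = os.path.relpath(dirpath, root)
        depth = 0 if rel == "." else rel.count(os.sep) + 1
        if max_depth is not None and depth >= max_depth:
            dirnames[:] = []  # prune: do not descend any further
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if not fnmatch.fnmatch(name, mask):
                continue
            if (inc and not inc.search(path)) or (exc and exc.search(path)):
                continue
            pe = is_pe(path)
            if pe_only and not pe:
                continue
            st = os.stat(path)
            if quick:
                hashed = min(st.st_size, QUICK_HASH_BYTES)
                md5, sha = hash_file(path, QUICK_HASH_BYTES)
            elif max_hash_size is not None and st.st_size > max_hash_size:
                hashed, md5, sha = 0, None, None  # too large: listed but not hashed
            else:
                hashed, (md5, sha) = st.st_size, hash_file(path)
            records.append({
                "name": name, "path": path, "size": st.st_size, "pe": pe,
                "md5": md5, "sha256": sha, "hashed_bytes": hashed,
                # st_ctime is creation time on Windows, inode-change time on POSIX
                "created": st.st_ctime, "modified": st.st_mtime, "accessed": st.st_atime})
    return records


def build_sample_tree(root):
    """Constructed sample data (not real artifacts): a minimal PE stub, a text file,
    an 'MZ' file with no PE signature, and a 2 KiB blob two directories deep."""
    pe_stub = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0" + b"\0" * 28
    files = {"svc.exe": pe_stub, "notes.txt": b"hello world\n",
             os.path.join("sub", "fake.exe"): b"MZ" + b"\0" * 94,
             os.path.join("sub", "deep", "dump.bin"): b"A" * 2048}
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def run_demo():
    """Run the walker over the constructed tree with several option sets."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {"all": dirlist(root),
                "pe_only": dirlist(root, pe_only=True),
                "depth0": dirlist(root, max_depth=0),
                "exe_mask": dirlist(root, mask="*.exe"),
                "no_sub": dirlist(root, exclude=r"[\\/]sub[\\/]"),
                "quick": dirlist(root, quick=True, mask="dump.bin"),
                "size_cap": dirlist(root, max_hash_size=1024)}


if __name__ == "__main__":
    for label, recs in run_demo().items():
        print(label, [(r["name"], r["pe"], r["hashed_bytes"]) for r in recs])
```

Run it directly or call run_demo() to see the same tree listed under each option. Two points are worth noting: a quick hash of a large file is deliberately not comparable with its full hash, so records should carry the number of bytes hashed, as hashed_bytes does here; and st_ctime is a creation time only on Windows, so a collector run on POSIX hosts should not label that column "created".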
PSList is the running-process listing module.
The CrowdResponse PSList module enables the following features:
- Verify the digital signature of the process executable
- Obtain process command line
- Obtain detailed PE file information for each process executable
- Perform SHA256 and MD5 hashes of process executables
- Enumerate loaded modules for each process
- Control PE output detail level of function names for imports and exports
- Control PE output detail level of resource information
- Control format (nested or flat) for PE file resource information
- Check for process thread injection
The YARA processing module is the one I am most excited about. YARA will be familiar to many as an incredibly useful tool aimed at helping malware researchers identify and classify malware. It can act on files on disk or in-memory process images and runs a set of pattern matching rules against the target of investigation.
While we have incorporated a fully functional version of YARA into CrowdResponse, we have made it very simple to use for analyzing all active process binaries and memory. Along with the regular ability to target a specific single-process ID or one or more files, we can automatically enumerate all running processes and launch YARA rules against them all by simply specifying a single tool option. This enables quick and easy evaluation of a system without resorting to cumbersome scripting. This functionality greatly speeds the scan time and aids a responder in quickly pinpointing adversary activity on a suspect system.
The CrowdResponse YARA module enables the following features:
- Scan memory of all currently active running processes
- Scan on-disk files of all currently active running processes
- Download YARA rule files from a provided URL
- Control target path recursion depth
- Utilize a target path exclusion/inclusion regular expression filter that acts on the full path name
- Use a file target wildcard mask to limit processing to specific file name components
- Option to only show positive hits
- Option to specify YARA rule file name mask
- Utilize a YARA file inclusion regular expression filter that acts on the full path name
- Scan all loaded module files of active processes
- Operate on a single process ID
- Optional recursion into provided YARA rules directory
We like to say that intelligence powers everything we do at CrowdStrike. We have spent a lot of time creating YARA intelligence indicators, which are consumed by our intelligence customers. CrowdResponse will allow the security community at large to consume some of the publicly available indicators that we discuss in our frequent blog posts. We are releasing several DEEP PANDA adversary indicators as a starting point for people to become familiar with the tool (for more information on DEEP PANDA, download the 2013 Global Threat Report). We will be releasing additional CrowdStrike adversary indicators over the coming months in our blog posts, along with their associated YARA rules, which can be fed directly into CrowdResponse.
I firmly believe in giving back to the security community. I have benefited personally from many public/open source tools, on which I have written extensively in Hacking Exposed: Network Security Secrets & Solutions. I truly hope CrowdResponse can be an effective weapon in your toolkit against the adversary.
Keep an eye out for more modules, as we will continue to release new functionality on a regular basis. If you have comments or questions, please join our community. Thanks again for all your support on our mission to make the security space just a little bit better. I also want to thank our resident tool ninja, Robin Keir, for building CrowdResponse. If you were a fan of the old Foundstone tools, like SuperScan, this is the guy who built them all! Finally, thanks to the entire CrowdStrike Services team – you guys are world class! If you are an organization interested in speaking to our services team about pre- and post-incident response services, please check out the services microsite for more information.
*We are grateful to Victor Alvarez for creating and providing the YARA library that is utilized in CrowdResponse. More information on YARA can be found at http://plusvic.github.io/yara/