
SANS Sift Workstation

Download: https://www.sans.org/tools/sift-workstation/ login/pass: sansforensics/forensics

Mods

VMWare crap

Reinstalling VMware Tools to get folder sharing working was brutal (the "Update VMware Tools" entry is greyed out in Fusion 12, see this thread):
https://communities.vmware.com/t5/VMware-Fusion-Discussions/Update-VMware-tools-greyed-out-in-Fusion-12/td-p/2809208
Copy linux.iso from the VMware installation directory to a location where you can mount it in the VM as a CD-ROM image.
Then copy the contents of the VMware Tools folder on that CD to /tmp and run:

tar xvzf VMwareTools-10.3.23-16594550.tar.gz 
cd vmware-tools-distrib/
./vmware-install.pl
reboot
sudo vmhgfs-fuse .host:/Share /mnt/windows_mount -o allow_other -o uid=1000

Share is the name of my shared folder in the VM settings; /mnt/windows_mount is the mount point used above.

Yara rules

Yara rules can be found on GitHub: https://github.com/Yara-Rules/rules

sudo su
cd /opt
mkdir yara
cd yara
git clone https://github.com/Yara-Rules/rules.git
chown -Rh sansforensics /opt/yara

Fix volatility-yara

https://github.com/teamdfir/sift/issues/389

  • edit /usr/local/lib/python2.7/dist-packages/volatility/plugins/malware/malfind.py
185     def __init__(self, config, *args, **kwargs):
186         taskmods.DllList.__init__(self, config, *args, **kwargs)
187         config.add_option("ALL", short_option = 'A', default = False, action = 'store_true',
188                         help = 'Scan both process and kernel memory')
189         config.add_option("CASE", short_option = 'c', default = False, action = 'store_true',
190                         help = 'Make the search case insensitive')
191         config.add_option("KERNEL", short_option = 'K', default = False, action = 'store_true',
192                         help = 'Scan kernel modules')
193         config.add_option("WIDE", short_option = 'W', default = False, action = 'store_true',
194                         help = 'Match wide (unicode) strings')
195         config.add_option('YARA-RULES', short_option = 'U', default = None,
196                         help = 'Yara rules (as a string)')

On line 189 change short_option = 'C' to 'c', and on line 195 change short_option = 'Y' to 'U'; the listing above already shows the corrected values.

If you don't, yarascan fails to load with an option conflict:

$ vol.py -f black_energy.vmem --profile=WinXPSP2x86 yarascan -h
Volatility Foundation Volatility Framework 2.6.1
Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 192, in <module>
    main()
  File "/usr/local/bin/vol.py", line 174, in main
    command = cmds[module](config)
  File "/usr/local/lib/python2.7/dist-packages/volatility/plugins/malware/malfind.py", line 190, in __init__
    help = 'Make the search case insensitive')        
  File "/usr/local/lib/python2.7/dist-packages/volatility/conf.py", line 363, in add_option
    self.optparser.add_option("-{0}".format(short_option), "--{0}".format(option), **args)
  File "/usr/lib/python2.7/optparse.py", line 1021, in add_option
    self._check_conflict(option)
  File "/usr/lib/python2.7/optparse.py", line 996, in _check_conflict
    option)
optparse.OptionConflictError: option -C/--case: conflicting option string(s): -C
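To find out which short options actually collide before editing malfind.py by hand, here is a small checker (an added example, not code from this page or from the Volatility project). It scans the plugin source line by line with a regular expression, so it assumes the option name and its short_option sit on the same line, as they do in the listing above; ASSUMED_TAKEN is a constructed stand-in for the letters the framework has already registered, not a list extracted from Volatility (build the real one from vol.py -h on your install). apply_sift_fix applies the two edits described above programmatically.

```python
"""Find short_option collisions in a Volatility 2 plugin before editing it
by hand.  Added example, not code from the SIFT page or the Volatility
project.  Assumes option name and short_option share a source line; the
set of letters treated as already taken is a constructed assumption."""
import re

# Matches e.g.  config.add_option("CASE", short_option = 'C', ...
ADD_OPTION_RE = re.compile(
    r"config\.add_option\(\s*['\"]([A-Za-z0-9_-]+)['\"].*?short_option\s*=\s*['\"]([^'\"])['\"]"
)


def find_short_option_conflicts(source, taken=None):
    """Return [(line_number, option_name, letter, owner), ...] for every
    add_option call whose short letter is already used, either by an entry
    in `taken` (letter -> owner name) or by an earlier option in `source`."""
    owners = dict(taken or {})
    conflicts = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = ADD_OPTION_RE.search(line)
        if not m:
            continue
        name, letter = m.group(1), m.group(2)
        if letter in owners:
            conflicts.append((lineno, name, letter, owners[letter]))
        else:
            owners[letter] = name
    return conflicts


def rewrite_short_option(source, option_name, new_letter):
    """Return `source` with the short_option of `option_name` set to
    `new_letter`.  Refuses to touch anything unless exactly one matching
    add_option call exists, so a typo cannot silently change nothing."""
    pattern = re.compile(
        r"(config\.add_option\(\s*['\"]%s['\"].*?short_option\s*=\s*['\"])[^'\"](['\"])"
        % re.escape(option_name)
    )
    new_source, count = pattern.subn(
        lambda m: m.group(1) + new_letter + m.group(2), source)
    if count != 1:
        raise ValueError("expected one add_option for %r, found %d"
                         % (option_name, count))
    return new_source


# Constructed excerpt modelled on the malfind.py listing *before* the fix.
SAMPLE_PLUGIN = '''
    def __init__(self, config, *args, **kwargs):
        taskmods.DllList.__init__(self, config, *args, **kwargs)
        config.add_option("ALL", short_option = 'A', default = False, action = 'store_true',
                        help = 'Scan both process and kernel memory')
        config.add_option("CASE", short_option = 'C', default = False, action = 'store_true',
                        help = 'Make the search case insensitive')
        config.add_option("KERNEL", short_option = 'K', default = False, action = 'store_true',
                        help = 'Scan kernel modules')
        config.add_option("WIDE", short_option = 'W', default = False, action = 'store_true',
                        help = 'Match wide (unicode) strings')
        config.add_option('YARA-RULES', short_option = 'Y', default = None,
                        help = 'Yara rules (as a string)')
'''

# Constructed assumption: letters registered earlier by the framework or by
# parent plugins.  Build the real list from `vol.py -h` on your own install.
ASSUMED_TAKEN = {"C": "<earlier option using -C>", "Y": "<earlier option using -Y>"}


def apply_sift_fix(source):
    """The two edits the page describes (CASE -> 'c', YARA-RULES -> 'U')."""
    source = rewrite_short_option(source, "CASE", "c")
    return rewrite_short_option(source, "YARA-RULES", "U")


if __name__ == "__main__":
    for lineno, name, letter, owner in find_short_option_conflicts(SAMPLE_PLUGIN, ASSUMED_TAKEN):
        print("line %d: %s wants -%s, already used by %s" % (lineno, name, letter, owner))
    fixed = apply_sift_fix(SAMPLE_PLUGIN)
    print("conflicts after fix:", find_short_option_conflicts(fixed, ASSUMED_TAKEN))
```

Run it against the real file with open('/usr/local/lib/python2.7/dist-packages/volatility/plugins/malware/malfind.py').read() instead of SAMPLE_PLUGIN; the reported line numbers are the ones to edit, and a second run on the rewritten text should come back empty.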

yara rules fix

Some of the malware rules are broken; comment out the offending include (prefix it with //):

  • /opt/yara/rules/malware_index.yar line 104
//include "./malware/MALW_AZORULT.yar"
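Rather than hunting for the next broken include by hand after each git pull, the following script finds them and comments them out the same way (an added example, not from this page or the Yara-Rules project). An include counts as broken when the file it points to is missing, or, when the optional yara-python module is importable, when that file fails to compile on its own; paths are resolved relative to the index file. The demo ruleset it builds in a temporary directory is constructed for the example.

```python
"""Find and comment out broken `include` lines in a YARA index file such as
/opt/yara/rules/malware_index.yar.  Added example, not part of the SIFT
page or the Yara-Rules project.  The demo ruleset below is constructed."""
import os
import re

# Matches:  include "./malware/MALW_AZORULT.yar"
INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"\s*$')


def try_import_yara():
    """yara-python is optional; without it only the file check runs."""
    try:
        import yara
        return yara
    except ImportError:
        return None


def is_broken(rule_path, yara_mod=None):
    """Return a reason string if the rule file is unusable, else None."""
    if not os.path.isfile(rule_path):
        return "missing file"
    if yara_mod is not None:
        try:
            yara_mod.compile(filepath=rule_path)
        except yara_mod.Error as exc:  # yara.SyntaxError is a subclass
            return "compile error: %s" % exc
    return None


def check_index(index_path, yara_mod=None):
    """Return [(line_number, include_path, reason), ...] for broken includes,
    resolving relative paths against the directory of the index file."""
    base = os.path.dirname(os.path.abspath(index_path))
    broken = []
    with open(index_path) as fh:
        for lineno, line in enumerate(fh, start=1):
            m = INCLUDE_RE.match(line)
            if not m:
                continue
            target = os.path.normpath(os.path.join(base, m.group(1)))
            reason = is_broken(target, yara_mod)
            if reason:
                broken.append((lineno, m.group(1), reason))
    return broken


def disable_includes(index_path, line_numbers):
    """Prefix the given lines with // (the same fix as the manual edit of
    line 104) and write the file back.  Returns the new file text."""
    with open(index_path) as fh:
        lines = fh.readlines()
    wanted = set(line_numbers)
    out = []
    for lineno, line in enumerate(lines, start=1):
        if lineno in wanted and not line.lstrip().startswith("//"):
            line = "//" + line
        out.append(line)
    with open(index_path, "w") as fh:
        fh.writelines(out)
    return "".join(out)


def build_demo_ruleset(root):
    """Constructed miniature of the Yara-Rules layout: one valid rule file
    plus an index that also includes a file that does not exist."""
    os.makedirs(os.path.join(root, "malware"))
    with open(os.path.join(root, "malware", "MALW_Demo.yar"), "w") as fh:
        fh.write('rule demo_marker { strings: $a = "constructed-sample" condition: $a }\n')
    index = os.path.join(root, "malware_index.yar")
    with open(index, "w") as fh:
        fh.write('include "./malware/MALW_Demo.yar"\n')
        fh.write('include "./malware/MALW_Gone.yar"\n')  # constructed: missing on disk
    return index


def run_demo(root=None):
    """Build the demo ruleset, disable its broken includes, and return
    (broken_before, broken_after, final_index_text)."""
    import tempfile
    index = build_demo_ruleset(root or tempfile.mkdtemp())
    before = check_index(index, yara_mod=None)  # filesystem check only: deterministic
    text = disable_includes(index, [b[0] for b in before])
    after = check_index(index, yara_mod=None)
    return before, after, text


if __name__ == "__main__":
    before, after, text = run_demo()
    for lineno, inc, reason in before:
        print("line %d: %s (%s)" % (lineno, inc, reason))
    print(text)
```

Against the real tree, call check_index("/opt/yara/rules/malware_index.yar", try_import_yara()) first and review the list before passing its line numbers to disable_includes; commenting out an include silently drops those detections, so it is worth knowing which rules you are losing.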
os/kali/sansdift.txt · Last modified: 2021/12/29 21:03 by warnaud