
orochi's People

Contributors

dadokkio, darcosion, deepsource-autofix[bot], deepsourcebot, dependabot[bot], garanews, p4kch01, vxsh4d0w


orochi's Issues

FR: add timeline plugin support

https://volatility3.readthedocs.io/en/latest/volatility.plugins.timeliner.html?highlight=timeline
From the CLI, sample output:
[ { "Accessed Date": null, "Changed Date": null, "Created Date": null, "Description": "Process: System (2185005104)", "Modified Date": null, "Plugin": "PsList", "__children": [] }, { "Accessed Date": null, "Changed Date": null, "Created Date": "2010-10-29T17:08:53", "Description": "Process: smss.exe (2181951520)", "Modified Date": null, "Plugin": "PsList", "__children": [] }, { "Accessed Date": null, "Changed Date": null, "Created Date": "2010-10-29T17:08:54", "Description": "Process: csrss.exe (2182753696)", "Modified Date": null, "Plugin": "PsList", "__children": [] }, { "Accessed Date": null, "Changed Date": null, "Created Date": "2010-10-29T17:08:54", "Description": "Process: winlogon.exe (2178569808)", "Modified Date": null, "Plugin": "PsList", "__children": [] }, {

From doc: An enumeration.

ACCESSED= 3
CHANGED= 4
CREATED= 1
MODIFIED= 2

So it would be useful to put all this info into Elastic keyed on the date and visualize the rows, maybe changing colour depending on the date type.

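One way to turn the timeliner output above into rows that Elastic can sort and colour by date type is to emit one document per non-null date column, tagging each with the enumeration value quoted from the docs. This is an added example, not code from the orochi project; the sample input is constructed to match the shape of the CLI output pasted above (the file entry and its plugin name are made up), and the function names are my own.

```python
import json
from enum import IntEnum


# Date kinds numbered exactly as in the volatility3 timeliner enumeration
# quoted in the issue (CREATED=1, MODIFIED=2, ACCESSED=3, CHANGED=4).
class DateType(IntEnum):
    CREATED = 1
    MODIFIED = 2
    ACCESSED = 3
    CHANGED = 4


# Column name in the timeliner JSON output -> enumeration member.
DATE_COLUMNS = {
    "Created Date": DateType.CREATED,
    "Modified Date": DateType.MODIFIED,
    "Accessed Date": DateType.ACCESSED,
    "Changed Date": DateType.CHANGED,
}

# Constructed sample shaped like the CLI output in the issue; the third row
# (a file with several timestamps and a made-up plugin name) is hypothetical.
SAMPLE_TIMELINER_JSON = json.dumps([
    {"Accessed Date": None, "Changed Date": None, "Created Date": None,
     "Description": "Process: System (2185005104)", "Modified Date": None,
     "Plugin": "PsList", "__children": []},
    {"Accessed Date": None, "Changed Date": None,
     "Created Date": "2010-10-29T17:08:53",
     "Description": "Process: smss.exe (2181951520)", "Modified Date": None,
     "Plugin": "PsList", "__children": []},
    {"Accessed Date": "2010-10-29T17:09:10", "Changed Date": None,
     "Created Date": "2010-10-29T17:08:54",
     "Description": "File: \\Windows\\System32\\example.dll",
     "Modified Date": "2010-10-29T17:08:40",
     "Plugin": "ExamplePlugin", "__children": []},
])


def explode_timeline(rows):
    """Turn each timeliner row into one document per non-null date column.

    Every output document carries a single "timestamp" plus the date type,
    so an Elastic index (or a date histogram in Kibana) can sort and colour
    by date_type instead of juggling four separate date columns.
    """
    docs = []
    for row in rows:
        for column, date_type in DATE_COLUMNS.items():
            stamp = row.get(column)
            if stamp is None:
                continue  # timeliner emits null for dates it did not recover
            docs.append({
                "timestamp": stamp,
                "date_type": date_type.name,
                "date_type_id": int(date_type),
                "description": row.get("Description"),
                "plugin": row.get("Plugin"),
            })
    # ISO-8601 strings sort lexicographically in chronological order;
    # the enum id breaks ties deterministically.
    docs.sort(key=lambda d: (d["timestamp"], d["date_type_id"]))
    return docs


def explode_timeline_json(text):
    """Parse the timeliner JSON text and flatten it."""
    return explode_timeline(json.loads(text))


if __name__ == "__main__":
    for doc in explode_timeline_json(SAMPLE_TIMELINER_JSON):
        print(doc["timestamp"], doc["date_type"], doc["description"])
```

Rows whose four dates are all null (the System process above) produce no documents at all, which is worth keeping in mind when reconciling the number of indexed events against the number of timeliner rows.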

FR: automating malware detection in executables loaded into memory

Plugin Usage:

  • dlldump
  • moddump
  • malfind

At this point, check to see if any known malware is on the system, and to do so use ClamAV.
Then calculate hash of all dumped files and search on Virustotal.
At the end, show in the GUI the list of dumped files with the details of the scan.

Django docker isn't working

Hey, I've followed the steps listed under the installation process, and when I ran the "docker-compose up" everything worked fine other than the Django docker. It exited immediately.
I ran "docker logs orochi_django" to check why it might have exited, and I saw this:
Can you help me understand why it happened and fix this issue?

FR: Yara rules management

TODO LIST:

  • models
  • create custom ruleset per user at creation
  • admin to manage ruleset/rule
  • download and parse rulesets list from awesome
  • clone or pull repo of rulesets
  • user page to upload/delete custom rule to his ruleset
  • user page to create custom rules from available rulesets
  • delete, publish custom rules
  • download custom rules
  • add a command to create a default with all rules from admin
  • make yarascan plugin use default rule if no other file are selected
  • add a default rule in website.rule that is run by default if automatic
  • test compile rule in parallel or in separated task
  • compile only new rule when pulling repos
  • show more than 100 entries per page (like 1k, 10k)
  • add help for elastic syntax
  • add elastic syntax to search
  • edit user rules
  • copy server rules under user rules
  • search text inside rules
  • view selected rule (included system rules)
  • create documentation

plugins support dump if not set

If the admin doesn't set the 'dump' value for plugins that support it, users running those plugins receive a 'dump' error and have to run them again (selecting or not the dump checkbox).

API: resubmit plugin that requires a file

In resubmit you can specify parameters in JSON, e.g.:
{"dump": true}
In the GUI, custom file fields are added for file-related parameters, but this is not yet possible via the API.

FR: diff between images

It would be useful to show the diff between multiple images.
A case can be the diff of pslist, so compare the processes between 2 images and show when a process is present in one image and not in the other.


Not able to get any output from plugins

Hi!

I have uploaded the dump, created the index. All good so far. Then I want to run some of the plugins. None of them return any data. When looking at the output I see two buttons to the top right, one indicating a rehash/refresh (yellow reload) and the other is a red (btn btn-sm btn-outline-danger btn-log) and when clicking that I only get the text: "Windows kernel symbols" in red. I guess this means that there's something wrong with the Windows kernel symbols (maybe create a more informative error message...?). I ran symbols_sync after installation:

Starting orochi_postgres ... 
Starting orochi_mailhog ... done
PostgreSQL is available
/usr/local/lib/python3.8/site-packages/requests/__init__.py:89: RequestsDependencyWarning: urllib3 (1.26.0) or chardet (3.0.4) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "
Local hash: None
Remote hash: {'windows.zip': '7ae5225fa542d043af31fb3b9f5863de', 'mac.zip': '8b111c0ea5a1dd9309cf7e79ec2c6816', 'linux.zip': '029662b9e190e8d72b7b09da19015808'}
Hashes for windows.zip are different - downloading
Removing path /src/volatility/volatility/symbols/windows.
Starting download of zip symbols windows.zip.
Download of zip symbols completed for windows.zip.
Hashes for mac.zip are different - downloading
Removing path /src/volatility/volatility/symbols/mac.
Starting download of zip symbols mac.zip.
Download of zip symbols completed for mac.zip.
Hashes for linux.zip are different - downloading
Removing path /src/volatility/volatility/symbols/linux.
Starting download of zip symbols linux.zip.
Download of zip symbols completed for linux.zip.
Updating local hashes
Clearing cache

And if I run it now:

$ docker-compose run --rm django python manage.py symbols_sync
Starting orochi_mailhog ... done
PostgreSQL is availables ... done
/usr/local/lib/python3.8/site-packages/requests/__init__.py:89: RequestsDependencyWarning: urllib3 (1.26.0) or chardet (3.0.4) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "
Local hash: {'windows.zip': '7ae5225fa542d043af31fb3b9f5863de', 'mac.zip': '8b111c0ea5a1dd9309cf7e79ec2c6816', 'linux.zip': '029662b9e190e8d72b7b09da19015808'}
Remote hash: {'windows.zip': '7ae5225fa542d043af31fb3b9f5863de', 'mac.zip': '8b111c0ea5a1dd9309cf7e79ec2c6816', 'linux.zip': '029662b9e190e8d72b7b09da19015808'}
Hashes for windows.zip are equal - skipping
Hashes for mac.zip are equal - skipping
Hashes for linux.zip are equal - skipping

When looking at the output from the different workers I can see quite a lot of these warning messages:

worker01_1   | WARNING 2020-11-11 08:26:06,107 __init__ 367 139935630337792 Automagic exception occurred: TypeError: super() argument 1 must be type, not Enumeration

FR: volatility symbols management

Regarding volatility symbols, 2 possibilities:

  1. add upload function
  2. add docker external volume support

This is to avoid downloading symbols every time the docker images are built, and save time.

FR: MISP export

  • Export to MISP the selected row
  • Export to MISP all bookmarked (#42) rows
  • Export to MISP the timeline adding relationship

login [allauth]

We need to decide what to support and then check if it is working properly.

Wizard of automagic AKA autoba(h)n-ner

If the banner plugin, which returns the kernel version of linux/mac, doesn't match the kernels contained in the symbols, try to download the kernel source and create the correct symbol.

Create env for existing clusters

In order to easily deploy the application on existing dask nodes, it would be useful to provide the env with all required files and libs.

FR: add bookmarks

Add the possibility to bookmark rows, also adding a comment.
So the analyst loads dump(s), runs plugins, does some searches, then saves a view with the interesting rows.

ERROR when multiple users upload multiple dumps

scheduler_1 | distributed.scheduler - INFO - Receive client connection: Client-021de394-aeee-11ea-803a-0242ac12000a
scheduler_1 | distributed.core - INFO - Starting established connection
django | DEBUG 2020-06-15 09:53:04,931 client 58 139970993960704 Started scheduling coroutines. Synchronized
django | DEBUG 2020-06-15 09:53:04,932 client 58 139972761442048 Submit unzip_then_run(...), unzip_then_run-f79d3136cecb2d2f1b6997f6894743fd
django | DEBUG 2020-06-15 09:53:04,935 client 58 139970993960704 Release key unzip_then_run-f79d3136cecb2d2f1b6997f6894743fd
worker02_1 | DEBUG 2020-06-15 09:53:04,937 worker 45 139629552719680 Execute key: unzip_then_run-f79d3136cecb2d2f1b6997f6894743fd worker: tcp://172.18.0.4:32847
postgres | 2020-06-15 09:53:04.942 UTC [183] ERROR: insert or update on table "website_result" violates foreign key constraint "website_result_dump_id_e0d4660f_fk_website_dump_id"
postgres | 2020-06-15 09:53:04.942 UTC [183] DETAIL: Key (dump_id)=(5) is not present in table "website_dump".
postgres | 2020-06-15 09:53:04.942 UTC [183] STATEMENT: INSERT INTO "website_result" ("dump_id", "plugin_id", "result", "description") VALUES (5, 42, 0, NULL) RETURNING "website_result"."id"
worker02_1 | WARNING 2020-06-15 09:53:04,944 worker 45 139629552719680 Compute Failed
worker02_1 | Function: unzip_then_run
worker02_1 | args: (<Dump: linux_amf_6>, 'http://es01:9200')
worker02_1 | kwargs: {}
worker02_1 | Exception: IntegrityError('insert or update on table "website_result" violates foreign key constraint "website_result_dump_id_e0d4660f_fk_website_dump_id"\nDETAIL: Key (dump_id)=(5) is not present in table "website_dump".\n')
worker02_1 |
worker02_1 | DEBUG 2020-06-15 09:53:04,944 worker 45 139629552719680 Send compute response to scheduler: unzip_then_run-f79d3136cecb2d2f1b6997f6894743fd, {'status': 'error', 'exception': <Serialize: insert or update on table "website_result" violates foreign key constraint "website_result_dump_id_e0d4660f_fk_website_dump_id"
worker02_1 | DETAIL: Key (dump_id)=(5) is not present in table "website_dump".
worker02_1 | >, 'traceback': <Serialize: <traceback object at 0x7efdf8fcb140>>, 'text': 'insert or update on table "website_result" violates foreign key constraint "website_result_dump_id_e0d4660f_fk_website_dump_id"\nDETAIL: Key (dump_id)=(5) is not present in table "website_dump".\n', 'op': 'task-erred', 'start': 1592214784.9397027, 'stop': 1592214784.945018, 'thread': 139629080340224, 'key': 'unzip_then_run-f79d3136cecb2d2f1b6997f6894743fd'}
django | DEBUG 2020-06-15 09:53:04,951 client 58 139970993960704 Client receives message {'op': 'task-erred', 'key': 'unzip_then_run-f79d3136cecb2d2f1b6997f6894743fd', 'exception': IntegrityError('insert or update on table "website_result" violates foreign key constraint "website_result_dump_id_e0d4660f_fk_website_dump_id"\nDETAIL: Key (dump_id)=(5) is not present in table "website_dump".\n'), 'traceback': <traceback object at 0x7f4d9b311700>}
worker02_1 | DEBUG 2020-06-15 09:53:04,985 worker 54 140206128805696 future state: run_plugin-9e750d06fcdb69f72aaa729bb865c898 - RUNNING
