Closed kudowins closed 7 years ago
The next client generation will have this.
Any timeline as to when we might expect this next client release?
Thanks Andreas
> On Thursday, March 3, 2016, Andreas Moser notifications@github.com wrote:
> The next client generation will have this.
The client is mostly done, so very soon. The outstanding issues we still have are that the Windows nanny doesn't start on Windows Server 2008 and similar and, for the Linux version, we need to sort out some startup script problems.
Looks like this feature wasn't incorporated into the new release. Will it perhaps make an appearance on the next release?
+1 for this
Yara support would be much appreciated
@grrrrrrrrr +1 Any news on this?
Performance-wise it might be worth doing this just for running processes / loaded DLLs + drivers.
Just as an FYI this works in the upcoming release via a rekall plugin.
> On 17 Jun 2016 05:53, "threatcrowd" notifications@github.com wrote:
> Performance-wise it might be worth doing this just for running processes / loaded DLLs + drivers.
@grrrrrrrrr - Any update for this? Any timeline? @scudette - Will the upcoming Rekall plugin with Yara support also have the ability to use the Yara rules for filesystem scanning, or only for memory forensics?
We did this in the recent DFRWS workshop - not sure if you were there... See the slide "Run a yara rule against all executables in the windows directory." for an explanation of how to do it with Rekall.
http://dfrws2016.rekall-forensic.com/DFRWS2016_Rekall_Workshop.pdf
It should work with GRR as well, provided you issue the same request in the Rekall flow (AnalyzeClientMemory) interface, although I have not tested it yet.
This is available now, I'll close this issue. Let us know if this doesn't work for you.
In an effort to proactively identify malware, it would be beneficial to leverage the power of Yara rules against the filesystem.