LinuxCatScale - Incident Response Collection And Processing Scripts With Automated Reporting Scripts
Linux CatScale is a bash script that uses living-off-the-land tools to collect extensive data from Linux-based hosts. The data aims to help DFIR professionals triage and scope incidents. An Elk Stack instance is also configured to consume the output and assist the analysis process.
These scripts were built to automate as much as possible. We recommend running them from an external device/USB to avoid overwriting evidence, just in case you need a full image in future.
Please run the collection script on suspected hosts with sudo rights. fsecure_incident-response_linux_collector_0.7.sh is the only file you need to run the collection.
<dir>$ chmod +x ./Cat-Scale.sh
<dir>$ sudo ./Cat-Scale.sh
The script will create a directory called "FSecure-out" in the working directory and should remove all artefacts once they have been compressed. This leaves a file named in the format FSecure_Hostname-YYMMDD-HHMM.tar.gz.
Once these are all aggregated and you have the FSecure_Hostname-YYMMDD-HHMM.tar.gz on the analysis machine, you can run Extract-Cat-Scale.sh, which will extract all the files and place them in a folder called "extracted".
<dir>$ chmod +x ./Extract-Cat-Scale.sh
<dir>$ sudo ./Extract-Cat-Scale.sh
Parsing
This project has predefined grok filters to ingest data into Elastic; feel free to modify them as you need.
What does it collect?
This script will produce the following files/folders, which can be reviewed as text files or using Elk Stack.
- bash_history - Bash history for all users
- bash_profile - Bash profile file for all users
- bash_rc - Bash_rc file
- full-timeline.csv - Timeline of all files in the following directories: /home/* + /var/www/* + /tmp/ + /dev/shm/ + /bin + /sbin
- bin-dir-timeline - Timeline of all files in /bin
- binhashes.txt - Hash of all executable files under $PATH variable
- btmp-lastlog.txt - btmp last log
- console-error-log.txt - Where all the errors from the script are forwarded to
- cpuinfo.txt - CPU info
- dev-shm-dir-timeline - Timeline of all files in /dev/shm/
- df.txt - Information about the file system on which each FILE resides, or all file systems by default.
- dhcp.txt - Resolver configuration file resolv.conf
- executables-list.txt - All ELF files on disk with +x attribute
- group.txt - List of groups and the members belonging to each group
- home-dir-timeline - Timeline of all files in /home/*
- host.conf.txt - Resolver configuration file host.conf
- hosts.allow.txt - Host access control file hosts.allow
- hosts.deny.txt - Host access control file hosts.deny
- hosts.txt - Static table lookup for hostnames /etc/hosts
- ifconfig.txt - ifconfig -a output
- iptables.txt - Tables of IPv4 and IPv6 packet filter rules in the Linux kernel.
- lastbad.txt - Records failed login attempts
- lastlog.txt - The most recent login of all users or of a given user
- last.txt - History of all logins and logouts
- lsmod.txt - Kernel modules that are currently loaded
- lsof-processes.txt - List of all open files and the processes that opened them.
- lsusb.txt - Attached USB device info
- md5-ps.txt - ps command bin md5
- meminfo.txt - Memory info
- netstat-ano.txt - Listing of all sockets, in numeric form with timer info
- netstat-antup.txt - All tcp/udp connections in numeric form with process ID
- netstat-list.txt - All tcp/udp connections in numeric form with process ID, without headers
- num-proc.txt - Number of processes according to ps command
- num-ps.txt - Number of processes according to /proc directory
- package-list.txt - All files in all rpm packages
- packages-result.txt - All executables that are not part of rpm packages
- passwd.txt - Copy of the passwd file
- persistence-anacron.txt - All Anacron jobs
- persistence-cronlist.txt - All Cron jobs
- persistence-initd.txt - All initd scripts
- persistence-profiled.txt - Scripts that run when a user logs in
- persistence-rc-scripts.txt - All rc scripts (run level scripts)
- persistence-shellrc-etc.txt - All startup script contents in /etc/
- persistence-shellrc-home.txt - All startup script contents in /home/
- persistence-shellrc-root.txt - All startup script contents in /root/
- persistence-systemdlist.txt - All systemd services and execution command lines
- process-details.txt - All running process details and status information
- processes-list.txt - All running processes according to ps
- processes.txt - All running processes according to /proc/ directory
- processhashes.txt - Hash of all running processes
- procmod.txt - Loaded modules for all processes
- release.txt - OS information
- routetable.txt - Contents of kernel routing table. route command output
- sbin-dir-timeline - Timeline of all files in /sbin/*
- service_status.txt - All running services and their status.
- ssh_config.txt - ssh service config file
- sshd_config.txt - ssh service config file
- sudoers.txt - List of sudoers
- tmp-dir-timeline - Timeline of all files in /tmp/*
- tmp-executable-files-for-diff.txt - tmp-executable-files.txt without executable type metadata, for later diff operation with packages
- tmp-executable-files.txt - All files with +x attributes (executables)
- tmp-types.txt - tmp file for finding types of executable (script|ELF|executable)
- var-www-dir-timeline - Timeline of all files in /var/www/*
- whoandwhat.txt - w command output. Who is logged on and what they are doing.
- who.txt - List of users who are currently logged in
- wtmp-lastlog.txt - wtmp last log
- varlogs - All contents of /var/log
- viminfo - All viminfo files... Can contain vi historic commands
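Added example, not part of the Cat-Scale project: once output from several hosts has been extracted, binhashes.txt can be stacked across hosts to surface a binary whose hash differs from its peers. The md5sum-style line format, the per-host directory layout, the function names and the sample hosts and hashes are all assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: stack binhashes.txt from several hosts and report outliers.
# ASSUMPTION: each line is "<hash>  <path>" (md5sum-style) and each file sits
# in a directory named after its host. Adjust if the real output differs.

# stack_hashes FILE... : print "path hash host" for each (path, hash) pair seen
# on exactly one host while the same path was collected from two or more hosts.
stack_hashes() {
  awk '
    FNR == 1 { n = split(FILENAME, p, "/"); host = p[n - 1] }  # parent dir = host
    NF >= 2 {
      hash = $1
      path = $0; sub(/^[^ \t]+[ \t]+/, "", path)    # keeps paths with spaces
      key = path SUBSEP hash
      if (!((key, host) in seen))  { seen[key, host] = 1;  count[key]++; who[key] = host }
      if (!((path, host) in onhost)) { onhost[path, host] = 1; hosts[path]++ }
    }
    END {
      for (key in count) {
        split(key, kv, SUBSEP)
        if (count[key] == 1 && hosts[kv[1]] >= 2) print kv[1], kv[2], who[key]
      }
    }
  ' "$@" | sort
}

# make_sample DIR : write constructed (not real) hash lists for three hosts.
make_sample() {
  for h in web01 web02 web03; do
    mkdir -p "$1/$h"
    printf '%s  %s\n' 11111111111111111111111111111111 /bin/ls \
      22222222222222222222222222222222 /usr/sbin/sshd > "$1/$h/binhashes.txt"
  done
  # Constructed outlier: web03 carries a different sshd than its peers.
  printf '%s  %s\n' 11111111111111111111111111111111 /bin/ls \
    33333333333333333333333333333333 /usr/sbin/sshd > "$1/web03/binhashes.txt"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
stack_hashes "$demo_dir"/*/binhashes.txt
rm -rf "$demo_dir"
```

A path collected from only one host is not reported by this function; an outlier is a lead for review against package data, not a verdict.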
Disclaimer
Note that the script will likely alter artefacts on endpoints. Care should be taken when using the script. This is not meant to take forensically sound disk images of the remote endpoints.
Tested OSes
- Ubuntu 16.4
- CentOS
- Mint
- Solaris 11.4