Using RegRipper
Ever wonder how to use RegRipper for analysis? After all, the tool pulls data from Registry hive files, and while there is a considerable amount of data reduction, what do you do with the data you get?
Let's look at an example. Say that you've got an issue going on with some systems, and you (a) acquire an image of a system, (b) use FTK Imager to get copies of just the Registry hive files from a live system, or (c) connect to the system via F-Response...at that point, you run RegRipper, or just rip.exe with one of the plugins to extract information from the Services key in the System hive file. If you happen to see Ndisprot listed as a service, you may have found a Trojan.Flush.M infection.
*Note: Trojan.Flush.M is apparently also known as "DNSChanger", and this blog post refers to some excellent resources for checking your network for rogue DHCP servers, including MS's own dhcploc utility.
Also, RegRipper can be used to check for the existence of patches and updates, such as KB958644, which addresses the Server service vulnerability from MS08-067.
Check out the RegRipper.net forums for some new plugins uploaded by Don Weber.
How do you use RegRipper?
Let's look at an example. Say that you've got an issue going on with some systems, and you (a) acquire an image of a system, (b) use FTK Imager to get copies of just the Registry hive files from a live system, or (c) connect to the system via F-Response...at that point, you run RegRipper, or just rip.exe with one of the plugins to extract information from the Services key in the System hive file. If you happen to see Ndisprot listed as a service, you may have found a Trojan.Flush.M infection.
*Note: Trojan.Flush.M is apparently also known as "DNSChanger", and this blog post refers to some excellent resources for checking your network for rogue DHCP servers, including MS's own dhcploc utility.
Also, RegRipper can be used to check for the existence of patches and updates, such as KB958644, which addresses the Server service vulnerability from MS08-067.
Check out the RegRipper.net forums for some new plugins uploaded by Don Weber.
How do you use RegRipper?