Tanium 6.x: Tanium IR Gatherer Data

IR Gatherer - Collect Info To Central Server

  • Autoruns
  • Cached AD Logins
  • All Raw Event Logs
  • AV Logs
  • Browser Logs (Chrome, Firefox, IE)
  • Prefetch Dir
  • Quarantined Files
  • Raw Registry Hives
  • Raw Registry Class
  • Raw User Registry Hives
  • RegRipper output
  • Scheduled Tasks
  • Completed Scheduled Tasks
  • DrWatson Files
  • Hosts File
  • Dump Disk Info
  • Dump Memory
  • Dump USN Journal
  • Mutex Details
  • Recent Documents
  • Registry Archives
  • Rekall Analysis
  • Run Command History
  • Shim Cache

Tanium Questions:

  • Established Connections
  • Established Connections with MD5
  • Running Applications
  • Running process with MD5
  • Trace Database Snapshot

IR Gatherer - Linux

  • Rekall Memory Tool
  • File System Listing
  • User Shell History
  • System account and host files (hosts, sudoers, passwd, shadow and group files)

Tanium Questions:

  • Running Process with MD5 hash
  • Loaded Modules with MD5 hash
  • MD5 of Established Connections
  • TCP/UDP Connections
  • MD5 of Listening TCP Ports

IR Gatherer - MAC

  • Memory capture including swap (optional)
  • Runs osxcollector.py (optional)
  • Runs knockknock plugins browserExtension, cronJob, logHook, startUpItem, dyLib, kext, launchDandA, overRide, rcCommon, launchdConf, loginItem (optional)
  • Web browser information for Safari, Chrome and Firefox, including history, cookies and cache
  • Shell history files for the Bourne shell (sh), zsh, bash, ksh, csh and tcsh
  • Hosts File
  • Sudoers File
  • Owner, group and permissions for all files on the / filesystem (could be extended to cover other mounted filesystems as well)

Tanium Questions:

  • Running processes with MD5 hash
  • Loaded Modules with MD5 hash
  • MD5 of Established Connections
  • TCP/UDP Connections
  • MD5 of Listening Ports
  • DNS Cache information
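The Linux and Mac sections above list what the packages and questions collect (running processes with MD5, established connections, shell history files, file ownership and permissions) without showing how such data is gathered. The following is an added example, not Tanium's IR Gatherer code, of a minimal triage collector that produces the same kinds of artifacts. It is Linux-oriented where it reads /proc (process image hashes, /proc/net/tcp); the shell-history and ownership functions are plain POSIX and apply to macOS too. Every function takes a root path so it can run against a live host or a constructed tree; the /proc/net/tcp sample and the shell history filename list are assumptions, not data from the page.

```python
"""Minimal Linux/macOS IR triage collector (added example, not Tanium code).
Functions take a root path so they run on a live host (/proc, /home, /) or
on a constructed tree. MD5 is used only to match the sensor names on this
page; pass algo="sha256" for anything compared across tools."""
import hashlib
import os
import socket
import struct

# Assumed history file names; extend for ksh/csh variants as needed.
SHELL_HISTORY_FILES = (".bash_history", ".zsh_history", ".sh_history",
                       ".history", ".zhistory")
TCP_ESTABLISHED = "01"   # values of the 'st' column in /proc/net/tcp (hex)
TCP_LISTEN = "0A"


def hash_file(path, algo="md5", chunk=1 << 20):
    """Stream a file through hashlib so large binaries stay out of memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _decode_addr(hexaddr):
    """'0100007F:0016' -> ('127.0.0.1', 22); IPv4 is little-endian hex in /proc."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text, states=(TCP_ESTABLISHED,)):
    """Rows (lip, lport, rip, rport, inode) from /proc/net/tcp whose state is
    in `states`. The inode ties a socket to its process via /proc/<pid>/fd."""
    rows = []
    for line in text.splitlines()[1:]:            # line 0 is the column header
        parts = line.split()
        if len(parts) < 10 or parts[3].upper() not in states:
            continue
        lip, lport = _decode_addr(parts[1])
        rip, rport = _decode_addr(parts[2])
        rows.append((lip, lport, rip, rport, int(parts[9])))
    return rows


def hash_running_processes(proc_root="/proc", algo="md5"):
    """pid -> {'exe', 'deleted', 'hash'} for each numeric /proc entry. Reading
    through /proc/<pid>/exe returns the mapped image even if the file was
    deleted from disk, so the hash reflects what is actually executing."""
    out = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        exe_link = os.path.join(proc_root, entry, "exe")
        try:
            target = os.readlink(exe_link)
        except OSError:                           # kernel thread, exited, EACCES
            continue
        try:
            digest = hash_file(exe_link, algo)
        except OSError:
            digest = None                         # foreign process, not root
        out[int(entry)] = {"exe": target,
                           "deleted": target.endswith(" (deleted)"),
                           "hash": digest}
    return out


def collect_shell_histories(home_root="/home"):
    """path -> raw bytes for every known shell history file under home_root."""
    found = {}
    for user in sorted(os.listdir(home_root)):
        for name in SHELL_HISTORY_FILES:
            path = os.path.join(home_root, user, name)
            if os.path.isfile(path):
                with open(path, "rb") as f:
                    found[path] = f.read()
    return found


def list_owner_perms(root="/"):
    """(path, mode, uid, gid) for everything below root; lstat records
    symlinks instead of following them, so link loops cannot stall the walk."""
    rows = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            rows.append((path, oct(st.st_mode & 0o7777), st.st_uid, st.st_gid))
    return rows


# Constructed /proc/net/tcp sample: a listening sshd socket, one established
# outbound 443 connection owned by uid 1000, and a TIME_WAIT row to be skipped.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B1A4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:B1A6 5DB8D822:01BB 06 00000000:00000000 03:00000ABC 00000000     0        0 0 3 0000000000000000
"""
```

On a live host, run `hash_running_processes()` as root and flag any entry with `deleted` set: a process whose on-disk image is gone is exactly what a disk-only hash check would miss, and it is the reason the hash is taken through /proc/<pid>/exe rather than from the path the link names. `parse_proc_net_tcp(open("/proc/net/tcp").read())` gives the established connections; the inode column can then be matched against /proc/<pid>/fd links of the form socket:[inode] to attribute each connection to a process, which is the pairing the "MD5 of Established Connections" question expresses.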

Packages

  • IR Gatherer - Collect Info To Central Server
  • IR Gatherer - Linux
  • IR Gatherer - MAC