
Release Notes Incident Response Memory (Version 1.3.0)

From Tanium Knowledge Base

Release Notes - Tanium Labs Incident Response Memory (Version 1.3.0)

Incident Response Memory 1.3.0.0004

Release Date: July 18, 2017

Overview

Incident Response Memory (version 1.3) is released to Tanium Labs to add raw memory analysis capabilities to the Tanium Incident Response toolset. IR Memory introduces functionality to parse the running processes, loaded modules (DLLs and drivers), and objects directly from memory structures. It also provides the ability to identify in-memory anomalies, such as evidence of code injection attacks. IR Memory is available to any customer holding a license to Tanium Threat Response or the Tanium Incident Response module.

Packages

  • Deploy Rekall
This package deploys Rekall to endpoints and then downloads the profiles needed for parsing memory via the Tanium Client API. Users must first add the 32-bit and 64-bit Rekall binaries to this package before running it; refer to the documentation for details.
  • Distribute Rekall Profiles
This package manually distributes profiles, for use in air-gapped environments and for distributing newly generated profiles.
  • Download Rekall Profiles
This package attempts to download needed profiles on systems that have already received the Deploy Rekall package.
  • Remove Rekall
This package uninstalls and removes Rekall from a system.
  • Run Rekall Plugins
This package runs a selected Rekall plugin, or ALL plugins. It must be executed prior to running any of the Rekall result sensors. Supported plugins include dlllist, filescan, handles, ldrmodules, malfind, modscan, modules, netscan, pslist, pstree, psxview, shimcachemem, threads, unloaded_modules, and vad.
  • Run Rekall yarascan
This package allows for searching in physical, kernel, and process memory for strings and YARA signatures.
  • Run Rekall Anomaly Scan
This package identifies basic malicious traits in memory such as threads loading anonymous code, injected DLLs, injected system images, and malicious injected code sections. It must be run prior to using the Rekall Anomaly Scan Results sensor.

Sensors

  • Rekall Anomaly Scan Results
Retrieves results from the Run Rekall Anomaly Scan package.
  • Rekall dlllist Results
Retrieves results from the Run Rekall Plugins package when selecting dlllist or ALL.
  • Rekall filescan Results
Retrieves results from the Run Rekall Plugins package when selecting filescan or ALL.
  • Rekall handles Results
Retrieves results from the Run Rekall Plugins package when selecting handles or ALL.
  • Rekall ldrmodules Results
Retrieves results from the Run Rekall Plugins package when selecting ldrmodules or ALL.
  • Rekall malfind Results
Retrieves results from the Run Rekall Plugins package when selecting malfind or ALL.
  • Rekall modscan Results
Retrieves results from the Run Rekall Plugins package when selecting modscan or ALL.
  • Rekall modules Results
Retrieves results from the Run Rekall Plugins package when selecting modules or ALL.
  • Rekall netscan Results
Retrieves results from the Run Rekall Plugins package when selecting netscan or ALL.
  • Rekall pslist Results
Retrieves results from the Run Rekall Plugins package when selecting pslist or ALL.
  • Rekall pstree Results
Retrieves results from the Run Rekall Plugins package when selecting pstree or ALL.
  • Rekall psxview Results
Retrieves results from the Run Rekall Plugins package when selecting psxview or ALL.
  • Rekall shimcachemem Results
Retrieves results from the Run Rekall Plugins package when selecting shimcachemem or ALL.
  • Rekall Status
Returns the current installation status and status of debug profiles needed for IR Memory to function properly.
  • Rekall threads Results
Retrieves results from the Run Rekall Plugins package when selecting threads or ALL.
  • Rekall unloaded_modules Results
Retrieves results from the Run Rekall Plugins package when selecting unloaded_modules or ALL.
  • Rekall vad Results
Retrieves results from the Run Rekall Plugins package when selecting vad or ALL.
  • Rekall Version
Returns the version of Rekall installed on the system if installed.
  • Rekall yarascan Results
Retrieves results from the Run Rekall yarascan package.

Deprecated Content

The following sensors have been deprecated from versions of the Incident Response Memory solution that preceded this Labs release.
  • Rekall PDB/GUID
This sensor has been deprecated as the information is now combined into the Rekall Status sensor.
  • Rekall Profiles
This sensor has been deprecated as the information is now combined into the Rekall Status sensor.
  • (multiple) Rekall plugin sensors
In older beta versions of the Incident Response Memory content, Rekall plugins ran as sensors rather than as package/sensor combinations. If you previously deployed beta builds of Incident Response Memory, we recommend first deleting the sensors from those older versions.

Incident Response Memory 1.3.0.0013

Release Date: August 8, 2017

Resolved Issues

  • Fixes an issue with the parsing of memory profiles needed on some installations. The Rekall Status sensor now properly parses the profiles needed on Windows XP and Windows 2003 Server systems.

Sensors

  • Rekall Status
This sensor should now properly return the profile versions needed for all systems with Rekall installed.

Incident Response Memory 1.3.0.0020

Release Date: August 15, 2017

Resolved Issues

  • Fixes an issue with the Incident Response Memory solution manifest. The Incident Response Memory solution is now listed in the console.