Effective October 15, 2024: On prem release notes on the Tanium Knowledge Base are frozen. For release notes related to 7.4 or 7.5 Server and Solutions, see the Monthly updates for Tanium Version 7.4 and 7.5 Server and Solutions on the Tanium Resource Center.
Release Notes - Tanium Labs Incident Response Memory (Version 1.3.0)
Incident Response Memory 1.3.0.0004
Release Date: July 18, 2017
Overview
Incident Response Memory (version 1.3) is released to Tanium Labs to add raw memory analysis capabilities to the Tanium Incident Response toolset. IR Memory introduces functionality to parse the running processes, loaded modules (DLLs and drivers), and objects directly from memory structures. It also provides the ability to identify in-memory anomalies, such as evidence of code injection attacks. IR Memory is available to any customer holding a license to Tanium Threat Response or the Tanium Incident Response module.
Packages
- Deploy Rekall
- This package deploys Rekall to endpoints and then downloads the profiles needed for parsing memory via the Tanium Client API. Users must first add the 32-bit and 64-bit Rekall binaries to this package before running it; refer to the documentation for details.
- Distribute Rekall Profiles
- This package manually distributes profiles, for use in air-gapped environments or when distributing profiles that have been newly generated.
- Download Rekall Profiles
- This package attempts to download needed profiles on systems that have already received the Deploy Rekall package.
- Remove Rekall
- This package allows for the uninstallation and removal of Rekall from a system.
- Run Rekall Plugins
- This package allows a single Rekall plugin, or ALL plugins, to be selected and run. It must be executed before any of the Rekall result sensors are used. Supported plugins include dlllist, filescan, handles, ldrmodules, malfind, modscan, modules, netscan, pslist, pstree, psxview, shimcachemem, threads, unloaded_modules, and vad.
- Run Rekall yarascan
- This package searches physical, kernel, and process memory for strings and YARA signatures.
- Run Rekall Anomaly Scan
- This package identifies basic malicious traits in memory, such as threads executing anonymous (non-image-backed) code, injected DLLs, injected system images, and malicious injected code sections. It must be run before the Rekall Anomaly Scan Results sensor is used.
Sensors
- Rekall Anomaly Scan Results
- Retrieves results from the Run Rekall Anomaly Scan package.
- Rekall dlllist Results
- Retrieves results from the Run Rekall Plugins package when selecting dlllist or ALL.
- Rekall filescan Results
- Retrieves results from the Run Rekall Plugins package when selecting filescan or ALL.
- Rekall handles Results
- Retrieves results from the Run Rekall Plugins package when selecting handles or ALL.
- Rekall ldrmodules Results
- Retrieves results from the Run Rekall Plugins package when selecting ldrmodules or ALL.
- Rekall malfind Results
- Retrieves results from the Run Rekall Plugins package when selecting malfind or ALL.
- Rekall modscan Results
- Retrieves results from the Run Rekall Plugins package when selecting modscan or ALL.
- Rekall modules Results
- Retrieves results from the Run Rekall Plugins package when selecting modules or ALL.
- Rekall netscan Results
- Retrieves results from the Run Rekall Plugins package when selecting netscan or ALL.
- Rekall pslist Results
- Retrieves results from the Run Rekall Plugins package when selecting pslist or ALL.
- Rekall pstree Results
- Retrieves results from the Run Rekall Plugins package when selecting pstree or ALL.
- Rekall psxview Results
- Retrieves results from the Run Rekall Plugins package when selecting psxview or ALL.
- Rekall shimcachemem Results
- Retrieves results from the Run Rekall Plugins package when selecting shimcachemem or ALL.
- Rekall Status
- Returns the current installation status and status of debug profiles needed for IR Memory to function properly.
- Rekall threads Results
- Retrieves results from the Run Rekall Plugins package when selecting threads or ALL.
- Rekall unloaded_modules Results
- Retrieves results from the Run Rekall Plugins package when selecting unloaded_modules or ALL.
- Rekall vad Results
- Retrieves results from the Run Rekall Plugins package when selecting vad or ALL.
- Rekall Version
- Returns the version of Rekall installed on the system if installed.
- Rekall yarascan Results
- Retrieves results from the Run Rekall yarascan package.
Deprecated Content
- The following sensors from versions of the Incident Response Memory solution that preceded this Labs release have been deprecated.
- Rekall PDB/GUID
- This sensor has been deprecated as the information is now combined into the Rekall Status sensor.
- Rekall Profiles
- This sensor has been deprecated as the information is now combined into the Rekall Status sensor.
- (multiple) Rekall plugin sensors
- In older beta versions of the Incident Response Memory content, Rekall plugins ran as sensors rather than as package/sensor combinations. If you previously deployed beta builds of Incident Response Memory, we recommend first deleting the sensors from those older versions.
Incident Response Memory 1.3.0.0013
Release Date: August 8, 2017
Resolved Issues
- Fixes an issue with the parsing of memory profiles needed on some installations. The Rekall Status sensor now correctly parses the profiles needed on Windows XP and Windows Server 2003 systems.
Sensors
- Rekall Status
- This sensor now correctly returns the profile versions needed for all systems with Rekall installed.
Incident Response Memory 1.3.0.0020
Release Date: August 15, 2017
Resolved Issues
- Fixes an issue with the Incident Response Memory solution manifest. The Incident Response Memory solution is now listed in the console.