austinbgill / mig

This project forked from mozilla/mig

Distributed & real time digital forensics at the speed of the cloud

Home Page: http://mig.mozilla.org/

License: Mozilla Public License 2.0

Dockerfile 0.27% Makefile 1.21% Go 95.05% C++ 0.51% Assembly 0.11% SourcePawn 0.11% PHP 0.19% Shell 2.34% Python 0.22%

Mozilla Investigator (MIG)

Identifying vulnerabilities in remote endpoints.

What is Mozilla Investigator?

Mozilla Investigator (MIG) is a platform for identifying vulnerabilities in remote endpoints. "Agents" installed throughout the systems of an infrastructure answer queries about file systems, network state, memory, and endpoint configuration in real time. With MIG, users can obtain information from many endpoints of an infrastructure simultaneously, identifying risk and improving security operations.

In other words... MIG is an army of Sherlock Holmeses at your fingertips, my dear Watson!

When do I use MIG?

Suppose a critical vulnerability has just been disclosed for your favorite PHP application. The vuln is already being exploited and security groups are releasing indicators of compromise (IOCs). The thought of inspecting thousands of systems manually isn't exactly appealing, is it?

MIG can help!

MIG searches across all systems for the signature of the vulnerable PHP app (the MD5 of a file, a regex, or simply a filename) via the file module. MIG can also hunt for IOCs such as:

  • specific log entries
  • backdoor files by their MD5 and SHA-1/2/3 hashes
  • IP addresses from botnets
  • byte strings in process memory

With just a few commands, MIG users can investigate thousands of remote systems.
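The hunt described above, as an added example written for this page (it is not MIG's code and not its file module): a small Go stand-in that walks a directory, ANDs the same kinds of criteria within one search (name regex, SHA-256, content regex) while ORing several searches, and reports only the path and metadata of each hit, never the file body. The Search and Match types, the 64 MiB read cap, the three sample files and the example-range IP 198.51.100.23 are all constructed for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
)

// Search is one set of AND-ed criteria, modeled on a MIG file-module search
// (hypothetical type, not MIG's own code). Unset fields are not checked.
type Search struct {
	Label   string
	Root    string         // directory to walk
	Name    *regexp.Regexp // must match the base name
	SHA256  string         // lowercase hex digest of the whole file
	Content *regexp.Regexp // must match somewhere in the body
}

// Match is all an agent would report: location and metadata, never the body.
type Match struct {
	Search, Path, LastModified string
	Size                       int64
}

// Run keeps the regular files under Root that satisfy every set criterion.
// Unreadable entries are skipped and files over 64 MiB (an assumed cap) are
// not opened, so one bad path cannot abort or stall the whole search.
func (s Search) Run() ([]Match, error) {
	var out []Match
	err := filepath.WalkDir(s.Root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || !d.Type().IsRegular() || (s.Name != nil && !s.Name.MatchString(d.Name())) {
			return nil
		}
		info, err := d.Info()
		if err != nil || info.Size() > 64<<20 {
			return nil
		}
		if s.SHA256 != "" || s.Content != nil { // read the body only when a criterion needs it
			body, err := os.ReadFile(p)
			if err != nil || (s.Content != nil && !s.Content.Match(body)) {
				return nil
			}
			if sum := sha256.Sum256(body); s.SHA256 != "" && hex.EncodeToString(sum[:]) != s.SHA256 {
				return nil
			}
		}
		out = append(out, Match{s.Label, p, info.ModTime().UTC().Format("2006-01-02 15:04:05 MST"), info.Size()})
		return nil
	})
	return out, err
}

const backdoorBody = "<?php eval(base64_decode($_POST['c'])); ?>\n" // constructed stand-in for a known-bad file

// Scenario writes a constructed set of files into dir (so the example runs
// offline) and hunts them for the three kinds of IOC from the text: a known
// hash, a content pattern for variants the hash list misses, and a botnet IP
// (an example-range address here) in a web log. The searches are ORed together.
func Scenario(dir string) ([]Match, error) {
	for name, body := range map[string]string{
		"index.php":  "<?php echo 'hello'; ?>\n",
		"cache.php":  backdoorBody,
		"access.log": "198.51.100.23 - - [05/Jul/2016:15:32:42 +0000] \"POST /cache.php\" 200\n",
	} {
		if err := os.WriteFile(filepath.Join(dir, name), []byte(body), 0o644); err != nil {
			return nil, err
		}
	}
	sum := sha256.Sum256([]byte(backdoorBody))
	var all []Match
	for _, s := range []Search{
		{Label: "s1", Root: dir, Name: regexp.MustCompile(`\.php$`), SHA256: hex.EncodeToString(sum[:])},
		{Label: "s2", Root: dir, Name: regexp.MustCompile(`\.php$`), Content: regexp.MustCompile(`eval\(base64_decode\(`)},
		{Label: "s3", Root: dir, Name: regexp.MustCompile(`\.log$`), Content: regexp.MustCompile(`\b198\.51\.100\.23\b`)},
	} {
		m, err := s.Run()
		if err != nil {
			return nil, err
		}
		all = append(all, m...)
	}
	return all, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "mig-example")
	defer os.RemoveAll(dir)
	matches, err := Scenario(dir)
	if err != nil {
		panic(err)
	}
	for _, m := range matches { // path and metadata only, never the file body
		fmt.Printf("%s [lastmodified:%s, size:%d] in search '%s'\n", m.Path, m.LastModified, m.Size, m.Search)
	}
}
```

Running it reports cache.php twice (once per search that hit it) and access.log once; index.php, which matches the name criterion of s1 and s2 but neither the hash nor the pattern, is never mentioned. That is the property to keep in mind when writing a search: every criterion inside a search must hold, so a hash plus a name regex narrows, while a second search widens.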

Design and Capability

MIG agents are designed to be lightweight, secure, and easy to deploy. You can ask your favorite sysadmins to add the agent to the base deployment without fear of breaking the production network. All parameters are built into the agent at compile time, including the ACLs of authorized investigators, so nothing the agent receives at run time can change who is allowed to task it. Investigators sign every action with their PGP keys, and the agent verifies those signatures against the compiled-in ACL before running anything. Even if the MIG servers are compromised, nobody can task the agents as long as the investigators keep their private keys safe.

MIG is also designed to be fast and asynchronous. It uses AMQP to distribute actions to endpoints and Go channels so that no component blocks another. Running actions and commands are persisted in a PostgreSQL database and in an on-disk cache, so the reliability of the platform does not depend on long-running processes staying up.

Investigations generally complete in 10 to 300 seconds. Many actions require only milliseconds for agents to run, while more demanding actions, like searching for a hash in a large directory, require a few minutes.

For MIG users, privacy and security are essential. Agents do NOT send raw data back to the platform: they answer the question that was asked (a match or no match, plus metadata such as a file path and its size), and the raw files, memory or network data never leave the endpoint. All actions are signed with GPG keys that are NOT stored on the platform, so a compromise of the infrastructure does not give an attacker the ability to forge actions.
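The trust model of the two paragraphs above, as an added example that is not MIG's code: it uses Go's standard-library Ed25519 in place of OpenPGP so that it runs with no dependencies, and models the agent's ACL on MIG's per-module rule of investigator fingerprints with weights and a minimum weight. The Action, Agent and Investigator types, the SHA-256 fingerprint convention, the sample ACL and the "memory needs two signers" policy are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Action is a simplified stand-in for a MIG action (not MIG's own type).
type Action struct {
	Name       string            `json:"name"`
	Module     string            `json:"module"`
	Parameters map[string]string `json:"parameters"`
}

// canonical is the signed byte string: fixed field order plus sorted map keys.
func canonical(a Action) []byte {
	b, _ := json.Marshal(a) // cannot fail for these field types
	return b
}

type Signature struct {
	Fingerprint string // hex SHA-256 of the signer's public key (assumed convention)
	Sig         []byte
}

// Investigator holds a signing key; only Pub ever reaches an agent.
type Investigator struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewInvestigator() *Investigator {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	return &Investigator{Pub: pub, priv: priv}
}

func (inv *Investigator) Fingerprint() string {
	sum := sha256.Sum256(inv.Pub)
	return hex.EncodeToString(sum[:])
}

func (inv *Investigator) Sign(a Action) Signature {
	return Signature{Fingerprint: inv.Fingerprint(), Sig: ed25519.Sign(inv.priv, canonical(a))}
}

// ModuleRule mirrors a MIG ACL entry: each listed fingerprint carries a weight,
// and the valid signatures on an action must add up to MinimumWeight.
type ModuleRule struct {
	MinimumWeight int
	Investigators map[string]int
}

// Agent holds what is compiled into the endpoint: per-module rules and trusted keys by fingerprint.
type Agent struct {
	ACL  map[string]ModuleRule
	Keys map[string]ed25519.PublicKey
}

// Verify runs before anything executes. The relaying server is not trusted;
// an unknown signer or a signature that fails rejects the whole action.
func (ag *Agent) Verify(a Action, sigs []Signature) error {
	rule, ok := ag.ACL[a.Module]
	if !ok {
		return fmt.Errorf("module %q: no ACL rule, refusing", a.Module)
	}
	msg, weight, counted := canonical(a), 0, map[string]bool{}
	for _, s := range sigs {
		pub, known := ag.Keys[s.Fingerprint]
		if !known || !ed25519.Verify(pub, msg, s.Sig) {
			return fmt.Errorf("signature from %.8s: unknown key or action tampered with", s.Fingerprint)
		}
		if w, listed := rule.Investigators[s.Fingerprint]; listed && !counted[s.Fingerprint] {
			counted[s.Fingerprint] = true // the same key never counts twice
			weight += w
		}
	}
	if weight < rule.MinimumWeight {
		return fmt.Errorf("module %q: signature weight %d below required %d", a.Module, weight, rule.MinimumWeight)
	}
	return nil
}

func main() {
	alice, bob := NewInvestigator(), NewInvestigator()
	weights := map[string]int{alice.Fingerprint(): 1, bob.Fingerprint(): 1}
	ag := &Agent{
		ACL:  map[string]ModuleRule{"file": {1, weights}, "memory": {2, weights}}, // memory reads take two people
		Keys: map[string]ed25519.PublicKey{alice.Fingerprint(): alice.Pub, bob.Fingerprint(): bob.Pub},
	}
	act := Action{Name: "hunt", Module: "memory", Parameters: map[string]string{"content": "badstring"}}
	sa, sb := alice.Sign(act), bob.Sign(act)
	fmt.Println("alice alone:", ag.Verify(act, []Signature{sa}))
	fmt.Println("alice+bob:  ", ag.Verify(act, []Signature{sa, sb}))
	act.Parameters["content"] = "something else" // changed after signing, e.g. by a compromised server
	fmt.Println("tampered:   ", ag.Verify(act, []Signature{sa, sb}))
}
```

The point of the weights is that the server never holds anything the agent trusts: the ACL and the public keys are baked into the binary, and a relay that rewrites an action, replays one signature twice, or adds a signature from a key it generated itself fails verification on the endpoint.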

Capability           Linux     MacOS     Windows
file inspection      yes       yes       yes
network inspection   yes       yes       partial
memory inspection    yes       yes       yes
vuln management      yes       planned   planned
log analysis         planned   planned   planned
system auditing      yes       planned   planned

Quick Start with Docker

You can explore a local-only MIG setup using Docker. The image provides a single-container environment with most MIG components available. Note that this setup is for exploration only and is not intended for real MIG usage.

Pull from Docker Hub:

$ docker pull mozilla/mig
$ docker run -it mozilla/mig

Alternatively, if the source is checked out in your GOPATH, build your own image:

$ cd $GOPATH/src/github.com/mozilla/mig
$ docker build -t mozilla/mig:latest .
$ docker run -it mozilla/mig

Use MIG inside the container to query a local agent:

mig@5345268590c8:~$ /go/bin/mig file -t all -path /usr/bin -sha2 5c1956eba492b2c3fffd8d3e43324b5c477c22727385be226119f7ffc24aad3f
1 agents will be targeted. ctrl+c to cancel. launching in 5 4 3 2 1 GO
Following action ID 7978299359234.
 1 / 1 [=========================================================] 100.00% 0/s4s
100.0% done in 3.029105958s
1 sent, 1 done, 1 succeeded
ed11f485244a /usr/bin/wget [lastmodified:2016-07-05 15:32:42 +0000 UTC, mode:-rwxr-xr-x, size:419080] in search 's1'
1 agent has found results

To further explore the capabilities of MIG, see the CheatSheet.

Technology

MIG is built in Go. It uses a REST API that receives signed JSON messages. The messages are distributed to agents via RabbitMQ and stored in a PostgreSQL database.

MIG is:

  • fast in distribution
  • simple to deploy across platforms
  • secured using OpenPGP
  • focused on privacy (never retrieves raw data from endpoints)

Watch this 10 minute demonstration of the console interface:

MIG youtube video

Watch the MIG presentation at SANS DFIR Summit in Austin, TX:

MIG @ DFIR Summit 2015

Discussion

Join #mig at irc.mozilla.org (use a web client such as mibbit).

Documentation

All MIG documentation is available in the 'doc' directory and at http://mig.mozilla.org .

Contributors

arunk-s, austinbgill, bjstrange, bobsaintcool, caiyeon, dajohi, djmitche, exec64, gdestuynder, jayant-yadav, jboyer2012, jdiez17, jvehent, kishorbhat, mvanotti, netantho, novemburr, pwnbus, robmurtha, stephenma064, sunnygkp10, suriyaakudoisc, sushant94, tydavis, vbmade2000, yvesago, zsck
