Rastrea2r – Collecting & Hunting for IOCs

When it comes to security software, many professionals are moving from traditional signature-based AV products to tools that consume one or more Indicator of Compromise (IOC) feeds. If you are looking for this type of solution, you can check out rastrea2r.

Rastrea2r is a multi-platform open source tool that allows incident responders and SOC analysts to triage suspect systems and hunt for Indicators of Compromise (IOCs) across thousands of endpoints in minutes.
To parse and collect artifacts of interest from remote systems (including memory dumps), rastrea2r can execute Sysinternals tools, system commands and other 3rd party tools (including custom scripts) across multiple endpoints, saving the output to a centralized share for automated or manual analysis.

design of rastrea2r deployment

Some of the current supported functionalities are:

  • Fast Triaging: Executes Sysinternals tools or any other 3rd party batch scripts (including custom scripts) to perform basic triage
  • Forensic Artifact Collection: Creates snapshots quickly (implements a wrapper for the CyLR tool, which collects forensic artifacts from hosts with NTFS file systems quickly and securely while minimizing impact on the host)
  • Web History: Collects the browser history
  • Prefetch Tool: Collects Windows Prefetch data, a valuable forensic artifact for determining which applications have been run on a system
  • Memory Dump: Acquires a memory dump from the endpoint
  • Yara Disk: Yara scan of file/directory objects on disk
  • Yara Mem: Yara scan of running processes in memory

Rastrea2r now also supports pushing scan results to a RESTful server over HTTP. This allows users to deploy rastrea2r across their enterprise, run the different rastrea2r commands to collect and triage data, and then store the Yara Disk or Yara Mem results on the server for further analysis.
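To make the push-to-server model concrete, here is an added example (not code from the rastrea2r project) of the two halves that model implies: an endpoint agent that POSTs one Yara scan result as JSON, and a small collection server that validates the submission before storing it and lets an analyst ask which hosts matched a given rule. The endpoint path `/api/results`, the JSON field names, the size cap and the sample result are all assumptions made for this example; rastrea2r's real API may differ.

```python
"""Minimal scan-result collector and client, illustrating the "push results to
a RESTful server" model. Endpoint path, JSON schema, field names and sample
data are assumptions for this example, not rastrea2r's actual API."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

REQUIRED_FIELDS = {"hostname", "scan_type", "matches"}   # assumed schema
ALLOWED_SCAN_TYPES = {"yara-disk", "yara-mem"}           # mirrors the two Yara modes
MAX_BODY_BYTES = 1_000_000                               # reject oversized uploads

# Constructed sample result; not output from a real scan.
SAMPLE_RESULT = {
    "hostname": "ws-0042",
    "scan_type": "yara-disk",
    "matches": [{"rule": "Example_Suspicious_Packer",
                 "target": "C:\\Users\\Public\\tool.exe"}],
}


def validate_result(payload):
    """Return a list of problems with a submitted result; empty means accepted."""
    if not isinstance(payload, dict):
        return ["payload is not a JSON object"]
    problems = []
    missing = REQUIRED_FIELDS - set(payload)
    if missing:
        problems.append("missing fields: " + ", ".join(sorted(missing)))
    if payload.get("scan_type") not in ALLOWED_SCAN_TYPES:
        problems.append("unknown scan_type")
    matches = payload.get("matches")
    if not isinstance(matches, list):
        problems.append("matches must be a list")
    elif any(not isinstance(m, dict) or "rule" not in m or "target" not in m
             for m in matches):
        problems.append("each match needs 'rule' and 'target'")
    return problems


class ResultStore:
    """Thread-safe in-memory store; a real deployment would persist to disk/DB."""
    def __init__(self):
        self.lock = threading.Lock()
        self.results = []

    def add(self, payload):
        with self.lock:
            self.results.append(payload)

    def hosts_with_rule(self, rule):
        """Analyst query: which hosts reported a match for this Yara rule?"""
        with self.lock:
            return sorted({r["hostname"] for r in self.results
                           if any(m["rule"] == rule for m in r["matches"])})


def make_handler(store):
    class Handler(BaseHTTPRequestHandler):
        def _reply(self, code, obj):
            body = json.dumps(obj).encode()
            self.send_response(code)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def do_POST(self):
            if self.path != "/api/results":
                return self._reply(404, {"accepted": False, "problems": ["not found"]})
            length = int(self.headers.get("Content-Length", 0))
            if length > MAX_BODY_BYTES:
                return self._reply(413, {"accepted": False, "problems": ["too large"]})
            try:
                payload = json.loads(self.rfile.read(length))
            except ValueError:
                return self._reply(400, {"accepted": False, "problems": ["invalid JSON"]})
            problems = validate_result(payload)
            if problems:
                return self._reply(400, {"accepted": False, "problems": problems})
            store.add(payload)
            self._reply(201, {"accepted": True})

        def log_message(self, *args):   # keep the example quiet
            pass
    return Handler


def start_server(store):
    """Bind to a free loopback port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(store))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def push_result(base_url, payload):
    """Endpoint side: POST one scan result; returns (status, decoded JSON body)."""
    req = Request(base_url + "/api/results", data=json.dumps(payload).encode(),
                  headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urlopen(req) as resp:
            return resp.getcode(), json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read())


def demo():
    """Push one valid and one malformed result, then run the analyst query."""
    store = ResultStore()
    server = start_server(store)
    base = "http://127.0.0.1:%d" % server.server_address[1]
    ok = push_result(base, SAMPLE_RESULT)
    bad = push_result(base, {"hostname": "ws-0043", "scan_type": "yara-mem"})
    server.shutdown()
    server.server_close()
    return ok, bad, store.hosts_with_rule("Example_Suspicious_Packer")


if __name__ == "__main__":
    print(demo())
```

The server-side validation is the part worth keeping in mind when standing up such a collector: results arrive from many endpoints, so the receiving service should enforce a schema and a size limit rather than store whatever is posted, and should expose queries such as "which hosts hit rule X" so that a single match can be pivoted into a fleet-wide view.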

You can download the latest version from https://github.com/
