Memoryze

FireEye Incident Response using - Memoryze

Memoryze is a free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images and, on a live system, can include the paging file in its analysis. It can perform all these functions on live system memory or memory image files, whether they were acquired by Memoryze or other memory acquisition tools.

Memoryze.exe is the executable that takes the command line parameters and executes the XML audit or script.

Memoryze command line parameters are as follows: 

      • -o [directory] The optional directory argument specifies the location to store the results. If no location is specified, the results are stored by default in /Audits/<hostname>/<timestamp>/, where <hostname> is the name of the system on which Memoryze is executing and <timestamp> is a date/time stamp in the format YYYYMMDDHHMMSS.
      • -script executes the specified audit script (*.Batch.xml)
      • -encoding [none,aff,gzip]
        • none – no encoding of the output
        • aff – compresses the output in an AFF evidence container
        • gzip – compresses the output in GZIP

From an incident response perspective, identifying patient zero during an incident or infection is just the tip of the iceberg. A responder must gather evidence, artifacts, and data about the compromised systems, and having the right tool to execute these actions is a must. Not only does it automate the collection, but it also helps the responder reduce the time needed to resolve the issue.

Memoryze MemoryDD

FireEye Incident Response using - MemoryDD.bat

MemoryDD.bat is a batch script shipped with FireEye's Memoryze. It runs AcquireMemory.Batch.xml to acquire a memory image of the system.

MemoryDD.bat has its own set of parameters:

      • -offset – offset into physical memory. Omit the -offset option to acquire all memory.
      • -size – size of physical memory to acquire. Omit the -size option to acquire all memory.
      • -output – directory in which to write results. Defaults to ./Audits


IOC Editor by FireEye

Endpoint Incident Response using - IOC Editor by FireEye

IOC Editor by FireEye is a free tool that provides an interface for managing data and manipulating the logical structures of IOCs. IOCs are XML documents that help incident responders capture diverse information about threats, including attributes of malicious files, characteristics of registry changes, and artifacts in memory.

The IOC Editor includes:

      • Manipulation of logical structures that define the IOC
      • Application of meta-information to IOCs, including detailed descriptions or arbitrary labels
      • Conversion of IOCs into XPath filters
      • Management of lists of “terms” used within IOCs


Redline by FireEye

Endpoint Incident Response using - Redline by FireEye

Redline by FireEye is an endpoint security tool that provides accelerated live response and host investigation capabilities, letting users find signs of malicious activity through memory and file analysis and build a threat assessment profile.

What are the capabilities of this tool?

With Redline, we can: 

      • Audit and collect all running processes and drivers from memory, file-system metadata, registry data, event logs, network information, services, tasks, and web history.
      • Analyze and view imported audit data, including the ability to filter results around a given time frame using Redline’s Timeline functionality.
      • Streamline memory analysis with a proven workflow for analyzing malware based on relative priority.
      • Perform Indicator of Compromise (IOC) analysis. Supplied with a set of IOCs, the Redline Portable Agent is automatically configured to gather the data required to perform the IOC analysis and review the IOC hit results.


Windows Live Response

Endpoint Incident Response using - Windows Live Response

BriMor Labs Windows Live Response Collection is a multi-platform tool that automates the gathering of volatile and non-volatile data from an endpoint for forensic investigation, such as a memory dump, prefetch files, and similar artifacts. It lets you choose between the Complete, Memory Dump, and Triage options:

      • The Complete option gathers a memory dump, volatile data, and a full disk image.
      • The Memory Dump option gathers a memory dump and volatile data.
      • The Triage option gathers volatile data only.


LOKI

Endpoint Incident Response using - Loki IOC and YARA Scanner

LOKI is a simple IOC and YARA scanner. It detects intrusions and infections by scanning the system against a set of signatures.

LOKI’s detection is based on four methods:

    • File Name IOC check, which uses regex patterns to match on the full file path/name.
    • YARA Rule check, which uses YARA rule signatures to match on file data and process memory.
    • Hash check, which compares the hashes of scanned files against known malicious hashes.
    • C2 Back Connect check, which compares the endpoint's network connections against C2 IOCs.


THOR

Endpoint Incident Response using - THOR Lite

THOR by Nextron Systems is a multi-platform IOC and YARA scanner. THOR is available in both an enterprise version and a free version; THOR Lite is the free version.

THOR Lite includes the file system and process scan modules as well as modules that extract “autoruns” information on the different platforms.

What are the capabilities of THOR Lite?

    • THOR Lite can scan different operating systems, including Windows, Linux, and macOS.
    • THOR Lite ships with a precompiled and encrypted open-source signature set.
    • THOR Lite can be updated to download tested versions with signature updates.
    • THOR Lite presents a readable report of the results after execution.
    • THOR Lite has the option to add our own custom IOCs and signatures.
    • THOR Lite supports different output formats: text log, SYSLOG (udp/tcp/tcp+tls), JSON to file, and JSON via Syslog.
    • THOR Lite supports scan throttling to limit CPU usage.


WxTCmd

Incident Response with EZTools - WxTCmd

WxTCmd is bundled with EZTools. This tool is a Windows 10 timeline database parser.

Windows 10 Timeline is a feature in Windows 10 that displays user activity and makes it possible to quickly return to previous documents, programs, videos, images, and websites.

From an incident response perspective, we may want to gather or recover evidence of user activity that took place on the suspected endpoint before it began exhibiting the odd behavior.

VSCMount

Incident Response with EZTools - VSCMount

VSCMount is bundled with EZTools. This tool can be used to mount all VSCs on a drive letter to a given mount point.

Volume Shadow Copy (VSC) is a feature in Windows that allows the system to take a snapshot or backup of your files, volumes, etc.

From an incident response perspective, we may want to gather or recover evidence of a deleted file and compare the system to its previous state before the detection happened.

VSCMount.exe command line options and arguments

We can look for information about our Volume Shadow Copy in the following Registry paths:

HKLM\SYSTEM\CurrentControlSet\Services\VSS

HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore

The Volume Shadow Knows

Volume Shadow Copy Part 1

Volume Shadow Copy Part 2

Volume Shadow Copy Part 3

Timeline Explorer

Incident Response with EZTools - CSV XLS Format Viewer

TimeLine Explorer is bundled with EZTools. This tool is used to view CSV and Excel (xls/xlsx) files and supports filtering, grouping, sorting, etc.

From an incident response perspective, we may be dealing with a lot of CSV and Excel files when we gather artifacts. Having a tool that opens and parses these documents with ease is very useful during an investigation: gathering evidence and artifacts already consumes time, and looking through the collected artifacts without a proper tool can drown us in data.

Introducing and Using TimeLine Explorer