PECmd

Incident Response with EZTools - Evidence of Execution

PECmd, bundled with Eric Zimmerman's EZTools, is a parser for Windows Prefetch (.pf) files.

Prefetch has existed since Windows XP. It is part of the memory manager's prefetcher: roughly ten seconds after a program is launched for the first time, Windows writes a .pf file to C:\Windows\Prefetch, named after the executable plus a hash of its path (EXENAME-HASH.pf), and updates that file on later runs. The file lists the files and directories the program touched during start-up so the OS can preload them and shorten load time. For the responder it also records the executable name, a run count, the last run time and, on Windows 8 and later, the seven run times before that. Three caveats: Prefetch is disabled by default on Windows Server editions (the EnablePrefetcher value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters tells you whether it was on); the directory holds at most 128 files on Windows XP through 7 and 1024 on Windows 8 and later, so old entries are evicted; and Windows 10 .pf files are compressed, which PECmd decompresses transparently.

From an incident response perspective, the responder needs the ability and skill to triage quickly to patient zero and identify what was done on the host before the incident was detected.

During an incident, an executable may be launched that causes a system to behave oddly. Evidence that this execution occurred, and when, gives the responder a pivot point for the rest of the investigation.

Windows Application Compatibility Forensics

Prefetch Files - Part 1

Prefetch Files - Part 2

AppCompatCacheParser

Incident Response with EZTools - Evidence of Execution

AppCompatCacheParser, also known as ShimParser, is bundled with EZTools and parses the ShimCache (AppCompatCache).

ShimCache is a component of the Application Compatibility Database, which the Windows operating system uses to identify application compatibility issues. The cache contains data related to this feature and is used for quick lookups to determine whether modules require shimming for compatibility. (source: https://www.fireeye.com/content/dam/fireeye-www/services/freeware/shimcache-whitepaper.pdf) The cache is held in memory and written to the SYSTEM registry hive (ControlSet00X\Control\Session Manager\AppCompatCache\AppCompatCache) at shutdown or reboot, so a live registry can lag the most recent activity; on Windows 7 and later it holds up to 1024 entries. Each entry records a full path and the file's last modified time, not an execution time, and Windows 10 dropped the "executed" insertion flag that Windows 7 and 8 carried. Treat ShimCache as evidence that a file existed at that path (entries can be created by activity short of execution, such as a file being viewed in Explorer) and corroborate execution with Prefetch or Amcache.

Windows Application Compatibility Forensics

AmcacheParser

Incident Response with EZTools - Evidence of Execution

AmcacheParser is bundled with EZTools and parses Amcache.hve (C:\Windows\AppCompat\Programs\Amcache.hve), a registry hive that holds a large amount of information about files present on, and in most cases executed on, the system.

Amcache gives a timeline of which programs appeared on the system and when: the last write time of each file's key approximates when the file was first seen or installed. Each entry also carries the full path, size, version and publisher taken from the PE metadata, the linker (compile) timestamp, and a SHA1 hash. Two caveats: the SHA1 covers only the first 31,457,280 bytes (30 MB) of the file, so a larger binary will not match a full-file hash from a threat-intelligence feed, and on Windows 10 entries can be created by the compatibility appraiser scanning a file, so presence alone is strong but not conclusive evidence of execution.

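The following PowerShell script is an added worked example for the PECmd, AppCompatCacheParser and AmcacheParser labs above; it is not course material and not the tools' own documentation. It runs the three parsers against artifacts copied from a host (or a mounted image) and merges their CSV output into one evidence-of-execution timeline, carrying the caveats from the text as notes on each row. Assumed paths (not from the page): the EZTools binaries in C:\Tools\EZTools and the collected artifacts in C:\Cases\HOST01 (Prefetch\*.pf from C:\Windows\Prefetch, SYSTEM and its .LOG1/.LOG2 from C:\Windows\System32\config, Amcache.hve from C:\Windows\AppCompat\Programs). The CSV column names are those written by current EZTools builds; check the header row if your build differs.

```powershell
# Added example, not part of the course. Assumed layout: EZTools in $Tools, artifacts in $Case.
$Tools = 'C:\Tools\EZTools'
$Case  = 'C:\Cases\HOST01'
$Out   = Join-Path $Case 'parsed'
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# Prefetch: check first whether the prefetcher was even on. Server SKUs ship with it
# disabled. 0 = off, 1 = application launch, 2 = boot, 3 = both. This reads the live
# registry of the analysis host; for the target's offline SYSTEM hive, load it with reg.exe first.
$pfKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'
$pfState = (Get-ItemProperty -Path $pfKey -ErrorAction SilentlyContinue).EnablePrefetcher
Write-Host "EnablePrefetcher on this analysis host: $pfState"

# -d parses every .pf in the directory (Windows 10 files are compressed; PECmd handles that).
& "$Tools\PECmd.exe" -d "$Case\Prefetch" --csv $Out --csvf prefetch.csv -q

# ShimCache lives in the SYSTEM hive; -t sorts entries by timestamp. The parser replays the
# hive's transaction logs (SYSTEM.LOG1/.LOG2) when they sit next to it, so collect those too.
& "$Tools\AppCompatCacheParser.exe" -f "$Case\SYSTEM" --csv $Out --csvf shimcache.csv -t

# Amcache: -i also writes the file entries tied to installed programs, not only the unassociated ones.
& "$Tools\AmcacheParser.exe" -f "$Case\Amcache.hve" --csv $Out -i

# Normalize to one shape. EZTools write timestamps as yyyy-MM-dd HH:mm:ss.fffffff (UTC),
# so the strings sort correctly as text.
$timeline = [System.Collections.Generic.List[object]]::new()

Import-Csv (Join-Path $Out 'prefetch.csv') | ForEach-Object {
    # ExecutableName is bare (e.g. CMD.EXE); the full path is one of the FilesLoaded entries.
    $exe  = $_.ExecutableName
    $full = ($_.FilesLoaded -split ',\s*') | Where-Object { $_ -like "*\$exe" } | Select-Object -First 1
    $path = if ($full) { $full } else { $exe }
    $timeline.Add([pscustomobject]@{
        Source    = 'Prefetch'
        Timestamp = $_.LastRun
        Path      = $path
        Note      = "run count $($_.RunCount); a real execution time"
    })
}

Import-Csv (Join-Path $Out 'shimcache.csv') | ForEach-Object {
    $timeline.Add([pscustomobject]@{
        Source    = 'ShimCache'
        Timestamp = $_.LastModifiedTimeUTC
        Path      = $_.Path
        # Windows 10 stores the file's modified time, not a run time, and a file can be
        # cached without ever running: this row means "was present", not "was executed".
        Note      = "file mtime, not a run time; Executed=$($_.Executed)"
    })
}

Get-ChildItem -Path $Out -Filter '*Amcache*FileEntries.csv' |
    ForEach-Object { Import-Csv $_.FullName } |
    ForEach-Object {
        $timeline.Add([pscustomobject]@{
            Source    = 'Amcache'
            Timestamp = $_.FileKeyLastWriteTimestamp
            Path      = $_.FullPath
            Note      = "SHA1 $($_.SHA1) over first 30 MB only; approx. first seen"
        })
    }

$sorted = $timeline | Sort-Object Timestamp
$sorted | Export-Csv -Path (Join-Path $Out 'execution_timeline.csv') -NoTypeInformation

# Quick pivot: binaries that ran from user-writable or otherwise unusual locations.
$suspicious = '\\Users\\Public\\|\\Temp\\|\\Downloads\\|\\ProgramData\\|\\AppData\\Roaming\\|\\PerfLogs\\|\\\$Recycle\.Bin\\'
$sorted | Where-Object { $_.Path -match $suspicious } | Format-Table Timestamp, Source, Path, Note -AutoSize
```

The merged CSV is the artifact to hand to the timeline tool of your choice; the filtered table at the end is the first place to look for the binary that started the incident. A hit in Prefetch is a run; a hit only in ShimCache is a file that existed and needs corroboration; an Amcache SHA1 should be compared with other sources only after confirming the file is under 30 MB.
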
Windows Application Compatibility Forensics

Virtual File System

Endpoint Detection and Response using - Velociraptor

Velociraptor is a sophisticated digital forensic and incident response tool that improves visibility into endpoints. It was developed by DFIR professionals who needed a powerful and efficient way to hunt for specific artifacts and monitor activities across fleets of endpoints.

Velociraptor Query Language gives Velociraptor power and flexibility. VQL is a framework for creating highly customized artifacts, which allows you to collect, query, and monitor almost any aspect of an endpoint, groups of endpoints, or an entire network. It can also be used to create continuous monitoring rules on the endpoint, as well as automate tasks on the server. (source: https://docs.velociraptor.app/docs/overview/)

From an incident response perspective, the responder needs the ability and skill to triage quickly to patient zero without an interactive logon to each machine: an incident usually involves multiple endpoints, and logging on interactively to each one is slow and leaves the responder's own artifacts on the host.

Custom Artifact

Endpoint Detection and Response using - Velociraptor

Velociraptor Hunt

Endpoint Detection and Response using - Velociraptor

Shell Feature

Endpoint Detection and Response using - Velociraptor

Velociraptor Windows

Endpoint Detection and Response using - Velociraptor

In this lab, we download and run Velociraptor on Windows to get a first look at it.

First, go to https://github.com/Velocidex/velociraptor/releases

Then download the release for your platform; the Windows builds are named velociraptor-v<version>-windows-amd64.exe.

To run Velociraptor immediately, open Command Prompt as Administrator, change to the directory where the downloaded file was saved, and run:

<velociraptor_file> gui

The gui command generates a self-signed configuration, starts a server and a client on the local machine, and opens the GUI in your browser (https://127.0.0.1:8889 by default).

Note: this is the recommended way to install Velociraptor as a self-contained client and server on your local machine for testing purposes; it is not a production deployment.
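The same procedure as a PowerShell script, added here as an example (not part of the course or of Velociraptor's own documentation), with the two checks a responder would want before executing a freshly downloaded binary: confirm the console is elevated, and confirm the file carries a valid Authenticode signature and record its SHA-256 in the case notes. The release filename is an assumption following Velociraptor's naming convention; substitute the one you downloaded.

```powershell
# Added example, not course material. Assumed: the release was saved to the Downloads folder
# under the usual velociraptor-v<version>-windows-amd64.exe name.
$Release = Join-Path $env:USERPROFILE 'Downloads\velociraptor-v0.7.1-windows-amd64.exe'

# 1. The gui command binds local ports and writes its configuration next to the binary;
#    refuse to continue unless the console is elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Open the console as Administrator first.'
}

# 2. Supply-chain check before running anything downloaded: the Windows builds are
#    Authenticode-signed, so an unsigned or tampered file fails here. Keep the hash.
$sig = Get-AuthenticodeSignature -FilePath $Release
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status); do not run this binary."
}
"Signer : $($sig.SignerCertificate.Subject)"
"SHA256 : $((Get-FileHash -Algorithm SHA256 -Path $Release).Hash)"

# 3. Start the self-contained server, client and GUI (opens the browser to the local GUI).
Set-Location -Path (Split-Path -Path $Release -Parent)
& $Release gui
```

If the signature check fails on a build you obtained directly from the GitHub releases page, stop and verify the download out of band rather than bypassing the check.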

Velociraptor Linux

Endpoint Detection and Response using - Velociraptor

Advance log analysis

Eventlog Analysis using Windows tool - Powershell

PowerShell is a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework. PowerShell 7 runs on Windows, Linux, and macOS; Windows PowerShell 5.1 ships with every supported Windows release, which is what matters to a responder who cannot install tools on a compromised host.

PowerShell makes administrators' lives easier in managing endpoints and servers. Why PowerShell? It is built on the .NET Common Language Runtime (CLR), so anything exposed through .NET, including the Windows event log API, is reachable from the shell.

From an incident response perspective, the responder needs the ability and skill to triage to patient zero with no additional tooling, using what Windows already provides. PowerShell's Get-WinEvent cmdlet can query and filter the event logs, either live or from exported .evtx files, and the event XML can be parsed into named fields, which is of great use to the responder.
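An added worked example for this lab (not course material): Get-WinEvent pulls process creation events (Security event 4688) and interactive and remote-interactive logons (4624 with logon type 2 or 10) from a saved .evtx or the live Security log, parses the event XML into fields, and flags processes started from user-writable paths. The evtx path is an assumption. Reading the Security log needs an elevated console; 4688 is only logged when "Audit Process Creation" is enabled, the CommandLine field only when "Include command line in process creation events" is also enabled, and ParentProcessName is present from Windows 10 / Server 2016 onward.

```powershell
# Added example, not course material. Assumed input: a Security log exported to
# C:\Cases\HOST01\Security.evtx; omit -EvtxPath to query the live log instead.

function Get-EventField {
    # Pull one named value out of the event's EventData XML.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-ExecutionEvidence {
    param(
        [string]$EvtxPath,                        # saved .evtx; empty = live Security log
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    # FilterHashtable is evaluated by the event log service, so it is far faster than
    # piping every event through Where-Object.
    $filter = @{ Id = 4688, 4624; StartTime = $Since }
    if ($EvtxPath) { $filter.Path = $EvtxPath } else { $filter.LogName = 'Security' }

    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction Stop) {
        switch ($e.Id) {
            4688 {
                [pscustomobject]@{
                    Time    = $e.TimeCreated
                    Type    = 'ProcessCreate'
                    User    = Get-EventField $e 'SubjectUserName'
                    Process = Get-EventField $e 'NewProcessName'
                    Parent  = Get-EventField $e 'ParentProcessName'
                    Detail  = Get-EventField $e 'CommandLine'
                }
            }
            4624 {
                # Type 2 = console logon, type 10 = RemoteInteractive (RDP). Service and
                # network logons (5, 3) are noise for the patient-zero question, so skip them.
                $type = Get-EventField $e 'LogonType'
                if ($type -in '2', '10') {
                    [pscustomobject]@{
                        Time    = $e.TimeCreated
                        Type    = "Logon(type $type)"
                        User    = "$(Get-EventField $e 'TargetDomainName')\$(Get-EventField $e 'TargetUserName')"
                        Process = Get-EventField $e 'ProcessName'
                        Parent  = ''
                        Detail  = "from $(Get-EventField $e 'IpAddress')"
                    }
                }
            }
        }
    }
}

$suspicious = '\\Users\\Public\\|\\Temp\\|\\Downloads\\|\\ProgramData\\|\\AppData\\'
$evidence   = Get-ExecutionEvidence -EvtxPath 'C:\Cases\HOST01\Security.evtx'

# Processes launched from places a normal installer never uses.
$evidence | Where-Object { $_.Type -eq 'ProcessCreate' -and $_.Process -match $suspicious } |
    Format-Table Time, User, Parent, Process, Detail -AutoSize

# Who was at the keyboard, or on RDP, around those times.
$evidence | Where-Object { $_.Type -like 'Logon*' } |
    Format-Table Time, Type, User, Detail -AutoSize
```

Run with -Since set to the window the alert gave you; matching a suspicious 4688 against the nearest preceding type-10 logon is usually enough to name the account, and the source address, that brought the binary onto the host.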