FireEye Incident Response using DriverSearch.bat

DriverSearch.bat is a script shipped with FireEye’s well-known Memoryze memory-analysis toolkit. It runs the DriverAuditSignature.Batch.xml audit, which enumerates all loaded drivers and can check each one against its digital signature.

In short, DriverSearch.bat is used to find and enumerate the drivers loaded on a system.

DriverDD.bat has its own set of parameters:

      • -input – name of the image to parse (omit -input for live memory)
      • -imports – true | false enumerate the driver’s imports.
      • -exports – true | false enumerate the driver’s exports.
      • -MD5 – true | false hash the driver on disk. (Default: false)
      • -SHA1 – true | false hash the driver on disk. (Default: false)
      • -SHA256 – true | false hash the driver on disk. (Default: false)
      • -digsig – true | false verify whether the driver is signed on disk. (Default: false)
      • -strings – true | false inspect all the strings of a process. (Default: false)
      • -output – directory in which to write results. (Default: ./Audits)
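The following PowerShell wrapper is an added example, not code from the original post or from FireEye. It shows how the parameters listed above fit together in practice: one run against live memory with on-disk hashing and signature verification enabled, and one run against a captured image with only the in-memory options (the hashing and -digsig options refer to the driver file on disk, so they only yield meaningful results on the live system that owns that disk). The Memoryze install directory, the image path and the output path are assumptions; adjust them to your environment.

```powershell
# Added example (not from the original post or from FireEye).
# Assumed values: Memoryze install directory, evidence image path, output directory.
$MemoryzeDir = 'C:\Program Files\MANDIANT\Memoryze'   # assumed install location
$ImagePath   = 'D:\evidence\host01\memory.img'         # placeholder path to a captured image
$OutDir      = 'D:\evidence\host01\Audits'             # results go here instead of .\Audits

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# The batch scripts reference Memoryze.exe and the audit XML relative to their own
# folder, so run them from the install directory.
Push-Location $MemoryzeDir
try {
    # Live system: omit -input. Enable SHA256 hashing and signature verification so
    # each loaded driver can be checked against its on-disk file and vendor signature.
    # -strings is left at its default (false) because extracting every driver's strings
    # is slow; enable it selectively when a suspicious driver has been identified.
    .\DriverSearch.bat -imports true -exports true -SHA256 true -digsig true -output $OutDir

    # Captured image: the on-disk options (MD5/SHA1/SHA256/digsig) cannot reach the
    # original disk, so only the in-memory options are requested here.
    .\DriverSearch.bat -input $ImagePath -imports true -exports true -output (Join-Path $OutDir 'image')
}
finally {
    Pop-Location
}

# Record what the run produced and hash the audit files, so the evidence collected
# can be verified later in the investigation.
Get-ChildItem -Path $OutDir -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash |
    Export-Csv -Path (Join-Path $OutDir 'audit-manifest.csv') -NoTypeInformation
```

Running the live audit first and the image audit second keeps the two result sets in separate directories, which makes it straightforward to compare the driver list seen on the running host with the one recovered from the image.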

From an incident response perspective, identifying patient zero during an incident or infection is just the tip of the iceberg. A responder must also gather evidence, artifacts, and data about the compromised systems, and having the right tool to carry out these actions is a must: it automates the collection, and it reduces the time the responder needs to resolve the issue.