FireEye Incident Response using - ProcessDD.bat
Memoryze ProcessDD.bat is a tool inside FireEye’s famous Memoryze. What it does is executes AcquireProcessMemory.Batch.xml to acquire a specified process’ address space, including the stack, the heap, DLLs, EXEs, and NLS files.
ProcessDD.bat has its set of paramaters:
- –input – name of image to parse (omit -input for live memory)
- –pid – PID of the process to acquire. Required without process name.
- –process – process name of the process to acquire. Required without PID. directory in which to write results. Defaults to ./Audits
- -content – only acquired processes that contains a particular regex content. (Default: NULL)
- -output – directory in which to write results. Defaults to ./Audits
From an incident response perspective, identifying the patient zero during the incident or an infection is just the tip of the iceberg. A responder must gather evidence, artifacts, and data about the compromised systems and having the right tool to execute these actions is a must. Not only does it automate everything, but it also helps the responder to reduce the time to solve the issue.