FireEye Incident Response using DriverWalkList.bat
Memoryze
DriverWalkList.bat is a tool bundled with FireEye's well-known Memoryze. It executes DriverAuditModuleList.Batch.xml to walk PsLoadedModuleList, the kernel linked list that records every loaded module and driver, and enumerates each entry it finds.
DriverWalkList.bat takes the following parameters:
- -input – name of the memory image to parse (omit -input to analyze live memory)
- -output – directory in which to write results. Defaults to ./Audits
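The two invocation modes above (image file versus live memory) are easy to get wrong under time pressure, so here is an added PowerShell wrapper, not part of Memoryze or the original post, that builds the argument list for DriverWalkList.bat, hashes the image before it is parsed, and reports which result files the run produced. The Memoryze install directory and the evidence paths are assumptions; adjust them to your environment.

```powershell
# Added example (not Memoryze's own code): run DriverWalkList.bat against an
# image or live memory and return a record of the run for the case notes.
function Invoke-DriverWalkList {
    [CmdletBinding()]
    param(
        # Assumed install location of Memoryze; DriverWalkList.bat lives here
        [string]$MemoryzeDir = 'C:\Program Files (x86)\MANDIANT\Memoryze',
        # Memory image to parse; leave empty to walk live memory (no -input)
        [string]$ImagePath,
        # Result directory; the tool's own default is .\Audits
        [string]$OutputDir = (Join-Path (Get-Location).Path 'Audits')
    )

    $bat = Join-Path $MemoryzeDir 'DriverWalkList.bat'
    if (-not (Test-Path -LiteralPath $bat)) { throw "DriverWalkList.bat not found at $bat" }

    # Resolve to an absolute path so a relative -output still lands where expected
    $OutputDir = [System.IO.Path]::GetFullPath((Join-Path (Get-Location).Path $OutputDir))
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

    $toolArgs = @('-output', $OutputDir)
    $imageHash = $null
    if ($ImagePath) {
        if (-not (Test-Path -LiteralPath $ImagePath)) { throw "Image not found: $ImagePath" }
        # Hash the image before analysis so its integrity can be shown later
        $imageHash = (Get-FileHash -LiteralPath $ImagePath -Algorithm SHA256).Hash
        $toolArgs = @('-input', $ImagePath) + $toolArgs
    }

    # Snapshot existing result files so only this run's output is reported
    $before = Get-ChildItem -Path $OutputDir -Recurse -File | ForEach-Object FullName
    $start = Get-Date
    Push-Location $MemoryzeDir   # the batch file references its XML by relative path
    try   { & $bat @toolArgs; $exitCode = $LASTEXITCODE }
    finally { Pop-Location }
    $new = Get-ChildItem -Path $OutputDir -Recurse -File |
           Where-Object { $before -notcontains $_.FullName }

    [pscustomobject]@{
        Mode        = if ($ImagePath) { 'Image' } else { 'LiveMemory' }
        ImagePath   = $ImagePath
        ImageSHA256 = $imageHash
        ExitCode    = $exitCode
        Duration    = (Get-Date) - $start
        NewFiles    = @($new | ForEach-Object FullName)
    }
}

# Parse a captured image; omit -ImagePath (and run elevated) for live memory
Invoke-DriverWalkList -ImagePath 'D:\evidence\host01.img' -OutputDir 'D:\evidence\Audits'
```

The returned object can be exported with Export-Clixml or Export-Csv so the image hash, exit code and produced files are preserved alongside the Memoryze results.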
From an incident response perspective, identifying patient zero during an incident or infection is only the tip of the iceberg. A responder must gather evidence, artifacts, and data from the compromised systems, and having the right tool to carry out these actions is a must. Not only does it automate the collection, it also shortens the time needed to resolve the incident.