Memoryze DriverWalklist

FireEye Incident Response using - DriverWalkList.bat

Memoryze DriverWalkList.bat is a tool inside FireEye’s famous Memoryze. It executes DriverAuditModuleList.Batch.xml to enumerate PsLoadedModuleList, the kernel’s linked list of loaded modules.

DriverWalkList.bat is used to enumerate all modules and drivers in that linked list.

DriverWalkList.bat has its set of parameters:

      • -input – name of image to parse (omit -input for live memory)
      • -output – directory in which to write results. Defaults to ./Audits

From an incident response perspective, identifying patient zero during an incident or infection is just the tip of the iceberg. A responder must gather evidence, artifacts, and data about the compromised systems, and having the right tool to execute these actions is a must. Not only does such a tool automate the collection, it also reduces the time the responder needs to resolve the issue.

Memoryze DriverSearch

FireEye Incident Response using - DriverSearch.bat

Memoryze DriverSearch.bat is a tool inside FireEye’s famous Memoryze. It executes DriverAuditSignature.Batch.xml to find all loaded drivers by signature.

DriverSearch.bat is used to locate loaded drivers.

DriverSearch.bat has its set of parameters:

      • -input – name of image to parse (omit -input for live memory)
      • -imports – true | false enumerate the driver’s imports. (Default: false)
      • -exports – true | false enumerate the driver’s exports. (Default: false)
      • -MD5 – true | false hash the driver on disk. (Default: false)
      • -SHA1 – true | false hash the driver on disk. (Default: false)
      • -SHA256 – true | false hash the driver on disk. (Default: false)
      • -digsig – true | false verify whether the driver is signed on disk. (Default: false)
      • -strings – true | false inspect all the strings of a process. (Default: false)
      • -output – directory in which to write results. Defaults to ./Audits


Memoryze Process

FireEye Incident Response using - Process.bat

Memoryze Process.bat is a tool inside FireEye’s famous Memoryze. It executes ProcessAuditMemory.Batch.xml to acquire specified information, such as open ports, files, keys, memory sections, and strings, for a given process or for all processes.

Process.bat enumerates everything about a process, including handles, virtual memory, network ports, and strings.

Process.bat has its set of parameters:

      • -input – name of image to parse (omit -input for live memory)
      • -pid – PID of the process to acquire. Default: 4294967295, which is equivalent to all PIDs.
      • -process – optional name of the process to inspect. (Default: excluded)
      • -handles – true | false inspect all process handles. (Default: false)
      • -sections – true | false inspect all process memory ranges. (Default: false)
      • -ports – true | false inspect all the ports of a process. (Default: false)
      • -imports – true | false enumerate the EXE’s and DLLs’ imports. (Default: false)
      • -exports – true | false enumerate the EXE’s and DLLs’ exports. (Default: false)
      • -MD5 – true | false hash the EXE and DLLs in memory. (Default: false)
      • -SHA1 – true | false hash the EXE and DLLs on disk. (Default: false)
      • -SHA256 – true | false hash the EXE and DLLs on disk. (Default: false)
      • -digsig – true | false verify whether the EXE and DLLs are signed on disk. (Default: false)
      • -strings – true | false inspect all the strings of a process. (Default: false)
      • -content – only acquire processes that contain content matching a particular regex. (Default: NULL)
      • -output – directory in which to write results. Defaults to ./Audits


Memoryze DriverDD

FireEye Incident Response using - DriverDD.bat

Memoryze DriverDD.bat is a tool inside FireEye’s famous Memoryze. It executes AcquireDriver.Batch.xml to acquire a specified driver from memory, or all drivers.

DriverDD.bat has its set of parameters:

      • -input – name of image to parse (omit -input for live memory)
      • -driver – name of the driver to acquire (if not specified, all drivers are acquired)
      • -output – directory in which to write results. Defaults to ./Audits


Memoryze ProcessDD

FireEye Incident Response using - ProcessDD.bat

Memoryze ProcessDD.bat is a tool inside FireEye’s famous Memoryze. It executes AcquireProcessMemory.Batch.xml to acquire a specified process’s address space, including the stack, the heap, DLLs, EXEs, and NLS files.

ProcessDD.bat has its set of parameters:

      • -input – name of image to parse (omit -input for live memory)
      • -pid – PID of the process to acquire. Required if no process name is given.
      • -process – name of the process to acquire. Required if no PID is given.
      • -content – only acquire processes that contain content matching a particular regex. (Default: NULL)
      • -output – directory in which to write results. Defaults to ./Audits


Memoryze

FireEye Incident Response using - Memoryze

Memoryze is a free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images and, on a live system, can include the paging file in its analysis. It can perform all these functions on live system memory or memory image files, whether they were acquired by Memoryze or other memory acquisition tools.

Memoryze.exe is the executable that takes the command line parameters and executes the XML audit or script.

Memoryze command line parameters are as follows: 

      • -o [directory] – the optional directory argument specifies where to store the results. If it is not specified, the results are stored by default in /Audits/[system name]/[timestamp]/, where [system name] is the name of the system on which Memoryze is executing and [timestamp] is a date/time stamp in the format YYYYMMDDHHMMSS.
      • -Script – executes the specified audit (*.Batch.xml)
      • -encoding [none,aff,gzip]
        • none – no encoding of the output
        • aff – compresses the output in an AFF evidence container
        • gzip – compresses the output in GZIP


Memoryze MemoryDD

FireEye Incident Response using - MemoryDD.bat

Memoryze MemoryDD.bat is a tool inside FireEye’s famous Memoryze. It executes AcquireMemory.Batch.xml to create a memory image of a system and write it to disk.

MemoryDD.bat has its set of parameters:

      • -offset – offset into physical memory. Omit the -offset option to acquire all memory.
      • -size – size of physical memory to acquire. Omit the -size option to acquire all memory.
      • -output – directory in which to write results. Defaults to ./Audits
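The wrappers described on this page (MemoryDD.bat, DriverWalkList.bat, DriverSearch.bat and Process.bat) are normally run one after another during triage. The following batch script is an added example, not part of Memoryze or of the original page: it chains those wrappers into a single pass using only the parameters documented above. It assumes it is saved in the Memoryze directory next to the wrapper .bat files (the file name triage.bat and the results folder name are my own choices) and is run from an elevated command prompt.

```batch
@echo off
REM Added example, not part of Memoryze: one triage pass that chains the
REM wrapper scripts documented on this page. Assumes this file (the name
REM "triage.bat" is an assumption) lives in the Memoryze directory next to
REM MemoryDD.bat, DriverWalkList.bat, DriverSearch.bat and Process.bat.
REM
REM   triage.bat                              analyze live memory (acquires an image first)
REM   triage.bat C:\images\host.img           analyze an existing memory image
REM   triage.bat C:\images\host.img "<regex>" also restrict Process.bat to matching content
setlocal

set "IMAGE=%~1"
set "PATTERN=%~2"
REM One results directory per run (my own naming); each wrapper writes its
REM own audit files beneath it instead of the default .\Audits.
set "OUT=%~dp0Audits\triage-%COMPUTERNAME%-%RANDOM%"

REM -input is only passed when an image path was given; without it every
REM wrapper works on live memory, as documented above.
set "INPUT="
if defined IMAGE (
    if not exist "%IMAGE%" (
        echo Image not found: "%IMAGE%"
        exit /b 1
    )
    set "INPUT=-input "%IMAGE%""
)

REM Optional -content regex filter for Process.bat (page default: NULL).
set "CONTENT="
if defined PATTERN set "CONTENT=-content "%PATTERN%""

mkdir "%OUT%" 2>nul
echo Writing results to "%OUT%"

REM 0. Live system only: preserve a full image before any further analysis,
REM    so the evidence survives a later reboot or cleanup of the host.
if not defined INPUT call MemoryDD.bat -output "%OUT%"

REM 1. Loaded modules and drivers from PsLoadedModuleList.
call DriverWalkList.bat %INPUT% -output "%OUT%"

REM 2. Drivers located by signature, with on-disk hashes and a signature
REM    check so the results can be compared against a known-good baseline.
call DriverSearch.bat %INPUT% -imports true -exports true -MD5 true -SHA256 true -digsig true -output "%OUT%"

REM 3. Every process (the page's default PID 4294967295 means all PIDs):
REM    handles, memory sections, network ports, hashes and signature status
REM    of the EXE and DLLs, optionally filtered by the -content regex.
call Process.bat %INPUT% -handles true -sections true -ports true -MD5 true -SHA256 true -digsig true %CONTENT% -output "%OUT%"

echo Done. Review the audit output under "%OUT%".
endlocal
```

Acquiring an image with MemoryDD.bat before running the live analysis is deliberate: the enumeration and hashing steps take time, and having the image on disk means the same evidence can be re-parsed later with -input even if the host is rebooted. Enabling -MD5, -SHA256 and -digsig makes DriverSearch.bat and Process.bat noticeably slower, but the hashes and signature verdicts are what later allow the loaded drivers and modules to be checked against a known-good set.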
