FireEye Incident Response using DriverSearch.bat
Memoryze DriverSearch.bat is one of the batch scripts shipped with FireEye's well-known memory forensics tool Memoryze. It executes DriverAuditSignature.Batch.xml, which enumerates every loaded driver by scanning memory for driver object signatures rather than walking the kernel's module list. That is the security-relevant point: a rootkit that unlinks its driver from the module list to hide from a list walk is still found by the signature scan.
In short, DriverSearch.bat is used to find drivers, hidden or not.
DriverSearch.bat takes the following parameters:
- -input – path of the memory image to parse (omit -input to audit live memory on the current host)
- -imports – true | false enumerate the driver's imports
- -exports – true | false enumerate the driver's exports
- -MD5 – true | false hash the driver on disk (Default: false)
- -SHA1 – true | false hash the driver on disk (Default: false)
- -SHA256 – true | false hash the driver on disk (Default: false)
- -digsig – true | false verify the driver's digital signature on disk (Default: false)
- -strings – true | false extract all the strings of each driver (Default: false)
- -output – directory in which to write the results (Default: ./Audits)
Note that the hash and -digsig options read the driver binary from the filesystem of the machine running Memoryze, so they are only meaningful in a live audit (or when the driver files from the compromised host are available locally); against an acquired image they should be left at their default of false.
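The two common ways to run it, as an added example written for this page rather than taken from the Memoryze documentation: a live audit with on-disk hashing and signature verification switched on, and an offline audit of a previously acquired image. The Memoryze install path, the evidence directory and the image file name are assumptions.

```powershell
# Added example: driving DriverSearch.bat from PowerShell.
# $memoryze and $case are assumed paths; adjust them to your environment.
$memoryze = 'C:\Program Files (x86)\MANDIANT\Memoryze'
$case     = 'E:\IR\case-0042'

# 1. Live audit of the host Memoryze is running on: -input is omitted.
#    Hashing and -digsig read each driver binary from the local disk,
#    so this is the run where those options actually mean something.
& "$memoryze\DriverSearch.bat" `
    -imports true -exports true `
    -MD5 true -SHA256 true -digsig true `
    -strings false `
    -output "$case\audits\live"

# 2. Offline audit of an image acquired earlier (for example with MemoryDD.bat).
#    The on-disk options stay at their default (false): the analysis box
#    does not have the target's driver files, so hashes and signature
#    checks would not describe the compromised host.
& "$memoryze\DriverSearch.bat" `
    -input "$case\images\host1-memory.img" `
    -imports true -exports true `
    -output "$case\audits\host1"

# Memoryze writes its audits as XML below the -output directory;
# list what each run produced before opening it in Audit Viewer.
Get-ChildItem -Path "$case\audits" -Recurse -File |
    Select-Object FullName, Length, LastWriteTime
```

Running the live audit with -digsig true and hashes enabled gives you, in one pass, the set of loaded drivers, which of them carry a valid signature, and hashes you can compare against known-good baselines or threat intelligence.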
From an incident response perspective, identifying patient zero during an incident or infection is only the tip of the iceberg. A responder still has to gather evidence, artifacts and data from every compromised system, and having the right tool to do that is a must: it automates the collection and helps the responder cut the time it takes to resolve the incident.