FireEye Incident Response using - Process.bat

Process.bat is a script that ships with FireEye's Memoryze. It executes ProcessAuditMemory.Batch.xml to acquire specified information, such as open ports, files, keys, memory sections, and strings, from a given process or from all processes.

Process.bat enumerates everything about a process, including handles, virtual memory, network ports, and strings.

Process.bat takes the following parameters:

      • -input – name of the image to parse (omit -input for live memory)
      • -pid – PID of the process to acquire. (Default: 4294967295, which is equivalent to all PIDs)
      • -process – optional name of the process to inspect. (Default: excluded)
      • -handles – true | false inspect all process handles. (Default: false)
      • -sections – true | false inspect all process memory ranges. (Default: false)
      • -ports – true | false inspect all the ports of a process. (Default: false)
      • -imports – true | false enumerate the EXE's and DLLs' imports. (Default: false)
      • -exports – true | false enumerate the EXE's and DLLs' exports. (Default: false)
      • -MD5 – true | false hash the EXE and DLLs in memory. (Default: false)
      • -SHA1 – true | false hash the EXE and DLLs on disk. (Default: false)
      • -SHA256 – true | false hash the EXE and DLLs on disk. (Default: false)
      • -digsig – true | false verify whether the EXE and DLLs are signed on disk. (Default: false)
      • -strings – true | false inspect all the strings of a process. (Default: false)
      • -content – only acquire processes that contain a particular regex content. (Default: NULL)
      • -output – directory in which to write results. (Default: ./Audits)
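As an added example (not from the original post or from FireEye's documentation), two invocations that combine the parameters above: a live triage of one suspect process and an offline pass over a memory image. The paths, PID and regex are constructed placeholders.

```batch
@echo off
REM Added example, not part of the original post or of Memoryze itself.
REM C:\IR\..., PID 1234 and the regex are constructed placeholders.

REM 1) Live memory: -input is omitted, so Memoryze reads the running system.
REM    Acquire one PID with its handles, ports and memory sections, hash the
REM    EXE/DLLs and check their digital signatures on disk.
Process.bat -pid 1234 -handles true -sections true -ports true -MD5 true -SHA256 true -digsig true -output C:\IR\Audits\live

REM 2) Memory image: -pid is left at its default (all processes). Only processes
REM    whose memory matches the regex are acquired, with strings and imports.
Process.bat -input C:\IR\images\host01.img -content "https?://" -strings true -imports true -output C:\IR\Audits\host01
```

Results land as XML under the directory given to -output, one audit per run, which keeps the live and image evidence separate.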

From an incident response perspective, identifying patient zero during an incident or infection is just the tip of the iceberg. A responder must gather evidence, artifacts, and data about the compromised systems, and having the right tool to execute these actions is a must. Not only does it automate the collection, but it also helps the responder reduce the time needed to resolve the issue.