FireEye Incident Response using - Process.bat
Memoryze Process.bat is a tool inside FireEye’s famous Memoryze. What it does is executes ProcessAuditMemory.Batch.xml to acquire specified information, such as open ports, files, keys, memory sections, and strings, on a given process or all processes.
Process.bat enumerates everything about a process, including handles, virtual memory, network ports, and strings.
Process.bat has its set of paramaters:
- –input – name of image to parse (omit -input for live memory)
- –pid – PID of the process to acquire. Default: 4294967295 which is equivalent to all PIDs.
- –process – optional name of the process to inspect. (Default: excluded)
- -handles – true | false inspect all process handles. (Default: false)
- -sections -true | false inspect all process memory ranges.(Default:false)
- -ports – true | false inspect all the ports of a process. (Default:false)
- –imports –true|false enumerate the EXE’ and DLLs’ imports(Default:false)
- –exports – true|false enumerate the EXE’ and DLLs’ exports.Default:false)
- -MenD5 – true | false hash the EXE and DLLs in memory. (Default: false)
- –SHA1 – true | false hash the EXE and DLLs on disk. (Default: false)
- –SHA256 – true | false hash the EXE and DLLs on disk. (Default: false)
- –digsig – true|false verify if the EXE and DLLs are signed on disk. (Default: false)
- –strings –true|false inspect all the strings of a process.(Default:false)
- -content – only acquired processes that contains a particular regex content. (Default: NULL)
- -output – directory in which to write results. Defaults to ./Audits
From an incident response perspective, identifying the patient zero during the incident or an infection is just the tip of the iceberg. A responder must gather evidence, artifacts, and data about the compromised systems and having the right tool to execute these actions is a must. Not only does it automate everything, but it also helps the responder to reduce the time to solve the issue.