Windows Analyzers

  • Application Analyzer (aa)

    Identifies potentially malicious installed applications.

  • Registry Analyzer (ara)

    Identifies Autoruns registry records of interest.

  • Scheduled Task Analyzer (asta)

    Scans scheduled task entries for items of note.

  • Windows Services Analyzer (awsa)

    Identifies potentially malicious Windows services.

  • DNS Cache Analyzer (dnsa)

    Scans DNS cache records to identify abused TLDs.

  • Event Records Analyzer (ela)

    Analyzes event records with Sigma rules.

  • Hosts File Analyzer (ha)

    Identifies potentially malicious entries in the hosts file.

  • $MFT Analyzer (mfta)

    Identifies $MFT records of interest.

  • Network Share Analyzer (nsa)

    Identifies potentially suspicious network shares.

  • Process Analyzer (pa)

    Scans assets for running processes, process modules, and process handles of interest.

  • ShellBags Analyzer (sba)

    Identifies suspicious entries in ShellBags.

  • User Folders Analyzer (ufa)

    Identifies suspicious entries in User Folders.

  • Events of Interest (wea)

    Tracks events that you are interested in. The list of events can be customized via the config file (refer to the accompanying blog post).

  • Vulnerability Analyzer (vua)

    Identifies whether your device is affected by a known vulnerability.

  • YARA Scanner (gys)

    Scans your asset with your YARA repositories.

  • Ransomware Identifier (rwa)

    Scans the asset for ransomware using YARA rules.

  • AppCompatCache Analyzer

    Scans AppCompatCache for suspicious entries in the executable files shimmed on the system.