Windows Analyzers
Last updated
Application Analyzer (aa)
Identifies potentially malicious installed applications.
Registry Analyzer (ara)
Identifies Autoruns registry records of interest.
Scheduled Task Analyzer (asta)
Scans Scheduled task entries for items of note.
Windows Services Analyzer (awsa)
Identifies potentially malicious Windows services.
DNS Cache Analyzer (dnsa)
Scans DNS Cache records to identify abused TLDs.
Event Records Analyzer (ela)
Analyzes Event Records with the Sigma rules.
Hosts File Analyzer (ha)
Identifies potentially malicious entries in the hosts file.
$MFT Analyzer (mfta)
Identifies MFT records of interest.
Network Share Analyzer (nsa)
Identifies potentially suspicious network shares.
Process Analyzer (pa)
Scans assets for running processes, process modules, and process handles of interest.
ShellBags Analyzer (sba)
Identifies suspicious entries in ShellBags.
User Folders Analyzer (ufa)
Identifies suspicious entries in User Folders.
Events of Interest (wea)
Tracks events that you are interested in. The list of tracked events can be customized via the config file (refer to the blog post).
Vulnerability Analyzer (vua)
Identifies whether your device is compromised by a known vulnerability.
YARA Scanner (gys)
Scans your asset with your YARA repositories.
Ransomware Identifier (rwa)
Scans the asset for ransomware using YARA rules.
AppCompatCache Analyzer
Scans AppCompatCache for suspicious entries in the executable files shimmed on the system.