Releases: evild3ad/MemProcFS-Analyzer
MemProcFS-Analyzer v1.1.0
Added: Updater.ps1
Added: FS_Sys_Sysinfo
Added: FS_Forensic_Prefetch
Added: 376 YARA Custom Rules
Added: Offline Mode
Added: MemProcFS.log
Added: Microsoft Protection Logs (MPLogs)
Added: ProcessesAndModules-Extended_Info.ps1 (Collect-MemoryDump)
Fixed: Other minor fixes and improvements

MemProcFS-Analyzer v1.0
Added: Improved Hunting for Suspicious Scheduled Tasks
Added: 318 YARA Custom Rules
Added: Get-YaraCustomRules
Added: Kroll RECmd Batch File v1.22 (2023-06-20)
Added: Checkbox Forensic Timeline (CSV)
Added: Checkbox Forensic Timeline (XLSX)
Added: FindEvil: AV_DETECT
Fixed: Other minor fixes and improvements

MemProcFS-Analyzer-v0.9
Added: FS_Forensic_Yara (YARA Custom Rules)
Added: FS_Forensic_Files (incl. ClamAV)
Added: Checking for suspicious processes with double file extensions
Added: Checking for Command and Scripting Interpreters
Added: Recent Folder Artifacts
Added: Hunting Suspicious Image Mounts
Added: OpenSaveMRU (OpenSavePidlMRU)
Added: LastVisitedMRU (LastVisitedPidlMRU)
Added: Terminal Server Client (RDP)
Added: Kroll RECmd Batch File v1.21 (2023-03-04)
Added: Improved Microsoft Defender AntiVirus Handling
Added: Improved Drive Letter (Mount Point) Handling
Fixed: Other minor fixes and improvements

MemProcFS-Analyzer-v0.8
Added: MUICache
Added: Windows Background Activity Moderator (BAM)
Added: Check if it's a Domain Controller
Added: Check if it's a Microsoft Exchange Server
Added: jq - Command-line JSON processor
Added: Checking for processes spawned from suspicious folder locations
Added: Checking for suspicious processes without any command-line arguments
Added: Checking for suspicious process lineage
Added: Checking for processes with suspicious command-line arguments
Added: Parent Name (proc.csv, Processes.xlsx, and RunningandExited.xlsx)
Added: Listing of MiniDumps
Added: Status Bar (User Interface)
Fixed: Other minor fixes and improvements

MemProcFS-Analyzer-v0.7
Added: User Interface
Added: Pagefile Support
Added: Zircolite - A standalone SIGMA-based detection tool for EVTX
Added: Event Log Overview
Added: Processes w/ Unusual User Context
Added: Process Tree: Properties View
Added: Searching for Cobalt Strike Beacons Configuration(s) w/ 1768.py (needs to be installed manually, disabled by default)
Added: Simple Prefetch View (based on Forensic Timeline)
Fixed: Other minor fixes and improvements

MemProcFS-Analyzer-v0.6
Added: Process Tree (TreeView)
Added: Unusual Number of Process Instances
Added: Process Path Masquerading
Added: Process Name Masquerading (Damerau-Levenshtein Distance)
Added: Suspicious Port Numbers
Fixed: Other minor fixes and improvements

MemProcFS-Analyzer-v0.5
Added: BitLocker Plugin
Added: Kroll RECmd Batch File v1.20 (2022-06-01)
Added: FS_Forensic_CSV + XLSX
Added: FS_SysInfo_Users
Added: Windows Shortcut Files (LNK)
Added: Process Modules (Metadata)
Added: Number of Sub-Processes (proc.csv, Processes.xlsx, and RunningandExited.xlsx)
Added: Colorized Running and Exited Processes (RunningandExited.xlsx)
Fixed: Other minor fixes and improvements

MemProcFS-Analyzer-v0.4
Added: Web Browser History
Added: Forensic Timeline (CSV, XLSX)
Added: JSON to CSV and XLSX output (including Handles)
Added: Collecting output of pypykatz and regsecrets (MemProcFS Plugins)
Added: RecentDocs
Added: Office Trusted Documents
Added: Adobe RecentDocs
Added: Startup Folders
Fixed: Other minor fixes and improvements

MemProcFS-Analyzer v0.3
Added: OS Fingerprinting
Added: Registry Explorer/RECmd
Added: UserAssist
Added: Syscache
Added: ShellBags Explorer/SBECmd
Added: Registry ASEPs (Auto-Start Extensibility Points)
Fixed: Other minor fixes and improvements

MemProcFS-Analyzer v0.2
Added: IPinfo CLI
Added: Collecting Registry Hives
Added: AmcacheParser
Added: AppCompatCacheParser (ShimCache)
Added: PowerShell module 'ImportExcel'
Added: Collection of PE_INJECT (PW: infected)
Added: Hunting for suspicious Services
Added: Hunting for suspicious Scheduled Tasks
Fixed: Other minor fixes and improvements