Kaspersky's AmCache-EvilHunter Speeds DFIR with Automated Windows IOC Extraction
Kaspersky has developed an open-source tool called AmCache-EvilHunter to aid incident responders investigating Windows systems. The tool automates the parsing of the Amcache.hve registry hive and extracts indicators of compromise (IOCs) efficiently.
AmCache-EvilHunter uses the Registry Python library to load the REGF-formatted hive and has a modular architecture for extending support to custom IOC feeds or SOAR platforms. It significantly cuts manual effort and accelerates digital forensics and incident response (DFIR) workflows by automating parsing, filtering, and threat lookups.
The tool triggers automated lookups against VirusTotal and Kaspersky OpenTIP for each identified hash, appending detection counts and threat classification tags to the output. This helps analysts quickly assess the severity of threats.
AmCache-EvilHunter allows analysts to search specific keywords or ProgramId values to confirm the presence of deleted or transient tools. It offers advanced filtering options, including heuristics to highlight anomalous entries and flags to filter out signed OS components. This ensures analysts focus on relevant data.
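The triage steps described above (load the hive, drop signed OS components, flag anomalous entries, search by keyword or ProgramId, and collect hashes for reputation lookup) can be sketched in a few dozen lines. The following is an added example written for this article; it is not AmCache-EvilHunter's code. The Amcache value names it reads (`FileId`, `LowerCaseLongPath`, `ProgramId`, `Publisher`, `IsOsComponent`, `LinkDate` under `Root\InventoryApplicationFile`) come from the Windows 10+ Amcache format rather than from the article, the heuristics and suspicious-directory list are the author's own assumptions, and the sample records are constructed so the example runs offline; the `load_hive` function assumes the `python-registry` package is installed and is only needed against a real hive.

```python
"""Minimal Amcache triage pass (added example; not AmCache-EvilHunter's code)."""
import re

# Subkey that holds one entry per executable seen by the Amcache inventory (Windows 10+).
KEY_PATH = "Root\\InventoryApplicationFile"

# Assumed heuristic list: user-writable locations where dropped tooling commonly runs from.
SUSPICIOUS_DIRS = ("\\temp\\", "\\users\\public\\", "\\downloads\\", "\\programdata\\")
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def normalize_entry(values: dict) -> dict:
    """Flatten raw Amcache value names into one lower-cased record.
    FileId is stored as '0000' followed by the file's SHA-1; strip that prefix."""
    file_id = str(values.get("FileId", "")).lower()
    sha1 = file_id[4:] if file_id.startswith("0000") and len(file_id) == 44 else file_id
    return {
        "path": str(values.get("LowerCaseLongPath", "")).lower(),
        "name": str(values.get("Name", "")).lower(),
        "sha1": sha1 if SHA1_RE.match(sha1) else "",
        "program_id": str(values.get("ProgramId", "")),
        "publisher": str(values.get("Publisher", "")),
        # REG_DWORD in the hive; python-registry returns an int, so compare as text.
        "is_os_component": str(values.get("IsOsComponent", "0")) == "1",
        "link_date": str(values.get("LinkDate", "")),
    }


def load_hive(hive_path: str) -> list:
    """Read all inventory entries from Amcache.hve using python-registry (assumed installed)."""
    from Registry import Registry  # pip install python-registry
    reg = Registry.Registry(hive_path)
    return [normalize_entry({v.name(): v.value() for v in sub.values()})
            for sub in reg.open(KEY_PATH).subkeys()]


def anomaly_reasons(entry: dict) -> list:
    """Assumed heuristics that make an entry worth an analyst's attention."""
    reasons = []
    if any(d in entry["path"] for d in SUSPICIOUS_DIRS):
        reasons.append("executed from a user-writable location")
    if not entry["publisher"]:
        reasons.append("no publisher metadata")
    if not entry["link_date"]:
        reasons.append("missing PE link date")
    return reasons


def triage(entries: list, keep_os_components: bool = False) -> list:
    """Drop signed OS components (unless asked to keep them) and attach heuristic flags."""
    return [{**e, "flags": anomaly_reasons(e)}
            for e in entries if keep_os_components or not e["is_os_component"]]


def search(entries: list, keyword: str = None, program_id: str = None) -> list:
    """Confirm presence of a tool by substring of path/name and/or exact ProgramId."""
    kw = (keyword or "").lower()
    return [e for e in entries
            if (not kw or kw in e["path"] or kw in e["name"])
            and (program_id is None or e["program_id"] == program_id)]


def iocs(entries: list, only_flagged: bool = True) -> list:
    """Unique SHA-1 hashes ready for VirusTotal / OpenTIP lookup, sorted for stable output."""
    return sorted({e["sha1"] for e in entries
                   if e["sha1"] and (not only_flagged or e.get("flags"))})


# Constructed raw value dicts mimicking three InventoryApplicationFile subkeys.
SAMPLE_VALUES = [
    {"LowerCaseLongPath": "c:\\windows\\system32\\svchost.exe", "Name": "svchost.exe",
     "FileId": "0000" + "a" * 40, "ProgramId": "0006-constructed-os",
     "Publisher": "microsoft corporation", "IsOsComponent": 1, "LinkDate": "03/10/2021 09:11:42"},
    {"LowerCaseLongPath": "c:\\users\\alice\\appdata\\local\\temp\\svchost.exe", "Name": "svchost.exe",
     "FileId": "0000" + "b" * 40, "ProgramId": "0006-constructed-drop",
     "Publisher": "", "IsOsComponent": 0, "LinkDate": ""},
    {"LowerCaseLongPath": "c:\\program files\\vendor\\agent.exe", "Name": "agent.exe",
     "FileId": "0000" + "c" * 40, "ProgramId": "0006-constructed-agent",
     "Publisher": "vendor inc", "IsOsComponent": 0, "LinkDate": "05/01/2023 12:00:00"},
]


def demo() -> dict:
    """Run the pipeline over the constructed sample and return the interesting results."""
    entries = [normalize_entry(v) for v in SAMPLE_VALUES]
    triaged = triage(entries)
    return {
        "triaged_paths": [e["path"] for e in triaged],
        "flags": {e["path"]: e["flags"] for e in triaged if e["flags"]},
        "svchost_hits": len(search(entries, keyword="svchost")),
        "lookup_hashes": iocs(triaged),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The masquerading `svchost.exe` in the sample survives triage with three flags while the real OS component is dropped, so only its hash is queued for reputation lookup; the keyword search still returns both, which is the behaviour an analyst wants when confirming whether a specific binary name ever executed.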
AmCache-EvilHunter is an invaluable tool for incident responders. It simplifies the parsing of Amcache.hve, automates IOC extraction, and aids in reconstructing execution timelines. By leveraging AmCache data, which endures even when malware auto-deletes itself, incident responders can pinpoint stealthy rootkits and generate robust IOCs, enhancing their ability to respond to threats effectively.