Comments (5)
mbevilacqua
commented on August 12, 2024
RedLine is freely available at FireEye / Mandiant's website.
That being said, it's probably overkill to simply grab ShimCache or AmCache. I suggest automating the process with powershell or GPO's if an EDR solution is not available.
from appcompatprocessor.
mgreen27
commented on August 12, 2024
Thank you for the reply. I am actually planning a collection via MIR.
From your documentation I wasnt sure what the LUA in "AppCompat Mir LUA script (XML)" was so thought I would reach out.
from appcompatprocessor.
mbevilacqua
commented on August 12, 2024
That's a Mandiant script to acquire ShimCache using Mir but I don't think it's available to the general public. If using Mir you can simply create a RegistryAudit to pull in the registry values where ShimCache data is stored (all controlsets recommended, + RegBack) and ACP will also happily ingest that for you through the appcompat_mirregistryaudit ingest module.
from appcompatprocessor.
mgreen27
commented on August 12, 2024
Ahh makes sense. Thank you!
from appcompatprocessor.
mbevilacqua
commented on August 12, 2024
Perfect!
Since you're a Mir user you can also reach out through your FireEye point of contact and get that routed my way. I should be able to better support you from there and even send over a sample audit of what you're looking for to make the acquisition as fast as possible with Mir.
from appcompatprocessor.
Related Issues (18)
- AttributeError: 'module' object has no attribute 'dictConfig' HOT 1
- CSV Parsing Failing HOT 7
- Requirements File HOT 2
- autopoint HOT 15
- Amcache Parser HOT 7
- Shimcache hive parser HOT 3
- Tcorr Issue HOT 4
- Add Syscache.hve artifact HOT 2
- Unable to process SYSTEM hive for Windows 10 18003 Build 17134.1
- appLoadCons-# - Sqlite error: unrecognized token: "'C" HOT 1
- fsearch module on indexed fields is not saving results to output file
- Update local copy of ShimCacheParser
- tstack module reports no hits when start_date == end_date
- REG key value HOT 3
- Please make this installable via pip HOT 9
- Issue parsing amcache files HOT 2
- Appcomapt regular expression failed HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from appcompatprocessor.