This artifact will trigger an intezer agent scan on the endpoint.
Scan: The scanner collects running code from memory and sends it to Intezer Analyze. Scans take approximately five to ten minutes. The first scan may take additional time. Please note: The scanner only collects executable code, not documents or any other data that is not binary code. Analyze: The collected modules are analyzed using Genetic Malware Analysis technology. View results: https://analyze.intezer.com/ endpoint analysis report.
name: Windows.Memory.Intezer
description: |
This artifact will trigger an intezer agent scan on the endpoint.
Scan: The scanner collects running code from memory and sends it to Intezer Analyze.
Scans take approximately five to ten minutes. The first scan may take additional time.
Please note: The scanner only collects executable code, not documents or any other
data that is not binary code.
Analyze: The collected modules are analyzed using Genetic Malware Analysis technology.
View results: https://analyze.intezer.com/ endpoint analysis report.
author: Matt Green - @mgreen27
required_permissions:
- EXECVE
tools:
- name: Intezer
url: https://analyze.intezer.com/api/scans/download
type: CLIENT
parameters:
- name: ApiKey
description: Intezer API key to scan with
default:
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
-- first get context on target binary
LET bin <= SELECT *
FROM Artifact.Generic.Utils.FetchBinary(
ToolName="Intezer")
-- execute payload
SELECT * FROM execve(argv=[ bin.OSPath[0], '-k', ApiKey ])