Windows.Memory.Intezer

Runs an Intezer agent scan on the endpoint.

  • Scan: The scanner collects running code from memory and sends it to Intezer Analyze. Scans take approximately five to ten minutes. The first scan may take additional time.

Please note: The scanner only collects executable code, not documents or any other data that is not binary code.

  • Analyze: The collected modules are analyzed using Genetic Malware Analysis technology.

  • View results: https://analyze.intezer.com/ endpoint analysis report.


name: Windows.Memory.Intezer
description: |
   Runs an Intezer agent scan on the endpoint.

   - Scan: The scanner collects running code from memory and sends it to Intezer Analyze.
     Scans take approximately five to ten minutes. The first scan may take additional time.

   Please note: The scanner only collects executable code, not documents or any other
   data that is not binary code.

   - Analyze: The collected modules are analyzed using Genetic Malware Analysis technology.

   - View results: https://analyze.intezer.com/ endpoint analysis report.

author: Matt Green - @mgreen27

required_permissions:
  - EXECVE

tools:
  - name: Intezer
    url: https://analyze.intezer.com/api/scans/download

type: CLIENT

parameters:
   - name: ApiKey
     description: Intezer API key to scan with
     default:

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'

    query: |
      -- first get context on target binary
      LET bin <= SELECT *
        FROM Artifact.Generic.Utils.FetchBinary(
            ToolName="Intezer")

      -- execute payload
      SELECT * FROM execve(argv=[ bin.OSPath[0], '-k', ApiKey ])