From the ESET website:
ESET SysInspector® is a free, state of the art diagnostic tool for Windows systems. It is also an integral part of ESET Smart Security 6 and ESET NOD32 Antivirus 6. It peers into your operating system and captures details such as running processes, registry content, startup items and network connections. Once a snapshot of the system is made, ESET SysInspector applies heuristics to assign a risk level for each object logged.
SysInspector is an excellent tool for first responders: it gathers useful volatile and non-volatile information from a computer that is behaving suspiciously, and its reports can be compared against a snapshot taken from a freshly installed image of the computers in your organization. In the following example I run SysInspector before and after executing a malware sample and show how easily the IOCs stand out in the comparison.
First, I run the tool before executing any malware:
Nothing suspicious here… You can see a lot of useful information, such as running processes, open connections, important registry values, services, drivers and much more. Now I execute the malware (this time CryptoLocker) and save a second XML report with SysInspector. Now it's time to compare both logs:
A new file dropped by the malware:
A registry key to achieve persistence:
And finally, some network activity by the processes we have discovered earlier:
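The three findings above all come from the same operation: take the "after" report, subtract the "before" report, and look at what is left. The script below, an added example that is not part of the original post and not ESET's code, does that for two snapshots. The XML layout it parses is a constructed, simplified stand-in (SysInspector's real report schema is different and is not reproduced here), and the two snapshots are constructed sample data. The one detail a practitioner usually has to add by hand is shown too: attributes that legitimately change between two runs on the same machine (process IDs, ephemeral local ports) are dropped before comparing, so a restarted process does not show up as a "new" object, and each newly seen remote endpoint is attributed back to the process that owns it.

```python
"""Diff two system snapshots to surface new processes, registry values and
network connections. Added example: the XML schema is a constructed, simplified
stand-in for a SysInspector-style report, not ESET's real format."""
import json
import xml.etree.ElementTree as ET

# Attributes that change between two runs of the same clean machine and would
# otherwise flood the diff with noise (process IDs, ephemeral local ports).
VOLATILE = {"processes": {"pid"}, "network": {"pid", "local"}}

# Constructed "before" snapshot (clean machine).
BASELINE_XML = r"""<snapshot>
  <processes>
    <process path="C:\Windows\explorer.exe" pid="1234"/>
    <process path="C:\Windows\System32\svchost.exe" pid="800"/>
  </processes>
  <registry>
    <value key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run" name="OneDrive" data="C:\Users\user\OneDrive.exe"/>
  </registry>
  <network>
    <connection proto="TCP" local="10.0.0.5:49152" remote="10.0.0.1:443" pid="800"/>
  </network>
</snapshot>"""

# Constructed "after" snapshot: explorer.exe got a new PID and svchost a new
# local port (both benign), plus a dropped file, a Run key and an outbound
# connection owned by the new process. Paths and the 198.51.100.0/24 address
# are placeholders, not real IOCs.
INFECTED_XML = r"""<snapshot>
  <processes>
    <process path="C:\Windows\explorer.exe" pid="1240"/>
    <process path="C:\Windows\System32\svchost.exe" pid="800"/>
    <process path="C:\Users\user\AppData\Roaming\sample_dropper.exe" pid="4321"/>
  </processes>
  <registry>
    <value key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run" name="OneDrive" data="C:\Users\user\OneDrive.exe"/>
    <value key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run" name="SampleDropper" data="C:\Users\user\AppData\Roaming\sample_dropper.exe"/>
  </registry>
  <network>
    <connection proto="TCP" local="10.0.0.5:49170" remote="10.0.0.1:443" pid="800"/>
    <connection proto="TCP" local="10.0.0.5:49171" remote="198.51.100.23:443" pid="4321"/>
  </network>
</snapshot>"""


def parse_snapshot(xml_text):
    """Return {section: set of frozenset(attribute items)}, minus volatile attributes."""
    root = ET.fromstring(xml_text)
    sections = {}
    for section in root:
        skip = VOLATILE.get(section.tag, set())
        sections[section.tag] = {
            frozenset((k, v) for k, v in entry.attrib.items() if k not in skip)
            for entry in section
        }
    return sections


def _as_dicts(entries):
    """Stable, readable ordering for the report."""
    return [dict(e) for e in sorted(entries, key=lambda e: sorted(e))]


def diff_snapshots(before_xml, after_xml):
    """Per section: objects only in 'after' (added) and only in 'before' (removed)."""
    before, after = parse_snapshot(before_xml), parse_snapshot(after_xml)
    report = {}
    for name in sorted(set(before) | set(after)):
        b, a = before.get(name, set()), after.get(name, set())
        report[name] = {"added": _as_dicts(a - b), "removed": _as_dicts(b - a)}
    return report


def owners_of_new_connections(after_xml, report):
    """Attribute each newly seen remote endpoint to the process that owns it,
    joining the two sections of the 'after' snapshot on their pid attribute."""
    root = ET.fromstring(after_xml)
    path_by_pid = {p.get("pid"): p.get("path") for p in root.find("processes")}
    new_remotes = {d["remote"] for d in report["network"]["added"]}
    return {
        c.get("remote"): path_by_pid.get(c.get("pid"), "<unknown>")
        for c in root.find("network") if c.get("remote") in new_remotes
    }


if __name__ == "__main__":
    diff = diff_snapshots(BASELINE_XML, INFECTED_XML)
    print(json.dumps(diff, indent=2))
    print(json.dumps(owners_of_new_connections(INFECTED_XML, diff), indent=2))
```

Run as-is and the diff contains exactly the three objects the screenshots above point at (the dropped executable, the Run value, the new outbound connection), while the changed PID and local port produce nothing. Against real reports, the VOLATILE table is where tuning happens: whatever attributes your snapshot tool records that vary run to run belong there, or the diff stops being readable.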
CryptoLocker is relatively old and most AVs have signatures for it, but a large share of newer malware that AVs cannot yet identify leaves the same kinds of traces (dropped files, persistence keys, new connections) and can be found with the same before/after comparison.
SysInspector is a really useful tool that can shorten incident response time and focus the response team on what's important.
SysInspector can be downloaded from the ESET Website below: