| 1 | +# Changelog |
| 2 | + |
| 3 | +All changes to MemProcFS-Analyzer will be documented in this file. |
| 4 | + |
| 5 | +## [1.2.0] - 2025-06-24 |
| 6 | +### Added |
| 7 | +- EZTools (.NET 9) |
| 8 | +- DFIR RECmd Batch File v2.11 (2025-03-31) |
| 9 | +- 423 YARA Custom Rules |
| 10 | +- FS_Process_Console |
| 11 | +- FS_SysInfo_Network: DNS Information |
| 12 | +- Digital Signature |
| 13 | + |
| 14 | +## Fixed |
| 15 | +- Minor fixes and improvements |
| 16 | + |
| 17 | +## Changed |
| 18 | +- CHANGELOG.md |
| 19 | + |
| 20 | +## [1.1.0] - 2024-09-02 |
| 21 | +### Added |
| 22 | +- Updater.ps1 |
| 23 | +- FS_Sys_Sysinfo |
| 24 | +- FS_Forensic_Prefetch |
| 25 | +- 376 YARA Custom Rules |
| 26 | +- Offline Mode |
| 27 | +- MemProcFS.log |
| 28 | +- Microsoft Protection Logs (MPLogs) |
| 29 | +- ProcessesAndModules-Extended_Info.ps1 (Collect-MemoryDump) |
| 30 | + |
| 31 | +## Fixed |
| 32 | +- Minor fixes and improvements |
| 33 | + |
| 34 | +## [1.0.0] - 2023-11-22 |
| 35 | +### Added |
| 36 | +- Improved Hunting for Suspicious Scheduled Tasks |
| 37 | +- 318 YARA Custom Rules |
| 38 | +- Get-YaraCustomRules |
| 39 | +- Kroll RECmd Batch File v1.22 (2023-06-20) |
| 40 | +- Checkbox Forensic Timeline (CSV) |
| 41 | +- Checkbox Forensic Timeline (XLSX) |
| 42 | +- FindEvil: AV_DETECT |
| 43 | + |
| 44 | +## Fixed |
| 45 | +- Minor fixes and improvements |
| 46 | + |
| 47 | +## [0.9.0] - 2023-15-25 |
| 48 | +### Added |
| 49 | +- FS_Forensic_Yara (YARA Custom Rules) |
| 50 | +- FS_Forensic_Files (incl. ClamAV) |
| 51 | +- Checking for suspicious processes with double file extensions |
| 52 | +- Checking for Command and Scripting Interpreters |
| 53 | +- Recent Folder Artifacts |
| 54 | +- Hunting Suspicious Image Mounts |
| 55 | +- OpenSaveMRU (OpenSavePidlMRU) |
| 56 | +- LastVisitedMRU (LastVisitedPidlMRU) |
| 57 | +- Terminal Server Client (RDP) |
| 58 | +- Kroll RECmd Batch File v1.21 (2023-03-04) |
| 59 | +- Improved Microsoft Defender AntiVirus Handling |
| 60 | +- Improved Drive Letter (Mount Point) Handling |
| 61 | + |
| 62 | +## Fixed |
| 63 | +- Minor fixes and improvements |
| 64 | + |
| 65 | +## [0.8.0] - 2023-01-23 |
| 66 | +### Added |
| 67 | +- MUICache |
| 68 | +- Windows Background Activity Moderator (BAM) |
| 69 | +- Check if it's a Domain Controller |
| 70 | +- Check if it's a Microsoft Exchange Server |
| 71 | +- Checking for processes spawned from suspicious folder locations |
| 72 | +- Checking for suspicious processes without any command-line arguments |
| 73 | +- Checking for suspicious process lineage |
| 74 | +- Checking for processes with suspicious command-line arguments |
| 75 | +- Parent Name (proc.csv, Processes.xlsx, and RunningandExited.xlsx) |
| 76 | +- Listing of MiniDumps |
| 77 | +- Status Bar (User Interface) |
| 78 | + |
| 79 | +## Fixed |
| 80 | +- Minor fixes and improvements |
| 81 | + |
| 82 | +## [0.7.0] - 2022-11-21 |
| 83 | +### Added |
| 84 | +- User Interface |
| 85 | +- Pagefile Support |
| 86 | +- Zircolite - A standalone SIGMA-based detection tool for EVTX |
| 87 | +- Event Log Overview |
| 88 | +- Checking for Processes w/ Unusual User Context |
| 89 | +- Process Tree: Properties View |
| 90 | +- Searching for Cobalt Strike Beacons Configuration(s) w/ 1768.py (needs to be installed manually, disabled by default) |
| 91 | +- Simple Prefetch View (based on Forensic Timeline) |
| 92 | + |
| 93 | +## Fixed |
| 94 | +- Minor fixes and improvements |
| 95 | + |
| 96 | +## [0.6.0] - 2022-10-10 |
| 97 | +### Added |
| 98 | +- Process Tree (TreeView) |
| 99 | +- Unusual Number of Process Instances |
| 100 | +- Process Path Masquerading |
| 101 | +- Process Name Masquerading (Damerau Levenshtein Distance) |
| 102 | +- Suspicious Port Numbers |
| 103 | + |
| 104 | +## Fixed |
| 105 | +- Minor fixes and improvements |
| 106 | + |
| 107 | +## [0.5.0] - 2022-09-06 |
| 108 | +### Added |
| 109 | +- BitLocker Plugin |
| 110 | +- Kroll RECmd Batch File v1.20 (2022-06-01) |
| 111 | +- FS_Forensic_CSV + XLSX |
| 112 | +- FS_SysInfo_Users |
| 113 | +- Windows Shortcut Files (LNK) |
| 114 | +- Process Modules (Metadata) |
| 115 | +- Number of Sub-Processes (proc.csv, Processes.xlsx, and RunningandExited.xlsx) |
| 116 | +- Colorized Running and Exited Processes (RunningandExited.xlsx) |
| 117 | + |
| 118 | +## Fixed |
| 119 | +- Minor fixes and improvements |
| 120 | + |
| 121 | +## [0.4.0] - 2022-07-27 |
| 122 | +### Added |
| 123 | +- Web Browser History |
| 124 | +- Forensic Timeline (CSV, XLSX) |
| 125 | +- JSON to CSV and XLSX output (including Handles) |
| 126 | +- Collecting output of pypykatz and regsecrets (MemProcFS Plugins) |
| 127 | +- RecentDocs |
| 128 | +- Office Trusted Documents |
| 129 | +- Adobe RecentDocs |
| 130 | +- Startup Folders |
| 131 | + |
| 132 | +## Fixed |
| 133 | +- Minor fixes and improvements |
| 134 | + |
| 135 | +## [0.3.0] - 2021-06-17 |
| 136 | +### Added |
| 137 | +- OS Fingerprinting |
| 138 | +- Registry Explorer/RECmd |
| 139 | +- UserAssist |
| 140 | +- Syscache |
| 141 | +- ShellBags Explorer/SBECmd |
| 142 | +- Registry ASEPs (Auto-Start Extensibility Points) |
| 143 | + |
| 144 | +## Fixed |
| 145 | +- Minor fixes and improvements |
| 146 | + |
| 147 | +## [0.2.0] - 2021-05-26 |
| 148 | +### Added |
| 149 | +- IPinfo CLI |
| 150 | +- Collecting Registry Hives |
| 151 | +- AmcacheParser |
| 152 | +- AppCompatCacheParser (ShimCache) |
| 153 | +- PowerShell module 'ImportExcel' |
| 154 | +- Collection of PE_INJECT (PW: infected) |
| 155 | +- Hunting for suspicious Services |
| 156 | +- Hunting for suspicious Scheduled Tasks |
| 157 | + |
| 158 | +## Fixed |
| 159 | +- Minor fixes and improvements |
| 160 | + |
| 161 | +## [0.1.0] - 2021-05-15 |
| 162 | +### Added |
| 163 | +- Initial Release |
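Review bot: the `[0.9.0]` entry is dated `2023-15-25`, which is not a valid date (there is no month 15); it sits between `2023-11-22` and `2023-01-23`, so it is presumably a typo and should be checked against the actual release tag before this lands. Two smaller points in the same hunk: the `## Fixed` and `## Changed` headings are level 2 while `### Added` is level 3, so under every version they render as siblings of the version heading instead of its subsections and the file stops following the Keep a Changelog layout it otherwise uses; change them to `### Fixed` and `### Changed`. And the `Changed` entry under `[1.2.0]` reads only `- CHANGELOG.md`, which tells the reader nothing about what changed; either state the change or drop the line.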