Judge Jury and Executable

A Threat Hunting Forensics Tool

A threat hunting forensics tool that collects file properties (owner, creation timestamp, modification timestamp, compilation date, and others) for every file in a directory or across a whole system, and stores them in a table that can be queried to find anomalies and potential security threats.


Features

  • Collects file properties, including owner, creation timestamp, modification timestamp, and compilation date
  • Allows for the creation of canned queries to detect anomalies and potential security threats
  • Provides a list of all files in a directory or on a system with their respective properties

Example Queries

A query can be created to identify all files in a specific directory that are not owned by TrustedInstaller. Files shipped with Windows under System32 are normally owned by TrustedInstaller, so a file there with a different owner is worth a look: it could indicate that malware has been dropped in, although third-party installers run by an administrator will also produce hits and need to be triaged out.

SELECT  TOP 1000 * 
FROM   [FileProperties] 
WHERE 
         [FileOwner] <> 'TrustedInstaller' 
    AND  [DirectoryLocation] = ':\Windows\System32' 
ORDER BY [PrevalenceCount] DESC

Another query can be created to detect potential timestomping or backdating of files. The query below compares the creation and last-access timestamps read directly from the file's MFT record with the ones the operating system reports; if the two disagree for a file, one of them has been altered and the file deserves a closer look.

SELECT  TOP 1000 * 
FROM   [FileProperties] 
WHERE 
    ([MftTimeAccessed] <> [LastAccessTime]) OR
    ([MftTimeCreation] <> [CreationTime]) 
ORDER BY [DateSeen] DESC
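The two canned queries above run over a constructed FileProperties table, as an added example that is not part of Judge Jury and Executable: it builds an in-memory SQLite copy of the table, takes the column names from the queries on the page (the column types, the rows and the function names are assumptions), and rewrites T-SQL's TOP as SQLite's LIMIT. The directory filter uses C:\Windows\System32, with the drive letter assumed for the sample data.

```python
"""Run the page's two canned queries over a small, constructed
FileProperties table in SQLite.  Added example code, not part of
Judge Jury and Executable; column names come from the page's queries,
everything else (types, rows, function names) is assumed."""
import sqlite3

# Column names taken from the two queries on the page; types are a guess.
SCHEMA = """
CREATE TABLE [FileProperties] (
    [FullPath]          TEXT,
    [DirectoryLocation] TEXT,
    [FileOwner]         TEXT,
    [CreationTime]      TEXT,
    [LastAccessTime]    TEXT,
    [MftTimeCreation]   TEXT,
    [MftTimeAccessed]   TEXT,
    [PrevalenceCount]   INTEGER,
    [DateSeen]          TEXT
)
"""

# Constructed sample rows, not real forensic data.  ISO timestamps so that
# plain string comparison orders them correctly.
SAMPLE_ROWS = [
    # Clean OS binaries: TrustedInstaller owner, MFT and OS timestamps agree.
    (r"C:\Windows\System32\ntoskrnl.exe", r"C:\Windows\System32", "TrustedInstaller",
     "2023-05-01T10:00:00", "2024-01-01T08:00:00",
     "2023-05-01T10:00:00", "2024-01-01T08:00:00", 5000, "2024-03-01T09:00:00"),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32", "TrustedInstaller",
     "2023-05-01T10:00:00", "2024-01-01T08:00:00",
     "2023-05-01T10:00:00", "2024-01-01T08:00:00", 4800, "2024-03-01T09:00:00"),
    # Dropped into System32 by an admin account, OS creation time backdated to
    # 2019 while the MFT record says the file appeared in 2024: hits both rules.
    (r"C:\Windows\System32\updsvc.exe", r"C:\Windows\System32", r"BUILTIN\Administrators",
     "2019-01-01T00:00:00", "2024-02-28T23:59:00",
     "2024-02-28T23:58:00", "2024-02-28T23:59:00", 1, "2024-03-01T09:05:00"),
    # Backdated file outside System32: hits the timestomp rule only.
    (r"C:\Users\alice\Downloads\invoice.exe", r"C:\Users\alice\Downloads", r"DESKTOP\alice",
     "2020-06-15T12:00:00", "2024-02-27T18:22:00",
     "2024-02-27T18:20:00", "2024-02-27T18:22:00", 1, "2024-03-01T09:10:00"),
]


def load_demo_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO [FileProperties] VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


# The page's first query; TOP 1000 becomes LIMIT 1000 and the directory is
# bound as a parameter instead of being spliced into the string.
NOT_TRUSTED_INSTALLER_SQL = """
SELECT [FullPath]
FROM   [FileProperties]
WHERE  [FileOwner] <> 'TrustedInstaller'
  AND  [DirectoryLocation] = ?
ORDER BY [PrevalenceCount] DESC
LIMIT 1000
"""

# The page's second query: MFT-recorded timestamps versus OS-reported ones.
TIMESTOMP_SQL = """
SELECT [FullPath]
FROM   [FileProperties]
WHERE  ([MftTimeAccessed] <> [LastAccessTime])
   OR  ([MftTimeCreation] <> [CreationTime])
ORDER BY [DateSeen] DESC
LIMIT 1000
"""


def not_owned_by_trusted_installer(conn, directory=r"C:\Windows\System32"):
    """Paths in `directory` whose owner is not TrustedInstaller, most prevalent first."""
    return [row[0] for row in conn.execute(NOT_TRUSTED_INSTALLER_SQL, (directory,))]


def timestomp_candidates(conn):
    """Paths whose MFT and OS-reported timestamps disagree, most recently seen first."""
    return [row[0] for row in conn.execute(TIMESTOMP_SQL)]


def both_signals(conn, directory=r"C:\Windows\System32"):
    """Files that trip both rules; a hit on two independent anomalies is a stronger lead."""
    stomped = set(timestomp_candidates(conn))
    return [p for p in not_owned_by_trusted_installer(conn, directory) if p in stomped]


if __name__ == "__main__":
    db = load_demo_db()
    print("Not owned by TrustedInstaller:", not_owned_by_trusted_installer(db))
    print("Timestamp mismatch:", timestomp_candidates(db))
    print("Both:", both_signals(db))
```

Before relying on the owner comparison against real data, check how the collector renders the owner (the bare account name, as the page's query assumes, or a domain-qualified form) and match the literal to it; an exact string comparison against the wrong form silently returns nothing.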

Benefits

  • Allows for the detection and analysis of potential security threats in files and directories
  • Provides a list of all files with their respective properties, allowing for further analysis and investigation
  • Enables the creation of canned queries to detect specific types of anomalies or threats

Limitations

  • This tool is designed to identify and analyze potential security threats, but it will not catch every type of threat or anomaly: a query only flags what it is written to flag, so an attacker who keeps the MFT and OS-reported timestamps consistent, or whose file carries the expected owner, will not trip the example queries above.
  • The effectiveness of this tool depends on the quality of the data collected and the queries created; a query that compares against an owner name or path in a form the collector does not produce returns no results rather than an error.
