Releases: IRB0T/FACT
FACT v2.0
🔍 New and Enhanced Features in FACT v2.0
How to utilize FACT: https://youtu.be/EeaQD2kwfcQ
⭐ Detection of Suspicious Service Creation
Identifying malicious service creation in event logs is now fully supported. This essential capability helps pinpoint potential persistence mechanisms used by adversaries, allowing you to take action quickly and maintain system integrity.
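A small illustration of what "suspicious service creation" detection looks like over a log export, added here as an example and not taken from the FACT project. The records are constructed to mirror the EventData fields of System log Event ID 7045 ("A service was installed in the system"); the three heuristics (binary in a user-writable directory, encoded PowerShell in the image path, cmd.exe wrapper as the service binary) are the checks an analyst would otherwise apply by hand.

```python
"""Flag suspicious service installations in Windows System event log records.

Added example, not code from the FACT project. The records below are
constructed to mirror the EventData fields of System log Event ID 7045
("A service was installed in the system"): ServiceName, ImagePath, AccountName.
"""
import re

# Constructed sample records; timestamps, names and paths are invented for the demo.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-03-01T09:12:41Z", "EventID": 7045,
     "ServiceName": "WSearch", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Windows\system32\SearchIndexer.exe /Embedding"},
    {"TimeCreated": "2024-03-01T22:47:03Z", "EventID": 7045,
     "ServiceName": "UpdaterSvc", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Users\Public\svchost.exe"},
    {"TimeCreated": "2024-03-02T01:03:17Z", "EventID": 7045,
     "ServiceName": "a1b2c3", "AccountName": "LocalSystem",
     "ImagePath": r"%COMSPEC% /c powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    # A service state change (7036) is not an installation and must be ignored.
    {"TimeCreated": "2024-03-02T08:00:00Z", "EventID": 7036,
     "param1": "Windows Search", "param2": "running"},
]

# Service binaries normally live under %SystemRoot% or Program Files; anything
# under a user-writable location deserves a second look.
WRITABLE_DIRS = re.compile(r"\\(Users|ProgramData|Temp|AppData)\\", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand hide the real command line behind Base64.
ENCODED_PS = re.compile(r"powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\b", re.IGNORECASE)
# A service whose "binary" is a cmd.exe one-liner is not how legitimate software installs.
SHELL_WRAPPER = re.compile(r"(%COMSPEC%|cmd(\.exe)?)\s+/[ck]\b", re.IGNORECASE)


def assess_service_event(event):
    """Return the reasons an Event ID 7045 record looks suspicious (empty list if none)."""
    if event.get("EventID") != 7045:
        return []
    image_path = event.get("ImagePath", "")
    reasons = []
    if WRITABLE_DIRS.search(image_path):
        reasons.append("binary located in a user-writable directory")
    if ENCODED_PS.search(image_path):
        reasons.append("encoded PowerShell command line")
    if SHELL_WRAPPER.search(image_path):
        reasons.append("service binary is a cmd.exe wrapper")
    return reasons


def find_suspicious_services(events):
    """Run assess_service_event over a log export and collect the hits, oldest first."""
    findings = []
    for event in sorted(events, key=lambda e: e["TimeCreated"]):
        reasons = assess_service_event(event)
        if reasons:
            findings.append({
                "time": event["TimeCreated"],
                "service": event["ServiceName"],
                "image_path": event["ImagePath"],
                "account": event.get("AccountName", ""),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_services(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['service']}: {'; '.join(hit['reasons'])}")
        print(f"    {hit['image_path']}")
```

On a real export the same logic applies to Security log Event ID 4697 (service installed, audited by the security subsystem), which carries an equivalent ServiceFileName field; the heuristics are deliberately narrow so that legitimate services under %SystemRoot% are not reported.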
⭐ Expanded Evidence of Execution
With FACT v2.0, we’ve bolstered our evidence of execution capabilities by adding:
- UserAssist: Gain visibility into user activity on the system by parsing UserAssist entries, which reveal executed programs and applications.
- Program Compatibility Assistant (PCA): FACT now parses PCA data to identify programs that may have compatibility issues but were executed, providing another layer of execution evidence.
These new additions help construct a more comprehensive view of user interactions and program launches on the target system.
⭐ ConsoleHost_history.txt Analysis
PowerShell commands are often used by threat actors for lateral movement and post-exploitation activities. With the inclusion of ConsoleHost_history.txt parsing, FACT v2.0 can now provide insights into command history, revealing potential malicious use of PowerShell.
🔌 New Module: Remote Tool Analyzer
Remote access tools are frequently leveraged by attackers for persistent access and lateral movement. FACT v2.0 introduces the Remote Tool Analyzer, which currently supports:
- AnyDesk: Analyze key traces including:
  - connection_trace: Discover connections established using AnyDesk.
  - ad.trace: Review detailed trace logs for potential misuse.
  - file_transfer_trace: Identify file transfer activities, providing crucial evidence of data exfiltration or unauthorized file access.
This feature enhances your ability to detect and investigate the presence and activity of remote tools, fortifying your incident response strategies.
⚙️ General Improvements and Bug Fixes
- Enhanced performance for smoother, faster analysis.
- Stability improvements with minor bug fixes to ensure a more reliable user experience.
FACT v1.2
🚀 FACT v1.2 Release: Powerful New Features for Incident Response and Digital Forensics
We’re excited to announce the release of FACT v1.2, packed with new capabilities to accelerate your workflow in both Incident Response and Digital Forensics. This update introduces the highly anticipated FACT Magic module, designed to streamline the correlation of findings across multiple artifacts and significantly improve your analysis speed.
🔍 New Feature: FACT Magic Module
Correlating data from different sources can be a time-consuming task, but with the new FACT Magic module, you can now automate this process with ease. Here's a glimpse of what it can do:
Automated Artifact Correlation: Imagine spotting an RDP connection from a specific IP address (X.Y.Z.W) in event logs, followed by detecting a "Mimikatz" entry in the Master File Table, and finally discovering MIMIKATZ.EXE-.pf in the Prefetch. FACT Magic brings all these findings together automatically, helping you create a comprehensive timeline with a single click.
Faster, Focused Investigations: Just input a specific date range, and FACT Magic will quickly surface any suspicious or anomalous activity. This gives you a clear view of what’s happening during critical timeframes, whether you’re responding to a live incident or performing in-depth forensic analysis.
Enhanced Efficiency: By transforming labor-intensive, manual processes into automated workflows, FACT Magic saves you valuable time and effort, enabling faster decision-making and more accurate results.
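The correlation described above, as an added example that is not part of the FACT Magic module: it merges records from three artifact parsers (Security log, MFT, Prefetch) into one timeline, filters it to a date range, and links an RDP logon to any file that was created and then executed shortly afterwards. All records are constructed; X.Y.Z.W is the placeholder address from the release note and the prefetch hash "ABCD1234" is made up.

```python
"""Merge findings from several artifacts into one timeline and link related ones.

Added example, not FACT's own code. It mirrors the scenario in the release note:
an RDP logon from one address, then a file appearing in the MFT, then a Prefetch
record showing it ran. All records are constructed for the demo.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(order=True)
class Event:
    time: datetime
    source: str          # artifact the record came from
    summary: str
    details: dict = field(default_factory=dict, compare=False)


def parse_prefetch_name(pf_name):
    """'MIMIKATZ.EXE-ABCD1234.pf' -> 'MIMIKATZ.EXE' (hash suffix stripped)."""
    m = re.match(r"(.+)-[0-9A-F]{8}\.pf$", pf_name, re.IGNORECASE)
    return m.group(1).upper() if m else pf_name.upper()


# Constructed records from three artifact parsers (only the fields the demo uses).
SECURITY_LOG = [
    {"time": "2024-03-02T00:58:10", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "admin", "IpAddress": "X.Y.Z.W"},
    {"time": "2024-03-01T08:01:00", "EventID": 4624, "LogonType": 2,
     "TargetUserName": "jsmith", "IpAddress": "-"},
]
MFT = [
    {"created": "2024-03-02T01:02:30", "path": r"C:\Users\Public\mimikatz.exe"},
    {"created": "2024-02-10T12:00:00", "path": r"C:\Users\jsmith\report.docx"},
]
PREFETCH = [
    {"file": "MIMIKATZ.EXE-ABCD1234.pf", "last_run": "2024-03-02T01:05:00"},
    {"file": "NOTEPAD.EXE-11223344.pf", "last_run": "2024-02-28T09:00:00"},
]


def build_timeline(security_log, mft, prefetch):
    """Normalise each artifact into Event objects and return them in time order."""
    tl = []
    for r in security_log:
        if r["EventID"] == 4624 and r["LogonType"] == 10:   # LogonType 10 = RemoteInteractive (RDP)
            tl.append(Event(datetime.fromisoformat(r["time"]), "EventLog",
                            f"RDP logon {r['TargetUserName']} from {r['IpAddress']}",
                            {"ip": r["IpAddress"]}))
    for r in mft:
        name = r["path"].rsplit("\\", 1)[-1].upper()
        tl.append(Event(datetime.fromisoformat(r["created"]), "MFT",
                        f"file created {r['path']}", {"exe": name}))
    for r in prefetch:
        exe = parse_prefetch_name(r["file"])
        tl.append(Event(datetime.fromisoformat(r["last_run"]), "Prefetch",
                        f"executed {exe}", {"exe": exe}))
    return sorted(tl)


def in_range(timeline, start_iso, end_iso):
    """The 'just input a date range' step: keep only events inside [start, end]."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return [e for e in timeline if start <= e.time <= end]


def correlate(timeline, window=timedelta(hours=1)):
    """Link an RDP logon to files that were created and then executed within `window`."""
    chains = []
    for logon in (e for e in timeline if e.source == "EventLog"):
        later = [e for e in timeline if logon.time < e.time <= logon.time + window]
        created = {e.details["exe"]: e for e in later if e.source == "MFT"}
        for run in (e for e in later if e.source == "Prefetch"):
            exe = run.details["exe"]
            if exe in created and created[exe].time < run.time:
                chains.append({"ip": logon.details["ip"], "exe": exe,
                               "steps": [logon, created[exe], run]})
    return chains


if __name__ == "__main__":
    timeline = build_timeline(SECURITY_LOG, MFT, PREFETCH)
    for e in in_range(timeline, "2024-03-02T00:00:00", "2024-03-02T23:59:59"):
        print(f"{e.time:%Y-%m-%d %H:%M:%S}  {e.source:<9} {e.summary}")
    for chain in correlate(timeline):
        print(f"\nchain: {chain['ip']} -> {chain['exe']} "
              f"({' -> '.join(s.source for s in chain['steps'])})")
```

The one-hour window and the "created before executed" ordering are the two knobs that keep this from linking unrelated activity; widening the window on a busy server trades fewer missed chains for more false links, which is why the timeline itself is kept alongside the correlated findings.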
🛠 Improvements and Bug Fixes
- General performance enhancements for smoother operation.
- Minor bug fixes for improved stability.
How to utilize FACT:
FACT v1.0.0
Features:
- It provides a wealth of essential details about the target device, including hostname, IP address, domain accounts, local accounts, and many more.
- Currently, the FACT tool focuses on key events pertaining to account logon activities, suspicious RDP connections, new account creation/deletion, software installation/uninstallation activity, event log clearing, and Windows Defender event analysis.
Other:
- Updated documentation to ensure instructions are easier to follow.