PE Capture Service
PE Capture Svc is the service-only version of the PE Capture software application. It allows you to capture, via the service, all PE files (such as executables, DLL modules and drivers) loaded in the system. It can save a log file with the date/time, fully qualified file path and file hash, so you can easily find the location of a captured PE file. The service version is specifically built for companies that want to install it on thousands of PCs: it has no GUI and runs as a service in the background, so it supports Standard User Accounts, Fast User Switching, multiple users, etc. You can also create custom exclusion rules (supporting wildcards) so that specific PE files are neither captured nor logged.
Here is an interesting article written by Xavier Mertens that explains how PE Capture Service can be used to capture executable code "live" while the system is executing it, and how to integrate the events into Splunk. In the article our tool is used specifically to capture the Locky ransomware executable, which is installed on the system via malicious .DOC (MS Word) files generally spread as email attachments:
Hunting for Executable Code in Windows Environments
The service can be configured via an INI file (its path can also be passed as a parameter), where you can enable or disable the capture of PE images and the logging feature, and set the logs folder, the "capture" folder and the exclusions folder. The settings in the INI file are read in real time, so you can, for example, save the INI file in a shared folder with read-only attributes and manage thousands of PCs from a single INI file. The service works on all versions of Microsoft Windows, 32-bit and 64-bit.
PE Capture Service can be used in many ways to aid in the detection of malicious PE files loaded on a computer and to simplify Incident Response analysis. For example, you can use PE Capture Service to capture all PE files to a specific folder, then create a script that automatically scans that folder with Yara using your custom Yara rules to identify malware. Also keep in mind that PE Capture Service is able to capture any PE file executed on the system, not just the ones that are loaded, making it a very powerful security tool for effectively capturing all PE files.
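The scanning script mentioned above, as an added example that is not part of PE Capture Service: it walks a capture folder, keeps only files with a valid MZ/PE header, deduplicates them by SHA-256 (the same hash-to-path lookup the log file supports), and, if the yara-python module is installed, matches each unique file against a rules file. The folder path, rules path and the minimal sample PE built for testing are assumptions.

```python
import hashlib
import os
import struct
from typing import Optional

# yara-python (pip install yara-python) is optional: without it the scan
# still reports each unique PE file and every path it was captured at.
try:
    import yara
except ImportError:
    yara = None


def is_pe_file(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the PE signature
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_capture_folder(folder: str, rules_path: Optional[str] = None) -> dict:
    """Return {sha256: {"paths": [...], "matches": [rule names]}} for PE files under folder."""
    rules = yara.compile(filepath=rules_path) if (yara and rules_path) else None
    results = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if not is_pe_file(data):
                continue  # skip log files and anything that is not a PE image
            digest = hashlib.sha256(data).hexdigest()
            entry = results.setdefault(digest, {"paths": [], "matches": []})
            entry["paths"].append(path)
            if rules is not None and not entry["matches"]:  # scan each unique hash once
                entry["matches"] = [m.rule for m in rules.match(data=data)]
    return results


def build_sample_pe(payload: bytes = b"\x00" * 32) -> bytes:
    """Constructed minimal PE-like image for testing: MZ stub with e_lfanew = 0x40."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + payload


if __name__ == "__main__":
    # Assumed locations; point these at the capture folder and rules file you use.
    for sha256, info in scan_capture_folder(r"C:\PECapture\Captured", "rules.yar").items():
        print(sha256, info["matches"], info["paths"])
```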
- Commercial License applies to all non-personal use of PE Capture Service. This includes, but is not limited to: small and home businesses, large businesses and enterprises, schools and other educational organizations, churches and other religious organizations, and government institutions.
- You understand and agree that you are licensing just the right to use PE Capture Service within your organization. Use of unlicensed copies of PE Capture Service is only permitted during evaluation by the IT department or a similar function within the organization.
- You should buy one license for every computer or system, on which you will install PE Capture Service, within your organization. In case you install PE Capture Service on two virtual machines, then you should buy two licenses. We consider a virtual machine as 1 computer\system.
- The 1 year subscription license means that you can use the software for 1 entire year starting from the date and time of your purchase. After the subscription period is terminated, you should renew your subscription if you want to continue to use PE Capture Service.
- Discounts are available starting from 5+ licenses. To request a custom quote for 50+ licenses please contact us via email. We can offer special prices for schools and universities.
- The payments and renewals are handled by the FastSpring E-Commerce Platform. The price in USD and other currencies may vary according to the Euro conversion rate. Please visit the online store to see the actual price. Please note, the price excludes VAT\IVA for European (EU) customers.
Last Updated: 13 February 2016
Operating System: Windows All (32-bit / 64-bit)