Native Executable Lookup

Comprehensive Windows native executable and binary analysis service for malware detection and threat hunting.

Module Overview

Have you ever wondered what kbdfi1.dll under System32 is? Do you know what riched32.dll is, and whether it belongs on a Windows system natively? Neither did we, until now.

The Native Executable Lookup module provides instant insight into the core Windows executables, DLLs and system binaries that ship with different Windows versions, service packs and editions. Where traditional tools leave you guessing about a suspicious file and doing time-consuming manual research, this module immediately returns the executable name, the paths under which it has been seen, and every Description, Product Name, Company Name and Runtime Window Title registered for it over time, for any file spotted in a Windows installation we have indexed.

Whether you're investigating suspicious processes, validating system binaries or hunting for living-off-the-land attacks, this module cuts analysis from hours to seconds by providing detailed file intelligence and contextual threat information for rapid security decisions. It is not meant to be used as a "green light" when you spot a familiar file name or path in your logs: a name and path alone prove nothing, because malware routinely reuses both. The module gives you more context to make that decision yourself.

Use Cases

Malware Detection and Analysis

  • Rapid Binary Triage: Decide faster which leads to pursue by checking whether a sample's name and path match known goodware
  • Suspicious File Validation: Verify the legitimacy of questionable executables found during investigations by checking whether their PE version metadata (Description, Product Name, Company Name) and observed Runtime Window Title match the indexed values. A mismatch is a strong signal; a match is not proof, since metadata can be copied into a malicious binary

Incident Response and Forensics

  • Process Investigation: Quickly assess the legitimacy of running processes and their associated executables
  • Timeline Reconstruction: Understand the role of specific executables in attack timelines

Threat Hunting and Prevention

  • Living-off-the-Land Detection: Identify legitimate tools being used maliciously beyond the well known LOLBINs
  • Anomaly Detection: Spot and profile unusual or suspicious executables in your environment
  • Proactive Hunting: Search for indicators of compromise and potential threats
  • Environmental Baseline: Establish normal executable patterns for your organization

System Administration and Compliance

  • Compliance Validation: Verify that only authorized software is running in your environment

Usage Guidelines

Best Practices for Usage

  • File Name First: Always start with a direct file name lookup for faster results
  • File Path Specifics: You will see <uid>, <version>, <arch>, <hash> and <lang> placeholders in file paths. Just as file hashes change from build to build, so do the directories Windows installs executables into: package, WinSxS and GAC folder names embed versions, architectures, publisher IDs and locales. Because the underlying files are the same, we have normalized these components as far as we could, so you are not bothered by paths that look like _31bf3856ad364e_v4.0_4.0.0.0__b03f5f7f11d50a3a_8wekyb3d8bbwe_amd64_pt-PT and instead see c:\program files\windowsapps\microsoft.office.onenote_<version><arch>_<uid>\<lang>\msointl30_winrt.dll
  • Context Matters: Consider the context in which the file's behaviour is observed, and whether it is expected for that user and for the process execution sequence (for example the parent process and command line)
  • Regular Updates: Re-check files periodically, as the index and the threat intelligence behind it are updated continuously
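As an added illustration of the path normalization described above (example code written for this page, not the module's own implementation), the Python below templates the volatile parts of WindowsApps, WinSxS and GAC directory names and folds locale folders into <lang>, then counts how many raw observations collapse into each template. The placeholder names follow the page; mapping the MSIX publisher ID and the .NET public key token to <uid> and the trailing WinSxS component hash to <hash> is my assumption, the output keeps the real separators of each folder format (for example _<version>_<arch>__<uid>), and the sample paths are constructed, not real telemetry.

```python
import re
from collections import Counter

# Locale folder names such as en-US, pt-PT or zh-Hans-CN; matched on whole
# path components only, never inside a file name.
_LANG = re.compile(r"^[a-z]{2,3}(?:-[a-z]{4})?-[a-z]{2}$", re.I)

# MSIX/APPX package folder under \Program Files\WindowsApps:
#   <name>_<version>_<arch>__<publisherid>
_APPX = re.compile(
    r"^(?P<name>[a-z0-9.\-]+)_(?P<version>\d+(?:\.\d+){3})"
    r"_(?P<arch>x64|x86|arm64|arm|neutral)__(?P<uid>[a-z0-9]{13})$", re.I)

# WinSxS component folder:
#   <arch>_<component-name>_<publickeytoken>_<version>_<culture>_<hash>
_SXS = re.compile(
    r"^(?P<arch>amd64|x86|wow64|msil)_(?P<name>[a-z0-9.\-]+)_(?P<uid>[0-9a-f]{16})"
    r"_(?P<version>\d+(?:\.\d+){3})_(?P<culture>none|[a-z]{2}-[a-z]{2})_(?P<hash>[0-9a-f]{16})$", re.I)

# Global Assembly Cache version folder, e.g. v4.0_4.0.0.0__b03f5f7f11d50a3a
_GAC = re.compile(
    r"^(?P<rt>v\d+\.\d+)_(?P<version>\d+(?:\.\d+){3})__(?P<uid>[0-9a-f]{16})$", re.I)


def normalize_component(part: str) -> str:
    """Replace the volatile pieces of one directory name with placeholders."""
    m = _APPX.match(part)
    if m:
        return f"{m['name']}_<version>_<arch>__<uid>"
    m = _SXS.match(part)
    if m:
        culture = "none" if m["culture"].lower() == "none" else "<lang>"
        return f"<arch>_{m['name']}_<uid>_<version>_{culture}_<hash>"
    m = _GAC.match(part)
    if m:
        return f"{m['rt']}_<version>__<uid>"
    if _LANG.match(part):
        return "<lang>"
    return part


def normalize_path(path: str) -> str:
    """Lower-case, use backslashes, and template every directory component.
    The file name itself is kept verbatim: it is the thing you look up."""
    parts = path.strip().replace("/", "\\").lower().split("\\")
    return "\\".join([normalize_component(p) for p in parts[:-1]] + parts[-1:])


def collapse(paths):
    """Count how many raw observations fold into each normalized path."""
    return Counter(normalize_path(p) for p in paths)


# Constructed sample paths (not real telemetry); the WinSxS hash and the
# OneNote build numbers are made up for illustration.
SAMPLE_PATHS = [
    r"C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.14326.20454.0_x64__8wekyb3d8bbwe\pt-PT\msointl30_winrt.dll",
    r"C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.14527.20210.0_x64__8wekyb3d8bbwe\en-US\msointl30_winrt.dll",
    r"C:\Windows\WinSxS\amd64_microsoft-windows-kernel32_31bf3856ad364e35_10.0.19041.1_none_b4a7c0f1d2e3f405\kernel32.dll",
    r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.dll",
    r"C:\Windows\System32\kbdfi1.dll",
]

if __name__ == "__main__":
    for template, n in collapse(SAMPLE_PATHS).items():
        print(f"{n:>3}  {template}")
```

The two OneNote paths differ only in build number and locale, so they fold into a single template; a plain System32 path passes through unchanged apart from case. Matching is anchored on whole directory components so that a hex-looking file name or a two-letter folder such as "bin" is never rewritten.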

Integration Capabilities (COMING SOON)

  • SIEM Integration: Real-time file reputation checking for security alerts
  • Threat Intelligence Platforms: Export findings to TIP platforms for broader correlation
  • Incident Response Tools: Direct integration with IR platforms and case management systems

Token Pricing Breakdown

Basic Lookup Operations

  • Search or Filter: 1 token. Every search or filter operation returns at most 100 matches and consumes 1 token.

Why These Costs: A minimal token charge avoids overcharging customers while protecting the service from excessive querying. The result volume is capped because, for time efficiency, filtering should take precedence over open-ended exploratory browsing.

Performance Expectations

All requests are expected to return in the low-millisecond range, plus network latency.