Deploy Velociraptor for persistent monitoring; use SLIC v3.2 for ad-hoc deep dives on specific hosts where you need JSON outputs not covered by Velociraptor artifacts.
Legitimate sources only:
Verification steps after download:
Get-FileHash .\slic_v3.2.ps1 -Algorithm SHA256
# Compare to: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (example)
Do not run version 3.2 from any third-party file sharing site (Dropbox, Mediafire, Mega) unless you have verified the hash. slic toolkit v3.2
For malware analysts running SLIC in a sandbox, v3.2 includes an optional module that collects evidence of VM detection and sandbox artifacts (e.g., presence of VMWare tools in memory, CPUID checks). This is invaluable for understanding whether malware alters its behavior when it suspects analysis. Deploy Velociraptor for persistent monitoring; use SLIC v3
On a critical DC, you cannot install agents. SLIC Toolkit v3.2’s low footprint allows you to run: Verification steps after download: Get-FileHash
.\slic_v3.2.ps1 -Evtx Security,PowerShell -Persist -MemoryHash
This collects Kerberos TGT requests (ID 4768) and potential Golden Ticket activity without rebooting the DC.