Volatility Memory Analysis - Fast Action
Lab Info:
Kali 2020.2 from https://www.osboxes.org/kali-linux/
How to run the Kali 2020.2 VMware image (.vmdk) in a VM: https://kb.vmware.com/s/article/2010196
Check Image Info
volatility -f memory.mem imageinfo
#imageinfo prints the suggested profile(s); on a big image it is slow, so list the profiles Volatility knows and pick the one matching the OS, service pack and architecture (kdbgscan confirms the choice)
volatility --info | grep Win
Network
#netscan works on Vista/2008 and later profiles; connections and connscan are XP/2003 only and fail with a newer profile
volatility -f memory.mem --profile=Win2008SP1x64 netscan
volatility -f memory.mem --profile=Win2008SP1x64 connections
volatility -f memory.mem --profile=Win2008SP1x64 connscan
#Export network traffic (packet fragments carved from memory end up in exported_files/packets.pcap)
bulk_extractor -E net -o exported_files/ memory.mem
#See the unique IP addresses (ip.addr prints "src,dst" per packet, so split on the comma before sorting)
tshark -T fields -e ip.addr -r exported_files/packets.pcap | tr ',' '\n' | sort -u
Timeline
#Keep only the year of interest; timeliner lines start with the timestamp, so sorting on the first two fields orders them by date and time
volatility -f memory.mem --profile=Win2008SP1x64 timeliner | grep 2021 > timeliner.txt
sort -k 1,2 timeliner.txt | less
Processes & Dlls & Dll Dump
#psscan carves EPROCESS structures, so it also finds exited or unlinked processes; psxview cross-references the process lists, a PID with pslist False and psscan True deserves a look
volatility -f memory.mem --profile=Win2008SP1x64 psscan
volatility -f memory.mem --profile=Win2008SP1x64 pstree
volatility -f memory.mem --profile=Win2008SP1x64 psxview
volatility -f memory.mem --profile=Win2008SP1x64 dlllist -p 592
#memdump writes the whole address space of PID 592 to exported_files/592.dmp (no space after the = sign); dlldump takes the same -p/--dump-dir switches to extract single DLLs
volatility -f memory.mem --profile=Win2008SP1x64 memdump -p 592 --dump-dir=exported_files/
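The Network and Processes one-liners above are the same commands every time, so here they are wrapped into a repeatable run. This is an added example, not part of the original cheat sheet: it assumes the Volatility 2 CLI is on PATH as volatility, picks netscan or connscan from the profile name, writes one text file per plugin, and post-processes two outputs with plain awk/tr: hidden or exited PIDs from psxview and unique IPs from the tshark ip.addr field. The image name, profile and output directory are hypothetical defaults.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): run the triage plugins once and
# post-process their output. Assumes `volatility` (Volatility 2) is on PATH.
# memory.mem / Win2008SP1x64 / exported_files are hypothetical defaults.
set -euo pipefail

MEM="${1:-memory.mem}"
PROFILE="${2:-Win2008SP1x64}"
OUT="${3:-exported_files}"

# Plugins that exist for every Windows profile.
COMMON_PLUGINS="pslist psscan pstree psxview filescan mutantscan consoles cmdscan cmdline timeliner"

vol() { volatility -f "$MEM" --profile="$PROFILE" "$@"; }

# connections/connscan only support XP/2003 profiles; netscan covers Vista/2008+.
net_plugin() {
    case "$1" in
        WinXP*|Win2003*) echo "connscan" ;;
        *)               echo "netscan" ;;
    esac
}

# One text file per plugin; keep going when a plugin fails (usually a
# profile/image mismatch) so the error is recorded instead of aborting the run.
run_triage() {
    mkdir -p "$OUT"
    for p in $COMMON_PLUGINS "$(net_plugin "$PROFILE")"; do
        if vol "$p" > "$OUT/$p.txt" 2> "$OUT/$p.err"; then
            echo "[+] $p -> $OUT/$p.txt"
        else
            echo "[!] $p failed, see $OUT/$p.err" >&2
        fi
    done
}

# psxview columns: Offset(P) Name PID pslist psscan thrdproc pspcid csrss
# session deskthrd ExitTime. A PID that psscan carved but pslist does not
# list is either unlinked from the EPROCESS list (hidden) or has exited, in
# which case psxview fills the ExitTime column. Prints "PID NAME hidden|exited".
hidden_pids() {
    awk '/^-/ { body = 1; next }
         body && $4 == "False" && $5 == "True" {
             print $3, $2, (NF > 10 ? "exited" : "hidden")
         }' "$1"
}

# tshark -T fields -e ip.addr prints "src,dst" per packet; split and dedupe.
# Usage: tshark -T fields -e ip.addr -r "$OUT/packets.pcap" | unique_ips
unique_ips() {
    tr ',' '\n' | sed '/^$/d' | LC_ALL=C sort -u
}

# Only run the plugins when an image is given on the command line, so the
# file can also be sourced for hidden_pids / unique_ips alone.
if [ "$#" -ge 1 ]; then
    run_triage
    echo "[*] hidden/exited processes:"
    hidden_pids "$OUT/psxview.txt"
fi
```

Run it as `./triage.sh memory.mem Win2008SP1x64 exported_files`, then pivot from any PID reported as hidden into dlllist, handles and memdump as in the section above.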
File Scan
volatility -f memory.mem --profile=Win2008SP1x64 filescan | grep malicious_exe
volatility -f memory.mem --profile=Win2008SP1x64 filescan | grep -i PsExec
YARA Scan
#-Y takes an inline rule/string; use -y rules.yar for a rules file
volatility -f memory.mem --profile=Win2008SP1x64 yarascan -Y "malicious_domain"
Strings
#Windows keeps most strings as UTF-16LE, so repeat with strings -e l to catch the wide-character copies
strings memory.mem | grep -i malicious_domain
strings exported_files/* | grep -i malicious_domain
Consoles
volatility -f memory.mem --profile=Win2008SP1x64 consoles
volatility -f memory.mem --profile=Win2008SP1x64 cmdscan
volatility -f memory.mem --profile=Win2008SP1x64 cmdline
Mutant Scan
volatility -f memory.mem --profile=Win2008SP1x64 mutantscan
#Mutants held by a single process
volatility -f memory.mem --profile=Win2008SP1x64 handles -p 592 -t Mutant
Other Plugins
#New plugins from:
https://github.com/superponible/volatility-plugins
volatility --plugins=/home/osboxes/volatility-plugins-master/ -f memory.mem --profile=Win2008SP1x64 powersh
volatility --plugins=/home/osboxes/volatility-plugins-master/ -f memory.mem --profile=Win2008SP1x64 autoruns
volatility --plugins=/home/osboxes/volatility-plugins-master/ -f memory.mem --profile=Win2008SP1x64 uninstallinfo
volatility --plugins=/home/osboxes/volatility-plugins-master/ -f memory.mem --profile=Win2008SP1x64 chromehistory
volatility --plugins=/home/osboxes/volatility-plugins-master/ -f memory.mem --profile=Win2008SP1x64 firefoxhistory
Cobalt Strike Scan
Download:
https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py
sudo su
#default osboxes password: osboxes.org
#drop the plugin into the package's plugin directory (or pass its folder with --plugins as above)
mv cobaltstrikescan.py /usr/lib/python2.7/dist-packages/volatility/plugins/malware
#the profile must match the image, as everywhere else; Win7SP1x64 is just the example here
python vol.py [cobaltstrikescan | cobaltstrikeconfig ] -f memory.mem --profile=Win7SP1x64
Further information: https://github.com/volatilityfoundation
by dfirist@gmail.com