Volatility Analysis

Velociraptor Volatility Exercise

1. Introduction

You suspect that the attacker has also launched a malicious process on WS1. You need to identify it. To analyze WS1, you will take a memory snapshot of the VM and analyze it with Volatility.

For information on how to use Volatility, refer to the Volatility Wiki; the Command Reference and the Volatility Cheatsheet (both available on the Wiki) are particularly useful.

2. Create a memory dump with Velociraptor

To create a memory snapshot, you can use the Artifact Windows.Memory.Acquisition. This Artifact takes a while to complete and will significantly slow down the target machine during execution (unless limited in the Hunt options, which we don't recommend in this instance as it makes execution take even longer). Because of this, increase the Max Execution Time in Seconds to 1200 (20 min) or more when you create the Hunt.

The entire dump (around 7.5 GB) will then be uploaded to C:\Windows\Temp\clients\<clientid>\collections\<flowid>\uploads\file\ as PhysicalMemory.raw.

Under Options, set a maximum duration of 20 min and a file size limit of 8 GB.

This took a while; afterwards the memory dump can be found in the Results tab under Uploaded Files:

Now we can go ahead and analyze the snapshot with Volatility.

3. Analyze the memory dump with Volatility 2

Every Volatility command needs the profile (OS) parameter, so we determine that first. This can be done with the command: .\volatility_2.6_win64_standalone.exe -f .\PhysicalMemory.raw imageinfo

As we know that WS1 is a server, the suggested profile that fits best is, with high probability, Win2016x64_14393.

3.1 List processes

To list all the processes we can use the psscan and pstree commands. I prefer the pstree command because we can see the parent and child processes, which gives me a better overview!

.\volatility_2.6_win64_standalone.exe -f .\PhysicalMemory.raw --profile=Win2016x64_14393 pstree

Here I took notice of two things: PsExec is running as a service on WS1, and there is a running svchost.exe without a parent process. Let's have a quick look at the SANS Poster:

According to the poster, the image path of svchost.exe should be C:\Windows\System32\svchost.exe, it should be started with a -k argument, and its parent should be services.exe. Find out what those values are for the suspicious process.

3.2 Get path of a specific process

To reveal the path of a specific process we can use the cmdline command with the process's PID: .\volatility_2.6_win64_standalone.exe -f .\PhysicalMemory.raw --profile=Win2016x64_14393 cmdline -p 2332
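As an added example (not part of the original exercise), the script below applies the three svchost.exe checks from the poster (parent is services.exe, image path is C:\Windows\System32\svchost.exe, a -k argument is present) to Volatility 2 pstree and cmdline output. The process list and command lines embedded here are constructed samples, not output from the lab's dump; PID 2332 is the suspicious process from the exercise.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of Volatility 2 "pstree" output (not from the real dump).
PSTREE = r"""
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xffffd000a1b2c3d0:wininit.exe                      480    392      1     70 2020-01-01 08:00:00 UTC+0000
. 0xffffd000a1b2c400:services.exe                    560    480      5    200 2020-01-01 08:00:01 UTC+0000
.. 0xffffd000a1b2c500:svchost.exe                    888    560     10    400 2020-01-01 08:00:02 UTC+0000
.. 0xffffd000a1b2c600:PSEXESVC.exe                  1900    560      3     80 2020-01-01 09:15:00 UTC+0000
 0xffffd000a1b2c700:svchost.exe                     2332   1712      2     60 2020-01-01 09:16:10 UTC+0000
""".strip()

# Constructed sample of Volatility 2 "cmdline" output for the same PIDs.
CMDLINE = r"""
************************************************************************
svchost.exe pid:    888
Command line : C:\Windows\system32\svchost.exe -k DcomLaunch
************************************************************************
svchost.exe pid:   2332
Command line : C:\Users\Public\svchost.exe
""".strip()

EXPECTED_IMAGE = r"c:\windows\system32\svchost.exe"  # compared case-insensitively

def parse_pstree(text: str) -> List[Dict]:
    """Extract name, PID and PPID from each pstree row (leading dots mark depth)."""
    row = re.compile(r"^\.*\s*0x[0-9a-fA-F]+:(\S+)\s+(\d+)\s+(\d+)")
    procs = []
    for line in text.splitlines():
        m = row.match(line)
        if m:
            procs.append({"name": m.group(1), "pid": int(m.group(2)), "ppid": int(m.group(3))})
    return procs

def parse_cmdline(text: str) -> Dict[int, str]:
    """Map PID -> command line from cmdline output ("<name> pid: N" then "Command line : ...")."""
    cmds, pid = {}, None
    for line in text.splitlines():
        m = re.match(r"\S+ pid:\s+(\d+)", line)
        if m:
            pid = int(m.group(1))
        elif line.startswith("Command line :") and pid is not None:
            cmds[pid] = line.split(":", 1)[1].strip()
    return cmds

def check_svchost(procs: List[Dict], cmds: Dict[int, str]) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for every svchost.exe that violates one of the poster's rules."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        if p["name"].lower() != "svchost.exe":
            continue
        reasons = []
        parent = by_pid.get(p["ppid"])
        if parent is None:
            reasons.append("parent PID %d not in process list (orphaned)" % p["ppid"])
        elif parent["name"].lower() != "services.exe":
            reasons.append("parent is %s, expected services.exe" % parent["name"])
        parts = cmds.get(p["pid"], "").split()
        if not parts or parts[0].strip('"').lower() != EXPECTED_IMAGE:
            reasons.append("image path is not %s" % EXPECTED_IMAGE)
        if "-k" not in parts:
            reasons.append("started without -k service group argument")
        if reasons:
            findings.append((p["pid"], reasons))
    return findings

if __name__ == "__main__":
    for pid, reasons in check_svchost(parse_pstree(PSTREE), parse_cmdline(CMDLINE)):
        print("PID %d: %s" % (pid, "; ".join(reasons)))
```

With real data, feed the script the saved output of the pstree and cmdline commands shown above instead of the constructed samples.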

3.3 Find potential malware

Volatility can flag potential malware (for example injected or hidden code in a process's memory) with the malfind command.

4. Analysis with Velociraptor

Analogous to Volatility's pslist and pstree, Velociraptor has the Artifacts Windows.System.Pslist and Windows.System.Pstree. Windows.System.Pslist additionally also shows you the CommandLine and Image path (labeled Exe) that required the use of cmdline in Volatility.

There also exists the Artifact Windows.Attack.ParentProcess, which would detect wrong parent processes (such as is the case with our svchost.exe). But since the parent process no longer exists, and thus its name cannot be resolved, the malicious process is not listed. Likewise, the Artifact Windows.System.SVCHost should detect it, but does not because the parent is no longer alive.

Let's use the Artifact Windows.Network.NetstatEnriched.

I set a filter for svchost.exe and launched the Artifact:

Results:
