# Volatility Analysis

## Velociraptor Volatility Exercise

### 1. Introduction

You suspect that the attacker has also launched a malicious process on WS1. You need to identify it. To analyze WS1, you will take a memory snapshot of the VM and analyze it with Volatility.

For information on how to use Volatility, refer to the Volatility Wiki; the Command Reference and the Volatility Cheatsheet (both available on the Wiki) are particularly useful.

### 2. Create a memory dump with Velociraptor

To create a memory snapshot, you can use the artifact `Windows.Memory.Acquisition`.\
This artifact takes a while to complete and will significantly slow down the target machine during execution (unless limited in the Hunt options, which we don't recommend in this instance, as it makes the execution take even longer). Because of this, increase the Max Execution Time in Seconds to 1200 (20 min) or more when you create the Hunt.

The entire dump (around 7.5 GB) will then be uploaded to `C:\Windows\Temp\clients\<clientid>\collections\<flowid>\uploads\file\` as `PhysicalMemory.raw`.

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FUZ6FIgsZuj6EiUUu2XXj%2Fartifact05.png?alt=media&#x26;token=f6e011ea-9d98-4d6a-bbb8-440fb2436701" alt=""></div>

Under Options, set a maximum duration of 20 min and a maximum file size of 8 GB:

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FQnIPYRmK929TQ8qgKAOw%2Fartifact06.png?alt=media\&token=437aa121-9ac4-4931-8e42-c0060aba7301)

This took a while. Once finished, the memory dump can be found in the Results tab under Uploaded Files:

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F2MqHh0Jidzswhjn9JNcl%2Fartifact07.png?alt=media\&token=d9c0fbe2-9a11-4b55-9945-89cbd8d2d9ab)

Now we can go ahead and analyze the snapshot with Volatility.

### 3. Analyze the memory dump with Volatility 2

Every Volatility command needs the OS profile as a parameter, so we determine it first with the `imageinfo` command:\
`.\volatility_2.6_win64_standalone.exe -f .\PhysicalMemory.raw imageinfo`

Since we know that WS1 is a server, the suggested profile most likely to be correct is `Win2016x64_14393`:

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FIUqsABPhkzaoOY3GOY5k%2Fprofile01.png?alt=media\&token=c2a96460-7ada-4153-a20b-deb10fb0f522)

### 3.1 List processes

To list all the processes we can use the `psscan` or `pstree` command. I prefer the `pstree` command because it shows the parent and child processes, which gives me a better overview!

`.\volatility_2.6_win64_standalone.exe -f .\PhysicalMemory.raw --profile=Win2016x64_14393 pstree`

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FQkst5CBvV363EmrHFPBa%2Fpsscan01.png?alt=media&#x26;token=1e6c8586-2755-4911-a815-bbadaf8f6760" alt=""></div>

Here I took notice of two things: PsExec is running as a service on WS1, and there is a running `svchost.exe` without a parent process. Let's have a quick look at the SANS poster:

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FrPvrXG2npITsIOrnbg61%2Fsvchost.png?alt=media\&token=8187b0f3-de84-4369-89ee-74da5e3e0b47)

According to the poster, the image path of svchost.exe should be `C:\Windows\System32\svchost.exe` and it should be started with a `-k` argument. Find out what those values are for the suspicious process.

### 3.2 Get the path of a specific process

To reveal the path and command line of a specific process we can use the `cmdline` command, restricted to the suspicious PID with `-p`:\
`.\volatility_2.6_win64_standalone.exe -f .\PhysicalMemory.raw --profile=Win2016x64_14393 cmdline -p 2332`

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F9B2nePxvqiHbtyukJwyX%2Fcmdline01.png?alt=media\&token=d298e38d-7f7c-4e73-ab12-d3bf5af95790)

### 3.3 Find potential malware

Volatility can find potential malware (for example injected or unbacked executable memory regions) with the `malfind` command:

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FNteOW57E4FBSo42xVurV%2Fmalfind01.png?alt=media&#x26;token=b6565f6a-2130-4cdf-a348-0c3f971ee9e9" alt=""></div>

### 4. Analysis with Velociraptor

Analogous to Volatility's `pslist` and `pstree`, Velociraptor has the artifacts `Windows.System.Pslist` and `Windows.System.Pstree`. `Windows.System.Pslist` additionally shows you the CommandLine and image path (labeled Exe), which required the use of `cmdline` in Volatility.

There also exists the artifact `Windows.Attack.ParentProcess`, which would detect wrong parent processes (as is the case with our svchost.exe). But since the parent process no longer exists, and thus its name cannot be resolved, the malicious process is not listed. Likewise, the artifact `Windows.System.SVCHost` should detect it, but does not, because the parent is no longer alive.
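The three indicators from section 3.1 (image path not `System32\svchost.exe`, no `-k` service group argument, and a parent that is not `services.exe`) can be checked directly over process-list records, including the dead-parent case that `Windows.Attack.ParentProcess` and `Windows.System.SVCHost` miss. The following is an added example, not code from this exercise or from Velociraptor; it assumes records in the shape of `Windows.System.Pslist` output with the fields `Pid`, `Ppid`, `Name`, `Exe` and `CommandLine`, and the sample process table is constructed for illustration.

```python
import re

# Constructed sample records (not real output from WS1). Field names follow
# the assumed Windows.System.Pslist columns: Pid, Ppid, Name, Exe, CommandLine.
PROCESSES = [
    {"Pid": 4, "Ppid": 0, "Name": "System", "Exe": "", "CommandLine": ""},
    {"Pid": 612, "Ppid": 4, "Name": "services.exe",
     "Exe": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\services.exe"},
    {"Pid": 4444, "Ppid": 4000, "Name": "explorer.exe",
     "Exe": r"C:\Windows\explorer.exe", "CommandLine": r"C:\Windows\Explorer.EXE"},
    # Legitimate svchost: correct path, -k group, parent is services.exe.
    {"Pid": 820, "Ppid": 612, "Name": "svchost.exe",
     "Exe": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    # Correct binary, but spawned by explorer.exe instead of services.exe.
    {"Pid": 3100, "Ppid": 4444, "Name": "svchost.exe",
     "Exe": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k LocalService"},
    # Placeholder rogue svchost: wrong path, no -k, parent PID no longer exists.
    {"Pid": 2332, "Ppid": 5120, "Name": "svchost.exe",
     "Exe": r"C:\Users\Public\svchost.exe",
     "CommandLine": r"C:\Users\Public\svchost.exe"},
]

EXPECTED_EXE = r"c:\windows\system32\svchost.exe"
EXPECTED_PARENT = "services.exe"
K_ARG = re.compile(r"(^|\s)-k\s+\S+")  # "-k <service group>" anywhere in the command line


def check_svchost(procs):
    """Return [(pid, [reasons])] for every svchost.exe that violates the SANS baseline."""
    by_pid = {p["Pid"]: p for p in procs}
    findings = []
    for p in procs:
        if p["Name"].lower() != "svchost.exe":
            continue
        reasons = []
        if p["Exe"].lower() != EXPECTED_EXE:
            reasons.append("image path is not System32\\svchost.exe: %s" % p["Exe"])
        if not K_ARG.search(p["CommandLine"]):
            reasons.append("missing -k service group argument")
        parent = by_pid.get(p["Ppid"])
        if parent is None:
            # This is the case the parent-name based artifacts skip: flag it anyway.
            reasons.append("parent PID %d no longer exists" % p["Ppid"])
        elif parent["Name"].lower() != EXPECTED_PARENT:
            reasons.append("parent is %s, not services.exe" % parent["Name"])
        if reasons:
            findings.append((p["Pid"], reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in check_svchost(PROCESSES):
        print("PID %d: %s" % (pid, "; ".join(reasons)))
```

The same checks can be applied to Volatility `pstree` plus `cmdline` output after converting each line into the same dictionary shape.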

Let's use the artifact `Windows.Network.NetstatEnriched` instead:

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F87pis6wXfoAQHuPo7mLL%2Fartifact08.png?alt=media&#x26;token=fa3ba4b9-c741-46c9-ae49-6705d4c72b6a" alt=""></div>

I set a filter for svchost.exe and launched the artifact:

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FfVPXbdhGmeYCzDPw6DPX%2Fartifact09.png?alt=media&#x26;token=6560e230-0bfb-4e05-97ed-316ceeb33ccb" alt=""></div>

Results:

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FheRV2ywmqwOgIWFhij0g%2Fartifact10.png?alt=media\&token=7c715113-d313-4fb7-8834-c8f2bbc8efad)

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2Flh0UCy9US0K6R2OoPrjd%2Fartifact11.png?alt=media\&token=70e39336-55af-49cd-97db-053c45e07347)
