Volatility Analysis


Last updated 2 years ago


Velociraptor Volatility Exercise

1. Introduction

You suspect that the attacker has also launched a malicious process on WS1, and you need to identify it. To analyze WS1, you will take a memory snapshot of the VM and analyze it with Volatility.

For information on how to use Volatility, refer to the Volatility Wiki; the Command Reference and the Volatility Cheatsheet (both available on the Wiki) are particularly useful.

2. Create memorydump with velociraptor

To create a memory snapshot, you can use the Artifact Windows.Memory.Acquisition. This Artifact takes a while to complete and will significantly slow down the target machine during execution (it can be throttled in the Hunt options, which we don't recommend here because it makes the execution take even longer). Because of this, increase the Max Execution Time in Seconds to 1200 (20 min) or more when you create the Hunt.

The entire dump (around 7.5 GB) will then be uploaded to C:\Windows\Temp\clients\<clientid>\collections\<flowid>\uploads\file\ as PhysicalMemory.raw.

Under Options, set a maximum duration of 20 min and a maximum file size of 8 GB.

This takes a while; afterwards the memory dump can be found in the Results tab under Uploaded Files:

Now we can go ahead with volatility to analyze the snapshot.

3. Analyze memorydump with volatility2

Every Volatility 2 command needs the OS profile (--profile) of the image. To find the right profile, run: .\volatility_2.6_win64_standalone.exe -f .\PhysicalMemory.raw imageinfo

Since we know that WS1 is a server, the most likely profile among those suggested is Win2016x64_14393.

3.1 list processes

To list all the processes we can use the psscan and pstree commands. I prefer the pstree command because we can see the parent and child processes, which gives me a better overview!

.\volatility_2.6_win64_standalone.exe -f .\PhysicalMemory.raw --profile=Win2016x64_14393 pstree

Here I noticed two things: PsExec is running as a service on WS1, and there is a running svchost.exe without a parent process. Let's have a quick look at the SANS poster:

According to the poster, the image path of svchost.exe should be C:\Windows\System32\svchost.exe and it should be started with a -k argument. Find out what these values are for the suspicious process.

3.2 Get path of a specific process

To reveal the image path and command line of a specific process we can use the cmdline command, restricted to one PID with -p: .\volatility_2.6_win64_standalone.exe -f .\PhysicalMemory.raw --profile=Win2016x64_14393 cmdline -p 2332
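As an added example (not code from the page or from the course lab), the following Python script automates the two SANS poster checks from 3.1 and 3.2 on Volatility 2 output. It parses constructed sample pslist and cmdline output (the offsets, PIDs and paths are made up and are not from the WS1 dump, apart from reusing PID 2332 for the suspicious svchost.exe), joins the two by PID, and flags every svchost.exe whose image path, -k argument or parent process deviates from the expected values. It also reports a parent PID that is absent from the process list, which is the situation that makes the Velociraptor parent-process artifacts in section 4 miss the process.

```python
"""Flag suspicious svchost.exe instances from Volatility 2 pslist + cmdline output.

The checks follow the SANS poster expectations used in this exercise: svchost.exe
should run from C:\\Windows\\System32\\svchost.exe, carry a -k service-group
argument, and have services.exe as its parent.
"""
import re
from collections import namedtuple

Process = namedtuple("Process", "pid ppid name cmdline")

# Constructed sample in the Volatility 2 `pslist` column layout (not the WS1 dump).
# PID 2332 is the suspicious process; its parent 3104 is no longer running.
PSLIST_SAMPLE = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xffffe00012345040 System                    4      0    120        0 ------      0 2021-03-01 09:00:00 UTC+0000
0xffffe00012a1b080 wininit.exe             480      4      1       80      0      0 2021-03-01 09:00:02 UTC+0000
0xffffe00012b2c080 services.exe            620    480      6      300      0      0 2021-03-01 09:00:03 UTC+0000
0xffffe00012c3d080 svchost.exe             812    620     12      450      0      0 2021-03-01 09:00:04 UTC+0000
0xffffe00012d4e080 PSEXESVC.exe           1744    620      4      120      0      0 2021-03-01 09:15:10 UTC+0000
0xffffe00012e5f080 svchost.exe            2332   3104      3       90      1      0 2021-03-01 09:16:41 UTC+0000
"""

# Constructed sample in the Volatility 2 `cmdline` layout (not the WS1 dump).
CMDLINE_SAMPLE = r"""
************************************************************************
services.exe pid:    620
Command line : C:\Windows\system32\services.exe
************************************************************************
svchost.exe pid:    812
Command line : C:\Windows\system32\svchost.exe -k netsvcs
************************************************************************
PSEXESVC.exe pid:   1744
Command line : C:\Windows\PSEXESVC.exe
************************************************************************
svchost.exe pid:   2332
Command line : C:\Users\Public\svchost.exe
"""

PSLIST_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+(\d+)\b", re.I)
CMD_HEADER_RE = re.compile(r"^(\S+) pid:\s+(\d+)\s*$")
CMD_LINE_RE = re.compile(r"^Command line : (.*)$")
EXPECTED_SVCHOST_PATH = r"c:\windows\system32\svchost.exe"  # compared case-insensitively


def parse_pslist(text):
    """Return {pid: (ppid, name)} from pslist output; header and separator lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = PSLIST_RE.match(line)
        if m:
            table[int(m.group(2))] = (int(m.group(3)), m.group(1))
    return table


def parse_cmdline(text):
    """Return {pid: command line}; each 'name pid: N' header is followed by its 'Command line :' row."""
    cmdlines, pid = {}, None
    for line in text.splitlines():
        header = CMD_HEADER_RE.match(line)
        if header:
            pid = int(header.group(2))
            continue
        body = CMD_LINE_RE.match(line)
        if body and pid is not None:
            cmdlines[pid] = body.group(1).strip()
            pid = None
    return cmdlines


def merge(pslist_text, cmdline_text):
    """Join both outputs by PID; processes without a recovered command line get cmdline=None."""
    cmdlines = parse_cmdline(cmdline_text)
    return [Process(pid, ppid, name, cmdlines.get(pid))
            for pid, (ppid, name) in parse_pslist(pslist_text).items()]


def image_path(cmdline):
    """Extract the executable path from a command line (quoted or first token)."""
    if not cmdline:
        return None
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0]


def check_svchost(processes):
    """Return (pid, reason) findings for every svchost.exe that breaks an expectation."""
    by_pid = {p.pid: p for p in processes}
    findings = []
    for p in processes:
        if p.name.lower() != "svchost.exe":
            continue
        path = image_path(p.cmdline)
        if path is None:
            findings.append((p.pid, "no command line recovered"))
        elif path.lower() != EXPECTED_SVCHOST_PATH:
            findings.append((p.pid, f"unexpected image path {path}"))
        if p.cmdline is not None and "-k" not in p.cmdline.split():
            findings.append((p.pid, "missing -k service-group argument"))
        parent = by_pid.get(p.ppid)
        if parent is None:
            findings.append((p.pid, f"parent pid {p.ppid} not in process list (parent exited?)"))
        elif parent.name.lower() != "services.exe":
            findings.append((p.pid, f"parent is {parent.name}, expected services.exe"))
    return findings


if __name__ == "__main__":
    for pid, reason in check_svchost(merge(PSLIST_SAMPLE, CMDLINE_SAMPLE)):
        print(f"PID {pid}: {reason}")
```

On a real case you would redirect the pslist and cmdline output of the dump into two text files and pass their contents to merge() instead of the embedded samples; the only columns the parser relies on are Name, PID and PPID of pslist and the two-line record layout of cmdline.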

3.3 Find potential malware

Volatility can find potential malware, such as injected or hidden code regions inside a process, with the malfind command.

4. Analysis with Velociraptor

Analogous to Volatility's pslist and pstree, Velociraptor has the Artifacts Windows.System.Pslist and Windows.System.Pstree. Windows.System.Pslist additionally shows you the CommandLine and the image path (labeled Exe), for which we needed the cmdline command in Volatility.

There is also the Artifact Windows.Attack.ParentProcess, which would detect wrong parent processes (as is the case with our svchost.exe). But since the parent process no longer exists, and thus its name cannot be resolved, the malicious process is not listed. Likewise, the Artifact Windows.System.SVCHost should detect it, but does not because the parent is no longer alive.

Let's use the Artifact Windows.Network.NetstatEnriched.

I set a filter for svchost.exe and launched the Artifact:

Results: