Volatility Dumpfiles

Memory Analysis using Volatility - dumpfiles

Volatility is a tool for extracting digital artifacts from volatile memory (RAM) samples. It uses a set of plugins that extract these artifacts quickly and efficiently.

Dumpfiles – Files are cached in memory for system performance as they are accessed and used. This makes the cache a valuable source from a forensic perspective, since we can retrieve the files that were in use intact, instead of carving them, which ignores how items are mapped in memory. dumpfiles iterates through the VAD and extracts all files that are mapped as a DataSectionObject, ImageSectionObject, or SharedCacheMap.

From an incident response perspective, the volatile data residing in the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions and registry hives that can be a valuable source of evidence and is typically not stored on the local hard disk. This is one of the investigator’s favorite data sources for digital forensics, and knowing the right tool to dump memory is a must.

 

Using the Volatility dumpfiles plugin, we can extract a file either by a targeted search that matches a regex pattern or by the physical offset of the file of interest.

In this demo, we will use the physical offset to dump the file.

First, we run the Volatility filescan plugin to get the file’s physical offset.

In this case, we are hunting for the file name wuaumqr.exe inside our volatile memory.

Next, we run Volatility dumpfiles with the -Q option.

Finally, we can view the extracted file of interest and perform further analysis.

The syntax is:

On Windows: vol.exe -f <memorydump> --profile=<OS> dumpfiles -Q <physical_offset> -D <directory>

On Linux: python vol.py -f <memorydump> --profile=<OS> dumpfiles -Q <physical_offset> -D <directory>

#note: To get the physical offset of the file, use the filescan plugin from Volatility.
 


In this demo, we will use a regex pattern to dump the file of interest.

The syntax is:

On Windows: vol.exe -f <memdump> --profile=<OS> dumpfiles --regex .evtx$ --ignore-case -D <directory>
On Linux: python vol.py -f <memdump> --profile=<OS> dumpfiles --regex .evtx$ --ignore-case -D <directory>

What this command does:

First, it uses the regex pattern “.evtx$” to search for matching file objects inside our volatile memory.
Then, --ignore-case makes that match case-insensitive.

#note: On Windows 7 and later, this approach dumps the MFT-resident files whose names match the .evtx$ pattern from volatile memory.
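As an added example (not from the original post), the following Python script parses constructed filescan output, selects file objects by regex (case-insensitively, like --ignore-case) and builds the matching dumpfiles -Q command lines, so the two approaches above can be combined: search by name, then dump by physical offset. The offsets, paths, the image name mem.raw and the profile Win7SP1x64 are assumed values.

```python
"""Select file objects from Volatility 2 filescan output and build dumpfiles -Q commands."""
import re
from typing import List, Tuple

# Constructed sample of `vol.py filescan` output; offsets and paths are made up for the demo.
FILESCAN_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e0b4f20     16      0 R--r-d \\Device\\HarddiskVolume1\\Windows\\System32\\wuaumqr.exe
0x000000003e1a2c70      2      1 RW-rw- \\Device\\HarddiskVolume1\\Windows\\System32\\winevt\\Logs\\Security.evtx
0x000000003e2b3a10      1      0 R--r-- \\Device\\HarddiskVolume1\\Windows\\System32\\winevt\\Logs\\SYSTEM.EVTX
0x000000003e3c4b80      3      0 RW---- \\Device\\HarddiskVolume1\\Users\\bob\\Documents\\report.pdf
"""

# One data row: physical offset, pointer count, handle count, access flags, object name.
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*\S)\s*$")


def parse_filescan(text: str) -> List[Tuple[int, str]]:
    """Return (physical_offset, name) pairs, skipping the banner and header lines."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((int(m.group(1), 16), m.group(5)))
    return rows


def find_files(text: str, pattern: str, ignore_case: bool = True) -> List[Tuple[int, str]]:
    """Apply the same regex / --ignore-case selection dumpfiles performs, but on filescan rows."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    return [(off, name) for off, name in parse_filescan(text) if rx.search(name)]


def dumpfiles_commands(filescan_text: str, memdump: str, profile: str,
                       pattern: str, outdir: str, ignore_case: bool = True) -> List[str]:
    """Build one `dumpfiles -Q <offset>` command line per matching file object.

    Targeting each physical offset individually keeps the dump limited to the
    objects we selected, instead of every match the plugin would find on its own.
    """
    return [
        f"python vol.py -f {memdump} --profile={profile} dumpfiles -Q 0x{off:x} -D {outdir}"
        for off, _name in find_files(filescan_text, pattern, ignore_case)
    ]


if __name__ == "__main__":
    for cmd in dumpfiles_commands(FILESCAN_OUTPUT, "mem.raw", "Win7SP1x64", r"\.evtx$", "out"):
        print(cmd)
```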

MITRE ATT&CK USAGE

Introduction to Threat Hunting - MITRE ATT&CK® Framework

MITRE ATT&CK® is a knowledge base of cyber adversary behavior and a taxonomy of adversarial actions across their lifecycle. IR and hunt teams can use it as a reference for the techniques, tactics and procedures of the APTs currently targeting their industry.

In this discussion, we will explore how to perform a hunt using MITRE ATT&CK and add some procedure to make our hunt approach as efficient and effective as possible.

From a hunter’s perspective, having a hunt process is a must: a structured, procedural approach keeps the hunters on track and lets them document the whole process, which can be used later when delivering the report.

Scenario: Hunting APT38 Targeting Financial Sector

In this step, as a hunter we must identify which APT groups are currently targeting our industry.

One way to do this is to use a search engine effectively, for example Google or DuckDuckGo.

The image below is the result of a quick search using the keyword “apt targeting financial sector”.

Now, we land on the Mandiant[.]com APT list and use Find (Ctrl + F) to speed up our search for the APT of interest.

Then, we land on APT38: North Korea Threat Group that targets Financial Institutions World-Wide.

#note: The steps in this discussion apply equally when you search for a specific APT that targets a different industry.

#note: To speed up the process, look for the “additional resources” tab on the blog posts you visit.

One great thing for hunters when hunting threat groups is that they are not alone: many organizations and threat intelligence teams continuously gather information about the latest threats and share it with the public, where other teams can use it for hunting.

To perform effectively as a hunter, we must look at these external sources as an opportunity to expedite our research.

The sample below is from Mandiant’s Threat Research Team, which gives us full detail of how APT38 performs and structures their attack.

As a hunter, we can use these details to structure our hunt, correlate on their TTPs and work in a methodical way.

Source: https://www.mandiant.com/resources/apt38-details-on-new-north-korean-regime-backed-threat-group

We now know our threat group of interest.

Now, we can use MITRE ATT&CK to map their TTPs. This helps us structure their attack life cycle and understand how they perform their actions.

Source: https://mitre-attack.github.io/attack-navigator//#layerURL=https%3A%2F%2Fattack.mitre.org%2Fgroups%2FG0082%2FG0082-enterprise-layer.json

Step 4: Structuring APT38 Attack Life Cycle

In this stage, according to the Mandiant threat research team, APT38 relied on watering holes and exploited an insecure, out-of-date version of Apache Struts2 to execute code on the system.

In most cases, APT38 gains an initial foothold by the following:

      • Strategic Web Compromise
      • Apache Struts2 vulnerabilities

These types of approach exploit vulnerabilities in web-facing servers.

To mitigate and monitor these exploits we can do the following:

      • Perform vulnerability scanning
      • Document all out-of-date servers for monitoring

To know all the vulnerabilities in Apache Struts2 you can visit CVE Details:

https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-6117/Apache-Struts.html

Know more about Technique T1190:

https://attack.mitre.org/techniques/T1190/

In this stage, a level 1 initial compromise is established through exploitation of an out-of-date web-facing server. After that, just like a burglar who has successfully broken into the house, they contact the other party and await instructions.

According to the Mandiant Research Team, APT38 performs technique T1105 Ingress Tool Transfer to establish a foothold after exploiting a known vulnerability in out-of-date Linux servers hosting Apache Struts2, which gives RCE (Remote Code Execution). Adversaries may transfer additional tools or other files from an external system into the compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the foothold established by the previous exploitation. Once established, attacker tools can be transferred from external sources to victim devices within the compromised environment.

To hunt for artifacts at this stage:

For hunters to hunt artifacts on Windows, look for:

      • copy
      • finger
      • PowerShell IEX, DownloadString(), Invoke-WebRequest

For hunters to hunt artifacts on Linux & Mac look for:

      • curl
      • scp
      • sftp
      • tftp
      • rsync
      • finger
      • wget

To mitigate these approaches:

Use vulnerability scanning tools to enumerate all affected and out-of-date servers; if remediating these servers is not possible, document them for monitoring.

Use Network Intrusion Prevention.

Artifacts that can be used for hunting:

Firewall related events: Allowed Connection

Network monitoring: In/Out traffic on non-standard ports

Anti-Virus logs: Whitelisting software / Alerts

Endpoint sessions: RDP Session, VNC, Remote tools

#note: Hunters may want to dig into endpoints or servers that contact untrusted domains or external private IP addresses.

Know more about MITRE ATT&CK Technique T1105:

https://attack.mitre.org/techniques/T1105/

 

In this stage, an account with non-administrator privilege is identified, mostly a local or standard domain account. APT38 then elevates from a normal user account to an admin account using a set of tools in order to carry out its intention with admin privilege.

In this stage, APT38 makes their move by using living-off-the-land techniques and possibly in-memory attacks such as the PowerSploit Mimikatz module.

Threat actors enumerate user credentials in this stage through:

      • Dumping the LSASS cache: mimikatz credential dumping T1003
      • Dropped account enumeration tool: SORRYBRUTE T1110

Those are some of the techniques used by APT38 to dump credentials and escalate from a non-admin to an admin account.

To detect this type of privilege escalation attack, look for:

      • PowerShell with -En, -C, -ExecutionPolicy Bypass
      • PowerShell Invoke-WebRequest
      • PowerShell .DownloadString()

Also, termination of endpoint services and processes:

      • Windows Defender
      • EDR
      • Anti-Virus

Learn more about OS Credential Dumping Technique T1003: https://attack.mitre.org/techniques/T1003/

Learn more about Brute Force Technique T1110:

https://attack.mitre.org/techniques/T1110/


APT38 successfully escalates from the level 1 compromise with a non-admin user account to a local administrator or domain admin account. What happens in this stage is that APT38 can now perform internal recon from the level 1 compromised endpoint to map the environment and look for a possible level 2 compromise jump. The next task performed by APT38, according to Mandiant Threat Research, is to enumerate all possible details that give them information about the organization’s network, processes, services, accounts, domain policies and so on.

This step is half of the success for APT38, allowing them to operate on the compromised host with administrator privilege, which gives them the ability to perform super-user tasks.

APT38 maps different details of the network such as:
    • Network topology: arp, route print, wmi, net*
    • Network services: mDNS query dns-sd -B _ssh._tcp
    • Users: net.exe, /etc/passwd, /Users
    • System and services: tasklist, sc, net start, systemctl
    • Group Policy: Get-DomainGPO, Get-DomainGPOLocalGroup
    • Firewall rule modifications: event IDs 2004, 2005, 5156, 5146

As a hunter, we can monitor these techniques inside our network for anomalies, for example using a SIEM to monitor administrator commands such as wmi, or the firewall event IDs that trigger when a rule is added.

E.g. Bob is a normal user in the HR department, but Bob’s account was caught logged in, launched powershell.exe with the -En parameter, and the time is outside typical office hours. As a hunter, this gives us breadcrumbs that something is happening. This is a sample of a red flag worth digging into.

#note: Hunters should hunt for anomalies like a combination of process and service enumeration together with user and network enumeration, followed by firewall modifications. An account with legitimate intentions does not usually run this set of commands in sequence; if any account, usually a local admin or domain admin, executes commands matching this pattern, it might be worth digging into.
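As an added example (not part of the original post), this Python script runs the two red flags just described over a handful of constructed process-creation events: a PowerShell launch with -En outside office hours, and enumeration of processes, users and the network followed by a firewall rule change from the same account. The office-hours window, the 30-minute correlation window and every event value are assumptions made for the demo.

```python
"""Hunt the red flags described above over constructed process-creation events."""
import re
from datetime import datetime, timedelta
from typing import Dict, List

OFFICE_HOURS = (8, 18)                   # assumption: 08:00-18:00 on weekdays is "typical office hours"
SEQUENCE_WINDOW = timedelta(minutes=30)  # assumption: recon followed by a firewall change within 30 min

# PowerShell launch flags and download cradles listed in the hunt notes above.
POWERSHELL_FLAGS = re.compile(
    r"(?i)\s-(?:e(?:n(?:c(?:odedcommand)?)?)?|c(?:ommand)?)\s"
    r"|-ExecutionPolicy\s+Bypass|Invoke-WebRequest|\.DownloadString\(|\bIEX\b"
)

# Recon categories from the mapping list above, keyed by the command that starts the line.
ENUM_CATEGORIES = {
    "process_service": re.compile(r"(?i)^(?:tasklist|sc|net start|systemctl)\b"),
    "user": re.compile(r"(?i)^net (?:user|group|localgroup)\b|/etc/passwd"),
    "network": re.compile(r"(?i)^(?:arp|route print|wmic)\b|dns-sd\s+-B"),
}
# Local firewall rule changes (the host-side counterpart of firewall event IDs 2004/2005).
FIREWALL_CHANGE = re.compile(r"(?i)^netsh advfirewall firewall (?:add|set|delete) rule")

# Constructed events in the shape of Sysmon Event ID 1 / Security 4688 records (not real logs).
EVENTS: List[Dict[str, str]] = [
    {"time": "2023-03-14T09:12:03", "user": "alice", "cmd": "EXCEL.EXE Q1-report.xlsx"},
    {"time": "2023-03-14T10:05:41", "user": "svc_admin", "cmd": "tasklist /v"},
    {"time": "2023-03-14T10:06:02", "user": "svc_admin", "cmd": "net user /domain"},
    {"time": "2023-03-14T10:06:30", "user": "svc_admin", "cmd": "arp -a"},
    {"time": "2023-03-14T10:09:15", "user": "svc_admin",
     "cmd": "netsh advfirewall firewall add rule name=mgmt dir=in action=allow protocol=TCP localport=3389"},
    {"time": "2023-03-14T13:20:00", "user": "helpdesk", "cmd": "net start"},
    {"time": "2023-03-14T23:41:10", "user": "bob", "cmd": "powershell.exe -En QUFBQUFBQUE"},
]


def outside_office_hours(ts: datetime) -> bool:
    start, end = OFFICE_HOURS
    return ts.weekday() >= 5 or ts.hour < start or ts.hour >= end


def hunt(events: List[Dict[str, str]]) -> List[str]:
    """Return one finding per red flag, in time order."""
    findings: List[str] = []
    recon: Dict[str, List] = {}  # user -> [(timestamp, category)] seen so far
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        user, cmd = ev["user"], ev["cmd"]

        # Rule 1: PowerShell launched with encoded/abbreviated flags or a download cradle,
        # tagged when it happens outside office hours (the Bob example above).
        if "powershell" in cmd.lower() and POWERSHELL_FLAGS.search(cmd):
            when = "after-hours " if outside_office_hours(ts) else ""
            findings.append(f"{user}: {when}PowerShell launch with suspicious flags: {cmd}")

        # Rule 2: record recon commands per account, then flag a firewall change that
        # follows at least two different recon categories within the window.
        for category, rx in ENUM_CATEGORIES.items():
            if rx.search(cmd):
                recon.setdefault(user, []).append((ts, category))
        if FIREWALL_CHANGE.search(cmd):
            seen = sorted({c for t, c in recon.get(user, []) if ts - t <= SEQUENCE_WINDOW})
            if len(seen) >= 2:
                findings.append(f"{user}: firewall rule change after enumeration of {seen}")
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

A lone enumeration command (the helpdesk "net start") produces no finding, which is the point of requiring the sequence rather than any single command.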

Learn more about the following Techniques discussed:

T1046 Network Service Discovery:

https://attack.mitre.org/techniques/T1046/

T1040 Network Sniffing:

https://attack.mitre.org/techniques/T1040/

T1007 System Service Discovery:

https://attack.mitre.org/techniques/T1007/

T1087 Account Discovery:

https://attack.mitre.org/techniques/T1087/

T1615 Group Policy Discovery:

https://attack.mitre.org/techniques/T1615/

T1082 System Information Discovery:

https://attack.mitre.org/techniques/T1082/

In this stage, APT38 tries to stay on the compromised network as stealthily as possible. The longer threat actors stay on the system, the harder it is for analysts to detect them; within this stage registry keys, kernel configurations and security tools might have been changed, which allows them to move freely without worrying about detection.

In this stage, APT38 deploys additional tools such as malware to stay hidden until their transaction is completed. This can be done by dropping rootkits and staying hidden until their agenda is completed.

In this stage, these threat actors maintain persistence on the system through dropped rootkit malware.

After the mission, according to the Mandiant Threat Research team, APT38 covers their tracks by performing actions like:

      • Deleting log sources
      • Firmware corruption for anti-forensics
      • Disk wipe to hide their artifacts
      • Data manipulation
      • Hiding artifacts

This leaves the compromised organization with a huge impact on their business and infrastructure.

Learn more about the following techniques discussed:

T1565 Data Manipulation:

https://attack.mitre.org/techniques/T1565/

T1564 Hide Artifacts:

https://attack.mitre.org/techniques/T1564/

T1561 Disk Wipe:

https://attack.mitre.org/techniques/T1561/

T1495 Firmware Corruption:

https://attack.mitre.org/techniques/T1495/

T1537 Transfer Data to Cloud:

https://attack.mitre.org/techniques/T1537/

TA0040 Impact:

https://attack.mitre.org/tactics/TA0040/

Step 5: Structuring a Methodological Hunt Process for APT38

In this step, we will use the information we gathered while mapping our threat group of interest, APT38. We will use APT38’s MITRE ATT&CK TTPs to lay out where to focus and where to start our hunt process.

In this step, the hunter or hunt team should research the current TTPs that attackers could use to target your industry. This includes the following:

      • Initial compromise T1190
      • Establish Foothold T1105
      • Privilege Escalation T1003, T1110
      • Internal Recon & Discovery
      • Transfer Funds & Mission Complete

As we lay out the APT38 Attack Lifecycle, we use it to define each stage and match its corresponding TTPs.

In this stage, a hunter or hunt team must also check whether there are documented known vulnerabilities in unpatched software that the organization has not yet remediated for specific reasons.

#tip: APTs almost always use the same TTPs. A structured hunt process is not limited to a few APTs; it can be applied to any known APT TTPs mapped by MITRE ATT&CK, and not only in the financial sector but also for groups targeting other industries (e.g. use of in-memory injection like PowerShell with the .DownloadString() method).

#note: Effective threat hunting must follow a methodical approach rather than searching for various types of threats; the starting point is to define a specific, narrowly focused threat that could be underway in the environment.

In this step, hunters assume the possibility that they are already breached and that attackers already have a level 1 initial foothold. The hunter assesses the goals of APT38 based on the APT38 Attack Life Cycle, then formulates a “guess or questions” about which techniques, tactics and procedures the attackers might use and what evidence they might create that can reveal their activities.

Formulating a hypothesis for APT38 is like making an informed guess and asking questions like:

    • If APT38 successfully gained an initial foothold, then they must have found a way in, either by exploiting a public-facing application or through phishing.

    • If APT38 is already performing lateral movement, they might use living-off-the-land techniques.

    • If APT38 is already inside, they might cover their tracks by clearing the system’s event logs or performing data manipulation.

    • If adversaries are already inside, they will persist on the system through rootkits, Scheduled Tasks or the Registry.

Those are sample guesses and questions from hunters who already assume they are breached. From the formulated hypothesis, hunters can start their investigation and move to step 3, which is to identify and gather evidence.

In this step, hunt teams must identify and assemble the data sources they can analyze within their hunt, as they seek evidence to confirm or disprove their formulated hypothesis.

In this step, hunters must document the steps, including the data sources their data comes from, to ensure that the hunt can be justified during reporting.

In performing the actual hunt, the information gathered while mapping the APT38 Attack Life Cycle, together with the MITRE ATT&CK framework, helps hunters know what and where to look when diving into the tons of data from their sources.

In this step, hunters or a hunt team must identify and gather their evidence of the APT38 Attack Life Cycle through the data sources:

      • Event log management or SIEM
      • Endpoint/Server baseline copies
      • Network/NIDS logs
      • Firewall and IPS/IDS logs

Performing a hunt with a ton of data sources can be overwhelming; this can drown the hunt team and make the hunt ineffective. To patch this lurking problem, the hunt team must consider that there are legitimate activities in the system performed by administrators; what they need to look for are anomalies in that usage, such as an unidentified account name, time zone, enumeration and so on, and correlate them with other evidence sources. Effective threat hunting can also rely on endpoint, system and network baselines, which can effectively detect changes in the system or the network.

#note: Not all data sources are listed. As hunters, we must know what data sources our organization has available; this is why threat hunting using human analogy, reasoning and a logical approach, together with the right technology to gather those data sources, makes hunting effective. Humans alone cannot hunt without technology, because humans cannot outperform technology at data parsing and memory; they all have to work together. To sum it up: without humans, an organization cannot perform threat hunting; without technology, an organization cannot perform threat hunting.

Evidence is gathered from the previous step.

In this step, the gathered evidence and data are correlated with the help of human analysis and visualization techniques. This is why threat hunting is done effectively by humans with the help of technology: the combination of both can uncover relationships within the evidence inside the data sources.

In this step, hunters must compare against past baselines or have a quick chat with other IT teams to answer specific questions and concerns. Effective threat hunting must “not live by bread alone”, meaning that hunters cannot rely only on their own understanding; they need other people, like IT leaders from different departments, to help them correlate what they’ve found and to know whether it is normal or malicious. Hunters at this stage must have a good understanding of what data patterns are associated with an adversary’s activity for the given stage in the attack chain, and this can also be done by correlating evidence with the MITRE ATT&CK framework.

Documentation.

In this step, hunters must present the types of evidence they collected, the techniques, tactics and procedures of how the analysis was performed during the hunt, and the conclusions proved during the process.
 
This can be the following:
 
      • Uncovered Vulnerabilities
      • Detected phishing incident
      • Data Exfiltration
      • Data stolen
      • Account usage anomalies
      • Living Off The Land tools detected
      • Metrics of the hunt process
      • Root cause of compromise detected
      • Scope of affected machines, accounts and applications
      • Description of the technique revealed
      • IOC to be used to detect similar attacks
      • Lesson learned and Remediation
      • Recommendation
 
During this stage, reporting the evidence to management opens a discussion that can lead to incident response, patching newly uncovered vulnerabilities, and closing the holes in your environment found during the hunt. This also leads to organizational improvements such as covering blind spots and monitoring the specific targets, which helps against future attacks and improves the whole organization’s infrastructure.

Volatility symlinkscan

Memory Analysis using Volatility - symlinkscan


symlinkscan is a Volatility plugin that prints symbolic link objects.

Symbolic Link – a term for any file that contains a reference to another file or directory in the form of an absolute or relative path and that affects path name resolution.

MUP (Multiple UNC Provider) – a kernel-mode component responsible for channeling all remote file system accesses that use a Universal Naming Convention (UNC) name to a network redirector (the UNC provider) capable of handling the remote file system requests. MUP is involved whenever an application uses a UNC path.


During an incident, after an attacker has successfully gained level 1 initial access, they may conduct reconnaissance of other systems in preparation for level 2 lateral movement. This can be done by enumerating all mounted SMB shares from the local endpoint, for which an attacker may execute WMI, net use, and other commands.

Now, the trick to finding evidence of remotely mapped drives in memory is to look for file handles prefixed with \Device\Mup and \Device\LanmanRedirector.

The example below shows the artifacts obtained using the Volatility handles plugin together with the Volatility symlinkscan plugin.

Typically, when lateral movement has been performed by the attacker, the MUP entry in the handles output will contain the local drive name, the remote NetBIOS name and the share and file system path.

Here is the sample form of a MUP handle in the handles output: \Device\Mup\<drive_letter>\<net_bios_name>\<file_system_path>

You may also want to check the process ID responsible for the SMB share, which can also be found using the handles plugin.

Also, we can correlate the output from the handles plugin with symlinkscan, which also gives us the local drive name and the creation time if such an action was performed on the system.

Our syntax will be: vol.exe -f <mem_dump> --profile=<OS_version> symlinkscan | findstr -i lanman

#note: You can correlate the results of the Volatility cmdscan, consoles, handles and symlinkscan plugins to follow the actions of the attacker; this lets us build a timeline of the events during the incident.
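As an added example (not from the original post), this Python script parses constructed handles output and extracts the local drive letter, remote host and share path from \Device\Mup and \Device\LanmanRedirector file handles. It generalizes the page's form slightly by also accepting the redirector's ";Z:<hex>" drive segment; PIDs, host names and paths are made up.

```python
"""Pull remotely mapped drives out of Volatility 2 handles output (Mup / LanmanRedirector)."""
import re
from typing import List, Optional

# Constructed sample of `vol.py handles` output; PIDs, hosts and paths are made up.
HANDLES_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)          Pid      Handle     Access Type             Details
------------------ -------- ---------- ------ ---------------- -------
0xfffffa80019f1b40        4       0x4c 0x1f01ff File             \\Device\\HarddiskVolume1\\Windows\\System32\\config\\SAM
0xfffffa8001c3e070     1324      0x110 0x100020 File             \\Device\\Mup\\Z:\\FILESRV01\\Finance\\transfers.xlsx
0xfffffa8001c3e520     1324      0x128 0x100001 File             \\Device\\LanmanRedirector\\;Z:000000000002c5a3\\FILESRV01\\Finance
0xfffffa8001d10aa0     2208       0x34 0x120089 File             \\Device\\Mup\\;LanmanRedirector\\;Y:00000000000412f0\\DC01\\SYSVOL\\corp.local
"""

# One data row: virtual offset, PID, handle value, access mask, object type, details.
ROW_RE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\S+)\s+(.*\S)\s*$"
)
REMOTE_PREFIXES = ("\\Device\\Mup\\", "\\Device\\LanmanRedirector\\")
# Drive segment in the page's form ("Z:") or with the redirector's hex connection
# suffix (";Z:000000000002c5a3").
DRIVE_SEG = re.compile(r"^;?([A-Za-z]):[0-9A-Fa-f]*$")


def parse_remote_handle(details: str) -> Optional[dict]:
    """Split a Mup/LanmanRedirector object name into drive, remote host and share path."""
    for prefix in REMOTE_PREFIXES:
        if details.startswith(prefix):
            segs = details[len(prefix):].split("\\")
            break
    else:
        return None  # local object, not a remote share
    # MUP may insert the redirector name before the drive segment; drop it.
    while segs and segs[0].lstrip(";").lower() == "lanmanredirector":
        segs.pop(0)
    drive = ""
    if segs and DRIVE_SEG.match(segs[0]):
        drive = DRIVE_SEG.match(segs[0]).group(1).upper() + ":"
        segs.pop(0)
    if not segs:
        return None
    return {"drive": drive, "host": segs[0], "path": "\\".join(segs[1:])}


def remote_shares(handles_text: str) -> List[dict]:
    """Return every File handle that points at a remote share, with its owning PID."""
    found = []
    for line in handles_text.splitlines():
        m = ROW_RE.match(line)
        if not m or m.group(5) != "File":
            continue
        info = parse_remote_handle(m.group(6))
        if info:
            info["pid"] = int(m.group(2))
            found.append(info)
    return found


if __name__ == "__main__":
    for share in remote_shares(HANDLES_OUTPUT):
        print(f"pid {share['pid']}: {share['drive']} -> \\\\{share['host']}\\{share['path']}")
```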

Volatility consoles

Memory Analysis using Volatility - consoles


consoles is a Volatility plugin that extracts command history by scanning for the _CONSOLE_INFORMATION structure.


 

During an incident, an attacker may perform lateral movement to gain full access to the whole organization.

For us responders/analysts/investigators, when investigating patient zero we must know what commands the attacker executed to perform such attacks and what tools the attacker used for lateral movement.

After running the Volatility cmdscan plugin and identifying that the attacker used certain commands for lateral movement to compromise the system, we can then use the Volatility consoles plugin to view the command history together with its output.

In this sample, we run the Volatility consoles plugin against our dumped volatile memory.

We can then see that certain commands were executed, and we can also see the output of those commands.

Our syntax will be: vol.exe -f <mem_dump> --profile=<OS_version> consoles

#note: The result of this plugin may vary depending on the command history on the system itself. It may print a huge amount of information, in which case we can redirect the output to a .txt file on disk for a better view.

Volatility cmdscan

Memory Analysis using Volatility - cmdscan


cmdscan is a Volatility plugin that extracts command history by scanning for the _COMMAND_HISTORY structure.


 

Using the Volatility cmdscan plugin, we can extract the command-line history, which can serve as breadcrumbs to follow the second stage of lateral movement the attacker has made.

In this sample, we executed the sample command-line arguments, then dumped the volatile memory and ran the Volatility cmdscan plugin.

Our syntax will be: vol.exe -f <mem_dump> --profile=<OS_version> cmdscan

#note: The result of this plugin may vary depending on the command history on the system itself. It may print a huge amount of information, in which case we can redirect the output to a .txt file on disk for a better view.

 

Volatility mftparser

Memory Analysis using Volatility - mftparser


mftparser is a Volatility plugin that scans for and parses potential MFT entries.

MFT – can be considered one of the most important files in the NTFS file system. It keeps records of all files in a volume, each file’s location in the directory tree, the physical location of the file on the drive, and the file metadata. There is at least one entry in the MFT for every file on an NTFS volume, including the MFT itself. All information about a file, including its size, time and date stamps, permissions, and data content, is stored either in MFT entries or in space outside the MFT that is described by MFT entries.


Using the Volatility mftparser plugin can help the investigator answer the following questions:

      • What time was the attack delivered?
      • How long was the system compromised?
      • What was the first sign of lateral movement?
      • What data are exfiltrated?

Our syntax will be: vol.exe -f <mem_dump> --profile=<OS_version> mftparser

#note: You can use filtering like findstr or grep with this plugin, as it returns a huge amount of data.

#note: The mftparser plugin will return a huge amount of information, as it prints every file in the MFT entries; the best use is to redirect the output to a .txt file on disk for better analysis.

Volatility filescan

Memory Analysis using Volatility - filescan


filescan is a Volatility plugin that prints file objects.


 

In an incident, we must know what files were extracted from the compromised systems or what file object is responsible for infecting our system, whether it involves a phishing document, .exe, .dll and so on.

Using the Volatility filescan plugin, we can search our volatile memory for open file handles.

These file handles come in the form of .pf, .txt, .doc, .pdf, .rar, .dll and many other file objects.

Searching the volatile memory prints a lot of information, so it is best to save the output to disk as a .txt file; for a quick view on Windows you can filter it with findstr, and on Linux you can use grep.

In this lab, we are using the Windows platform, and we can pipe our output to findstr to search for specific file(s).

Our syntax will be: vol.exe -f <mem_dump> --profile=<OS_version> filescan | findstr -i <file_name>

Volatility privs

Memory Analysis using Volatility - privs


privs is a Volatility plugin that displays process privileges.

Privilege – is the permission to perform a specific task, such as debugging a process, shutting down the computer, changing the time zone, or loading a kernel driver. Before a process can enable a privilege, the privilege must be present in the process’ token. Administrators decide which privileges are present by configuring them in the Local Security Policy (LSP).

Commonly exploited privileges:

      • SeBackupPrivilege – This grants read access to any file on the file system, regardless of its specified access control list (ACL). Attackers can leverage this privilege to copy locked files.
      • SeDebugPrivilege – This grants the ability to read from or write to another process’ private memory space. It allows malware to bypass the security boundaries that typically isolate processes. Practically all malware that performs code injection from user mode relies on enabling this privilege.
      • SeLoadDriverPrivilege – This grants the ability to load or unload kernel drivers.
      • SeChangeNotifyPrivilege – This allows the caller to register a callback function that gets executed when specific files and directories change. Attackers can use this to determine immediately when one of their configuration or executable files is removed by antivirus or administrators.
      • SeShutdownPrivilege – This allows the caller to reboot or shut down the system. Some infections, such as those that modify the Master Boot Record (MBR) don’t activate until the next time the system boots. Thus, you’ll often see malware trying to manually speed up the procedure by invoking a reboot.

Using the Volatility privs plugin on a process tells us which privileges are enabled.

This is useful when investigating a process and asking what privileges it holds.

It also answers whether the process has the ability to operate in the kernel, that is, whether it is able to load a kernel driver.

Depending on the enabled privileges, we can see what the process is capable of.

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> privs -p <PID>

#note: Some privileges are enabled by default; we should focus on the privileges that were manually enabled.
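The note above is the key triage rule: a privilege whose Attributes column reads Present,Enabled,Default was granted by policy, while one that reads Present,Enabled without Default was turned on by the process itself. The following is an added example (not code from the page or from the Volatility project) that applies that rule to a constructed sample of Volatility 2 privs output and separates the explicitly enabled privileges that appear on the page's list of commonly exploited ones from the rest. The sample rows, the column layout (Pid, Process, Value, Privilege, Attributes, Description) and the process names are my assumptions.

```python
import re

# Privileges the page lists as commonly abused by malware.
WATCH_LIST = {
    "SeBackupPrivilege",
    "SeDebugPrivilege",
    "SeLoadDriverPrivilege",
    "SeChangeNotifyPrivilege",
    "SeShutdownPrivilege",
}

# Constructed sample of Volatility 2 "privs" output (not from a real image).
# Columns: Pid, Process, Value, Privilege, Attributes, Description. The Attributes
# column is empty when the privilege is neither present nor enabled in the token.
SAMPLE_PRIVS = """\
Pid      Process          Value  Privilege                 Attributes                    Description
-------- ---------------- ------ ------------------------- ----------------------------- ----------
    4016 Sinowal.exe         20  SeDebugPrivilege          Present,Enabled               Debug programs
    4016 Sinowal.exe         23  SeChangeNotifyPrivilege   Present,Enabled,Default       Receive notifications of changes to files or directories
    4016 Sinowal.exe         17  SeBackupPrivilege         Present                       Back up files and directories
    4016 Sinowal.exe         10  SeLoadDriverPrivilege     Present,Enabled               Load and unload device drivers
    4016 Sinowal.exe         19  SeShutdownPrivilege                                     Shut down the system
    4016 Sinowal.exe         33  SeIncreaseWorkingSetPrivilege Present,Enabled           Increase a process working set
    1632 explorer.exe        23  SeChangeNotifyPrivilege   Present,Enabled,Default       Receive notifications of changes to files or directories
    1632 explorer.exe        19  SeShutdownPrivilege       Present                       Shut down the system
"""

# The Attributes column is optional, so it is matched as a comma-separated list of the
# three known flags rather than by whitespace splitting.
ROW_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<value>\d+)\s+(?P<priv>Se\w+Privilege)"
    r"(?:\s+(?P<attrs>(?:Present|Enabled|Default)(?:,(?:Present|Enabled|Default))*))?"
    r"\s*(?P<desc>.*?)\s*$"
)


def parse_privs(text):
    """Parse privs output into dicts; the header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        attrs = set(m["attrs"].split(",")) if m["attrs"] else set()
        rows.append({
            "pid": int(m["pid"]), "process": m["proc"], "value": int(m["value"]),
            "privilege": m["priv"], "attributes": attrs, "description": m["desc"],
        })
    return rows


def explicitly_enabled(rows):
    """Privileges that are Enabled but not Default: something in the process turned them on."""
    return [r for r in rows if "Enabled" in r["attributes"] and "Default" not in r["attributes"]]


def triage(text):
    """Per process: explicitly enabled privileges, split into watch-list hits and the rest."""
    report = {}
    for r in explicitly_enabled(parse_privs(text)):
        entry = report.setdefault((r["pid"], r["process"]), {"watch": [], "other": []})
        bucket = "watch" if r["privilege"] in WATCH_LIST else "other"
        entry[bucket].append(r["privilege"])
    return report


if __name__ == "__main__":
    for (pid, proc), entry in triage(SAMPLE_PRIVS).items():
        print(f"{proc} ({pid}): watch-list {entry['watch']}, other {entry['other']}")
```

In the constructed sample only the Sinowal.exe process is reported: SeDebugPrivilege and SeLoadDriverPrivilege were enabled without being default, whereas explorer.exe has nothing beyond its default SeChangeNotifyPrivilege and a merely present SeShutdownPrivilege.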

Volatility getsids

Memory Analysis using Volatility - getsids

getsids is a Volatility plugin that prints the SIDs owning each process.

SID or Security Identifier – is a unique value of variable length used to identify a trustee. Each account has a unique SID issued by an authority, such as a Windows domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security.

A Security Identifier helps the investigator/analyst identify lateral movement in the environment.

Typically an attacker might use an existing account or create a new account and add it to the Administrators group. The SID can help us identify what privileges this account has.

The Volatility getsids plugin gives us a clear view of these artifacts in our volatile memory.

In this sample, why do we investigate explorer.exe?

explorer.exe is responsible for user interaction on the system, which includes opening, reading or deleting a file and many other functions that involve user interaction. The Volatility getsids plugin can extract the account name and SID from a process, which is a great help to the investigator/analyst during incident response and forensics. (It can be another process rather than explorer.exe; this depends on the situation you have.)

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> getsids -p <PID>

#note: If there is a SID value that has no equivalent account name, the account being used might belong to a remote system whose details Volatility has no access to, which is why it is left blank.

#note: This plugin can help you investigate critical systems: if you have an alert that an account is compromised and is being used for lateral movement, you can check the critical systems to see whether they were accessed by the compromised account.
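Both notes above come down to two checks on each process token: which well-known group SIDs it carries (Administrators, Local System) and which SIDs Volatility could not resolve to a name. The following is an added example (not code from the page or from the Volatility project) that runs those checks over a constructed sample of getsids output. The sample lines, the "process (pid): SID (name)" line layout, and the assumption that getsids prints the token's owning user SID before its group SIDs are mine; the well-known SID values S-1-5-18, S-1-5-32-544 and the RID 500 built-in Administrator are Microsoft-documented.

```python
import re

# Well-known SIDs an analyst checks first (documented by Microsoft).
WELL_KNOWN = {
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
}

# Constructed sample of Volatility 2 "getsids" output (not from a real image). Each line is
# "<process> (<pid>): <SID> (<name>)"; the name is absent when Volatility cannot resolve it.
SAMPLE_GETSIDS = """\
explorer.exe (1632): S-1-5-21-1111111111-2222222222-3333333333-1000 (bob)
explorer.exe (1632): S-1-5-21-1111111111-2222222222-3333333333-513 (Domain Users)
explorer.exe (1632): S-1-1-0 (Everyone)
explorer.exe (1632): S-1-5-32-544 (Administrators)
explorer.exe (1632): S-1-5-21-9999999999-8888888888-7777777777-1105
services.exe (496): S-1-5-18 (Local System)
services.exe (496): S-1-5-32-544 (Administrators)
services.exe (496): S-1-1-0 (Everyone)
"""

LINE_RE = re.compile(
    r"^(?P<proc>.+?) \((?P<pid>\d+)\): (?P<sid>S-1-[\d-]+)(?: \((?P<name>.*)\))?\s*$"
)


def parse_getsids(text):
    """Parse getsids lines into dicts; 'name' is None when no account name was printed."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append({"process": m["proc"], "pid": int(m["pid"]), "sid": m["sid"], "name": m["name"]})
    return rows


def summarize(text):
    """Per process: owning user SID, admin/system membership and SIDs Volatility could not resolve."""
    report = {}
    for r in parse_getsids(text):
        entry = report.setdefault(
            (r["pid"], r["process"]),
            {"user": None, "admin": False, "system": False, "unresolved": []},
        )
        sid = r["sid"]
        # Assumption: the first SID printed for a process is the token's user SID.
        if entry["user"] is None:
            entry["user"] = sid
        # Administrators group, or the built-in Administrator account (domain/local SID with RID 500).
        if sid == "S-1-5-32-544" or (sid.startswith("S-1-5-21-") and sid.endswith("-500")):
            entry["admin"] = True
        if sid == "S-1-5-18":
            entry["system"] = True
        if r["name"] is None:
            entry["unresolved"].append(sid)
    return report


if __name__ == "__main__":
    for (pid, proc), entry in summarize(SAMPLE_GETSIDS).items():
        print(f"{proc} ({pid}): user={entry['user']} admin={entry['admin']} "
              f"system={entry['system']} unresolved={entry['unresolved']}")
```

In the constructed sample explorer.exe runs as a domain user who sits in the local Administrators group and carries one SID from a different domain identifier that Volatility could not name, which is exactly the pattern the first note describes as worth following up on other systems.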

Volatility yarascan

Memory Analysis using Volatility - yarascan

yarascan is a Volatility plugin that scans process or kernel memory with YARA signatures.

Using the Volatility yarascan plugin, we can speed up the search for interesting information by using the -y option and feeding it the signature we want to find.

In the sample below, we will use the string "notepad.pdb", which is found inside the notepad.exe process, to see whether yarascan is able to find it inside our volatile memory.

We can see that yarascan is able to find the owner process and the process ID.

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> yarascan -Y "<signature>"

In this sample, we will investigate a volatile memory image that is infected with the Sinowal malware using the Volatility yarascan plugin.

First, we run netscan to list connections and retrieve network-related IOCs.

Next, if valuable information is retrieved with the netscan plugin, we can use it as a signature for yarascan.

In this case we have detected that our local system is connecting to the outbound IP address 108.59.6.39.

Now we can see the processes that contain this signature.

In this case both of these processes have the signature:

Process name: Sinowal.exe PID: 4016

Process name: regsvr32.exe PID: 3020

We can then use the information to investigate further.
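The netscan-to-yarascan procedure above works because the IOC is present as a string somewhere in the owning process's memory. The following is an added example (not code from the page or from the Volatility project) that turns a list of IOCs (the page's outbound address 108.59.6.39 and the "notepad.pdb" string from the earlier sample) into a YARA rule and then shows, with a plain-Python search over constructed process memory regions, what yarascan reports: owner process, PID, offset and, additionally, whether the string was stored as ASCII or as UTF-16LE. The memory contents, process names and the pairing of PIDs with the page's process names are constructed for the example; nothing here was taken from a real image.

```python
# IOCs from the page: the outbound address seen in netscan and the notepad.exe PDB string.
IOCS = ["108.59.6.39", "notepad.pdb"]


def build_yara_rule(iocs, name="netscan_iocs"):
    """Emit a YARA rule that matches each IOC both as ASCII and as UTF-16LE ("wide")."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, ioc in enumerate(iocs):
        lines.append(f'        $s{i} = "{ioc}" ascii wide')
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)


# Constructed process memory regions: pid -> (process name, bytes). Not from a real image.
# 4016 holds the address as ASCII, 3020 holds it inside a UTF-16LE string, 1032 holds the
# PDB path, 496 holds nothing of interest.
REGIONS = {
    4016: ("Sinowal.exe", b"\x00" * 32 + b"addr=108.59.6.39\x00" + b"\x00" * 16),
    3020: ("regsvr32.exe", b"\x00" * 8 + "http://108.59.6.39/".encode("utf-16-le") + b"\x00" * 8),
    1032: ("notepad.exe", b"RSDS" + b"\x00" * 20 + b"notepad.pdb\x00"),
    496: ("services.exe", b"\x00" * 64),
}


def scan_regions(regions, iocs):
    """Plain-Python equivalent of a yarascan hit list: owner, pid, offset and encoding per match."""
    hits = []
    for pid, (proc, mem) in regions.items():
        for ioc in iocs:
            for enc, needle in (("ascii", ioc.encode("ascii")), ("wide", ioc.encode("utf-16-le"))):
                start = 0
                while True:
                    pos = mem.find(needle, start)
                    if pos == -1:
                        break
                    hits.append({"process": proc, "pid": pid, "ioc": ioc, "offset": pos, "encoding": enc})
                    start = pos + 1
    return hits


def processes_with(hits, ioc):
    """Distinct (process, pid) pairs whose memory contained the IOC, ordered by pid."""
    return sorted({(h["process"], h["pid"]) for h in hits if h["ioc"] == ioc}, key=lambda t: t[1])


if __name__ == "__main__":
    print(build_yara_rule(IOCS))
    for h in scan_regions(REGIONS, IOCS):
        print(f"Owner: Process {h['process']} Pid {h['pid']}  offset {h['offset']:#x}  ({h['encoding']})")
```

The encoding column is the practical point: YARA matches a text string as ASCII unless the rule says `wide`, so a bare -Y "108.59.6.39" would find the Sinowal.exe region in this sample but not the regsvr32.exe one, where Windows stored the URL as UTF-16LE. Writing the IOCs into a rule file with `ascii wide` and passing that file to yarascan catches both forms.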