Memory Analysis using Volatility - privs
Volatility is a tool for extracting digital artifacts from volatile memory (RAM) samples. It ships with a set of plugins that extract these artifacts quickly and efficiently.
privs – a Volatility plugin that displays the privileges held by each process.
Privilege – the permission to perform a specific task, such as debugging a process, shutting down the computer, changing the time zone, or loading a kernel driver. Before a process can enable a privilege, the privilege must be present in the process’ token. Administrators decide which privileges are present by configuring them in the Local Security Policy (LSP).
Commonly exploited privileges:
- SeBackupPrivilege – This grants read access to any file on the file system, regardless of its specified access control list (ACL). Attackers can leverage this privilege to copy locked files.
- SeDebugPrivilege – This grants the ability to read from or write to another process’ private memory space. It allows malware to bypass the security boundaries that typically isolate processes. Practically all malware that performs code injection from user mode relies on enabling this privilege.
- SeLoadDriverPrivilege – This grants the ability to load or unload kernel drivers.
- SeChangeNotifyPrivilege – This allows the caller to register a callback function that gets executed when specific files and directories change. Attackers can use this to determine immediately when one of their configuration or executable files is removed by antivirus or administrators.
- SeShutdownPrivilege – This allows the caller to reboot or shut down the system. Some infections, such as those that modify the Master Boot Record (MBR), don’t activate until the next time the system boots. Thus, you’ll often see malware trying to speed up the procedure by forcing a reboot.
From an incident response perspective, the volatile data residing in the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and so on, that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources for digital forensics, and knowing the right tool to dump memory is a must.
Running the Volatility privs plugin against a process shows which privileges that process has enabled.
This is useful when investigating a process, since the enabled privileges tell us what the process is capable of.
It also answers whether the process has the ability to operate in the kernel, for example because it can load a kernel driver.
Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> privs -p <PID>
#note: Some privileges are enabled by default; the ones to focus on are those that the process enabled manually.
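The note above is the key triage rule: a privilege that is enabled but was not enabled by default was switched on by the process itself. The following script is an added example (not part of Volatility or this article) that applies that rule to privs output. It assumes the column layout Volatility 2 prints for privs (Pid, Process, Value, Privilege, Attributes, Description), where Attributes is a comma-separated set drawn from Present, Enabled and Default; the sample rows, PIDs and process names are constructed for the example.

```python
"""Triage helper for Volatility 2 `privs` output.

Added example, not part of the Volatility project. It parses privs rows,
keeps the privileges that are Enabled but not Default (enabled at run time
by the process), and flags the ones the article lists as commonly abused.
"""
import re

# Privileges the article lists as commonly exploited by malware.
WATCHED = {
    "SeBackupPrivilege",
    "SeDebugPrivilege",
    "SeLoadDriverPrivilege",
    "SeChangeNotifyPrivilege",
    "SeShutdownPrivilege",
}

# Constructed sample in the layout of `vol.py ... privs` output.
# PIDs, process names and attribute flags are made up for this example.
SAMPLE_OUTPUT = """\
Pid      Process          Value  Privilege                 Attributes               Description
-------- ---------------- ------ ------------------------- ------------------------ -----------
    1234 explorer.exe         23 SeChangeNotifyPrivilege   Present,Enabled,Default  Receive notifications of changes to files or directories
    1234 explorer.exe         19 SeShutdownPrivilege       Present                  Shut down the system
    4321 svchost.exe          20 SeDebugPrivilege          Present,Enabled,Default  Debug programs
    6666 updater.exe          20 SeDebugPrivilege          Present,Enabled          Debug programs
    6666 updater.exe          10 SeLoadDriverPrivilege     Present,Enabled          Load and unload device drivers
    6666 updater.exe          23 SeChangeNotifyPrivilege   Present,Enabled,Default  Receive notifications of changes to files or directories
    7777 notepad.exe          17 SeBackupPrivilege         Present                  Back up files and directories
"""

# One data row: pid, process, value, privilege name, attribute set, free-text description.
ROW_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<value>\d+)\s+"
    r"(?P<priv>Se\w+)\s+(?P<attrs>[\w,]+)\s*(?P<desc>.*)$"
)


def parse_privs(text):
    """Parse privs output into row dicts; the header and separator lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["pid"] = int(row["pid"])
        row["value"] = int(row["value"])
        row["attrs"] = set(row["attrs"].split(","))
        rows.append(row)
    return rows


def explicitly_enabled(rows):
    """Rows whose privilege is Enabled but not Default, i.e. enabled by the process at run time."""
    return [r for r in rows if "Enabled" in r["attrs"] and "Default" not in r["attrs"]]


def flag_suspicious(rows):
    """Map pid -> sorted list of watched privileges that the process enabled itself."""
    hits = {}
    for r in explicitly_enabled(rows):
        if r["priv"] in WATCHED:
            hits.setdefault(r["pid"], []).append(r["priv"])
    return {pid: sorted(privs) for pid, privs in hits.items()}


def report(text):
    """Human-readable summary, one line per flagged process."""
    rows = parse_privs(text)
    names = {r["pid"]: r["proc"] for r in rows}
    lines = []
    for pid, privs in sorted(flag_suspicious(rows).items()):
        lines.append("PID %d (%s) manually enabled: %s" % (pid, names[pid], ", ".join(privs)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT))
```

In the sample, svchost.exe holds SeDebugPrivilege with the Default flag set, so it is not reported, while updater.exe enabled SeDebugPrivilege and SeLoadDriverPrivilege at run time and is the only process flagged; the notepad.exe row shows a privilege that is merely Present in the token and therefore not usable until enabled.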