npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
When to Use
- An endpoint has been contained during an active incident and volatile evidence must be preserved
- EDR alerts suggest process injection or fileless malware that only exists in memory
- Encryption keys need to be recovered from a ransomware-infected system before shutdown
- Credential theft (Mimikatz, LSASS dumping) is suspected and evidence must be confirmed
- A rootkit or kernel-level compromise is suspected and disk-based analysis is insufficient
Do not use for analyzing disk images or file system artifacts; use disk forensics tools (Autopsy, FTK) for those tasks.
Prerequisites
- Memory acquisition tool deployed or available: WinPmem, Magnet RAM Capture, DumpIt, or AVML (Linux)
- Volatility 3 installed with Python 3.8+ and required symbol tables
- Sufficient storage for memory dumps (equal to system RAM size, typically 8-64 GB)
- YARA rules for malware detection in memory (Florian Roth's signature-base, custom rules)
- Reference baseline of normal processes and DLLs for the OS version being analyzed
- Chain of custody documentation for evidence handling
Workflow
Step 1: Acquire Memory Image
Capture RAM from the target system using a forensically sound method:
Windows (WinPmem):
winpmem_mini_x64.exe output.rawWindows (Magnet RAM Capture):
MagnetRAMCapture.exe
# GUI-based, select output path, generates .raw fileWindows (DumpIt):
DumpIt.exe
# Creates memory dump in current directory automaticallyLinux (AVML - Acquire Volatile Memory for Linux):
./avml output.limeDocument acquisition metadata:
Acquisition Record:
━━━━━━━━━━━━━━━━━
Target Host: WKSTN-042
RAM Size: 16 GB
Dump File: WKSTN-042_20251115_1445.raw
Dump Size: 16,843,612,160 bytes
SHA-256: a4b3c2d1e5f6...
Acquisition Tool: WinPmem 4.0
Acquired By: [Analyst Name]
Timestamp: 2025-11-15T14:45:00ZStep 2: Identify the Operating System and Profile
Volatility 3 automatically identifies the OS, but verify:
# Get system information
vol -f WKSTN-042_20251115_1445.raw windows.info
# Output includes:
# OS: Windows 10 22H2 (Build 19045.3693)
# Kernel Base: 0xf8066c200000
# DTB: 0x1aa000
# Symbols: ntkrnlmp.pdbStep 3: Analyze Running Processes
Examine the process tree for suspicious activity:
# List all running processes
vol -f memory.raw windows.pslist
# Show process tree (parent-child relationships)
vol -f memory.raw windows.pstree
# Scan for hidden/unlinked processes (rootkit detection)
vol -f memory.raw windows.psscan
# Compare pslist vs psscan to find hidden processes
# Processes in psscan but NOT in pslist may be hidden by rootkitsKey indicators of compromise in process analysis:
svchost.exerunning without-kparameter or with wrong parent (should beservices.exe)csrss.exeorlsass.exewith abnormal parent process- Processes with misspelled names (
scvhost.exe,lssas.exe) - Unusual processes spawned by
outlook.exe,winword.exe, orexcel.exe - Multiple instances of processes that should be singletons (
lsass.exe,smss.exe)
Step 4: Investigate Network Connections
Extract active and recently closed network connections:
# List all network connections
vol -f memory.raw windows.netscan
# Focus output fields:
# Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner
# 0xe10... TCPv4 10.1.5.42 49721 185.220.101.42 443 ESTAB 3847 update.exeCross-reference suspicious connections with the process tree to identify C2 communications. Look for:
- Connections to external IPs from unexpected processes
- High port numbers connecting to port 443/80 from non-browser processes
- Connections from
svchost.exeor system processes to external IPs
Step 5: Detect Process Injection and Malware
Use malfind to identify injected code and memory-resident malware:
# Detect injected code in processes
vol -f memory.raw windows.malfind
# Output shows:
# PID Process Start End Tag Protection Hexdump/Disassembly
# 3847 explorer.exe 0x2a10000 0x2a14000 VadS PAGE_EXECUTE_READWRITE
# MZ header detected - injected PE
# Dump suspicious process memory
vol -f memory.raw windows.memmap --pid 3847 --dump
# List DLLs loaded by a suspicious process
vol -f memory.raw windows.dlllist --pid 3847
# Scan memory with YARA rules
vol -f memory.raw windows.yarascan --yara-file malware_rules.yarStep 6: Extract Credentials and Artifacts
Recover sensitive data from memory:
# Dump registry hives from memory (for password hash extraction)
vol -f memory.raw windows.registry.hivelist
vol -f memory.raw windows.hashdump
# Extract command line history
vol -f memory.raw windows.cmdline
# List handles (files, registry keys, mutexes)
vol -f memory.raw windows.handles --pid 3847
# Extract clipboard contents
vol -f memory.raw windows.clipboard
# Dump cached files from memory
vol -f memory.raw windows.dumpfiles --pid 3847Step 7: Generate Forensic Report
Compile findings into a structured analysis report documenting all evidence extracted from memory:
- Process anomalies with PIDs, parent processes, and timestamps
- Network connections with associated process context
- Injected code regions with memory protection flags
- Extracted IOCs (hashes, IPs, domains, mutexes, registry keys)
- YARA rule matches with rule names and match offsets
- Credential exposure (hashes found, accounts at risk)
Key Concepts
| Term | Definition |
|---|---|
| Volatile Evidence | Data that exists only in RAM and is lost when a system is powered off; includes running processes, network connections, encryption keys |
| Process Injection | Technique where malware inserts code into a legitimate process's memory space to evade detection (malfind detects this) |
| EPROCESS | Windows kernel data structure representing a process; psscan searches for these structures even when unlinked from the active process list |
| VAD (Virtual Address Descriptor) | Windows kernel structure tracking memory regions allocated to a process; malfind examines VADs for executable but non-file-backed regions |
| Symbol Tables | OS-specific data structures that Volatility 3 uses to parse memory; downloaded automatically based on detected OS version |
| PAGE_EXECUTE_READWRITE | Memory protection flag indicating a region is readable, writable, and executable; common indicator of injected malicious code |
| Memory-Resident Malware | Malware that operates entirely in RAM without writing persistent files to disk, making it invisible to traditional disk-based antivirus |
Tools & Systems
- Volatility 3: Primary open-source memory forensics framework; Python 3 rewrite with automatic symbol resolution
- WinPmem / DumpIt / Magnet RAM Capture: Memory acquisition tools for Windows systems
- AVML (Acquire Volatile Memory for Linux): Microsoft's open-source Linux memory acquisition tool
- YARA: Pattern matching engine for scanning memory dumps against malware signatures and behavioral rules
- MemProcFS: Memory analysis tool that presents memory as a virtual file system for intuitive browsing
Common Scenarios
Scenario: Detecting Cobalt Strike Beacon in Memory
Context: EDR detects suspicious named pipe activity but cannot identify the source. A memory dump is acquired from the suspect endpoint for analysis.
Approach:
- Run
windows.pstreeto identify the process hierarchy and spot abnormal parent-child relationships - Run
windows.malfindto detect injected code regions, particularly insvchost.exeorrundll32.exe - Dump the injected memory region and scan with YARA rules for Cobalt Strike beacon signatures
- Run
windows.netscanto identify C2 connections and correlate with the injected process PID - Extract the beacon configuration (C2 URLs, sleep time, jitter, watermark) using CobaltStrikeParser
- Run
windows.cmdlineto identify any post-exploitation commands executed
Pitfalls:
- Analyzing only the process list without running malfind (missing injected code in legitimate processes)
- Not capturing memory before isolating the endpoint (EDR containment may trigger malware self-deletion)
- Using Volatility 2 profiles instead of Volatility 3 automatic symbol resolution on newer Windows versions
Output Format
MEMORY FORENSICS ANALYSIS REPORT
==================================
Incident: INC-2025-1547
Evidence File: WKSTN-042_20251115_1445.raw
SHA-256: a4b3c2d1e5f6...
OS Identified: Windows 10 22H2 (Build 19045)
Analysis Tool: Volatility 3.2.0
PROCESS ANOMALIES
PID Process Parent Anomaly
3847 update.exe powershell Suspicious executable in Temp directory
5102 svchost.exe explorer Wrong parent (expected services.exe)
--- [hidden] --- Found in psscan but not pslist
INJECTED CODE
PID Process Address Range Protection Finding
5102 svchost.exe 0x00A10000-0x00A14 PAGE_EXECUTE_READWRITE MZ header (PE injection)
NETWORK CONNECTIONS
PID Process Local Foreign State
3847 update.exe 10.1.5.42:49721 185.220.101.42:443 ESTABLISHED
5102 svchost.exe 10.1.5.42:51003 91.215.85.17:8443 ESTABLISHED
YARA MATCHES
Rule: CobaltStrike_Beacon_x64
Match PID: 5102 (svchost.exe)
Offset: 0x00A10240
EXTRACTED IOCS
Hashes: [SHA-256 of dumped injected code]
C2 IPs: 185.220.101.42, 91.215.85.17
C2 Domains: [extracted from beacon config]
Mutexes: Global\MSCTF.Shared.MUTEX.ZRQReferences and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md2.3 KB
API Reference: Memory Forensics Agent (Volatility 3)
Overview
Automates memory forensics analysis using Volatility 3: process listing, network connections, process injection detection, command line extraction, and hidden driver/rootkit detection.
Dependencies
| Package | Version | Purpose |
|---|---|---|
| volatility3 | >=2.0 | Memory forensics framework (subprocess) |
CLI Usage
python agent.py --memory-file memory.raw --output forensics_report.jsonKey Functions
run_volatility(memory_file, plugin, extra_args)
Executes a Volatility 3 plugin via subprocess and parses tab-delimited output into dictionaries.
analyze_processes(memory_file)
Runs windows.pslist and flags processes matching known offensive tools (mimikatz, cobalt, meterpreter, psexec).
analyze_network_connections(memory_file)
Runs windows.netscan to extract network connections and filters for ESTABLISHED state.
detect_process_injection(memory_file)
Runs windows.malfind to detect injected code in process memory (RWX pages with executable content).
analyze_dlls(memory_file, pid)
Lists loaded DLLs for a specific process or all processes via windows.dlllist.
extract_command_history(memory_file)
Runs windows.cmdline and flags suspicious patterns (encoded PowerShell, credential dumping, LOLBins).
check_kernel_modules(memory_file)
Compares windows.modules with windows.driverscan to detect hidden/rootkit drivers.
Volatility 3 Plugins Used
| Plugin | Purpose |
|---|---|
windows.pslist |
List running processes |
windows.netscan |
Extract network connections |
windows.malfind |
Detect process injection |
windows.dlllist |
List loaded DLLs |
windows.cmdline |
Extract command line arguments |
windows.registry.hivelist |
List registry hives |
windows.modules |
List kernel modules |
windows.driverscan |
Scan for driver objects |
Suspicious Process Indicators
Processes flagged: mimikatz, procdump, psexec, cobalt, beacon, meterpreter, nc.exe, ncat, certutil, bitsadmin, mshta, regsvr32, wscript, cscript.
Suspicious Command Patterns
Commands flagged: powershell -enc, invoke-expression, downloadstring, net user, sekurlsa, lsadump, reg save, vssadmin, certutil -urlcache, bitsadmin /transfer.
Scripts 1
agent.py6.6 KB
#!/usr/bin/env python3
"""Memory Forensics Agent - Automates Volatility 3 analysis of memory dumps for incident response."""
import json
import logging
import argparse
import subprocess
from datetime import datetime
logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)
def run_volatility(memory_file, plugin, extra_args=None):
"""Execute a Volatility 3 plugin and return parsed output."""
cmd = ["vol", "-f", memory_file, plugin]
if extra_args:
cmd.extend(extra_args)
result = subprocess.run(cmd, capture_output=True, text=True, timeout=600)
if result.returncode != 0:
logger.error("Volatility plugin %s failed: %s", plugin, result.stderr[:200])
return []
lines = result.stdout.strip().split("\n")
if len(lines) < 2:
return []
headers = [h.strip() for h in lines[0].split("\t")]
rows = []
for line in lines[1:]:
if line.strip() and not line.startswith("*"):
fields = [f.strip() for f in line.split("\t")]
if len(fields) == len(headers):
rows.append(dict(zip(headers, fields)))
logger.info("Plugin %s returned %d rows", plugin, len(rows))
return rows
def analyze_processes(memory_file):
"""List running processes and identify suspicious ones."""
processes = run_volatility(memory_file, "windows.pslist")
suspicious = []
suspicious_names = [
"mimikatz", "procdump", "psexec", "cobalt", "beacon", "meterpreter",
"nc.exe", "ncat", "powershell", "cmd.exe", "wscript", "cscript",
"certutil", "bitsadmin", "mshta", "regsvr32",
]
for proc in processes:
name = proc.get("ImageFileName", "").lower()
if any(s in name for s in suspicious_names):
proc["suspicious_reason"] = "Known offensive tool"
suspicious.append(proc)
logger.info("Processes: %d total, %d suspicious", len(processes), len(suspicious))
return processes, suspicious
def analyze_network_connections(memory_file):
"""Extract network connections and identify C2 communication."""
connections = run_volatility(memory_file, "windows.netscan")
established = [c for c in connections if c.get("State") == "ESTABLISHED"]
logger.info("Network connections: %d total, %d established", len(connections), len(established))
return connections, established
def detect_process_injection(memory_file):
"""Detect process injection using malfind plugin."""
malfind_results = run_volatility(memory_file, "windows.malfind")
injected = []
for entry in malfind_results:
injected.append({
"pid": entry.get("PID", ""),
"process": entry.get("Process", ""),
"start_vpn": entry.get("Start VPN", ""),
"protection": entry.get("Protection", ""),
"tag": entry.get("Tag", ""),
})
logger.info("Malfind: %d potential injections detected", len(injected))
return injected
def analyze_dlls(memory_file, pid=None):
"""List loaded DLLs for a process or all processes."""
args = ["--pid", str(pid)] if pid else None
dlls = run_volatility(memory_file, "windows.dlllist", args)
return dlls
def extract_command_history(memory_file):
"""Extract command line history from process memory."""
cmdline = run_volatility(memory_file, "windows.cmdline")
suspicious_cmds = []
indicators = [
"powershell -enc", "invoke-expression", "downloadstring", "net user",
"mimikatz", "sekurlsa", "lsadump", "reg save", "vssadmin",
"certutil -urlcache", "bitsadmin /transfer",
]
for entry in cmdline:
args = entry.get("Args", "").lower()
if any(ind in args for ind in indicators):
entry["suspicious_reason"] = "Suspicious command pattern"
suspicious_cmds.append(entry)
logger.info("Command lines: %d total, %d suspicious", len(cmdline), len(suspicious_cmds))
return cmdline, suspicious_cmds
def extract_registry_hives(memory_file):
"""List registry hives in memory."""
hives = run_volatility(memory_file, "windows.registry.hivelist")
logger.info("Registry hives: %d found", len(hives))
return hives
def check_kernel_modules(memory_file):
"""List kernel modules and detect potential rootkits."""
modules = run_volatility(memory_file, "windows.modules")
drivers = run_volatility(memory_file, "windows.driverscan")
hidden = []
module_names = {m.get("Name", "").lower() for m in modules}
for driver in drivers:
if driver.get("Name", "").lower() not in module_names:
hidden.append(driver)
logger.warning("Hidden driver detected: %s", driver.get("Name"))
return modules, hidden
def generate_forensics_report(memory_file, processes, suspicious_procs, connections,
injections, suspicious_cmds, hidden_drivers):
"""Generate memory forensics analysis report."""
report = {
"memory_image": memory_file,
"analysis_timestamp": datetime.utcnow().isoformat(),
"process_summary": {
"total": len(processes),
"suspicious": len(suspicious_procs),
"details": suspicious_procs[:20],
},
"network_connections": {
"established": len(connections),
"details": connections[:20],
},
"process_injection": {
"count": len(injections),
"details": injections[:20],
},
"suspicious_commands": suspicious_cmds[:20],
"hidden_drivers": hidden_drivers,
}
total_findings = len(suspicious_procs) + len(injections) + len(suspicious_cmds) + len(hidden_drivers)
print(f"MEMORY FORENSICS REPORT - {total_findings} findings")
return report
def main():
parser = argparse.ArgumentParser(description="Memory Forensics Agent (Volatility 3)")
parser.add_argument("--memory-file", required=True, help="Path to memory dump file")
parser.add_argument("--output", default="memory_forensics_report.json")
args = parser.parse_args()
processes, suspicious = analyze_processes(args.memory_file)
connections, established = analyze_network_connections(args.memory_file)
injections = detect_process_injection(args.memory_file)
cmdlines, suspicious_cmds = extract_command_history(args.memory_file)
modules, hidden = check_kernel_modules(args.memory_file)
report = generate_forensics_report(
args.memory_file, processes, suspicious, established,
injections, suspicious_cmds, hidden,
)
with open(args.output, "w") as f:
json.dump(report, f, indent=2)
logger.info("Report saved to %s", args.output)
if __name__ == "__main__":
main()