Memory Forensics

27 bookmarks
GitHub - csababarta/memory-baseliner: Memory Baseliner is a script that can compare two windows memory images or perform frequency of occurrence / data stacking analysis on multiple such images
Memory Baseliner is a script that can compare two windows memory images or perform frequency of occurrence / data stacking analysis on multiple such images - GitHub - csababarta/memory-baseliner: M...
·github.com·
Analyzing and detecting web shells
Of the various pieces of malware I’ve analyzed, I still find web shells to be the most fascinating. While this is not a new topic, I’ve been…
·tstillz.medium.com·
The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory, by Michael Hale Ligh, Andrew Case, Jamie Levy, and AAron Walters.
·amazon.com·
Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software, by Michael Sikorski and Andrew Honig.
·amazon.com·
Windows DLL Injection Basics
By Brad Antoniewicz. DLL Injection is one of those things I've always sort of known about but never actually implemented. Probably be...
·blog.opensecurityresearch.com·
Ten process injection techniques: A technical survey of common and trending process injection techniques
Process injection is a widespread defense evasion technique employed often within malware and fileless adversary tradecraft, and entails running custom code within the address space of another process. Process injection improves stealth, and some techniques also achieve persistence. Although there are numerous process injection techniques, in this blog I present ten techniques seen in the wild that run malware code on behalf of another process.
·elastic.co·
Some thoughts about Windows Userland Rootkits
Rootkits are tools and techniques used to hide malicious modules from system monitoring. Usually this involves kernel modifications, but (especially on Windows) rootkits also appear in user mode, where they can still hide their processes, injected modules, registry keys, files, windows, handles, and so on. User-mode rootkits are not as stealthy as kernel-mode ones, but because they are far simpler to implement they are much more widespread, which is why it is worth knowing how they work.

The Protection Rings. Protection rings are a mechanism to protect data and functionality from faults and malicious behaviour. A protection ring is one of two or more hierarchical levels or layers of privilege within the architecture of a computer system, generally hardware-enforced by CPU architectures that provide different CPU modes at the hardware or microcode level. Rings are arranged from most privileged to least privileged: on most operating systems, Ring 0 has the most privileges and interacts most directly with the physical hardware such as the CPU and memory. (Figure: protection rings; attribution: Hertzsprung at English Wikipedia.) Userland rootkits run in Ring 3, where user applications run. Since every untrustworthy program runs there, the operating system gives this layer the least privilege, which makes detection easier with heuristic, signature and anomaly-based techniques. That does not mean userland rootkits are simple to detect: the main goal of a rootkit is to hide itself and keep the administrator privileges it needs to function. Rootkits need elevated privileges, but they are not the tools that give the attacker those privileges: by the time a userland rootkit enters the system, the attacker has already breached it, performed privilege escalation, and only then installed the rootkit, which retains the elevated privilege.

IAT Hooking and Inline Hooking. Userland rootkits use hooking techniques to hide themselves, usually IAT hooking and inline hooking. The Import Address Table (IAT) is an array of function pointers that the loader fills with the addresses of imported functions when the corresponding DLLs are loaded; applications are built so that API calls go through these pointers rather than through hard-coded addresses. https://www.youtube.com/watch?v=-R0EKFzoEeg IAT hooking overwrites entries in that table: when the application calls an API located in a DLL, the replacement function runs instead of the original one. Because the IAT belongs to the importing module, such a hook only affects calls resolved through that table; a call made through GetProcAddress or a direct address bypasses it. Inline hooking instead modifies the API function itself, redirecting it to attacker code so that the malware can do its own processing before and/or after the original function runs, for every caller. https://www.youtube.com/watch?v=9efJ8_ukxlY The hook is placed by directly modifying the code of the target function, usually by overwriting its first few bytes with a jump, so execution is redirected before the function does any processing.

Hooking Detection. The most common technique for hunting userland rootkits is (obviously) hook detection: hooking is the main vehicle userland rootkits use to hide on a system, so looking for hooks is a natural way to identify one. https://www.youtube.com/watch?v=CWZ-dShnBFA Many standard anti-malware products already include this kind of protection, but a dedicated tool that lets the analyst dig into a process's hooks, such as GMER or HookExplorer, is sometimes useful. Keep in mind that EDR agents, anti-malware products and compatibility shims plant the same kinds of hooks legitimately, so the question is not whether a function is modified but where the redirected execution lands.

References and further reading: Protection Ring (Wikipedia); GMER homepage; HookExplorer repository on GitHub; IAT-Hooking-Revisited; "What are the methods to find hooked functions and APIs?" (Information Security Stack Exchange).
·andreafortuna.org·
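The comparison step behind hook detection, as an added example that is not code from the article, GMER or HookExplorer. It checks the two hook types the article describes: an inline hook is a recognised trampoline at a function's first bytes whose target lies outside the image that owns the function, and an IAT hook is a slot that points outside the module expected to export that import. All module bases, function addresses, prologue bytes, the injected module evil.dll and the shellcode region are constructed for the example; the FORWARDERS table holds one real export forwarder (kernel32!HeapAlloc to ntdll!RtlAllocateHeap) and otherwise stands in for the table a real tool would build from export forwarders and API-set maps. A real checker would read the same inputs from the live process or from a memory image.

```python
"""Hook detection on constructed data: inline (prologue) hooks and IAT hooks.
Added example, not code from the cited article, GMER or HookExplorer. Every module
base, address and byte string is constructed; a real tool reads them from the
live process or the memory image."""
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int
    def contains(self, addr):
        return self.base <= addr < self.base + self.size

def owner_of(addr, modules):
    """Module whose image range covers addr, or None for unbacked memory."""
    return next((m for m in modules if addr is not None and m.contains(addr)), None)

def decode_redirect(code, va, mem):
    """Recognise trampolines an inline hook plants at a function's first bytes.
    va is the address of code[0]; mem maps pointer slots to their 8-byte contents
    so rip-relative jumps resolve. Returns (mnemonic, absolute target) or None."""
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32
        return "jmp rel32", va + 5 + struct.unpack_from("<i", code, 1)[0]
    if len(code) >= 6 and code[:2] == b"\xFF\x25":              # jmp qword ptr [rip+disp32]
        return "jmp [rip+disp32]", mem.get(va + 6 + struct.unpack_from("<i", code, 2)[0])
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push imm32; ret (x86)
        return "push/ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return "mov rax,imm64; jmp rax", struct.unpack_from("<Q", code, 2)[0]  # x64
    return None

def check_prologue(owner, va, in_memory, on_disk, modules, mem=None):
    """Compare a function's first bytes in memory with the on-disk image; (verdict, detail)."""
    if in_memory == on_disk:
        return "clean", None
    hit = decode_redirect(in_memory, va, mem or {})
    if hit is None:   # altered in place (e.g. 'mov eax, imm32; ret') but not redirected
        return "patched", "bytes differ, no trampoline recognised"
    mnem, target = hit
    if target is None:
        return "hooked", f"{mnem} -> pointer slot not readable"
    dest = owner_of(target, modules)
    if dest is not None and dest.name == owner:   # relocations / compiler jumps stay in-image
        return "intra-module jump", f"{mnem} -> {owner}+{target - dest.base:#x}"
    return "hooked", f"{mnem} -> {target:#x} in {dest.name if dest else 'unbacked memory'}"

# kernel32!HeapAlloc is a real export forwarder to ntdll!RtlAllocateHeap, so that IAT slot
# legitimately lands in ntdll. A real tool builds this table from export forwarders and
# API-set maps (many kernel32 imports resolve into kernelbase); this is a one-entry stand-in.
FORWARDERS = {("kernel32.dll", "HeapAlloc"): "ntdll.dll"}

def check_iat(entries, modules):
    """entries: (imported dll, function, address in the IAT slot). Returns slots that do
    not point into the module expected to export that function."""
    findings = []
    for dll, func, slot in entries:
        dest = owner_of(slot, modules)
        if dest is None or dest.name != FORWARDERS.get((dll, func), dll):
            findings.append((f"{dll}!{func}", f"{slot:#x}", dest.name if dest else "unbacked memory"))
    return findings

# --- constructed sample process ---
NTDLL = Module("ntdll.dll", 0x7FF800200000, 0x1F0000)
KERNEL32 = Module("kernel32.dll", 0x7FF800000000, 0xC0000)
EVIL = Module("evil.dll", 0x7FF7A0000000, 0x20000)   # constructed: injected module
MODULES = [NTDLL, KERNEL32, EVIL]
SHELLCODE = 0x1C000000000                            # constructed: private region, no module
NTCREATEFILE_VA, NTCREATEFILE_DISK = NTDLL.base + 0x9E0D0, bytes.fromhex("4C8BD1B855000000F604250803FE7F01")
NTQUERYDIR_VA, NTQUERYDIR_DISK = NTDLL.base + 0x9E2B0, bytes.fromhex("4C8BD1B837000000F604250803FE7F01")
CREATEFILEW_VA, CREATEFILEW_DISK = KERNEL32.base + 0x22F20, bytes.fromhex("48895C240848897424105741")

def scan_sample():
    """Run both checks over the constructed process and return the verdicts."""
    target = EVIL.base + 0x1230                       # 1) jmp rel32 into evil.dll
    hooked = b"\xE9" + struct.pack("<i", target - (NTCREATEFILE_VA + 5)) + NTCREATEFILE_DISK[5:]
    slot = NTQUERYDIR_VA + 0x100                      # 2) jmp [rip+disp] via slot -> shellcode
    indirect = b"\xFF\x25" + struct.pack("<i", slot - (NTQUERYDIR_VA + 6)) + NTQUERYDIR_DISK[6:]
    patched = bytes.fromhex("B857000780C3") + CREATEFILEW_DISK[6:]   # 3) mov eax,0x80070057; ret
    results = {
        "NtCreateFile": check_prologue("ntdll.dll", NTCREATEFILE_VA, hooked, NTCREATEFILE_DISK, MODULES),
        "NtQueryDirectoryFile": check_prologue("ntdll.dll", NTQUERYDIR_VA, indirect, NTQUERYDIR_DISK,
                                               MODULES, {slot: SHELLCODE}),
        "CreateFileW": check_prologue("kernel32.dll", CREATEFILEW_VA, CREATEFILEW_DISK, CREATEFILEW_DISK, MODULES),
        "PatchedFn": check_prologue("kernel32.dll", CREATEFILEW_VA, patched, CREATEFILEW_DISK, MODULES),
        "iat": check_iat([
            ("kernel32.dll", "CreateFileW", CREATEFILEW_VA),           # clean
            ("kernel32.dll", "HeapAlloc", NTDLL.base + 0x4A0B0),      # forwarder, allowed
            ("kernel32.dll", "WriteFile", EVIL.base + 0x1500),        # IAT hook into evil.dll
            ("ntdll.dll", "NtQueryDirectoryFile", SHELLCODE + 0x40),  # IAT hook into shellcode
        ], MODULES),
    }
    return results

if __name__ == "__main__":
    for name, verdict in scan_sample().items():
        print(name, verdict)
```

The verdict is deliberately split three ways: "hooked" means execution leaves the owning image (or lands in memory no module backs, the typical shellcode case), "patched" means the bytes changed but nothing is redirected (an in-place early return), and "intra-module jump" is left for the analyst, because relocations and compiler-emitted jumps also change on-disk versus in-memory bytes. On a real system the "hooked" set will include EDR and anti-malware trampolines, so the destination module is what separates a security product from a rootkit.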
GitHub - hasherezade/hollows_hunter: Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches). - GitHub - hasherezade/hollows_hunter: ...
·github.com·
GitHub - AndrewRathbun/VanillaWindowsReference: A repo that contains recursive directory listings (using PowerShell) of a vanilla (clean) install of every Windows OS version to compare and see what's been added with each update. Use these CSVs to create your own known good hash sets!
A repo that contains recursive directory listings (using PowerShell) of a vanilla (clean) install of every Windows OS version to compare and see what's been added with each update. Use the...
·github.com·
Naming Files, Paths, and Namespaces (Windows)
All file systems supported by Windows use the concept of files and directories to access data stored on a disk or device.
·msdn.microsoft.com·
Lee Holmes | Extracting Forensic Script Content from PowerShell Process Dumps
After posting Extracting Activity History from PowerShell Process Dumps, I got an interesting follow up question: “Is it possible to extract the content of scripts (from disk) that were executed, even if those files were not captured?” The answer is “Yes”, but it’s also complicated. And to make it even more complicated, we’re going to go down a path showing how to do some of this detective work from scratch. This is going to require a lot of WinDbg automation, so for a first step, install the WinDbg module.
·leeholmes.com·
Memory forensics: a fun hands-on introduction
A walkthrough for a practical workshop whose aim is to introduce enthusiasts to the world of memory forensics.
·medium.com·
How to Detect and Prevent impacket's Wmiexec | CrowdStrike
This blog deep dives into wmiexec usage seen from multiple incident response investigations, and describes indicators to help defenders detect wmiexec.
·crowdstrike.com·
FS_FindEvil · ufrisk/MemProcFS Wiki
The Memory Process File System. Contribute to ufrisk/MemProcFS development by creating an account on GitHub.
·github.com·
1768 K
According to Wikipedia, 1768 Kelvin is the melting point of the metal cobalt. This tool decodes and dumps the configuration of Cobalt Strike beacons. You can find a sample beacon here. 1768_v0_0_3.…
·blog.didierstevens.com·