a bit of an older read, but still good: There’s Something About WMI
And finally the whitepaper that got me on this little reading excursion today: Beyond Malware
So I have been using Volatility for a little while now, and I wanted to write up some of the basic things I do, for anyone who is interested. This post is like many others on this site in that it is mostly notes for myself that I am willing to share with others.
Some initial plugins to use:
I generally start any look at memory with the process plugins: pslist, psscan, psxview, and pstree. I pipe the output of all of these to a text file that I can grep through later at my leisure. Sometimes you don’t see anything in the initial pass over the output, but later in the investigation you want to go back and look at those results again.
vol.py -f memory.file --profile=profile_choice pslist >> pslist.txt
After these commands I usually don’t wait, and just dump every process that I can. For this we use “procdump”. I then hash all of the dumped files with both SHA1 and MD5, just so I have them. I generally push the dumped processes against VirusTotal to see if there are any hits. Didier Stevens has a great set of scripts for doing this, so mad props to him! You can get a lot of false positives this way, but it can also help by giving you an idea of which PIDs to pay attention to in the first place.
vol.py -f memory.file --profile=profile_choice procdump -D pdump >> pdump.txt
After this, “malfind” becomes my next plugin of choice. I still pipe this into a text file and then do some ‘grepping’ against it later. I always add the dump option, so I don’t have to run it again later.
vol.py -f memory.file --profile=profile_choice malfind -D malfind >> malfind.txt
cat malfind.txt | grep -B4 MZ
From here I can see which PIDs have potentially had something injected into them. It is important to note that you can get false positives here, especially where AV is concerned. I have also seen some endpoint management suites (Altiris) skew these results a little, so it is important to know what the normal memory footprint of your standard image looks like (assuming you have a standard image). If you get any hits, this is where you go back to your process output files for more info on any PIDs that turned up in malfind.
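The sequence above as an added shell example, not code from the original post: vol_triage runs the same plugins against an image and hashes the dumps (it assumes vol.py for Volatility 2 is on PATH and that you pass a real image path and profile name), and malfind_mz_pids turns the “grep -B4 MZ” step into a parser over malfind’s text output; the malfind sample it reads is constructed.

```bash
# Added example (not from the original post). Assumed: vol.py (Volatility 2)
# is on PATH and the caller passes a real image path and profile name.
# Nothing runs until a function is called.

# Steps 1-3: process plugins, procdump and malfind, each saved to a text file
# in $out, then MD5 and SHA1 of every dumped executable for later VT lookups.
vol_triage() {
  local mem="$1" profile="$2" out="${3:-vol_out}"
  mkdir -p "$out/pdump" "$out/malfind"
  for plugin in pslist psscan psxview pstree; do
    vol.py -f "$mem" --profile="$profile" "$plugin" > "$out/$plugin.txt"
  done
  vol.py -f "$mem" --profile="$profile" procdump -D "$out/pdump" > "$out/pdump.txt"
  vol.py -f "$mem" --profile="$profile" malfind -D "$out/malfind" > "$out/malfind.txt"
  ( cd "$out/pdump" && md5sum ./*.exe > ../pdump.md5 && sha1sum ./*.exe > ../pdump.sha1 )
}

# Step 4: instead of eyeballing 'grep -B4 MZ', read malfind's text output on
# stdin and print "PID process" for each region whose hexdump line starts
# with 4d 5a ("MZ"), i.e. a full PE header sitting in an unbacked region.
malfind_mz_pids() {
  awk '
    /^Process: / { proc = $2; pid = $4 }     # "Process: x.exe Pid: N Address: 0x..."
    /^0x[0-9a-fA-F]+/ && $2 == "4d" && $3 == "5a" { hits[pid] = proc }
    END { for (p in hits) print p, hits[p] }
  ' | sort -n
}

# Constructed malfind output for an offline run: one injected PE in
# explorer.exe and an AV-style RWX region (no MZ header) that should not match.
sample_malfind() {
  cat <<'EOF'
Process: explorer.exe Pid: 1484 Address: 0x1460000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01460000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x01460010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......

Process: MsMpEng.exe Pid: 2208 Address: 0x2a0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x002a0000  e8 00 00 00 00 5b 48 83 eb 05 48 8d 05 00 00 00   .....[H..H......
EOF
}
```

Against a real run, `malfind_mz_pids < vol_out/malfind.txt` gives you the PID list to cross-check with the pslist/psxview output files.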
Some other fun plugins that I use are: “filescan”, “dlllist”, “dlldump”, “mftparser”, “netscan”, and “moddump”.
There is also a wide variety of browser plugins in Volatility now that can give you lots of good information, so practicing with those is recommended as well.
1 – Host Unreachable
2 – Protocol Unreachable
3 – Port Unreachable
9 – Communication with destination network prohibited
10 – Communication with destination host prohibited
13 – Communication administratively prohibited