Here is another version of the volatility bash script.
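#!/bin/bash
# Script to collect information by utilizing volatility
# v0.4 - Added a loop to iterate through the plugins
# - Added svcscan, sockets, sockscan, driverscan, cachedump, timeliner, evtlogs
# - In hivelist the system file is upper or lower case depending on the profile
# - Added dlllist for each process
# - Added getsids for each process
# - Added handles for each process
# - Added ldrmodules for each process
# - Extracting the contents of the registry at Software\Microsoft\Windows\CurrentVersion\Run
# v0.3 - Updated to include mftparser
# - Added a temp directory
# v0.2 - Updated the DKOM section to include the 3 columns and not just the 1st.
#To come...
#Analyze specific registry keys that aide in an investigation
#
# Usage: edit the settings below, then run with no arguments. Plugin output is
# written to $outputDir/<plugin>, per-process output to
# $outputDir/<plugin>/proc-<pid>, malfind dumps to $dumpDir and scratch files
# to $tempDir. The run is best-effort: a plugin that fails is reported on
# stderr and collection continues with the next one.
#### Configurable Settings #############
homeDir='/home/malware-analysis'
memImage="$homeDir/1bc928ac.vmem"
locVolPy='/usr/share/vol2-4/volatility-2.4/vol.py'
volProfile=''       # leave empty to use the profile suggested by imageinfo
mactimeTZ='UTC-6'   # timezone passed to mactime -z when building the MFT timeline
#########################################
# -u turns a never-assigned variable into an error instead of an empty
# argument; pipefail keeps a failing vol.py from being hidden by the awk/sed
# stage after it.
set -u -o pipefail
outputDir="$homeDir/output"
dumpDir="$homeDir/dumpdir"
tempDir="$homeDir/temp"

#######################################
# Print a diagnostic to stderr and carry on.
# Arguments: message words
#######################################
warn() {
  printf 'warning: %s\n' "$*" >&2
}

#######################################
# Run vol.py against the configured image with the selected profile.
# Arguments: plugin name and its options, passed through unchanged
#######################################
vol() {
  python "$locVolPy" -f "$memImage" --profile="$volProfile" "$@"
}

#######################################
# Run one plugin and save its stdout.
# Arguments: $1 - plugin name
# Outputs:   $outputDir/$1
#######################################
run_plugin() {
  local plugin=$1
  echo "Running $plugin and saving results to $outputDir/$plugin"
  vol "$plugin" > "$outputDir/$plugin" || warn "$plugin exited with status $?"
}

#######################################
# Run imageinfo and pick the profile: a preset volProfile wins, otherwise the
# first name on the "Suggested Profile(s)" line (field 4, trailing comma
# removed).
# Globals:   volProfile (written)
# Outputs:   $outputDir/imageinfo
# Returns:   exits 1 when no profile can be determined, because every later
#            plugin would fail with an empty --profile=
#######################################
detect_profile() {
  local suggested
  python "$locVolPy" -f "$memImage" imageinfo > "$outputDir/imageinfo" \
    || warn "imageinfo exited with status $?"
  suggested=$(awk '/Suggested Profile\(s\)/ { sub(/,/, "", $4); print $4; exit }' "$outputDir/imageinfo")
  if [[ -n "$suggested" ]]; then
    echo "Identified Profile: $suggested"
  fi
  if [[ -z "$volProfile" ]]; then
    volProfile=$suggested
  fi
  if [[ -z "$volProfile" ]]; then
    printf 'error: imageinfo suggested no profile and volProfile is not set\n' >&2
    exit 1
  fi
}

#######################################
# Run the standard set of plugins, then evtlogs (which writes its own files).
#######################################
collect_plugins() {
  local plugin
  for plugin in pslist pstree psscan psxview connections connscan filescan iehistory \
      svcscan cmdscan consoles hivelist sockets sockscan driverscan ssdt cachedump timeliner; do
    run_plugin "$plugin"
  done
  echo "Running evtlogs and saving results to $outputDir/evtlogs"
  vol evtlogs --dump-dir "$outputDir" || warn "evtlogs exited with status $?"
}

#######################################
# List psxview rows where pslist, psscan or thrdproc (columns 4-6) is False.
# A process is written once even if several columns are False (the previous
# version appended the same row once per column), and header rows with an
# empty field no longer trip "[: unary operator expected".
# Outputs:   $outputDir/possibleDKOM
#######################################
find_dkom() {
  local intro1='Find processes in psxview that is using Direct Kernel Object Manipulation (DKOM)'
  # single-quoted so the quotes around False reach the output; inside "..."
  # they closed and reopened the string and were dropped
  local intro2='Display from psxview any processes with "False" in the psscan, pslist, thrdproc'
  echo "$intro1"
  echo "$intro2"
  {
    echo "$intro1"
    echo "$intro2"
    awk '$4 == "False" || $5 == "False" || $6 == "False" { print "Found: " $0 }' "$outputDir/psxview"
  } > "$outputDir/possibleDKOM"
  echo
}

#######################################
# Build the MFT body file and a mactime timeline from it.
# Outputs:   $outputDir/mftparser.csv, $outputDir/mftparserMactime.csv
#######################################
run_mftparser() {
  echo "Running mftparser and saving results to $outputDir/mftparser.csv"
  vol mftparser --output=body --output-file="$outputDir/mftparser.csv" \
    || warn "mftparser exited with status $?"
  mactime -b "$outputDir/mftparser.csv" -d -z "$mactimeTZ" > "$outputDir/mftparserMactime.csv" \
    || warn "mactime exited with status $?"
}

#######################################
# Print the virtual address (first hivelist column) of the hive whose path
# ends in $1, compared case-insensitively. Matching the path suffix instead
# of a substring matters on profiles whose hivelist is lower case, where
# "ystem" also occurs in "...\system32\config\software" and the last such
# row used to win. First match wins.
# Arguments: $1 - path suffix, e.g. 'config\system'
# Returns:   0 and prints the address; 1 if no hive matched
#######################################
hive_vaddr() {
  local wanted vaddr paddr name lower
  wanted=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  # NOTE(review): assumes the Name column holds the hive's path; confirm
  # against the hivelist output of the profile in use.
  while read -r vaddr paddr name; do
    [[ -n "$name" ]] || continue
    lower=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
    if [[ "$lower" == *"$wanted" ]]; then
      printf '%s\n' "$vaddr"
      return 0
    fi
  done < "$outputDir/hivelist"
  return 1
}

#######################################
# Dump the password hashes using the SYSTEM and SAM hive addresses.
# Outputs:   $outputDir/hashdump (skipped with a warning if a hive is missing,
#            where the old version ran hashdump with empty -y/-s arguments)
#######################################
run_hashdump() {
  local systemVAddr samVAddr
  echo "Saving the results of the hashdump to $outputDir/hashdump"
  systemVAddr=$(hive_vaddr 'config\system')
  samVAddr=$(hive_vaddr 'config\sam')
  if [[ -z "$systemVAddr" || -z "$samVAddr" ]]; then
    warn "SYSTEM or SAM hive not found in $outputDir/hivelist; skipping hashdump"
    return 0
  fi
  vol -y "$systemVAddr" -s "$samVAddr" hashdump > "$outputDir/hashdump" \
    || warn "hashdump exited with status $?"
}

#######################################
# Run dlllist, getsids, handles and ldrmodules once per PID from pslist.
# Column 3 of pslist is the PID; the header and separator rows are dropped
# and anything that is not a number is skipped instead of being passed to -p.
# Outputs:   $tempDir/PIDlist, $outputDir/<plugin>/proc-<pid>
#######################################
per_process() {
  local pid plugin
  grep -F -v -e 'Offset(V)' -e '------' -- "$outputDir/pslist" | awk '{print $3}' > "$tempDir/PIDlist"
  while read -r pid; do
    [[ "$pid" =~ ^[0-9]+$ ]] || continue
    for plugin in dlllist getsids handles ldrmodules; do
      vol "$plugin" -p "$pid" > "$outputDir/$plugin/proc-$pid" \
        || warn "$plugin -p $pid exited with status $?"
    done
  done < "$tempDir/PIDlist"
}

#######################################
# Summarise the per-process dlllist output: module paths outside system32,
# modules loaded by exactly one process, and every command line.
# Outputs:   $outputDir/dlllist-OutsideSystem32, dlllist-SingleInstance,
#            dlllist-Commandline
#######################################
summarize_dlllist() {
  local file
  : > "$tempDir/dlllistPaths"
  : > "$tempDir/dlllistCommandline"
  for file in "$outputDir"/dlllist/*; do
    [[ -f "$file" ]] || continue
    # module rows begin with a hex base address; the path starts at field 4
    grep -- '0x' "$file" | awk '{print $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10}' >> "$tempDir/dlllistPaths"
    grep -- 'Command line :' "$file" >> "$tempDir/dlllistCommandline"
  done
  sort "$tempDir/dlllistPaths" | uniq -c | sort -n | grep -v -i -e 'windows.system32' \
    > "$outputDir/dlllist-OutsideSystem32"
  # count must be exactly 1; the old grep "1" also kept counts such as 10, 11, 21
  sort "$tempDir/dlllistPaths" | uniq -c | sort -n | awk '$1 == 1' > "$outputDir/dlllist-SingleInstance"
  # the old pattern required a quote after the colon, which does not appear in
  # dlllist output, so the prefix was never stripped
  sed 's/Command line : //' "$tempDir/dlllistCommandline" > "$outputDir/dlllist-Commandline"
}

#######################################
# Summarise getsids: the part after the first colon of every line, counted,
# to spot SIDs that are rare or out of the ordinary.
# Outputs:   $outputDir/getsids-list
#######################################
summarize_getsids() {
  local file
  : > "$tempDir/getsids-temp-list"
  for file in "$outputDir"/getsids/*; do
    [[ -f "$file" ]] || continue
    awk -F ':' '{print $2}' "$file" >> "$tempDir/getsids-temp-list"
  done
  sort "$tempDir/getsids-temp-list" | uniq -c | sort -n > "$outputDir/getsids-list"
}

#######################################
# Quick pivots over svcscan, ldrmodules and ssdt.
# Outputs:   $outputDir/svcscan-binarypath, ldrmodules-NoPathInfo, ssdt-modified
#######################################
summarize_misc() {
  grep -- 'Binary Path: ' "$outputDir/svcscan" | sort | uniq -c > "$outputDir/svcscan-binarypath"
  # address rows that contain a "-" (presumably modules without a mapped path)
  grep -h -- '0x' "$outputDir"/ldrmodules/proc-* | grep -- '-' > "$outputDir/ldrmodules-NoPathInfo"
  # SSDT entries that do not point into ntoskrnl or win32k
  grep -E -v '(ntoskrnl | win32k)' "$outputDir/ssdt" > "$outputDir/ssdt-modified"
}

#######################################
# Extract from the registry specific keys of interest.
# Outputs:   $outputDir/registryRunKeys
#######################################
extract_registry() {
  vol printkey -K 'Software\Microsoft\Windows\CurrentVersion\Run' > "$outputDir/registryRunKeys" \
    || warn "printkey exited with status $?"
  #http://digital-forensics.sans.org/blog/2010/10/20/digital-forensics-autorun-registry-keys/
  #SysInternals autorun utility
}

main() {
  date
  # -p creates whatever is missing; the old "if outputDir is absent" guard
  # skipped dumpdir, temp and the per-plugin subdirectories on a rerun
  mkdir -p "$outputDir/dlllist" "$outputDir/getsids" "$outputDir/handles" \
    "$outputDir/ldrmodules" "$dumpDir" "$tempDir"
  detect_profile
  collect_plugins
  find_dkom
  run_mftparser
  run_hashdump
  echo "Running malfind and saving results to $outputDir/malfind"
  vol malfind --dump-dir "$dumpDir" > "$outputDir/malfind" || warn "malfind exited with status $?"
  per_process
  summarize_dlllist
  summarize_getsids
  summarize_misc
  extract_registry
  date
  echo
}
main "$@"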
Thursday, September 11, 2014
Volatility - Follow-up Analysis Script - Customize the script
You need to customize the following script based on the information gathered from the analysis.
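#!/bin/bash
# Script to collect information by utilizing volatility
#
# Follow-up analysis: run after the initial collection script, once a PID and
# a file of interest are known. The profile is read from $outputDir/imageinfo
# written by that first run. Uncomment the calls in main for the steps wanted.
#### Configurable Options #######
homeDir='/home/volatility/image'
memImage="$homeDir/image.vmem"
locVolPy='/usr/share/volatility/vol.py'
volProfile=''               # leave empty to reuse the profile from output/imageinfo
PID='1384'
dumpFileFilename='malware'  # Dump the file malware.exe (dumpfiles -r treats this as a regex)
######################################
# -u turns a never-assigned variable into an error instead of an empty
# argument; pipefail keeps a failing vol.py from being hidden by the awk after it.
set -u -o pipefail
outputDir="$homeDir/output"
dumpDir="$homeDir/dumpdir"
tempDir="$homeDir/temp"

#######################################
# Print a diagnostic to stderr and carry on.
# Arguments: message words
#######################################
warn() {
  printf 'warning: %s\n' "$*" >&2
}

#######################################
# Run vol.py against the configured image with the selected profile.
# Arguments: plugin name and its options, passed through unchanged
#######################################
vol() {
  python "$locVolPy" -f "$memImage" --profile="$volProfile" "$@"
}

#######################################
# Identify the profile found from output/imageinfo: a preset volProfile wins,
# otherwise the first name on the "Suggested Profile(s)" line (field 4,
# trailing comma removed).
# Globals:   volProfile (written)
# Returns:   exits 1 if imageinfo is missing or yields no profile
#######################################
load_profile() {
  local suggested
  if [[ ! -r "$outputDir/imageinfo" ]]; then
    printf 'error: %s not found; run the initial collection script first\n' "$outputDir/imageinfo" >&2
    exit 1
  fi
  suggested=$(awk '/Suggested Profile\(s\)/ { sub(/,/, "", $4); print $4; exit }' "$outputDir/imageinfo")
  if [[ -n "$suggested" ]]; then
    echo "Identified Profile: $suggested"
  fi
  if [[ -z "$volProfile" ]]; then
    volProfile=$suggested
  fi
  if [[ -z "$volProfile" ]]; then
    printf 'error: no profile in %s and volProfile is not set\n' "$outputDir/imageinfo" >&2
    exit 1
  fi
}

#######################################
# List the dll's associated with a PID.
# Outputs:   $outputDir/dlllist-$PID
#######################################
list_dlls() {
  vol dlllist -p "$PID" > "$outputDir/dlllist-$PID" || warn "dlllist exited with status $?"
}

#######################################
# Dump the file based on filename.
# Outputs:   files written by dumpfiles into $tempDir
#######################################
dump_file() {
  vol dumpfiles -r "$dumpFileFilename" -D "$tempDir" || warn "dumpfiles exited with status $?"
}

#######################################
# Find the mutants: lists every handle of the process (all object types;
# handles accepts -t to restrict the output to one type).
# Outputs:   $outputDir/handles-$PID
#######################################
list_handles() {
  vol handles -p "$PID" > "$outputDir/handles-$PID" || warn "handles exited with status $?"
}

main() {
  # -p creates whatever is missing; the old guard only ran when outputDir was absent
  mkdir -p "$outputDir" "$dumpDir" "$tempDir"
  load_profile
  # uncomment the steps needed for this investigation
  #list_dlls
  #dump_file
  #list_handles
}
main "$@"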
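#!/bin/bash
# Script to collect information by utilizing volatility
#
# Follow-up analysis: run after the initial collection script, once a PID and
# a file of interest are known. The profile is read from $outputDir/imageinfo
# written by that first run. Uncomment the calls in main for the steps wanted.
#### Configurable Options #######
homeDir='/home/volatility/image'
memImage="$homeDir/image.vmem"
locVolPy='/usr/share/volatility/vol.py'
volProfile=''               # leave empty to reuse the profile from output/imageinfo
PID='1384'
dumpFileFilename='malware'  # Dump the file malware.exe (dumpfiles -r treats this as a regex)
######################################
# -u turns a never-assigned variable into an error instead of an empty
# argument; pipefail keeps a failing vol.py from being hidden by the awk after it.
set -u -o pipefail
outputDir="$homeDir/output"
dumpDir="$homeDir/dumpdir"
tempDir="$homeDir/temp"

#######################################
# Print a diagnostic to stderr and carry on.
# Arguments: message words
#######################################
warn() {
  printf 'warning: %s\n' "$*" >&2
}

#######################################
# Run vol.py against the configured image with the selected profile.
# Arguments: plugin name and its options, passed through unchanged
#######################################
vol() {
  python "$locVolPy" -f "$memImage" --profile="$volProfile" "$@"
}

#######################################
# Identify the profile found from output/imageinfo: a preset volProfile wins,
# otherwise the first name on the "Suggested Profile(s)" line (field 4,
# trailing comma removed).
# Globals:   volProfile (written)
# Returns:   exits 1 if imageinfo is missing or yields no profile
#######################################
load_profile() {
  local suggested
  if [[ ! -r "$outputDir/imageinfo" ]]; then
    printf 'error: %s not found; run the initial collection script first\n' "$outputDir/imageinfo" >&2
    exit 1
  fi
  suggested=$(awk '/Suggested Profile\(s\)/ { sub(/,/, "", $4); print $4; exit }' "$outputDir/imageinfo")
  if [[ -n "$suggested" ]]; then
    echo "Identified Profile: $suggested"
  fi
  if [[ -z "$volProfile" ]]; then
    volProfile=$suggested
  fi
  if [[ -z "$volProfile" ]]; then
    printf 'error: no profile in %s and volProfile is not set\n' "$outputDir/imageinfo" >&2
    exit 1
  fi
}

#######################################
# List the dll's associated with a PID.
# Outputs:   $outputDir/dlllist-$PID
#######################################
list_dlls() {
  vol dlllist -p "$PID" > "$outputDir/dlllist-$PID" || warn "dlllist exited with status $?"
}

#######################################
# Dump the file based on filename.
# Outputs:   files written by dumpfiles into $tempDir
#######################################
dump_file() {
  vol dumpfiles -r "$dumpFileFilename" -D "$tempDir" || warn "dumpfiles exited with status $?"
}

#######################################
# Find the mutants: lists every handle of the process (all object types;
# handles accepts -t to restrict the output to one type).
# Outputs:   $outputDir/handles-$PID
#######################################
list_handles() {
  vol handles -p "$PID" > "$outputDir/handles-$PID" || warn "handles exited with status $?"
}

main() {
  # -p creates whatever is missing; the old guard only ran when outputDir was absent
  mkdir -p "$outputDir" "$dumpDir" "$tempDir"
  load_profile
  # uncomment the steps needed for this investigation
  #list_dlls
  #dump_file
  #list_handles
}
main "$@"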
Wednesday, September 10, 2014
Volatility Bash Script - Automate Initial Commands
Wrote a quick volatility script to automate most of the initial commands that I am running. Enjoy...
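#!/bin/bash
# Script to collect information by utilizing volatility
# v0.3 - Updated to include mftparser
# - Added a temp directory
# v0.2 - Updated the DKOM section to include the 3 columns and not just the 1st.
#To come...
#Analyze specific registry keys that aide in an investigation
#
# Usage: edit the settings below, then run with no arguments. Plugin output is
# written to $outputDir/<plugin>, malfind dumps to $dumpDir. The run is
# best-effort: a plugin that fails is reported on stderr and collection
# continues with the next one.
#### Configurable Settings #############
homeDir='/home/volatility/image'
memImage="$homeDir/image.vmem"
locVolPy='/usr/share/volatility/vol.py'
volProfile=''       # leave empty to use the profile suggested by imageinfo
mactimeTZ='UTC-6'   # timezone passed to mactime -z when building the MFT timeline
#########################################
# -u turns a never-assigned variable into an error instead of an empty
# argument; pipefail keeps a failing vol.py from being hidden by the awk/sed
# stage after it.
set -u -o pipefail
outputDir="$homeDir/output"
dumpDir="$homeDir/dumpdir"
tempDir="$homeDir/temp"

#######################################
# Print a diagnostic to stderr and carry on.
# Arguments: message words
#######################################
warn() {
  printf 'warning: %s\n' "$*" >&2
}

#######################################
# Run vol.py against the configured image with the selected profile.
# Arguments: plugin name and its options, passed through unchanged
#######################################
vol() {
  python "$locVolPy" -f "$memImage" --profile="$volProfile" "$@"
}

#######################################
# Run one plugin and save its stdout.
# Arguments: $1 - plugin name
# Outputs:   $outputDir/$1
#######################################
run_plugin() {
  local plugin=$1
  echo "Running $plugin and saving results to $outputDir/$plugin"
  vol "$plugin" > "$outputDir/$plugin" || warn "$plugin exited with status $?"
}

#######################################
# Run imageinfo and pick the profile: a preset volProfile wins, otherwise the
# first name on the "Suggested Profile(s)" line (field 4, trailing comma
# removed).
# Globals:   volProfile (written)
# Outputs:   $outputDir/imageinfo
# Returns:   exits 1 when no profile can be determined, because every later
#            plugin would fail with an empty --profile=
#######################################
detect_profile() {
  local suggested
  python "$locVolPy" -f "$memImage" imageinfo > "$outputDir/imageinfo" \
    || warn "imageinfo exited with status $?"
  suggested=$(awk '/Suggested Profile\(s\)/ { sub(/,/, "", $4); print $4; exit }' "$outputDir/imageinfo")
  if [[ -n "$suggested" ]]; then
    echo "Identified Profile: $suggested"
  fi
  if [[ -z "$volProfile" ]]; then
    volProfile=$suggested
  fi
  if [[ -z "$volProfile" ]]; then
    printf 'error: imageinfo suggested no profile and volProfile is not set\n' >&2
    exit 1
  fi
}

#######################################
# List psxview rows where pslist, psscan or thrdproc (columns 4-6) is False.
# A process is written once even if several columns are False (the previous
# version appended the same row once per column), and header rows with an
# empty field no longer trip "[: unary operator expected".
# Outputs:   $outputDir/possibleDKOM
#######################################
find_dkom() {
  local intro1='Find processes in psxview that is using Direct Kernel Object Manipulation (DKOM)'
  # single-quoted so the quotes around False reach the output; inside "..."
  # they closed and reopened the string and were dropped
  local intro2='Display from psxview any processes with "False" in the psscan, pslist, thrdproc'
  echo "$intro1"
  echo "$intro2"
  {
    echo "$intro1"
    echo "$intro2"
    awk '$4 == "False" || $5 == "False" || $6 == "False" { print "Found: " $0 }' "$outputDir/psxview"
  } > "$outputDir/possibleDKOM"
  echo
}

#######################################
# Build the MFT body file and a mactime timeline from it.
# Outputs:   $outputDir/mftparser.csv, $outputDir/mftparserMactime.csv
#######################################
run_mftparser() {
  echo "Running mftparser and saving results to $outputDir/mftparser.csv"
  vol mftparser --output=body --output-file="$outputDir/mftparser.csv" \
    || warn "mftparser exited with status $?"
  mactime -b "$outputDir/mftparser.csv" -d -z "$mactimeTZ" > "$outputDir/mftparserMactime.csv" \
    || warn "mactime exited with status $?"
}

#######################################
# Print the virtual address (first hivelist column) of the hive whose path
# ends in $1, compared case-insensitively. The old *YSTEM* match missed
# profiles whose hivelist prints lower-case paths, and a substring match
# would also hit "...\system32\config\software". First match wins.
# Arguments: $1 - path suffix, e.g. 'config\system'
# Returns:   0 and prints the address; 1 if no hive matched
#######################################
hive_vaddr() {
  local wanted vaddr paddr name lower
  wanted=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  # NOTE(review): assumes the Name column holds the hive's path; confirm
  # against the hivelist output of the profile in use.
  while read -r vaddr paddr name; do
    [[ -n "$name" ]] || continue
    lower=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
    if [[ "$lower" == *"$wanted" ]]; then
      printf '%s\n' "$vaddr"
      return 0
    fi
  done < "$outputDir/hivelist"
  return 1
}

#######################################
# Dump the password hashes using the SYSTEM and SAM hive addresses.
# Outputs:   $outputDir/hashdump (skipped with a warning if a hive is missing,
#            where the old version ran hashdump with empty -y/-s arguments)
#######################################
run_hashdump() {
  local systemVAddr samVAddr
  echo "Saving the results of the hashdump to $outputDir/hashdump"
  systemVAddr=$(hive_vaddr 'config\system')
  samVAddr=$(hive_vaddr 'config\sam')
  if [[ -z "$systemVAddr" || -z "$samVAddr" ]]; then
    warn "SYSTEM or SAM hive not found in $outputDir/hivelist; skipping hashdump"
    return 0
  fi
  vol -y "$systemVAddr" -s "$samVAddr" hashdump > "$outputDir/hashdump" \
    || warn "hashdump exited with status $?"
  # TODO: Output the accounts with blank passwords...
}

main() {
  local plugin
  # -p creates whatever is missing; the old "if outputDir is absent" guard
  # skipped dumpdir and temp on a rerun
  mkdir -p "$outputDir" "$dumpDir" "$tempDir"
  detect_profile
  for plugin in pslist pstree psscan psxview; do
    run_plugin "$plugin"
  done
  find_dkom
  for plugin in connections connscan filescan iehistory cmdscan consoles; do
    run_plugin "$plugin"
  done
  run_mftparser
  run_plugin hivelist
  run_hashdump
  echo "Running malfind and saving results to $outputDir/malfind"
  vol malfind --dump-dir "$dumpDir" > "$outputDir/malfind" || warn "malfind exited with status $?"
  echo
}
main "$@"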
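#!/bin/bash
# Script to collect information by utilizing volatility
# v0.3 - Updated to include mftparser
# - Added a temp directory
# v0.2 - Updated the DKOM section to include the 3 columns and not just the 1st.
#To come...
#Analyze specific registry keys that aide in an investigation
#
# Usage: edit the settings below, then run with no arguments. Plugin output is
# written to $outputDir/<plugin>, malfind dumps to $dumpDir. The run is
# best-effort: a plugin that fails is reported on stderr and collection
# continues with the next one.
#### Configurable Settings #############
homeDir='/home/volatility/image'
memImage="$homeDir/image.vmem"
locVolPy='/usr/share/volatility/vol.py'
volProfile=''       # leave empty to use the profile suggested by imageinfo
mactimeTZ='UTC-6'   # timezone passed to mactime -z when building the MFT timeline
#########################################
# -u turns a never-assigned variable into an error instead of an empty
# argument; pipefail keeps a failing vol.py from being hidden by the awk/sed
# stage after it.
set -u -o pipefail
outputDir="$homeDir/output"
dumpDir="$homeDir/dumpdir"
tempDir="$homeDir/temp"

#######################################
# Print a diagnostic to stderr and carry on.
# Arguments: message words
#######################################
warn() {
  printf 'warning: %s\n' "$*" >&2
}

#######################################
# Run vol.py against the configured image with the selected profile.
# Arguments: plugin name and its options, passed through unchanged
#######################################
vol() {
  python "$locVolPy" -f "$memImage" --profile="$volProfile" "$@"
}

#######################################
# Run one plugin and save its stdout.
# Arguments: $1 - plugin name
# Outputs:   $outputDir/$1
#######################################
run_plugin() {
  local plugin=$1
  echo "Running $plugin and saving results to $outputDir/$plugin"
  vol "$plugin" > "$outputDir/$plugin" || warn "$plugin exited with status $?"
}

#######################################
# Run imageinfo and pick the profile: a preset volProfile wins, otherwise the
# first name on the "Suggested Profile(s)" line (field 4, trailing comma
# removed).
# Globals:   volProfile (written)
# Outputs:   $outputDir/imageinfo
# Returns:   exits 1 when no profile can be determined, because every later
#            plugin would fail with an empty --profile=
#######################################
detect_profile() {
  local suggested
  python "$locVolPy" -f "$memImage" imageinfo > "$outputDir/imageinfo" \
    || warn "imageinfo exited with status $?"
  suggested=$(awk '/Suggested Profile\(s\)/ { sub(/,/, "", $4); print $4; exit }' "$outputDir/imageinfo")
  if [[ -n "$suggested" ]]; then
    echo "Identified Profile: $suggested"
  fi
  if [[ -z "$volProfile" ]]; then
    volProfile=$suggested
  fi
  if [[ -z "$volProfile" ]]; then
    printf 'error: imageinfo suggested no profile and volProfile is not set\n' >&2
    exit 1
  fi
}

#######################################
# List psxview rows where pslist, psscan or thrdproc (columns 4-6) is False.
# A process is written once even if several columns are False (the previous
# version appended the same row once per column), and header rows with an
# empty field no longer trip "[: unary operator expected".
# Outputs:   $outputDir/possibleDKOM
#######################################
find_dkom() {
  local intro1='Find processes in psxview that is using Direct Kernel Object Manipulation (DKOM)'
  # single-quoted so the quotes around False reach the output; inside "..."
  # they closed and reopened the string and were dropped
  local intro2='Display from psxview any processes with "False" in the psscan, pslist, thrdproc'
  echo "$intro1"
  echo "$intro2"
  {
    echo "$intro1"
    echo "$intro2"
    awk '$4 == "False" || $5 == "False" || $6 == "False" { print "Found: " $0 }' "$outputDir/psxview"
  } > "$outputDir/possibleDKOM"
  echo
}

#######################################
# Build the MFT body file and a mactime timeline from it.
# Outputs:   $outputDir/mftparser.csv, $outputDir/mftparserMactime.csv
#######################################
run_mftparser() {
  echo "Running mftparser and saving results to $outputDir/mftparser.csv"
  vol mftparser --output=body --output-file="$outputDir/mftparser.csv" \
    || warn "mftparser exited with status $?"
  mactime -b "$outputDir/mftparser.csv" -d -z "$mactimeTZ" > "$outputDir/mftparserMactime.csv" \
    || warn "mactime exited with status $?"
}

#######################################
# Print the virtual address (first hivelist column) of the hive whose path
# ends in $1, compared case-insensitively. The old *YSTEM* match missed
# profiles whose hivelist prints lower-case paths, and a substring match
# would also hit "...\system32\config\software". First match wins.
# Arguments: $1 - path suffix, e.g. 'config\system'
# Returns:   0 and prints the address; 1 if no hive matched
#######################################
hive_vaddr() {
  local wanted vaddr paddr name lower
  wanted=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  # NOTE(review): assumes the Name column holds the hive's path; confirm
  # against the hivelist output of the profile in use.
  while read -r vaddr paddr name; do
    [[ -n "$name" ]] || continue
    lower=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
    if [[ "$lower" == *"$wanted" ]]; then
      printf '%s\n' "$vaddr"
      return 0
    fi
  done < "$outputDir/hivelist"
  return 1
}

#######################################
# Dump the password hashes using the SYSTEM and SAM hive addresses.
# Outputs:   $outputDir/hashdump (skipped with a warning if a hive is missing,
#            where the old version ran hashdump with empty -y/-s arguments)
#######################################
run_hashdump() {
  local systemVAddr samVAddr
  echo "Saving the results of the hashdump to $outputDir/hashdump"
  systemVAddr=$(hive_vaddr 'config\system')
  samVAddr=$(hive_vaddr 'config\sam')
  if [[ -z "$systemVAddr" || -z "$samVAddr" ]]; then
    warn "SYSTEM or SAM hive not found in $outputDir/hivelist; skipping hashdump"
    return 0
  fi
  vol -y "$systemVAddr" -s "$samVAddr" hashdump > "$outputDir/hashdump" \
    || warn "hashdump exited with status $?"
  # TODO: Output the accounts with blank passwords...
}

main() {
  local plugin
  # -p creates whatever is missing; the old "if outputDir is absent" guard
  # skipped dumpdir and temp on a rerun
  mkdir -p "$outputDir" "$dumpDir" "$tempDir"
  detect_profile
  for plugin in pslist pstree psscan psxview; do
    run_plugin "$plugin"
  done
  find_dkom
  for plugin in connections connscan filescan iehistory cmdscan consoles; do
    run_plugin "$plugin"
  done
  run_mftparser
  run_plugin hivelist
  run_hashdump
  echo "Running malfind and saving results to $outputDir/malfind"
  vol malfind --dump-dir "$dumpDir" > "$outputDir/malfind" || warn "malfind exited with status $?"
  echo
}
main "$@"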