npm - @sylix/coworker - Versions diffs - 2.0.11 → 2.0.14 - Mend

@sylix/coworker 2.0.11 → 2.0.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (169) hide show

package/dist/skills/defaults/security/memory-forensics/SKILL.md ADDED Viewed

@@ -0,0 +1,483 @@
+---
+name: memory-forensics
+description: Master memory forensics techniques including memory acquisition, process analysis, and artifact extraction using Volatility and related tools. Use when analyzing memory dumps, investigating incidents, or performing malware analysis from RAM captures.
+---
+# Memory Forensics
+Comprehensive techniques for acquiring, analyzing, and extracting artifacts from memory dumps for incident response and malware analysis.
+## Memory Acquisition
+### Live Acquisition Tools
+#### Windows
+```powershell
+# WinPmem (Recommended)
+winpmem_mini_x64.exe memory.raw
+# DumpIt
+DumpIt.exe
+# Belkasoft RAM Capturer
+# GUI-based, outputs raw format
+# Magnet RAM Capture
+# GUI-based, outputs raw format
+```
+#### Linux
+```bash
+# LiME (Linux Memory Extractor)
+sudo insmod lime.ko "path=/tmp/memory.lime format=lime"
+# /dev/mem (limited, requires permissions)
+sudo dd if=/dev/mem of=memory.raw bs=1M
+# /proc/kcore (ELF format)
+sudo cp /proc/kcore memory.elf
+```
+#### macOS
+```bash
+# osxpmem
+sudo ./osxpmem -o memory.raw
+# MacQuisition (commercial)
+```
+### Virtual Machine Memory
+```bash
+# VMware: .vmem file is raw memory
+cp vm.vmem memory.raw
+# VirtualBox: Use debug console
+vboxmanage debugvm "VMName" dumpvmcore --filename memory.elf
+# QEMU
+virsh dump <domain> memory.raw --memory-only
+# Hyper-V
+# Checkpoint contains memory state
+```
+## Volatility 3 Framework
+### Installation and Setup
+```bash
+# Install Volatility 3
+pip install volatility3
+# Install symbol tables (Windows)
+# Download from https://downloads.volatilityfoundation.org/volatility3/symbols/
+# Basic usage
+vol -f memory.raw <plugin>
+# With symbol path
+vol -f memory.raw -s /path/to/symbols windows.pslist
+```
+### Essential Plugins
+#### Process Analysis
+```bash
+# List processes
+vol -f memory.raw windows.pslist
+# Process tree (parent-child relationships)
+vol -f memory.raw windows.pstree
+# Hidden process detection
+vol -f memory.raw windows.psscan
+# Process memory dumps
+vol -f memory.raw windows.memmap --pid <PID> --dump
+# Process environment variables
+vol -f memory.raw windows.envars --pid <PID>
+# Command line arguments
+vol -f memory.raw windows.cmdline
+```
+#### Network Analysis
+```bash
+# Network connections
+vol -f memory.raw windows.netscan
+# Network connection state
+vol -f memory.raw windows.netstat
+```
+#### DLL and Module Analysis
+```bash
+# Loaded DLLs per process
+vol -f memory.raw windows.dlllist --pid <PID>
+# Find hidden/injected DLLs
+vol -f memory.raw windows.ldrmodules
+# Kernel modules
+vol -f memory.raw windows.modules
+# Module dumps
+vol -f memory.raw windows.moddump --pid <PID>
+```
+#### Memory Injection Detection
+```bash
+# Detect code injection
+vol -f memory.raw windows.malfind
+# VAD (Virtual Address Descriptor) analysis
+vol -f memory.raw windows.vadinfo --pid <PID>
+# Dump suspicious memory regions
+vol -f memory.raw windows.vadyarascan --yara-rules rules.yar
+```
+#### Registry Analysis
+```bash
+# List registry hives
+vol -f memory.raw windows.registry.hivelist
+# Print registry key
+vol -f memory.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"
+# Dump registry hive
+vol -f memory.raw windows.registry.hivescan --dump
+```
+#### File System Artifacts
+```bash
+# Scan for file objects
+vol -f memory.raw windows.filescan
+# Dump files from memory
+vol -f memory.raw windows.dumpfiles --pid <PID>
+# MFT analysis
+vol -f memory.raw windows.mftscan
+```
+### Linux Analysis
+```bash
+# Process listing
+vol -f memory.raw linux.pslist
+# Process tree
+vol -f memory.raw linux.pstree
+# Bash history
+vol -f memory.raw linux.bash
+# Network connections
+vol -f memory.raw linux.sockstat
+# Loaded kernel modules
+vol -f memory.raw linux.lsmod
+# Mount points
+vol -f memory.raw linux.mount
+# Environment variables
+vol -f memory.raw linux.envars
+```
+### macOS Analysis
+```bash
+# Process listing
+vol -f memory.raw mac.pslist
+# Process tree
+vol -f memory.raw mac.pstree
+# Network connections
+vol -f memory.raw mac.netstat
+# Kernel extensions
+vol -f memory.raw mac.lsmod
+```
+## Analysis Workflows
+### Malware Analysis Workflow
+```bash
+# 1. Initial process survey
+vol -f memory.raw windows.pstree > processes.txt
+vol -f memory.raw windows.pslist > pslist.txt
+# 2. Network connections
+vol -f memory.raw windows.netscan > network.txt
+# 3. Detect injection
+vol -f memory.raw windows.malfind > malfind.txt
+# 4. Analyze suspicious processes
+vol -f memory.raw windows.dlllist --pid <PID>
+vol -f memory.raw windows.handles --pid <PID>
+# 5. Dump suspicious executables
+vol -f memory.raw windows.pslist --pid <PID> --dump
+# 6. Extract strings from dumps
+strings -a pid.<PID>.exe > strings.txt
+# 7. YARA scanning
+vol -f memory.raw windows.yarascan --yara-rules malware.yar
+```
+### Incident Response Workflow
+```bash
+# 1. Timeline of events
+vol -f memory.raw windows.timeliner > timeline.csv
+# 2. User activity
+vol -f memory.raw windows.cmdline
+vol -f memory.raw windows.consoles
+# 3. Persistence mechanisms
+vol -f memory.raw windows.registry.printkey \
+    --key "Software\Microsoft\Windows\CurrentVersion\Run"
+# 4. Services
+vol -f memory.raw windows.svcscan
+# 5. Scheduled tasks
+vol -f memory.raw windows.scheduled_tasks
+# 6. Recent files
+vol -f memory.raw windows.filescan | grep -i "recent"
+```
+## Data Structures
+### Windows Process Structures
+```c
+// EPROCESS (Executive Process)
+typedef struct _EPROCESS {
+    KPROCESS Pcb;                    // Kernel process block
+    EX_PUSH_LOCK ProcessLock;
+    LARGE_INTEGER CreateTime;
+    LARGE_INTEGER ExitTime;
+    // ...
+    LIST_ENTRY ActiveProcessLinks;   // Doubly-linked list
+    ULONG_PTR UniqueProcessId;       // PID
+    // ...
+    PEB* Peb;                        // Process Environment Block
+    // ...
+} EPROCESS;
+// PEB (Process Environment Block)
+typedef struct _PEB {
+    BOOLEAN InheritedAddressSpace;
+    BOOLEAN ReadImageFileExecOptions;
+    BOOLEAN BeingDebugged;           // Anti-debug check
+    // ...
+    PVOID ImageBaseAddress;          // Base address of executable
+    PPEB_LDR_DATA Ldr;              // Loader data (DLL list)
+    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
+    // ...
+} PEB;
+```
+### VAD (Virtual Address Descriptor)
+```c
+typedef struct _MMVAD {
+    MMVAD_SHORT Core;
+    union {
+        ULONG LongFlags;
+        MMVAD_FLAGS VadFlags;
+    } u;
+    // ...
+    PVOID FirstPrototypePte;
+    PVOID LastContiguousPte;
+    // ...
+    PFILE_OBJECT FileObject;
+} MMVAD;
+// Memory protection flags
+#define PAGE_EXECUTE           0x10
+#define PAGE_EXECUTE_READ      0x20
+#define PAGE_EXECUTE_READWRITE 0x40
+#define PAGE_EXECUTE_WRITECOPY 0x80
+```
+## Detection Patterns
+### Process Injection Indicators
+```python
+# Malfind indicators
+# - PAGE_EXECUTE_READWRITE protection (suspicious)
+# - MZ header in non-image VAD region
+# - Shellcode patterns at allocation start
+# Common injection techniques
+# 1. Classic DLL Injection
+#    - VirtualAllocEx + WriteProcessMemory + CreateRemoteThread
+# 2. Process Hollowing
+#    - CreateProcess (SUSPENDED) + NtUnmapViewOfSection + WriteProcessMemory
+# 3. APC Injection
+#    - QueueUserAPC targeting alertable threads
+# 4. Thread Execution Hijacking
+#    - SuspendThread + SetThreadContext + ResumeThread
+```
+### Rootkit Detection
+```bash
+# Compare process lists
+vol -f memory.raw windows.pslist > pslist.txt
+vol -f memory.raw windows.psscan > psscan.txt
+diff pslist.txt psscan.txt  # Hidden processes
+# Check for DKOM (Direct Kernel Object Manipulation)
+vol -f memory.raw windows.callbacks
+# Detect hooked functions
+vol -f memory.raw windows.ssdt  # System Service Descriptor Table
+# Driver analysis
+vol -f memory.raw windows.driverscan
+vol -f memory.raw windows.driverirp
+```
+### Credential Extraction
+```bash
+# Dump hashes (requires hivelist first)
+vol -f memory.raw windows.hashdump
+# LSA secrets
+vol -f memory.raw windows.lsadump
+# Cached domain credentials
+vol -f memory.raw windows.cachedump
+# Mimikatz-style extraction
+# Requires specific plugins/tools
+```
+## YARA Integration
+### Writing Memory YARA Rules
+```yara
+rule Suspicious_Injection
+{
+    meta:
+        description = "Detects common injection shellcode"
+    strings:
+        // Common shellcode patterns
+        $mz = { 4D 5A }
+        $shellcode1 = { 55 8B EC 83 EC }  // Function prologue
+        $api_hash = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 }  // Push hash, call
+    condition:
+        $mz at 0 or any of ($shellcode*)
+}
+rule Cobalt_Strike_Beacon
+{
+    meta:
+        description = "Detects Cobalt Strike beacon in memory"
+    strings:
+        $config = { 00 01 00 01 00 02 }
+        $sleep = "sleeptime"
+        $beacon = "%s (admin)" wide
+    condition:
+        2 of them
+}
+```
+### Scanning Memory
+```bash
+# Scan all process memory
+vol -f memory.raw windows.yarascan --yara-rules rules.yar
+# Scan specific process
+vol -f memory.raw windows.yarascan --yara-rules rules.yar --pid 1234
+# Scan kernel memory
+vol -f memory.raw windows.yarascan --yara-rules rules.yar --kernel
+```
+## String Analysis
+### Extracting Strings
+```bash
+# Basic string extraction
+strings -a memory.raw > all_strings.txt
+# Unicode strings
+strings -el memory.raw >> all_strings.txt
+# Targeted extraction from process dump
+vol -f memory.raw windows.memmap --pid 1234 --dump
+strings -a pid.1234.dmp > process_strings.txt
+# Pattern matching
+grep -E "(https?://|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})" all_strings.txt
+```
+### FLOSS for Obfuscated Strings
+```bash
+# FLOSS extracts obfuscated strings
+floss malware.exe > floss_output.txt
+# From memory dump
+floss pid.1234.dmp
+```
+## Best Practices
+### Acquisition Best Practices
+1. **Minimize footprint**: Use lightweight acquisition tools
+2. **Document everything**: Record time, tool, and hash of capture
+3. **Verify integrity**: Hash memory dump immediately after capture
+4. **Chain of custody**: Maintain proper forensic handling
+### Analysis Best Practices
+1. **Start broad**: Get overview before deep diving
+2. **Cross-reference**: Use multiple plugins for same data
+3. **Timeline correlation**: Correlate memory findings with disk/network
+4. **Document findings**: Keep detailed notes and screenshots
+5. **Validate results**: Verify findings through multiple methods
+### Common Pitfalls
+- **Stale data**: Memory is volatile, analyze promptly
+- **Incomplete dumps**: Verify dump size matches expected RAM
+- **Symbol issues**: Ensure correct symbol files for OS version
+- **Smear**: Memory may change during acquisition
+- **Encryption**: Some data may be encrypted in memory