Anthropic-Cybersecurity-Skills/skills/conducting-memory-forensics-with-volatility/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00
# API Reference: Memory Forensics Agent (Volatility 3)
## Overview
Automates memory forensics analysis using Volatility 3: process listing, network connections, process injection detection, command line extraction, and hidden driver/rootkit detection.
## Dependencies
| Package | Version | Purpose |
|---------|---------|---------|
| volatility3 | >=2.0 | Memory forensics framework (subprocess) |
## CLI Usage
```bash
python agent.py --memory-file memory.raw --output forensics_report.json
```
## Key Functions
### `run_volatility(memory_file, plugin, extra_args)`
Executes a Volatility 3 plugin via subprocess and parses tab-delimited output into dictionaries.
### `analyze_processes(memory_file)`
Runs `windows.pslist` and flags processes matching known offensive tools (mimikatz, cobalt, meterpreter, psexec).
### `analyze_network_connections(memory_file)`
Runs `windows.netscan` to extract network connections and filters for ESTABLISHED state.
### `detect_process_injection(memory_file)`
Runs `windows.malfind` to detect injected code in process memory (RWX pages with executable content).
### `analyze_dlls(memory_file, pid)`
Lists loaded DLLs for a specific process or all processes via `windows.dlllist`.
### `extract_command_history(memory_file)`
Runs `windows.cmdline` and flags suspicious patterns (encoded PowerShell, credential dumping, LOLBins).
### `check_kernel_modules(memory_file)`
Compares `windows.modules` with `windows.driverscan` to detect hidden/rootkit drivers.
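The `run_volatility` parser and the `check_kernel_modules` comparison described above, as an added example that is not the skill's own `scripts/agent.py`: it parses Volatility 3's default tab-delimited table, wraps the `vol` CLI, and reports driver objects from `windows.driverscan` whose start address is missing from `windows.modules`. The column names (`Base`, `Start`, `Name`) and the sample rows are assumptions constructed for the example; `check_kernel_modules` is simply `find_hidden_drivers` applied to the two plugin runs.

```python
import subprocess

# Constructed sample output in Volatility 3's tab-delimited layout; column names
# assumed from windows.modules / windows.driverscan, addresses and names made up.
MODULES_OUT = """Volatility 3 Framework 2.x.x
Offset\tBase\tSize\tName\tPath\tFile output
0xfa8001234560\t0xfffff80002a0b000\t0x5e9000\tntoskrnl.exe\t\\SystemRoot\\system32\\ntoskrnl.exe\tDisabled
0xfa8001234570\t0xfffff88001000000\t0x8000\tgood.sys\t\\SystemRoot\\system32\\drivers\\good.sys\tDisabled
"""
DRIVERSCAN_OUT = """Volatility 3 Framework 2.x.x
Offset\tStart\tSize\tService Key\tDriver Name\tName
0xfa8001111000\t0xfffff80002a0b000\t0x5e9000\tntoskrnl\t\\Driver\\ntoskrnl\tntoskrnl.exe
0xfa8001111100\t0xfffff88001000000\t0x8000\tgood\t\\Driver\\good\tgood.sys
0xfa8001111200\t0xFFFFF88001200000\t0x3000\tevil\t\\Driver\\evil\tevil.sys
0xfa8001111300\t0x0\t0x0\tstale\t\\Driver\\stale\tstale.sys
"""

def parse_tab_output(text):
    """Turn Volatility's tab-delimited table into a list of dicts. Lines without
    a tab (framework banner, progress noise) are skipped; first table line = header."""
    rows, header = [], None
    for line in text.splitlines():
        if "\t" not in line:
            continue
        fields = [f.strip() for f in line.split("\t")]
        if header is None:
            header = fields
        else:
            rows.append(dict(zip(header, fields)))
    return rows

def run_volatility(memory_file, plugin, extra_args=None):
    """Run one plugin through the `vol` CLI (must be on PATH) and parse its table."""
    cmd = ["vol", "-f", memory_file, plugin] + list(extra_args or [])
    proc = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return parse_tab_output(proc.stdout)

def find_hidden_drivers(modules, driverscan):
    """Driver objects found by pool scanning whose start address is absent from the
    loaded-module list. Candidates only: driverscan also recovers freed objects."""
    loaded = {r["Base"].lower() for r in modules if r.get("Base")}
    hidden = []
    for r in driverscan:
        start = r.get("Start", "").lower()
        if start in ("", "0x0"):  # zeroed/freed object, not a hidden driver
            continue
        if start not in loaded:
            hidden.append(r)
    return hidden
```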
## Volatility 3 Plugins Used
| Plugin | Purpose |
|--------|---------|
| `windows.pslist` | List running processes |
| `windows.netscan` | Extract network connections |
| `windows.malfind` | Detect process injection |
| `windows.dlllist` | List loaded DLLs |
| `windows.cmdline` | Extract command line arguments |
| `windows.registry.hivelist` | List registry hives |
| `windows.modules` | List kernel modules |
| `windows.driverscan` | Scan for driver objects |
## Suspicious Process Indicators
Processes flagged: mimikatz, procdump, psexec, cobalt, beacon, meterpreter, nc.exe, ncat, certutil, bitsadmin, mshta, regsvr32, wscript, cscript.
## Suspicious Command Patterns
Commands flagged: `powershell -enc`, `invoke-expression`, `downloadstring`, `net user`, `sekurlsa`, `lsadump`, `reg save`, `vssadmin`, `certutil -urlcache`, `bitsadmin /transfer`.