๐ŸŽฏ Lab Objectives

  • Set up Volatility 3 with Windows symbol tables
  • Enumerate running processes and identify anomalies
  • Extract active and recently closed network connections
  • Detect code injection using the malfind plugin
  • Dump and analyse suspicious processes and DLLs
  • Extract credentials from LSASS memory

Topics Covered

  • Volatility 3 setup and plugin overview
  • Process analysis: pslist vs pstree vs psscan for rootkit detection
  • Network artifact extraction from memory
  • Malfind โ€” detecting injected PE files and shellcode
  • LSASS credential extraction with pypykatz
  • Timeline reconstruction using MFT and prefetch artifacts

Setup

pip3 install volatility3

# Download Windows symbol tables
wget https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip
unzip windows.zip -d ~/.local/lib/python3/site-packages/volatility3/symbols/

Process Investigation

# System overview
vol -f infected.raw windows.info
vol -f infected.raw windows.pslist
vol -f infected.raw windows.pstree

# Anomalies to hunt:
# svchost.exe without parent services.exe
# cmd.exe spawned from Word, Excel, or PowerPoint
# processes with random or misspelled names

# Hidden processes (rootkits unlink EPROCESS from the list)
vol -f infected.raw windows.psscan
# PID in psscan but not pslist = actively hidden

Network Connections

# Active and recently closed connections
vol -f infected.raw windows.netscan | grep -v CLOSED
vol -f infected.raw windows.netstat

# Indicators: unusual IPs from system processes, non-standard port usage, high-frequency beaconing

Detect Code Injection

# Malfind finds RWX memory with PE headers
vol -f infected.raw windows.malfind

# Dump suspicious regions for further analysis
vol -f infected.raw windows.malfind --dump --pid SUSPICIOUS_PID
file pid.*.dmp | grep PE   # look for injected PE executables

Credential Extraction

# Dump LSASS process memory
vol -f infected.raw windows.dumpfiles --pid LSASS_PID

# pypykatz (pure Python implementation of mimikatz)
pypykatz lsa minidump lsass.dmp

Timeline Reconstruction

# MFT timeline โ€” filesystem activity
vol -f infected.raw windows.mftscan.MFTScan

# Prefetch โ€” what was executed and when
vol -f infected.raw windows.prefetch

# Registry last-write timestamps
vol -f infected.raw windows.registry.hivelist
โœ…
Lab Complete! Mark it done below and continue your learning path.
โ† All Labs
// guided terminal

Try It Live

Type the commands from the steps above. The terminal simulates the expected output for this lab.

KaliRange ~ Terminal type help for commands
๐Ÿ“–
Sign in to track progress