CPIDR Cheat Sheet
Windows
Incident Response
Volatility Framework Analysis Steps
Critical Flow for Incident Response
- Identify rogue processes :red_flag: Follow Steps 2, 3 and 4
- Analyze process DLLs and handles :red_flag: Follow Step 8
- Review network artifacts :red_flag: Follow Step 5
- Look for evidence of code injection :red_flag: Follow Step 7
- Check for signs of a rootkit :red_flag: Follow Steps 7 and 8
- Check the process hash value on VirusTotal or Hybrid Analysis
Step 1 -
- imageinfo : Gives you the profile details (OS version) of the memory image
Step 2 -
- pslist : Provides the list of running and exited processes
Step 3 -
- psscan : Provides running and exited processes, including hidden processes that pslist misses
Step 4 -
- pstree : Provides the processes in hierarchical (parent/child) format
Step 5 -
- netscan / connscan / connections : Provides the process list with incoming and outgoing communication (IP addresses)
Note:
netscan (works on Windows 7 and later versions of Windows)
connscan / connections (work on Windows XP and 7)
Example : python vol.py -f <Memory_Dump_Path> --profile=<Profile_Name> netscan / connscan / connections
Step 6 -
- pstotal : Compares the psscan and pslist results. Also produces output in graphical (dot) format
Example : python vol.py -f <Memory_Dump_Path> --profile=<Profile_Name> pstotal --output=dot --output-file=<Destination_Path/pstotal.dot>
Step 7 -
- malprocfind : Automatically identifies suspicious system processes
Step 8 -
- handles : Provides the mutants and DLLs held by a malicious process
Example : python vol.py -f <Memory_Dump_Path> --profile=<Profile_Name> handles -p <Process_ID> -t Mutant
Incident Response Tool
(This tool collects different artefacts on a live Windows system and records the results in CSV or JSON files. By analysing these artefacts, an early compromise can be detected.)
What to Check
- An intruder will try to persist in the system by giving a process a name that looks like a genuine process name. For example : svchost.exe (genuine process) / scvhost.exe (malicious process)
- Appropriate PATH for system executable processes
- Processes running from a user or temp / tmp directory
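The three "What to Check" tests above, turned into a small triage script as an added example (not part of the original cheat sheet or of Volatility). It assumes a process listing exported as CSV with pid, name and path columns; the sample rows and the expected-directory table are constructed for illustration.

```python
import csv
import difflib

# Constructed sample in the shape of a pslist-style listing exported to CSV
# (pid, name, image path); not taken from a real memory image.
SAMPLE_CSV = """pid,name,path
504,svchost.exe,C:\\Windows\\System32\\svchost.exe
1337,scvhost.exe,C:\\Windows\\System32\\scvhost.exe
2048,lsass.exe,C:\\Users\\bob\\AppData\\Local\\Temp\\lsass.exe
3000,explorer.exe,C:\\Windows\\explorer.exe
"""

# Genuine Windows process names and the directory each is expected to run from.
EXPECTED_DIR = {
    "svchost.exe": "c:\\windows\\system32",
    "lsass.exe": "c:\\windows\\system32",
    "explorer.exe": "c:\\windows",
}
SUSPECT_DIRS = ("\\temp\\", "\\tmp\\", "\\users\\")  # unusual for a system binary

def lookalike(name):
    """Return the genuine name a near-miss such as scvhost.exe imitates, else None."""
    n = name.lower()
    if n in EXPECTED_DIR:
        return None
    hits = difflib.get_close_matches(n, EXPECTED_DIR, n=1, cutoff=0.8)
    return hits[0] if hits else None

def check_process(name, path):
    """Apply the three 'What to Check' tests to one process; return its findings."""
    findings = []
    n, p = name.lower(), path.lower()
    genuine = lookalike(name)
    if genuine:
        findings.append(f"name {name} resembles genuine {genuine}")
    if n in EXPECTED_DIR and p.rsplit("\\", 1)[0] != EXPECTED_DIR[n]:
        findings.append(f"unexpected path {path}")
    if any(d in p for d in SUSPECT_DIRS):
        findings.append("runs from a user or temp directory")
    return findings

def triage(csv_text):
    """Map pid -> findings for every process that trips at least one check."""
    suspicious = {}
    for row in csv.DictReader(csv_text.splitlines()):
        hits = check_process(row["name"], row["path"])
        if hits:
            suspicious[int(row["pid"])] = hits
    return suspicious
```

Feed it the CSV you export from pslist/psscan and review every pid it returns against Steps 7 and 8.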