Live Memory Analysis

Memory Analysis in Incident Response with Process Hacker

Memory analysis plays a crucial role in identifying malicious activities within a system. Attackers often use running processes to maintain persistence, exfiltrate data, or execute malicious commands. Tools like Process Hacker provide detailed insights into active processes, network connections, and signature statuses, helping responders uncover potential threats.

Key Areas of Memory Analysis

1. Process Tree Analysis

Objective: Identify suspicious child processes spawned by legitimate parent processes.

Indicators of Malicious Activity:

  • WebShell Detection: A process like powershell.exe or cmd.exe spawned under a web server process (e.g., w3wp.exe or apache.exe) could indicate a webshell executing commands like whoami or net user.

  • Malicious Macro Detection: If powershell.exe is a child of winword.exe (Microsoft Word), this might signal a malicious macro executing embedded scripts. Look for Base64-encoded commands.

Steps:

  1. Open Process Hacker and go to the Processes tab.

  2. Expand processes to view their hierarchy.

  3. Investigate suspicious child processes:

    • Double-click a process to inspect its properties, including command line arguments and environment variables.

  4. Cross-check the process name and command line with known IOCs (Indicators of Compromise).

2. Network Connections Analysis

Objective: Identify unauthorized or suspicious external communications.

Key Indicators:

  • Processes with active connections to unknown or suspicious IP addresses.

  • Use of non-standard ports for communication (e.g., unusual high ports).

  • Large data transfers indicating potential exfiltration.

Steps:

  1. Navigate to the Network tab in Process Hacker.

  2. Review active connections and focus on:

    • Process Name: Which process is making the connection.

    • Remote IP Address: Destination of the connection.

    • Port Number: Port being used for communication.

  3. Investigate external IPs:

    • Use tools like VirusTotal, AbuseIPDB, or Shodan to check the reputation of the remote IP.

  4. Terminate suspicious connections if necessary:

    • Right-click on the process and select Terminate.

3. Signature Status Analysis

Objective: Verify the authenticity of running processes by checking their digital signatures.

Why It Matters:

  • Legitimate files should be signed by a trusted authority.

  • Malicious actors sometimes use unsigned or poorly signed binaries to execute attacks.

Steps:

  1. In the Processes tab, right-click the column headers and select Choose Columns.

  2. Add Verification Status and Verified Signer columns.

  3. Review processes:

    • Focus on those marked as Not Verified or Unknown.

    • Investigate further if a critical system process like svchost.exe or lsass.exe shows as unsigned.

Example Case Study: Suspicious Python Process Under CMD

Scenario: You notice python.exe running as a child of cmd.exe. This could be a legitimate task or a sign of malicious activity.

Action Plan:

  1. Inspect Process Details:

    • Double-click python.exe in Process Hacker.

    • Check the Command Line for parameters or scripts being executed.

  2. Verify Current Directory:

    • Ensure the script (e.g., manage.py) is running from an expected directory.

    • Unexpected locations like /tmp, /dev/shm, or user directories can indicate malicious intent.

  3. Analyze the Script:

    • Review the contents of the script for potentially harmful code.

Key Points

Memory analysis with tools like Process Hacker enables responders to:

  • Detect active malware through suspicious processes.

  • Identify unauthorized external communications.

  • Investigate persistence mechanisms, such as unsigned processes or malicious network connections.

This structured approach to memory analysis provides critical insights during incident response, allowing responders to act swiftly and effectively.

PreviousFree Tools That Can Be UsedNextTask Scheduler

Last updated