This script is a memory forensics wrapper around https://github.com/ufrisk/MemProcFS for fast memory analysis. It includes several hunting modules and an ELK import with pre-built hunting dashboards. It has features like metadata and import detection, event log parsing, YARA and ClamAV scanning to detect malicious files, and memory injection detection. Happy Hunting ;)
The screenshots are generated using the memory dump from the Disobey 2020 Memory Forensics Workshop.
If you run the eventlog parser module, the file is sometimes locked by PowerShell for about 60 seconds before it is released. Just wait...
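Rather than retrying by hand while the parser still holds the file, a short wait loop can poll until the handle is released. This is an added example, not part of MemProcFSHunter; the output path is a constructed placeholder, and the timeout is sized from the roughly 60 second lock mentioned above.

```powershell
# Added example (not MemProcFSHunter code): wait until no other process holds
# a file open before reading or moving it, instead of failing on
# "The process cannot access the file because it is being used by another process".
function Wait-FileUnlocked {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$TimeoutSeconds = 120,   # lock lasts about 60 s per the README; allow a margin
        [int]$PollSeconds = 5
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        try {
            # FileShare::None succeeds only when nobody else has the file open.
            $fs = [System.IO.File]::Open($Path,
                                         [System.IO.FileMode]::Open,
                                         [System.IO.FileAccess]::Read,
                                         [System.IO.FileShare]::None)
            $fs.Close()
            return $true
        } catch [System.IO.IOException] {
            # Still locked by the parser; poll again after a short sleep.
            Start-Sleep -Seconds $PollSeconds
        }
    }
    return $false
}

# Usage: $evtx is a constructed placeholder path, not one the README gives.
$evtx = 'C:\MemProcFSHunter\output\Security.evtx'
if (Wait-FileUnlocked -Path $evtx) {
    Get-Item -LiteralPath $evtx   # safe to read or move now
} else {
    Write-Warning "$evtx is still locked after the timeout"
}
```

The exclusive-share open is the cheapest reliable lock test on Windows: it needs no extra tooling and does not change the file, and a success followed immediately by a close leaves the file exactly as it was.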
- Thanks to https://cqureacademy.com/ for their awesome tool CQEVTXRecovery.exe for fixing corrupted evtx files.
If you want to import the hunting dashboards into ELK, you need to download and start the services on the local machine:
Unzip and start the services:
- C:\elasticsearch-7.12.0-windows-x86_64\elasticsearch-7.12.0\bin\elasticsearch.bat
- C:\kibana-7.12.0-windows-x86_64\bin\kibana.bat
Run MemProcFS_ELKImport to import the hunting dashboards.
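The import only succeeds once both services are actually answering, and Kibana in particular takes a while after its window appears. The script below, an added example that is not part of MemProcFSHunter, starts the two batch files from the paths above and polls each service before running the import. It assumes the default ports of an unconfigured 7.x install (9200 for Elasticsearch, 5601 for Kibana) and assumes the import script is a file named MemProcFS_ELKImport.ps1 in the current directory.

```powershell
# Added example (not MemProcFSHunter code): bring up the local ELK stack from
# the README's paths and wait for readiness before importing the dashboards.
$ElasticBat   = 'C:\elasticsearch-7.12.0-windows-x86_64\elasticsearch-7.12.0\bin\elasticsearch.bat'
$KibanaBat    = 'C:\kibana-7.12.0-windows-x86_64\bin\kibana.bat'
$ImportScript = '.\MemProcFS_ELKImport.ps1'   # assumed file name of the import script

function Wait-HttpReady {
    param(
        [Parameter(Mandatory)][string]$Url,
        [int]$TimeoutSeconds = 180
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        try {
            $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 5
            if ($resp.StatusCode -eq 200) { return $true }
        } catch {
            # Not listening yet (connection refused) or still initialising (503): keep polling.
        }
        Start-Sleep -Seconds 5
    }
    return $false
}

# Launch each service in its own window so its log output stays visible.
Start-Process -FilePath $ElasticBat
Start-Process -FilePath $KibanaBat

# Default ports for a stock 7.x install (assumption: no elasticsearch.yml / kibana.yml changes).
if (-not (Wait-HttpReady -Url 'http://localhost:9200/')) {
    throw 'Elasticsearch did not become ready in time'
}
if (-not (Wait-HttpReady -Url 'http://localhost:5601/api/status')) {
    throw 'Kibana did not become ready in time'
}

& $ImportScript
```

Kibana's /api/status endpoint returns 503 while plugins are still initialising and 200 once it is usable, which is why the loop keys on the status code rather than on the process merely existing.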
Easy as one, two, three ;)
Download the latest release of MemProcFS
Download the latest release of Dokan and run the installer
Mount the image with MemProcFS
Download the latest release of MemProcFSHunter and start the script
It's all done!! Have Fun!!