MemProcFS-Analyzer v0.9

README.md

@@ -6,12 +6,13 @@ https://github.com/ufrisk/MemProcFS
 
 Features:
 * Fast and easy memory analysis!
-* You can mount a Raw Physical Memory Dump like a disk image and handle the memory compression feature on Windows
+* You can mount a memory snapshot (Raw Physical Memory Dump or Microsoft Crash Dump) like a disk image and handle the memory compression feature on Windows
 * Auto-Install of MemProcFS, AmcacheParser, AppCompatCacheParser, Elasticsearch, entropy, EvtxECmd, ImportExcel, IPinfo CLI, jq, Kibana, lnk_parser, RECmd, SBECmd, xsv, YARA, and Zircolite  
 * Auto-Update of MemProcFS, AmcacheParser, AppCompatCacheParser, Elasticsearch, entropy, EvtxECmd (incl. Maps), ImportExcel, IPinfo CLI, jq, Kibana, lnk_parser, RECmd, SBECmd, xsv, YARA, and Zircolite   
 * Update-Info when there's a new version of ClamAV or a new Dokany File System Library Bundle available  
 * Pagefile Support
 * OS Fingerprinting  
+* Scan w/ Custom YARA rules (incl. 284 rules by e.g. [Chronicle](https://github.com/chronicle/GCTI/tree/main/YARA) and [Elastic Security](https://github.com/elastic/protections-artifacts))  
 * Multi-Threaded scan w/ ClamAV for Windows  
 * Collection of infected files detected by ClamAV for further analysis (PW: infected)
 * Collection of injected modules detected by MemProcFS PE_INJECT for further analysis (PW: infected)
@@ -50,7 +51,7 @@ Download the latest version of **MemProcFS-Analyzer** from the [Releases](https:
 Launch Windows PowerShell (or Windows PowerShell ISE or Visual Studio Code w/ PSVersion: 5.1) as Administrator and open/run MemProcFS-Analyzer.ps1. 
 
 ![File-Browser](https://github.com/evild3ad/MemProcFS-Analyzer/blob/8ff585672b7bbe689ad10080555f62dce2b0c06d/Screenshots/01.png)  
-**Fig 1:** Select your Raw Physical Memory Dump and select your pagefile.sys (Optional)
+**Fig 1:** Select your Memory Snapshot and select your pagefile.sys (Optional)
 
 ![Auto-Install](https://github.com/evild3ad/MemProcFS-Analyzer/blob/8ff585672b7bbe689ad10080555f62dce2b0c06d/Screenshots/02.png)  
 **Fig 2:** MemProcFS-Analyzer auto-installs dependencies (First Run)
@@ -62,7 +63,7 @@ Launch Windows PowerShell (or Windows PowerShell ISE or Visual Studio Code w/ PS
 **Fig 4:** If you find MemProcFS useful, please become a sponsor at: https://github.com/sponsors/ufrisk  
 
 ![Mounted](https://github.com/evild3ad/MemProcFS-Analyzer/blob/8ff585672b7bbe689ad10080555f62dce2b0c06d/Screenshots/05.png)  
-**Fig 5:** You can investigate the mounted memory dump by exploring drive letter X:
+**Fig 5:** You can investigate the mounted memory dump by exploring drive letter
 
 ![Auto-Update](https://github.com/evild3ad/MemProcFS-Analyzer/blob/8ff585672b7bbe689ad10080555f62dce2b0c06d/Screenshots/06.png)  
 **Fig 6:** MemProcFS-Analyzer checks for updates (Second Run) 
@@ -181,19 +182,19 @@ https://ericzimmerman.github.io/
 AppCompatCacheParser v1.5.0.0 (.NET 6)  
 https://ericzimmerman.github.io/  
 
-ClamAV - Download → Windows → clamav-1.0.0.win.x64.msi (2022-11-23)  
+ClamAV - Download → Windows → clamav-1.0.1.win.x64.msi (2023-02-14)  
 https://www.clamav.net/downloads    
 
 Dokany Library Bundle v2.0.6.1000 (2022-10-02)  
 https://github.com/dokan-dev/dokany/releases/latest → DokanSetup.exe  
 
-Elasticsearch 8.6.0 (2023-01-10)  
+Elasticsearch 8.7.1 (2023-05-02)  
 https://www.elastic.co/downloads/elasticsearch  
 
 entropy v1.0 (2022-02-04)  
 https://github.com/merces/entropy  
 
-EvtxECmd v1.0.0.1 (.NET 6)  
+EvtxECmd v1.5.0.0 (.NET 6)  
 https://ericzimmerman.github.io/  
 
 ImportExcel v7.8.4 (2022-12-11)  
@@ -211,7 +212,7 @@ https://www.elastic.co/downloads/kibana
 lnk_parser v0.2.0 (2022-08-10)  
 https://github.com/AbdulRhmanAlfaifi/lnk_parser  
 
-MemProcFS v5.3.0 - The Memory Process File System (2023-01-19)  
+MemProcFS v5.6.4 - The Memory Process File System (2023-05-01)  
 https://github.com/ufrisk/MemProcFS  
 
 RECmd v2.0.0.0 (.NET 6)  
@@ -223,10 +224,10 @@ https://ericzimmerman.github.io/
 xsv v0.13.0 (2018-05-12)  
 https://github.com/BurntSushi/xsv  
 
-YARA v4.2.3 (2022-08-09)  
+YARA v4.3.1 (2023-04-21)  
 https://virustotal.github.io/yara/  
 
-Zircolite v2.9.7 (2022-10-08)  
+Zircolite v2.9.9 (2023-04-16)  
 https://github.com/wagga40/Zircolite  
 
 ## Links

Scripts/1768/1768.json

@@ -1,72 +1,89 @@
 {
     "dLookupValues": {
-                         "LASTUPDATE": "2022/08/27",
+                         "LASTUPDATE": "2023/04/02",
                          "URL": "https://www.cobaltstrike.com/help-authorization-files",
                          "37": {
-																	"0": "trial or pirated? - Stats uniques -> ips/hostnames: 676 publickeys: 410",
-																	"1": "Finspy - Stats uniques -> ips/hostnames: 26 publickeys: 19",
-																	"100000": "Stats uniques -> ips/hostnames: 11 publickeys: 11",
-																	"1011266395": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
-																	"1061821957": "Stats uniques -> ips/hostnames: 4 publickeys: 1",
-																	"1083092832": "Stats uniques -> ips/hostnames: 2 publickeys: 2",
-																	"1200302529": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
-																	"1225345476": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
-																	"1234567890": "Stats uniques -> ips/hostnames: 178 publickeys: 152",
-																	"1293900656": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
-																	"1330515036": "Stats uniques -> ips/hostnames: 2 publickeys: 2",
-																	"1359593325": "TrickBot/SmokeLoader/Nobelium/APT29 - Stats uniques -> ips/hostnames: 228 publickeys: 160",
-																	"1360912112": "Stats uniques -> ips/hostnames: 3 publickeys: 3",
-																	"1453642741": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
-																	"1485646134": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
-																	"153163702": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
-																	"1548680553": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
-																	"1580103814": "APT27/Qbot/IcedID/DarkSide/Conti/Hancitor/WizardSpider - Stats uniques -> ips/hostnames: 80 publickeys: 34",
-																	"1580103824": "Stats uniques -> ips/hostnames: 210 publickeys: 92",
-																	"1616449647": "Stats uniques -> ips/hostnames: 3 publickeys: 2",
-																	"1628610335": "Stats uniques -> ips/hostnames: 2 publickeys: 2",
-																	"16777216": "Ryuk - Stats uniques -> ips/hostnames: 19 publickeys: 19",
-																	"1711276032": "Stats uniques -> ips/hostnames: 18 publickeys: 15",
-																	"1807886020": "Stats uniques -> ips/hostnames: 3 publickeys: 1",
-																	"1857223080": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
-																	"1873433027": "TA511/Hancitor - Stats uniques -> ips/hostnames: 35 publickeys: 28",
-																	"1880445158": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
-																	"1895490765": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
-																	"1914732777": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
-																	"2002705334": "Stats uniques -> ips/hostnames: 3 publickeys: 1",
-																	"206546002": "Stats uniques -> ips/hostnames: 45 publickeys: 23",
-																	"2091175951": "Stats uniques -> ips/hostnames: 2 publickeys: 2",
-																	"289336829": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
-																	"294598720": "Stats uniques -> ips/hostnames: 3 publickeys: 1",
-																	"305419776": "Stats uniques -> ips/hostnames: 49 publickeys: 19",
-																	"305419896": "Ryuk/TrickBot/Maze/EvilCorp/Pyxie/APT41 - Stats uniques -> ips/hostnames: 269 publickeys: 172",
-																	"388888888": "Stats uniques -> ips/hostnames: 5 publickeys: 5",
-																	"401466503": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
-																	"426352781": "Stats uniques -> ips/hostnames: 267 publickeys: 207",
-																	"472168751": "Stats uniques -> ips/hostnames: 3 publickeys: 1",
-																	"475294171": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
-																	"508419252": "Stats uniques -> ips/hostnames: 3 publickeys: 1",
-																	"540231004": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
-																	"555758901": "Stats uniques -> ips/hostnames: 3 publickeys: 2",
-																	"571338205": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
-																	"582298219": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
-																	"6": "Stats uniques -> ips/hostnames: 13 publickeys: 12",
-																	"666": "Stats uniques -> ips/hostnames: 2 publickeys: 2",
-																	"666104495": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
-																	"666666": "Stats uniques -> ips/hostnames: 2 publickeys: 2",
-																	"680943040": "Stats uniques -> ips/hostnames: 3 publickeys: 1",
-																	"697620223": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
-																	"707557615": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
-																	"775423106": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
-																	"77771151": "Stats uniques -> ips/hostnames: 3 publickeys: 1",
-																	"804449981": "Stats uniques -> ips/hostnames: 3 publickeys: 1",
-																	"863200806": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
-																	"8848": "Stats uniques -> ips/hostnames: 8 publickeys: 8",
-																	"9527": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
-																	"96906161": "Stats uniques -> ips/hostnames: 4 publickeys: 1",
-																	"452436291": "REvil/Sodin/Sodinokibi - No stats",
-																	"3": "Cobalt Group - No stats",
-																	"849087011": "SolarStorm - No stats",
-																	"892810033": "Teardrop/SolarStorm - No stats"
+                                  "0": "trial or pirated? - Stats uniques -> ips/hostnames: 740 publickeys: 448",
+                                  "1": "Finspy - Stats uniques -> ips/hostnames: 29 publickeys: 21",
+                                  "100000": "Stats uniques -> ips/hostnames: 49 publickeys: 41",
+                                  "1011266395": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
+                                  "1049482653": "Stats uniques -> ips/hostnames: 2 publickeys: 2",
+                                  "1061821957": "Stats uniques -> ips/hostnames: 4 publickeys: 1",
+                                  "1083092832": "Stats uniques -> ips/hostnames: 2 publickeys: 2",
+                                  "1116519211": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
+                                  "1200302529": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
+                                  "1225345476": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
+                                  "12345": "Stats uniques -> ips/hostnames: 7 publickeys: 7",
+                                  "1234567890": "Stats uniques -> ips/hostnames: 253 publickeys: 197",
+                                  "1293900656": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
+                                  "1330515036": "Stats uniques -> ips/hostnames: 2 publickeys: 2",
+                                  "1335920331": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
+                                  "1359593325": "TrickBot/SmokeLoader/Nobelium/APT29 - Stats uniques -> ips/hostnames: 238 publickeys: 169",
+                                  "1360912112": "Stats uniques -> ips/hostnames: 3 publickeys: 3",
+                                  "1453642741": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
+                                  "1485646134": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
+                                  "153163702": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
+                                  "1548680553": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
+                                  "1580103814": "APT27/Qbot/IcedID/DarkSide/Conti/Hancitor/WizardSpider - Stats uniques -> ips/hostnames: 80 publickeys: 34",
+                                  "1580103824": "Stats uniques -> ips/hostnames: 263 publickeys: 114",
+                                  "1616449647": "Stats uniques -> ips/hostnames: 3 publickeys: 2",
+                                  "1628610335": "Stats uniques -> ips/hostnames: 2 publickeys: 2",
+                                  "1670873463": "Stats uniques -> ips/hostnames: 2 publickeys: 2",
+                                  "16777216": "Ryuk - Stats uniques -> ips/hostnames: 19 publickeys: 19",
+                                  "1711276032": "Stats uniques -> ips/hostnames: 19 publickeys: 16",
+                                  "172432245": "Stats uniques -> ips/hostnames: 3 publickeys: 1",
+                                  "1807886020": "Stats uniques -> ips/hostnames: 3 publickeys: 1",
+                                  "1857223080": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
+                                  "1873433027": "TA511/Hancitor - Stats uniques -> ips/hostnames: 35 publickeys: 28",
+                                  "1880445158": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
+                                  "1895490765": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
+                                  "1914732777": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
+                                  "2002705334": "Stats uniques -> ips/hostnames: 3 publickeys: 1",
+                                  "206546002": "Stats uniques -> ips/hostnames: 80 publickeys: 33",
+                                  "2091175951": "Stats uniques -> ips/hostnames: 2 publickeys: 2",
+                                  "2130772225": "Stats uniques -> ips/hostnames: 3 publickeys: 3",
+                                  "289336829": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
+                                  "294598720": "Stats uniques -> ips/hostnames: 3 publickeys: 1",
+                                  "305419776": "Stats uniques -> ips/hostnames: 62 publickeys: 20",
+                                  "305419896": "Ryuk/TrickBot/Maze/EvilCorp/Pyxie/APT41 - Stats uniques -> ips/hostnames: 284 publickeys: 179",
+                                  "3324337203": "Stats uniques -> ips/hostnames: 2 publickeys: 2",
+                                  "388888888": "Stats uniques -> ips/hostnames: 5 publickeys: 5",
+                                  "391144938": "Stats uniques -> ips/hostnames: 49 publickeys: 45",
+                                  "401466503": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
+                                  "426352781": "Stats uniques -> ips/hostnames: 303 publickeys: 232",
+                                  "472168751": "Stats uniques -> ips/hostnames: 3 publickeys: 1",
+                                  "475294171": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
+                                  "508419252": "Stats uniques -> ips/hostnames: 3 publickeys: 1",
+                                  "527324335": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
+                                  "540231004": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
+                                  "555758901": "Stats uniques -> ips/hostnames: 3 publickeys: 2",
+                                  "563527380": "Stats uniques -> ips/hostnames: 4 publickeys: 4",
+                                  "571338205": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
+                                  "574247": "Stats uniques -> ips/hostnames: 2 publickeys: 2",
+                                  "582298219": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
+                                  "6": "Stats uniques -> ips/hostnames: 19 publickeys: 18",
+                                  "666": "Stats uniques -> ips/hostnames: 2 publickeys: 2",
+                                  "666104495": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
+                                  "666666": "Stats uniques -> ips/hostnames: 11 publickeys: 11",
+                                  "668694132": "Stats uniques -> ips/hostnames: 7 publickeys: 7",
+                                  "674054486": "Stats uniques -> ips/hostnames: 25 publickeys: 24",
+                                  "680943040": "Stats uniques -> ips/hostnames: 3 publickeys: 1",
+                                  "697620223": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
+                                  "707557615": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
+                                  "775423106": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
+                                  "77771151": "Stats uniques -> ips/hostnames: 5 publickeys: 1",
+                                  "804449981": "Stats uniques -> ips/hostnames: 3 publickeys: 1",
+                                  "806236289": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
+                                  "863200806": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
+                                  "8848": "Stats uniques -> ips/hostnames: 8 publickeys: 8",
+                                  "921421590": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
+                                  "9527": "Stats uniques -> ips/hostnames: 2 publickeys: 1",
+                                  "96906161": "Stats uniques -> ips/hostnames: 4 publickeys: 1",
+                                  "987654321": "Stats uniques -> ips/hostnames: 24 publickeys: 21",
+                                  "452436291": "REvil/Sodin/Sodinokibi - No stats",
+                                  "3": "Cobalt Group - No stats",
+                                  "849087011": "SolarStorm - No stats",
+                                  "892810033": "Teardrop/SolarStorm - No stats"
                                },
                          "7": {
                                   "30819f300d06092a864886f70d010101050003818d003081890281810080fa8dc59ec39b73d49523c640c1cdfabbb0f0b15e943f2429c0c360862c938fb474523a0116f2ea71877f24218fc85cd959017cd0f987ec443a731a4d29a7a8fe1312d2edace8a736515d120c8f7b5e0008b7403ee3511435367f223c474ec2c0913c1dede6c1124b5089dc2aec3ef37ce24009a590ef4b8398f52e75c1f2ed020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000": {"normal": "Has known private key", "verbose": "30820275020100300d06092a864886f70d01010105000482025f3082025b0201000281810080fa8dc59ec39b73d49523c640c1cdfabbb0f0b15e943f2429c0c360862c938fb474523a0116f2ea71877f24218fc85cd959017cd0f987ec443a731a4d29a7a8fe1312d2edace8a736515d120c8f7b5e0008b7403ee3511435367f223c474ec2c0913c1dede6c1124b5089dc2aec3ef37ce24009a590ef4b8398f52e75c1f2ed02030100010281800d789de81f1df515930584b8073976c7126577ae3edfa2fca6f3c0344baf4a363f35cb04cdea54b2d1eac207c70d9a72c02cc0b005af9a57be0490d3156e1d59ac7837c74987a296671f4264781050d39ccc16f5f5024699fe6f3aad9b77e874117e213b369ef6c58c43a4423585db42eb022251914f3110b52532620fe82dad024100f6c00bf6a8e14566029cfdfef39a77c50511056f235a0dc71b46c5d5b17b6494c290496a3d76635d5ae21f615bc5e04e2a2a2001957fec6b3ce88c0ca9a36aaf02410085d04e59788f32150b4039fc0140fa06a66181cb463cdec2d573111e8904fd4aadffa63e8f2f2063c7e212bef5981c1ed2ff6f1163a04662d483067658ceb32302403b44035b9a528935a83906f4be9402626b061c95061bb2257992b51fcf8240b54e4a13a815dd229ea09ea144e42311ee14488be9757c054ff8902e5b383f8cf702407fcd78d74926f2bd58968a0adf23b0e8a30623d2028e666f8d2fae1d0cdec010106947dd1e21f37c794eb97abad4019f8b043d8f4d28a9b100a8f78616c1ac2302403e247b8970b1e457b2c82759d3427a24edfa7d309a4a619ebfcab16cb2593a67564fe7c4d68b73958f856831e9fe1d4ba2ec4281234a2a903b4b07a50084b3d5"},