diff --git a/README.md b/README.md index bc87867..5297ebb 100644 --- a/README.md +++ b/README.md 
@@ -54,79 +54,79 @@ Download the latest version of **MemProcFS-Analyzer** from the [Releases](https: ## Usage Launch Windows PowerShell (or Windows PowerShell ISE or Visual Studio Code w/ PSVersion: 5.1) as Administrator and open/run MemProcFS-Analyzer.ps1. -![First-Run](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0780ec4a5fc62219e12791456f5f1e38d5b10b1a/Screenshots/01.png) +![First-Run](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/01.png) **Fig 1:** MemProcFS-Analyzer.ps1 (First Run) → Updater.ps1 -![Updater](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0780ec4a5fc62219e12791456f5f1e38d5b10b1a/Screenshots/01.png) +![Updater](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/02.png) **Fig 2:** Updater.ps1 automatically installs/updates all dependencies (First Run) -![File-Browser](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0780ec4a5fc62219e12791456f5f1e38d5b10b1a/Screenshots/01.png) +![File-Browser](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/03.png) **Fig 3:** Select your Memory Snapshot and select your pagefile.sys (Optional) -![Microsoft-Internet-Symbol-Store](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0780ec4a5fc62219e12791456f5f1e38d5b10b1a/Screenshots/03.png) +![Microsoft-Internet-Symbol-Store](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/04.png) **Fig 4:** Accept Terms of Use (First Run) -![MemProcFS](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0780ec4a5fc62219e12791456f5f1e38d5b10b1a/Screenshots/04.png) +![MemProcFS](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/05.png) **Fig 5:** If you find MemProcFS useful, please become a sponsor at: https://github.com/sponsors/ufrisk 
-![MountPoint](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/05.png) +![MountPoint](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/06.png) **Fig 6:** You can investigate the mounted memory dump by exploring drive letter -![FindEvil](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0780ec4a5fc62219e12791456f5f1e38d5b10b1a/Screenshots/07.png) +![FindEvil](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/07.png) **Fig 7:** FindEvil feature and additional analytics -![Processes](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/08.png) +![Processes](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/08.png) **Fig 8:** Processes -![RunningAndExited](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/09.png) +![RunningAndExited](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/09.png) **Fig 9:** Running and Exited Processes -![ProcessTree](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/10.png) +![ProcessTree](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/10.png) **Fig 10:** Process Tree (GUI) -![ProcessTreeSearch](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/11.png) +![ProcessTreeSearch](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/11.png) **Fig 11:** Checking Process Tree (to find anomalies) -![ProcessTreeAlerts](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/12.png) 
+![ProcessTreeAlerts](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/12.png) **Fig 12:** Process Tree: Alert Messages w/ Process Call Chain -![PropertiesView](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/13.png) +![PropertiesView](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/13.png) **Fig 13:** Process Tree: Properties View → Double-Click on a process or alert message -![IPinfo](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/14.png) +![IPinfo](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/14.png) **Fig 14:** GeoIP w/ IPinfo.io -![MapReport](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/15.png) +![MapReport](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/15.png) **Fig 15:** Map IPs w/ IPinfo.io -![EVTX](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/16.png) +![EVTX](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/16.png) **Fig 16:** Processing Windows Event Logs (EVTX) -![Zircolite](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/17.png) +![Zircolite](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/17.png) **Fig 17:** Zircolite - A standalone SIGMA-based detection tool for EVTX (Mini-GUI) -![Amcache](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/18.png) +![Amcache](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/18.png) 
**Fig 18:** Processing extracted Amcache.hve → XLSX -![ShimCache](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/19.png) +![ShimCache](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/19.png) **Fig 19:** Processing ShimCache → XLSX -![Timeline-Explorer](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/20.png) +![Timeline-Explorer](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/20.png) **Fig 20:** Analyze CSV output w/ Timeline Explorer (TLE) -![ELK-Import](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/21.png) +![ELK-Import](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/21.png) **Fig 21:** ELK Import -![ELK-Timeline](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/22.png) +![ELK-Timeline](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/22.png) **Fig 22:** Happy ELK Hunting! -![Secure-Archive-Container](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0780ec4a5fc62219e12791456f5f1e38d5b10b1a/Screenshots/23.png) +![Secure-Archive-Container](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/23.png) **Fig 23:** Multi-Threaded ClamAV Scan to help you finding evil! 
;-) -![Message-Box](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/24.png) +![Message-Box](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/24.png) **Fig 24:** Press **OK** to shutdown MemProcFS and Elastisearch/Kibana -![Output](https://github.com/evild3ad/MemProcFS-Analyzer/blob/0bb85b553644a29675e4116133e7346b080d07a2/Screenshots/25.png) +![Output](https://github.com/evild3ad/MemProcFS-Analyzer/blob/f68d625bafec260f85d781c90446a9196c5accde/Screenshots/25.png) **Fig 25:** Secure Archive Container (PW: MemProcFS) ## Introduction MemProcFS and Memory Forensics
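Review bot: every `![...](...)` line in this hunk pins the screenshot to the full commit hash `f68d625bafec260f85d781c90446a9196c5accde`, so the next screenshot refresh will again require touching all 25 image lines and invites the same kind of drift this change is correcting (in the removed lines Fig 2 and Fig 3 both pointed at `01.png`, Fig 4 at `03.png`, Fig 5 at `04.png` and Fig 6 at `05.png`, and the old links were split across two different hashes, `0780ec4a...` and `0bb85b55...`). Consider repository-relative paths such as `![Updater](Screenshots/02.png)` so the images track the branch without per-commit edits; if pinning is intentional for reproducibility, say so in the README. While the captions are being touched, the unchanged context lines still carry "Elastisearch/Kibana" (Elasticsearch) and "to help you finding evil" (to help you find evil), which could be fixed in the same pass.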