Last month I introduced a small Python script, vol2log, that ships the JSON output file Volatility creates to Graylog. Since then, I've been working on different ways to enrich that data so we can automate some of our threat hunting and scale it easily. A lot of what I'm doing already exists in single plugins, like malprocfind, which is awesome for analysis on a single machine, but many plugins do not support JSON output, which prevents us from simply shipping their results to a SIEM. It would probably be just as easy for me to add that functionality to those specific plugins, but I intend to expand many of the Graylog pipelines I've created to include the output from a threat-hunting PowerShell framework I'm also working on.

Having said that, I'm going to contradict myself a bit: nested queries aren't really a thing yet in Elasticsearch, and it was easier to do some of this analysis in the vol2log script itself. Eventually the idea is to migrate these analysis techniques into Graylog pipelines, and to update this project as I develop new analysis for other plugins and for some of the PowerShell scripts I have written.

PSList enhancements: To begin with, the vol2log script has been updated to include additional analysis of the output of pslist. This analysis enumerates the entire output and identifies the PIDs of key processes. With this information we can check the following:

Ensure each of the common critical Windows processes has the expected parent process. This list should grow as I continue to develop it.

Ensure the number of instances of each process is correct, and that there are not too many of certain processes running.

If any of the above checks fail, a field called "PotentiallyMaliciousProcess" is added and set to True. By generating a quick chart pivoting on any "PotentiallyMaliciousProcess" field that is set to true, we can identify commonly used techniques and analyze them as we ship logs from a variety of sources. Here is an example from a single host showing 3 different lsass.exe processes; the script flagged this as abnormal because there is only supposed to be a single lsass.exe instance.
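The two checks described above (expected parent process and instance count), as an added example that is not vol2log's own code. It assumes Volatility 2's `--output=json` shape for pslist (a `columns` list plus a `rows` list of lists) and uses a constructed sample that reproduces the three-lsass.exe case; the `EXPECTED_PARENT` and `MAX_INSTANCES` tables are an illustrative subset, not the script's actual list.

```python
import json
from collections import Counter

# Constructed sample in the shape Volatility 2 emits with --output=json for pslist.
# Offsets, handle/thread counts and timestamps are made up; the interesting part is
# three lsass.exe entries, two of which have the wrong parent.
SAMPLE_PSLIST_JSON = json.dumps({
    "columns": ["Offset(V)", "Name", "PID", "PPID", "Thds", "Hnds",
                "Sess", "Wow64", "Start", "Exit"],
    "rows": [
        ["0x1", "System",       4,    0,    80, 500, -1, 0, "2024-01-01 10:00:00", ""],
        ["0x2", "smss.exe",     300,  4,    2,  30,  -1, 0, "2024-01-01 10:00:01", ""],
        ["0x3", "wininit.exe",  400,  300,  3,  80,  0,  0, "2024-01-01 10:00:02", ""],
        ["0x4", "services.exe", 500,  400,  8,  200, 0,  0, "2024-01-01 10:00:03", ""],
        ["0x5", "lsass.exe",    520,  400,  9,  600, 0,  0, "2024-01-01 10:00:03", ""],
        ["0x6", "svchost.exe",  700,  500,  10, 300, 0,  0, "2024-01-01 10:00:04", ""],
        ["0x7", "explorer.exe", 1200, 1100, 30, 900, 1,  0, "2024-01-01 10:01:00", ""],
        ["0x8", "cmd.exe",      1300, 1200, 1,  40,  1,  0, "2024-01-01 10:05:00", ""],
        ["0x9", "lsass.exe",    1400, 1300, 1,  20,  1,  0, "2024-01-01 10:05:10", ""],
        ["0xa", "lsass.exe",    1500, 700,  1,  20,  0,  0, "2024-01-01 10:05:20", ""],
    ],
})

# Assumed, illustrative expectations for a few critical processes (lowercase names).
# A real table would be longer; the post says its own list will keep growing.
EXPECTED_PARENT = {
    "wininit.exe": "smss.exe",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}
MAX_INSTANCES = {"wininit.exe": 1, "services.exe": 1, "lsass.exe": 1}


def analyze_pslist(pslist_json):
    """Turn pslist JSON into one event dict per process, flagging suspicious ones.

    Each event carries Name/PID/PPID/ParentName; when a check fails it also gets
    PotentiallyMaliciousProcess=True and a human-readable Reason, ready to ship
    as a log record.
    """
    data = json.loads(pslist_json)
    rows = [dict(zip(data["columns"], row)) for row in data["rows"]]

    # First pass: PID -> name map so a PPID can be resolved to a parent name,
    # and per-name instance counts for the "too many copies" check.
    name_by_pid = {row["PID"]: row["Name"].lower() for row in rows}
    counts = Counter(row["Name"].lower() for row in rows)

    events = []
    for row in rows:
        name = row["Name"].lower()
        parent_name = name_by_pid.get(row["PPID"], "unknown")
        event = {
            "Name": row["Name"],
            "PID": row["PID"],
            "PPID": row["PPID"],
            "ParentName": parent_name,
        }
        reasons = []

        # Check 1: critical processes must hang off their expected parent.
        expected = EXPECTED_PARENT.get(name)
        if expected is not None and parent_name != expected:
            reasons.append(f"parent is {parent_name}, expected {expected}")

        # Check 2: no more instances of a singleton process than allowed.
        limit = MAX_INSTANCES.get(name)
        if limit is not None and counts[name] > limit:
            reasons.append(f"{counts[name]} instances, expected at most {limit}")

        if reasons:
            event["PotentiallyMaliciousProcess"] = True
            event["Reason"] = "; ".join(reasons)
        events.append(event)
    return events


def flagged_processes(pslist_json):
    """Convenience filter: only the events that tripped a check."""
    return [e for e in analyze_pslist(pslist_json) if e.get("PotentiallyMaliciousProcess")]


if __name__ == "__main__":
    for event in flagged_processes(SAMPLE_PSLIST_JSON):
        print(json.dumps(event))
```

Note that the instance-count check flags the legitimate lsass.exe (PID 520) as well as the two impostors, which mirrors what the post's chart shows for the three-lsass.exe host; the Reason field is what lets an analyst separate "wrong parent" from "too many copies" once the events are in Graylog.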