
memOptix


This Jupyter notebook was created to assist DFIR professionals with triaging Windows memory dumps.

Please note that this notebook was built around the output of CrowdStrike's SuperMem Python script (https://github.com/CrowdStrike/SuperMem). SuperMem triage mode 2 or 3 should be run against the memory dump before running this notebook. A separate Volatility processing cell is provided as part of this notebook in case you decide to run Volatility against a memory dump interactively to generate the required output.

The following open-source projects are used in this notebook:

https://github.com/microsoft/msticpy

https://github.com/volatilityfoundation/volatility3

https://github.com/CrowdStrike/SuperMem

Author : J Marasinghe

Pre-requisites

  • Python 3.8 or above
  • Volatility3
  • The following API keys are required for MSTICPY enrichments: GeoIPLite, GreyNoise and OTX

Usage

  1. git clone https://github.com/blueteam0ps/memOptix.git
  2. Update msticpyconfig.yaml and include the API keys described in the pre-requisites
  3. Open the memOptix-analyst.ipynb within Jupyter and follow instructions within the notebook
  4. If you are not planning to run SuperMem and want to generate the CSVs required for the notebook, run the following cell. If you already have the CSVs, update the path as instructed and skip the CSV generation.

Generate CSVs

Screenshots

Network IOC enrichment

Process Tree Visualisation

Timeseries analysis

Image Credit Memory icons created by Darius Dan - Flaticon

memoptix's People

Contributors

blueteam0ps


memoptix's Issues

NT3, NT3 key error

Throws exception during Positive Threat Intelligence Enrichment on the IPs. If it helps, I did configure msticpyconfig.yaml with API keys for all 3 providers (GeoIPLite, GreyNoise and OTX).

ext_netclose dataframe has few ForeignAddr entries. Greatly appreciate any help!

KeyError                                  Traceback (most recent call last)
~/anaconda3/lib/python3.9/site-packages/pandas/core/indexes/base.py in get_loc(self, key, method, tolerance)
   3628             try:
-> 3629                 return self._engine.get_loc(casted_key)
   3630             except KeyError as err:

~/anaconda3/lib/python3.9/site-packages/pandas/_libs/index.pyx in pandas._libs.index.IndexEngine.get_loc()

~/anaconda3/lib/python3.9/site-packages/pandas/_libs/index.pyx in pandas._libs.index.IndexEngine.get_loc()

pandas/_libs/hashtable_class_helper.pxi in pandas._libs.hashtable.PyObjectHashTable.get_item()

pandas/_libs/hashtable_class_helper.pxi in pandas._libs.hashtable.PyObjectHashTable.get_item()

KeyError: None

The above exception was the direct cause of the following exception:

KeyError                                  Traceback (most recent call last)
/tmp/ipykernel_11641/1533737251.py in <module>
     10     if not ext_netclose.empty:
     11         ext_netclose.drop_duplicates(subset ="ForeignAddr", keep = False, inplace = True)
---> 12         resraw_intel = intel.lookup_iocs(data=ext_netclose, obs_col="ForeignAddr")
     13         res_intel = resraw_intel[resraw_intel["Result"]==True]
     14 

~/anaconda3/lib/python3.9/site-packages/msticpy/context/tilookup.py in lookup_iocs(self, data, ioc_col, ioc_type_col, ioc_query_type, providers, default_providers, prov_scope, **kwargs)
    146 
    147         """
--> 148         return _make_sync(
    149             self._lookup_iocs_async(
    150                 data=data,

~/anaconda3/lib/python3.9/site-packages/msticpy/context/provider_base.py in _make_sync(future)
    476         event_loop = asyncio.new_event_loop()
    477         asyncio.set_event_loop(event_loop)
--> 478     return event_loop.run_until_complete(future)

~/anaconda3/lib/python3.9/site-packages/nest_asyncio.py in run_until_complete(self, future)
     87                 raise RuntimeError(
     88                     'Event loop stopped before Future completed.')
---> 89             return f.result()
     90 
     91     def _run_once(self):

~/anaconda3/lib/python3.9/asyncio/futures.py in result(self)
    199         self.__log_traceback = False
    200         if self._exception is not None:
--> 201             raise self._exception
    202         return self._result
    203 

~/anaconda3/lib/python3.9/asyncio/tasks.py in __step(***failed resolving arguments***)
    256                 result = coro.send(None)
    257             else:
--> 258                 result = coro.throw(exc)
    259         except StopIteration as exc:
    260             if self._must_cancel:

~/anaconda3/lib/python3.9/site-packages/msticpy/context/tilookup.py in _lookup_iocs_async(self, data, ioc_col, ioc_type_col, ioc_query_type, providers, default_providers, prov_scope, **kwargs)
    172     ) -> pd.DataFrame:
    173         """Lookup IoCs async."""
--> 174         return await self._lookup_items_async(
    175             data,
    176             item_col=ioc_col,

~/anaconda3/lib/python3.9/site-packages/msticpy/context/lookup.py in _lookup_items_async(self, data, item_col, item_type_col, query_type, providers, default_providers, prov_scope, **kwargs)
    501         prog_task = event_loop.create_task(self._track_completion(prog_counter))
    502         # collect the return values of the tasks
--> 503         results = await asyncio.gather(*result_futures)
    504         # cancel the progress task if results have completed.
    505         prog_task.cancel()

~/anaconda3/lib/python3.9/asyncio/tasks.py in __wakeup(self, future)
    326     def __wakeup(self, future):
    327         try:
--> 328             future.result()
    329         except BaseException as exc:
    330             # This may also be a cancellation.

~/anaconda3/lib/python3.9/asyncio/tasks.py in __step(***failed resolving arguments***)
    254                 # We use the `send` method directly, because coroutines
    255                 # don't have `__iter__` and `__next__` methods.
--> 256                 result = coro.send(None)
    257             else:
    258                 result = coro.throw(exc)

~/anaconda3/lib/python3.9/site-packages/msticpy/context/provider_base.py in lookup_items_async(self, data, item_col, item_type_col, query_type, **kwargs)
    237         results = []
    238         prog_counter = kwargs.pop("prog_counter", None)
--> 239         for item, item_type in generate_items(data, item_col, item_type_col):
    240             item_type = kwargs.pop("item_type", item_type)
    241             if not item:

~/anaconda3/lib/python3.9/site-packages/msticpy/context/provider_base.py in _(data, item_col, item_type_col)
    454     for _, row in data.iterrows():
    455         if item_type_col is None:
--> 456             yield row[item_col], Provider.resolve_item_type(row[item_col])
    457         else:
    458             yield row[item_col], row[item_type_col]

~/anaconda3/lib/python3.9/site-packages/pandas/core/series.py in __getitem__(self, key)
    956 
    957         elif key_is_scalar:
--> 958             return self._get_value(key)
    959 
    960         if is_hashable(key):

~/anaconda3/lib/python3.9/site-packages/pandas/core/series.py in _get_value(self, label, takeable)
   1067 
   1068         # Similar to Index.get_value, but we do not fall back to positional
-> 1069         loc = self.index.get_loc(label)
   1070         return self.index._get_values_for_loc(self, loc, label)
   1071 

~/anaconda3/lib/python3.9/site-packages/pandas/core/indexes/base.py in get_loc(self, key, method, tolerance)
   3629                 return self._engine.get_loc(casted_key)
   3630             except KeyError as err:
-> 3631                 raise KeyError(key) from err
   3632             except TypeError:
   3633                 # If we have a listlike key, _check_indexing_error will raise

KeyError: None
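The traceback above bottoms out in msticpy's row iterator at `row[item_col]` with `item_col` set to None: the notebook cell called `lookup_iocs` with `obs_col=`, while the signature shown in the traceback names the parameter `ioc_col`, so the column name was absorbed by `**kwargs` and never reached the provider. As an added example (not code from memOptix or msticpy), the Python below mirrors that iterator on a constructed, pandas-free stand-in for the `ext_netclose` frame and adds the pre-flight check an analyst would want before an enrichment run: a clear error naming the available columns when the IoC column is missing, and a deduplicated, type-classified list of observables when it is present. `SAMPLE_ROWS`, `prepare_ioc_lookup`, `generate_items` and the other names are assumptions for illustration; the addresses are documentation ranges, not real indicators.

```python
import ipaddress
from typing import Iterator, List, Mapping, Optional, Sequence, Tuple

Row = Mapping[str, object]

# Constructed sample rows shaped like the notebook's ext_netclose frame
# (Volatility3 netscan-style columns). Addresses are RFC 5737 / RFC 3849
# documentation ranges, so nothing here is a real observable.
SAMPLE_ROWS: List[Row] = [
    {"Proto": "TCPv4", "LocalAddr": "10.0.0.5", "LocalPort": 49710,
     "ForeignAddr": "203.0.113.10", "ForeignPort": 443, "State": "CLOSED",
     "PID": 4321, "Owner": "svchost.exe"},
    {"Proto": "TCPv4", "LocalAddr": "10.0.0.5", "LocalPort": 49711,
     "ForeignAddr": "203.0.113.10", "ForeignPort": 443, "State": "CLOSED",
     "PID": 4321, "Owner": "svchost.exe"},
    {"Proto": "TCPv6", "LocalAddr": "::1", "LocalPort": 49712,
     "ForeignAddr": "2001:db8::25", "ForeignPort": 8080, "State": "CLOSED",
     "PID": 1200, "Owner": "powershell.exe"},
    {"Proto": "TCPv4", "LocalAddr": "10.0.0.5", "LocalPort": 49713,
     "ForeignAddr": "", "ForeignPort": 0, "State": "CLOSED",
     "PID": 800, "Owner": "System"},
    {"Proto": "TCPv4", "LocalAddr": "10.0.0.5", "LocalPort": 49714,
     "ForeignAddr": "not-an-address", "ForeignPort": 80, "State": "CLOSED",
     "PID": 900, "Owner": "chrome.exe"},
]


def resolve_item_type(value: object) -> str:
    """Classify an observable the way a TI lookup needs it: ipv4, ipv6 or unknown."""
    try:
        addr = ipaddress.ip_address(str(value))
    except ValueError:
        return "unknown"
    return "ipv4" if addr.version == 4 else "ipv6"


def generate_items(rows: Sequence[Row], item_col: Optional[str],
                   item_type_col: Optional[str] = None) -> Iterator[Tuple[object, str]]:
    """Same shape as the generator in the traceback: row[item_col] for every row.

    With item_col=None the subscript raises KeyError: None, exactly as in the issue.
    """
    for row in rows:
        if item_type_col is None:
            yield row[item_col], resolve_item_type(row[item_col])
        else:
            yield row[item_col], row[item_type_col]


def prepare_ioc_lookup(rows: Sequence[Row], ioc_col: Optional[str]) -> List[Tuple[object, str]]:
    """Pre-flight check before handing a frame to a TI lookup.

    Raises ValueError (naming the available columns) when ioc_col is None or
    absent, otherwise returns deduplicated (observable, type) pairs, dropping
    blanks and values that are not IP addresses, since ext_netclose holds IPs.
    """
    if ioc_col is None:
        raise ValueError(
            "ioc_col is None: the column keyword never reached the lookup "
            "(lookup_iocs takes ioc_col=...; an unrecognised keyword lands in **kwargs)")
    if not rows:
        return []
    columns = list(rows[0].keys())
    if ioc_col not in columns:
        raise ValueError(f"column {ioc_col!r} not in frame; available: {columns}")
    seen = set()
    items: List[Tuple[object, str]] = []
    for value, ioc_type in generate_items(rows, ioc_col):
        if not value or ioc_type == "unknown" or value in seen:
            continue
        seen.add(value)
        items.append((value, ioc_type))
    return items


def lookup_error(rows: Sequence[Row], ioc_col: Optional[str]) -> Optional[str]:
    """Return the pre-flight error message for (rows, ioc_col), or None if it passes."""
    try:
        prepare_ioc_lookup(rows, ioc_col)
    except ValueError as err:
        return str(err)
    return None


def reproduce_issue(rows: Sequence[Row]) -> str:
    """Drive the unchecked iterator with a None column and report the exception raised."""
    try:
        list(generate_items(rows, None))
    except KeyError as err:
        return repr(err)
    return "no error"


if __name__ == "__main__":
    print(reproduce_issue(SAMPLE_ROWS))            # the failure from the issue
    print(lookup_error(SAMPLE_ROWS, "obs_col"))    # clear message instead of KeyError: None
    print(prepare_ioc_lookup(SAMPLE_ROWS, "ForeignAddr"))
```

One further caveat from the cell shown in the traceback: `drop_duplicates(subset="ForeignAddr", keep=False)` discards every row whose address occurs more than once, so a host contacted repeatedly disappears from the enrichment set entirely; the helper above keeps one occurrence per address instead, which is usually what triage wants.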
