extracting-memory-artifacts-with-rekall

$ npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/extracting-memory-artifacts-with-rekall

Analyze memory dumps using Rekall to detect process hollowing, hidden processes, and rootkits.

  • Detect signs of compromise like injected code and suspicious activity during incident response.
  • Integrates with the Rekall memory forensics framework and its specialized plugins.
  • Executes established forensic plugins (e.g., pslist, malfind) against provided memory images.
  • Outputs extracted forensic artifacts detailing system anomalies and potential threats.

SKILL.md

.github/skills/extracting-memory-artifacts-with-rekall
---
name: extracting-memory-artifacts-with-rekall
description: >
  Uses Rekall memory forensics framework to analyze memory dumps for process hollowing,
  injected code via VAD anomalies, hidden processes, and rootkit detection. Applies
  plugins like pslist, psscan, vadinfo, malfind, and dlllist to extract forensic
  artifacts from Windows memory images. Use during incident response memory analysis.
domain: cybersecurity
subdomain: security-operations
tags: [extracting, memory, artifacts, with]
version: "1.0"
author: mahipal
license: Apache-2.0
---

# Extracting Memory Artifacts with Rekall

## When to Use

- When performing authorized security testing that involves extracting memory artifacts with Rekall
- When analyzing malware samples or attack artifacts in a controlled environment
- When conducting red team exercises or penetration testing engagements
- When building detection capabilities based on offensive technique understanding

## Prerequisites

- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities

## Instructions

Use Rekall to analyze memory dumps for signs of compromise including process
injection, hidden processes, and suspicious network connections.

```python
from rekall import session
from rekall import plugins  # importing this module registers the plugin classes

# Create a Rekall session with a memory image. The "rsds" autodetector locates
# the kernel's RSDS debug record (PDB GUID/age) so the matching profile can be
# fetched from the public profile repository.
s = session.Session(
    filename="/path/to/memory.raw",
    autodetect=["rsds"],
    profile_path=["https://github.com/google/rekall-profiles/raw/master"]
)

# List processes by walking the kernel's EPROCESS linked list
for proc in s.plugins.pslist():
    print(proc)

# Detect injected code: private, executable VAD regions with no backing file
for result in s.plugins.malfind():
    print(result)
```

Key analysis steps:
1. Load memory image and auto-detect profile
2. Run pslist and psscan to find hidden processes
3. Use malfind to detect injected/hollowed code in process VADs
4. Examine network connections with netscan
5. Extract suspicious DLLs and drivers with dlllist/modules

## Examples

```python
from rekall import session
from rekall import plugins  # registers the plugin classes

s = session.Session(filename="memory.raw")

# Compare pslist (walks the EPROCESS linked list) with psscan (carves EPROCESS
# pool allocations): a PID that only psscan returns may have been unlinked.
pslist_pids = set(p.pid for p in s.plugins.pslist())
psscan_pids = set(p.pid for p in s.plugins.psscan())
hidden = psscan_pids - pslist_pids
# psscan also recovers recently terminated processes whose pool memory has not
# been reused; check the exit time before treating a PID here as hidden.
print(f"Hidden PIDs: {hidden}")
```
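The pslist-vs-psscan comparison above and the malfind step of the analysis list, as an added example that is not part of this skill and does not import Rekall: it applies the same cross-view and VAD heuristics to constructed records shaped like the plugin output, so it runs offline, and goes one step further by excluding terminated processes from the hidden set. The `Proc` and `Vad` records, the sample PIDs and the region contents are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Set, Tuple

# Constructed record shapes mirroring what pslist/psscan and vadinfo/malfind
# report; a real run would fill these from the plugin output.
@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    exit_time: str = ""  # empty: still running at capture time

@dataclass(frozen=True)
class Vad:
    pid: int
    start: int
    protection: str
    private: bool        # private (anonymous) memory rather than a section
    file: str = ""       # empty: no mapped file backs the region
    head: bytes = b""    # first bytes of the region

def find_hidden_processes(pslist: Iterable[Proc], psscan: Iterable[Proc]) -> Set[int]:
    """Cross-view check. psscan carves EPROCESS pool allocations, so it also
    returns terminated processes; only running ones absent from the linked
    list are candidates for having been unlinked."""
    listed = {p.pid for p in pslist}
    return {p.pid for p in psscan if p.pid not in listed and not p.exit_time}

EXEC_WRITE = ("PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY")

def is_suspicious_vad(vad: Vad) -> bool:
    """malfind-style heuristic: private, writable+executable region with no
    backing file whose content is a PE header or at least not all zero."""
    if not vad.private or vad.file or vad.protection not in EXEC_WRITE:
        return False
    return vad.head.startswith(b"MZ") or any(vad.head)

def triage(pslist, psscan, vads) -> Tuple[Set[int], Set[int]]:
    """Return (hidden PIDs, PIDs owning at least one suspicious VAD)."""
    return (find_hidden_processes(pslist, psscan),
            {v.pid for v in vads if is_suspicious_vad(v)})

# Constructed sample: one unlinked process and one injected region.
PSLIST = [Proc(4, "System"), Proc(512, "svchost.exe"), Proc(900, "explorer.exe")]
PSSCAN = PSLIST + [Proc(1337, "unknown.exe"),
                   Proc(2200, "notepad.exe", exit_time="2024-01-01 10:00:00")]
VADS = [Vad(512, 0x7ff0000, "PAGE_EXECUTE_READWRITE", True, head=b"MZ\x90\x00"),
        Vad(900, 0x10000, "PAGE_EXECUTE_READWRITE", True, head=bytes(16)),
        Vad(900, 0x400000, "PAGE_EXECUTE_WRITECOPY", False, file="\\Windows\\explorer.exe"),
        Vad(512, 0x20000, "PAGE_READWRITE", True, head=b"\x48\x83")]
```

`triage(PSLIST, PSSCAN, VADS)` returns `({1337}, {512})`: PID 2200 is dropped because it has an exit time, and the zero-filled and file-backed regions are not flagged.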
