Wisdom of the crowds: Detecting anomalous behavior based on mass memory analysis

Anomaly detection is a huge deal these days, there are some tools in the market that seem to perform the task, but they are pricey, complicated and too much for a non-enterprise organization.  I have written  a little script that takes a memory dump, Gives it a unique UUID and inserts to a MySQL database the output of the following volatility commands: psscan,sockets,connections and svcscan. That output can be queried in pretty interesting ways, and as you get more memory dumps, the statistics get more interesting, and it will be easier to find out anomalies.

For example, Here is a query that gets me the statistics about open sockets.


We can see that out of all the computers, we have 5 sockets open to the IP, which in this case was just a private IP address.

Another nice query, links sockets and process names, grouped together.


Here is a list of processes in the 12 computers, from the most common to the uncommon. pslist


After I have found that suspect process named aelas.exe, I went on and looked if it has any open sockets…


This one is pretty interesting, and is a list of services binary paths. You can easily see a few suspect services here 🙂



A list of common sockets, and uncommon ones:


I`m still working on this project, and trying to implement more complex commands, like apihooks,malfind and the like. Another feature I am working on right now, is that as part of the processing the script will dump all the processes and compare them with  additional process dumps from the database in order to white list the similar, and highlight the anomalies. The comparison algorithm will be based on different tools, like pehash,ssdeep, import hashing etc.

I made this test on 12 Memory dumps of different Windows XP Service Pack 2 machines, some infected with malware and some clean. As I collect more memory dumps, I keep adding them to the database and Improving the results. I will update as I progress with the development. When the project will be ripe I will be happy to open a git repository to share it.