Memory Forensics Attack Simulation Dataset
Introduction
This post presents a curated memory forensics dataset designed to support research, detection engineering, and hands-on training in the fields of malware analysis, incident response, and threat simulation. The dataset contains memory dumps collected from controlled attack scenarios on Windows 10 systems, covering various techniques such as:
- Process injection
- Credential dumping
- Remote access trojans (RATs)
- Fileless malware
- Cobalt Strike beacons
Each scenario includes a detailed description, artefacts (e.g., .mem files), and relevant attack characteristics such as evasion techniques, persistence indicators, and suspected C2 activity.
The cases range in complexity from unknown infections to targeted Cobalt Strike intrusions, offering varied examples useful for building or testing memory analysis workflows using tools like Volatility3, YARA, and Malcat.
Whether you’re a student, analyst, or researcher, this resource is intended to provide practical value for learning and advancing your memory forensics capabilities.
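To show what a first triage pass over one of these dumps can look like, here is an added example (my code, not part of the dataset and not part of Volatility3). It assumes `windows.pslist`, `windows.psscan` and `windows.malfind` were run with Volatility3's JSON renderer (`vol -r json -f attack2.mem windows.pslist > pslist.json`, and likewise for the other two) and applies three of the checks the scenario table hints at: a process in the pool scan but not in the active list (unlinked/hidden), a well-known system binary with the wrong parent (spawn-and-inject), and a private executable region that starts with an MZ header (a PE mapped into a legitimate process). The `SAMPLE_*` lists are constructed to mimic the renderer's column names; every PID, name and byte in them is invented.

```python
"""Triage Volatility3 JSON output for hidden processes, parent anomalies and
injected PE images. Added example; not code from the dataset or Volatility3.
Assumed inputs: `vol -r json -f <dump> windows.{pslist,psscan,malfind}`.
"""
import json

# Parent/child pairs that hold on a clean Windows 10 host. A child whose
# parent is something else (svchost.exe under WINWORD.EXE) is the classic
# footprint of a spawned-then-injected host process.
EXPECTED_PARENT = {
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}

# --- constructed sample output (column names as in the JSON renderer) ---
SAMPLE_PSLIST = [
    {"PID": 600,  "PPID": 488,  "ImageFileName": "wininit.exe",  "ExitTime": None},
    {"PID": 700,  "PPID": 600,  "ImageFileName": "services.exe", "ExitTime": None},
    {"PID": 716,  "PPID": 600,  "ImageFileName": "lsass.exe",    "ExitTime": None},
    {"PID": 900,  "PPID": 700,  "ImageFileName": "svchost.exe",  "ExitTime": None},
    {"PID": 1500, "PPID": 1400, "ImageFileName": "explorer.exe", "ExitTime": None},
    {"PID": 2100, "PPID": 1500, "ImageFileName": "WINWORD.EXE",  "ExitTime": None},
    {"PID": 2436, "PPID": 2100, "ImageFileName": "svchost.exe",  "ExitTime": None},
]
# psscan carves EPROCESS blocks from pool memory, so it also returns
# processes unlinked from the active list and processes that already exited.
SAMPLE_PSSCAN = SAMPLE_PSLIST + [
    {"PID": 3120, "PPID": 2436, "ImageFileName": "rundll32.exe", "ExitTime": None},
    {"PID": 2900, "PPID": 1500, "ImageFileName": "cmd.exe",
     "ExitTime": "2024-01-01 10:00:00"},
]
SAMPLE_MALFIND = [
    {"PID": 2436, "Process": "svchost.exe", "Start VPN": 0x1C0000,
     "Protection": "PAGE_EXECUTE_READWRITE",
     "Hexdump": "4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00\tMZ.............."},
    {"PID": 1500, "Process": "explorer.exe", "Start VPN": 0x2A0000,
     "Protection": "PAGE_EXECUTE_READWRITE",
     "Hexdump": "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\t................"},
]


def load_plugin_output(path):
    """Read one `vol -r json` result file into a list of row dicts."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def find_hidden_processes(pslist, psscan):
    """PIDs the pool scan sees that the linked process list does not, and
    that have no ExitTime: a running process unlinked from the list."""
    listed = {row["PID"] for row in pslist}
    return sorted(row["PID"] for row in psscan
                  if row["PID"] not in listed and not row.get("ExitTime"))


def find_parent_anomalies(pslist):
    """(pid, name, ppid, parent name) for system binaries with the wrong
    parent; a missing parent is reported as '<missing>', not ignored."""
    by_pid = {row["PID"]: row for row in pslist}
    findings = []
    for row in pslist:
        want = EXPECTED_PARENT.get(row["ImageFileName"].lower())
        if want is None:
            continue
        parent = by_pid.get(row["PPID"])
        parent_name = parent["ImageFileName"] if parent else "<missing>"
        if parent_name.lower() != want:
            findings.append((row["PID"], row["ImageFileName"], row["PPID"], parent_name))
    return findings


def classify_malfind(malfind):
    """Every malfind hit is a private, executable, unbacked region. Split
    them into 'pe_header' (starts with MZ: a reflectively/manually mapped
    image) and 'rwx_private' (shellcode stub, but also JIT/false-positive
    territory, so rank it lower)."""
    findings = []
    for row in malfind:
        if "EXECUTE" not in row["Protection"]:
            continue
        first_two = row["Hexdump"].split()[:2]   # first two hex bytes of the dump
        kind = "pe_header" if first_two == ["4d", "5a"] else "rwx_private"
        findings.append((row["PID"], row["Start VPN"], kind))
    return findings


def triage(pslist, psscan, malfind):
    """Run all three checks; the result is what a first look should cover."""
    return {
        "hidden": find_hidden_processes(pslist, psscan),
        "parent_anomalies": find_parent_anomalies(pslist),
        "injected_regions": classify_malfind(malfind),
    }


if __name__ == "__main__":
    # Replace the SAMPLE_* lists with load_plugin_output("pslist.json") etc.
    print(json.dumps(triage(SAMPLE_PSLIST, SAMPLE_PSSCAN, SAMPLE_MALFIND), indent=2))
```

The three checks deliberately cross-reference plugins rather than trusting any one of them: `pslist` alone misses an unlinked process, `malfind` alone floods you with JIT regions, and a parent-child rule is cheap but catches the `WINWORD.EXE -> svchost.exe` pattern that the injection scenarios in the table are built around.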
Attack ID | Name | Technique(s) | Malware | Persistence | Network Activity | Evasion | Download Link |
---|---|---|---|---|---|---|---|
attack1 | Unknown_Win10_hard | Suspicious execution | Unknown | Not confirmed | Possible beaconing | Masquerading, native tool abuse | Download |
attack2 | process_Injection_hard | Process injection | NimPlantv2 | Scheduled task | Outbound C2 suspected | Code in legitimate process | Download |
attack3 | cobaltstrike_beacon_Hard | Beacon stage | Cobalt Strike | Not confirmed | C2 activity | Named pipes, obfuscation | Download |
attack4 | AsyncRAT_infection | Standalone RAT | AsyncRAT | Unknown | Encrypted HTTP/HTTPS beaconing | Blends with normal processes | Download |
attack5 | MasonRAT_intermediate | Standalone RAT | MasonRAT | Unknown | Outbound C2 | No injection | Download |
attack6 | cobaltstrike_process_inj_Hard | Process injection | Cobalt Strike | Unknown | C2 suspected | Process injection | Download |
Stay tuned for updates.