devskim blog

Search

Memory Analysis (Volatility)

sections

Tags

forensic

Created

Apr 29, 2023 07:37 PM

Last Updated

Jul 30, 2023 09:49 AM

1. 사전 준비 2. 문제 참고

1. 사전 준비

Python 설치

Volatility 설정

https://github.com/volatilityfoundation/volatility3/releases
requirements.txt 설치

메모리 다운로드 (비밀번호 infected)

https://drive.google.com/file/d/12vkQFSqZQkTu89g7NIlZsqW80SCP8O9_/view?usp=sharing

pestudio 다운로드 (3번 문제)

https://www.winitor.com/download2

2. 문제

Q1. What was the date and time when Memory from the compromised endpoint was acquired?

다음의 명령어로 정보 확인

notion image

정답

2022-07-26 18:16:32

Q2. What was the suspicious process running on the system? (Format : name.extension)

다음의 명령어로 프로세스 정보 확인

notion image

다음의 명령어로 명령어 정보 확인

notion image

참고

프로세스 목록을 살펴보면 lsass.exe가 두번 포착되는데 lsass.exe 개수는 1개여야 하며, 경로는 C:\Windows\System32\lsass.exe이다

https://www.sans.org/posters/hunt-evil/

notion image

정답

lsass.exe

Q3. What was the suspicious process running on the system? (Format : name.extension)

아래의 명령어로 dmp 파일 생성

notion image

notion image

pestudio로 덤프 파일 확인

notion image

정답

winPEAS.exe

Q4. Which User Account was compromised? Format (DomainName/USERNAME)

아래의 명령어로 session 확인

notion image

notion image

notion image

정답

MSEDGEWIN10/CyberJunkie

Q5. What is the compromised user password?

아래의 명령어로 NTLM 해쉬값 확인

notion image

NTLM 복호화

https://crackstation.net/

notion image

정답

password123

참고

Getting Started to LetsDefend

Register to soc analyst/incident response training platform

Getting Started to LetsDefend

https://app.letsdefend.io/challenge/memory-analysis

Getting Started to LetsDefend

PREVRansomeware Attack (Redline)

NEXTNTFS VBR 파티션 복구