Memory Analysis (Volatility)

Q1. What was the date and time when Memory from the compromised endpoint was acquired?


python vol.py -f ${MEMORY_PATH} windows.info

정답

2022-07-26 18:16:32

Q2. What was the suspicious process running on the system? (Format : name.extension)


python vol.py -f ${MEMORY_PATH} windows.pslist 
python vol.py -f ${MEMORY_PATH} windows.psscan
python vol.py -f ${MEMORY_PATH} windows.pstree


python vol.py -f ${MEMORY_PATH} windows.cmdline

프로세스 목록을 살펴보면 lsass.exe가 두번 포착되는데 lsass.exe 개수는 1개여야 하며, 경로는 C:\Windows\System32\lsass.exe이다

정답

lsass.exe

Q3. What was the suspicious process running on the system? (Format : name.extension)


python vol.py -f ${MEMORY_PATH} windows.pslist --pid 7592 --dump
python vol.py -f ${MEMORY_PATH} windows.dumpfiles --pid 7592 # capstone 설치 필요

정답

winPEAS.exe

Q4. Which User Account was compromised? Format (DomainName/USERNAME)


python vol.py -f ${MEMORY_PATH} windows.sessions

정답

MSEDGEWIN10/CyberJunkie

Q5. What is the compromised user password?


python vol.py -f ${MEMORY_PATH} windows.hashdump # pycryptodome 설치 필요

정답

password123