It's been a while since I last did one of the CyberDefenders challenges so when I saw they published a new forensics challenge I had to jump on it and learn new stuff. I had an hour to spare for lunch but didn't't want to eat, so I spent it working on the challenge instead.
One of the SOC analysts took a memory dump from a machine infected with a meterpreter malware. As a Digital Forensicators, your job is to analyze the dump, extract the available indicators of compromise (IOCs) and answer the provided questions.
I will include the command I used to solve the questions but not the answers, that part you should figure on your own, so you can have some fun.
Questions
1. What is the SHA1 hash of triage.mem (memory dump)?
Pretty straightforward question. Extract the memory image and run the following command to get the file SHA1 hash.
sha1sum Triage-Memory.mem2. What volatility profile is the most appropriate for this machine? (ex: Win10x86_14393)
Volatility has an option that provides you with image information, including possible profiles. Run the command, and you would get the profile suggestions.
./volatility -f Triage-Memory.mem imageinfo3. What was the process ID of notepad.exe?
To get a list of processes and their PIDs, use the pslist option.
./volatility -f Triage-Memory.mem --profile=Win7SP1x64 pslist4. Name the child process of wscript.exe?
To get the full tree of processes – including child processes – use the pstree option.
./volatility -f Triage-Memory.mem --profile=Win7SP1x64 pstree5. What was the IP address of the machine at the time the RAM dump was created?
To get the full list of network connections – including IP addresses – use the netscan option.
./volatility -f Triage-Memory.mem --profile=Win7SP1x64 netscan6. Based on the answer regarding the infected PID, can you determine the IP of the attacker?
The answer to this question can be found in the output from the previous command.
./volatility -f Triage-Memory.mem --profile=Win7SP1x64 netscan7. How many processes are associated with VCRUNTIME140.dll?
Use the dlllist option to get a list of all loaded DLL files (tip: pipe it into a file) and look for the DLL file and count the processes associated with it.
./volatility -f Triage-Memory.mem --profile=Win7SP1x64 dlllist8. What is the md5 hash of the potential malware on the system?
We know the name of the suspicious file, and it's PID. Use the following command to dump the file and then run md5sum to get the md5 hash.
./volatility -f Triage-Memory.mem --profile=Win7SP1x64 procdump -D dump/ -p 3496
md5hash filename9. What is the LM hash of Bob's account?
First run the tool with the hivelist option to get a list of registry memory mapping.
./volatility hivelist -f Triage-Memory.mem --profile=Win7SP1x64Find the virtual address for both SYSTEM and SAM, then run the following command to get a list of accounts and their hashes:
/volatility hashdump -f Triage-Memory.mem --profile=Win7SP1x64 -y 0xfffff8a000024010 -s 0xfffff8a000e6601010. What memory protection constants does the VAD node at 0xfffffa800577ba10 have?
./volatility -f Triage-Memory.mem --profile=Win7SP1x64 vadinfo > vadinfo.txt11. What memory protection did the VAD starting at 0x00000000033c0000 and ending at 0x00000000033dffff have?
./volatility -f Triage-Memory.mem --profile=Win7SP1x64 vadinfo > vadinfo.txt12. There was a VBS script that ran on the machine. What is the name of the script? (submit without file extension)
./volatility -f Triage-Memory.mem --profile=Win7SP1x64 cmdline13. An application was run at 2019-03-07 23:06:58 UTC. What is the name of the program? (Include extension)
Use the shimcache option to get a full list of all executed applications and execution times, then look up the time mentioned in the question to find the answer.
./volatility -f Triage-Memory.mem --profile=Win7SP1x64 shimcache> shimcache.txt14. What was written in notepad.exe at the time when the memory dump was captured?
We know the PID of notepad.exe, use the memdump to dump the process memory then use strings or a hexeditor to look through the data, you should find the flag quite easily.
./volatility -f Triage-Memory.mem --profile=Win7SP1x64 memdump --pid=303215. What is the short name of the file at file record 59045?
This question stumped me for some time and while researching on Google I found a write-up from a DEFCON CTF challenge that had the solution.
./volatility -f Triage-Memory.mem --profile=Win7SP1x64 mftparser > mft.txt16. This box was exploited and is running meterpreter. What was the infected PID?
This would be the same PID for the process from question 4.
Links
- DumpMe | CyberDefenders ® | Blue Team CTF Challenges
- https://www.andreafortuna.org/2018/03/02/volatility-tips-extract-text-typed-in-a-notepad-window-from-a-windows-memory-dump/
- https://blog.cyberhacktics.com/carving-files-from-memory-with-volatility/
- https://www.andreafortuna.org/2017/07/03/volatility-my-own-cheatsheet-part-2-processes-and-dlls/
- https://www.andreafortuna.org/2017/07/10/volatility-my-own-cheatsheet-part-3-process-memory/
- https://www.andreafortuna.org/2017/08/21/volatility-my-own-cheatsheet-part-8-filesystem/
- https://book.hacktricks.xyz/forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples#command-line
- Write-Up: Memory Forensics in the DEF CON DFIR CTF. | by darkdefender | Medium