Eugene Moore

/home

/posts

/about

Reveal

Endpoint Forensics (Volatility3)

- 3 min

Scenario:

As a cybersecurity analyst for a leading financial institution, an alert from your SIEM solution has flagged unusual activity on an internal workstation. Given the sensitive financial data at risk, immediate action is required to prevent potential breaches.

Your task is to delve into the provided memory dump from the compromised system. You need to identify basic Indicators of Compromise (IOCs) and determine the extent of the intrusion. Investigate the malicious commands or files executed in the environment, and report your findings in detail to aid in remediation and enhance future defenses.

Q1. Identifying the name of the malicious process helps in understanding the nature of the attack. What is the name of the malicious process?

  • Using the plugin windows.malfind, we can see that PID 3692, running as powershell.exe, is identified as the malicious process..

images

  • Answer : powershell.exe

Q2. Knowing the parent process ID (PID) of the malicious process aids in tracing the process hierarchy and understanding the attack flow. What is the parent PID of the malicious process?

  • To find the parent PID of the malicious process, use the plugin windows.pslist, which lists all of the current processes. Pipe the output to Select-String to search for the PID 3692, which we identified as the malicious process. Depending on your machine, you can use grep instead of Select-String. In this case, I am using PowerShell.

images

  • Answer : 4120

Q3. Determining the file name used by the malware for executing the second-stage payload is crucial for identifying subsequent malicious activities. What is the file name that the malware uses to execute the second-stage payload??

  • Since powershell.exe has been identified as malicious, we can check if any commands have been executed from it. To do this, use the windows.cmdline plugin and pipe the output to Select-String “3692” to filter commands related to the malicious process.

images

-In this case, we find that powershell.exe has executed a file on the remote server. That file, 3435.dll, is used to execute the second-stage payload.

  • Answer : 3435.dll

Q4. Identifying the shared directory on the remote server helps trace the resources targeted by the attacker. What is the name of the shared directory being accessed on the remote server?

  • Using the command information from Q3, we see that the command attempts to map a network drive to the remote address.

  • The remote address is \45.9.74.32@8888\davwwwroot*. Here, we have an IP address, Port and a directory name, which is davwwwroot.

  • Answer : davwwwroot

Q5. What is the MITRE sub-technique ID used by the malware to execute the second-stage payload?

  • Looking at the command, the attacker is using rundll32.exe to execute the malicious code.

  • Taken from MITRE ATT&CK: “Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe instead of executing directly (i.e., Shared Modules) may avoid triggering security tools that may not monitor the execution of the rundll32.exe process because of allowlists or false positives from normal operations.”

images

  • This falls under the MITRE ATT&CK technique System Binary Proxy Execution: Rundll32.

  • Answer : T1218.011

Q6. Identifying the username under which the malicious process runs helps in assessing the compromised account and its potential impact. What is the username that the malicious process runs under?

  • Using the plugin windows.getsids with the process ID 3692, we can find this answer easily. The windows.getsids plugin is used to retrieve the Security Identifiers (SIDs) associated with processes, which include the username and other account information.

images

  • Answer : Elon

Q7. Knowing the name of the malware family is essential for correlating the attack with known threats and developing appropriate defenses. What is the name of the malware family?

  • There are multiple ways to find this answer. Referring to the command from previous questions, we have an IP address. Using that IP address (45.9.74.32) and checking it on VirusTotal reveals that this IP has activity related to StrelaStealer.

images

  • Answer: StrelaStealer