LetsDefend challenge Memory Analysis writeup

Md. Mahim Bin Firoj
3 min readMay 19, 2023

--

In this writeup i will walk you through how this challenge is solved with proper explanation.

We will solve the challenge using volatility 3 so here is process of installing it. I am using sansforensics workstation to install it.

1. git clone https://github.com/volatilityfoundation/volatility3.git

2. cd volatility3

3. sudo python setup.py install

4. python3 vol.py --h

5. /usr/bin/python3 -m pip install --upgrade pip

6. pip3 install -r requirements.txt

Q1. What was the date and time when Memory from the compromised endpoint was acquired?

Go to the volatility3 directory and run the above command displayed in the above screenshot. The plugin you should use for this question is windows.info

Q2. What was the suspicious process running on the system? (Format : name.extension)

In order to solve this question you need to know what is normal in the windows process. How many normal instances of processes should present on a windows system. You can follow the below link to get started.

I am explaining how to catch malicious process from this memory dump. Assume that we have already know what are the normal processes and how many of them should be present in windows system.

When we run the windows.pslist plugin then we notice that there are two instances of lsass.exe process whereas it should only be one. So its suspicious.

This is the legitimate one. How i am saying that? Because the legitimate one always comes from wininit.exe

wininit.exe process id is 500 and lsass.exe parent process id is also 500, so its legitimate.

Now lets have a look on the malicious one.

Here we can see that malicious lsass.exe’s parent process is 3996 and 3996 is the process id of explorer.exe that means attacker already had access on the system and execute that .exe directly. When you execute anything by double clicking it, then its parent process should be explorer.exe

So, here the answer is lsass.exe

Q3. Analyze and find the malicious tool running on the system by the attacker (Format name.extension)

To answer this question, you should dump the process, take the hash of it, and upload it to virustotal to check what is the actual name of the process that attacker executed.

dumping malicious process
hash of the malicious process

So the answer is winpeas.exe

Q4. Which User Account was compromised? Format (DomainName/USERNAME)

In order to answer this question you need to use windows.sessions plugin.

This is the answer.

Q5. What is the compromised user password?

You need to use windows.hashdump plugin to answer this.

This is the answer.

Hope you like it.

Please subscribe below. Thanks.

LinkedIn:

https://www.linkedin.com/in/md-mahimbin-firoj-7b8a5a113/

YouTube:

https://www.youtube.com/@mahimfiroj1802/videos

--

--