LetsDefend : Memory Analysis


A Windows Endpoint was recently compromised. Thanks to our cutting-edge EDR/IDS solution we immediately noticed it. The alert was escalated to Tier 2 (Incident Responders) for further investigation. As our Forensics guy, you were given the memory dump of the compromised host. You should continue to investigate.

Extract the memory image from the zipped folder and analyse it with Volatility; the plugin names used below (windows.info, windows.pstree and so on) are Volatility 3 plugins.

What was the date and time when Memory from the compromised endpoint was acquired?

Since we know this is a Windows memory image, we use the windows.info plugin to get basic information about the system (kernel build, system root, layer details). Its SystemTime field is the system clock at the moment the image was captured, reported in UTC, so that value is the date and time when memory was acquired from the compromised endpoint.

What was the suspicious process running on the system?

Use the windows.pstree plugin to list the processes in the memory image as a tree, so that the parent of every process is visible at a glance.

From here we can view each process with its PID and PPID. To find suspicious processes we trace every PID back to its PPID and check whether the parent is the one that process should legitimately have. Use the SANS Hunt Evil cheat sheet https://www.sans.org/posters/hunt-evil/ as the reference for common Windows processes, their expected parents and the number of instances normally present.

While going through the pstree list I traced each PID back to its PPID and noticed that there are two lsass.exe processes running. There should only be one: lsass.exe is started by wininit.exe, so its PPID must equal the PID of wininit.exe. One of the two lsass.exe processes has a PPID that does not match the wininit.exe PID, which makes it the suspicious process.
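The check just described (compare each process's parent and instance count against the Hunt Evil expectations) is easy to automate. The script below is an added example, not code from the original post or from LetsDefend; it parses the PID, PPID and ImageFileName columns of windows.pstree output and reports anything that violates the expected-parent or instance-count rule. The pstree text embedded in it is constructed to reproduce the two-lsass.exe situation and is not the challenge's real data, and the EXPECTED table covers only a handful of core processes from the poster.

```python
"""Flag processes whose parent or instance count deviates from the SANS
Hunt Evil expectations, using Volatility 3 windows.pstree output.
Added example; the sample output below is constructed, not real case data."""
import re
from collections import Counter

# Constructed, abridged windows.pstree output (only PID, PPID and
# ImageFileName columns; the leading '*' characters show tree depth).
SAMPLE_PSTREE = """\
PID PPID ImageFileName
4 0 System
* 296 4 smss.exe
** 392 296 csrss.exe
** 468 296 wininit.exe
*** 556 468 services.exe
*** 580 468 lsass.exe
**** 1020 556 svchost.exe
* 2232 1976 explorer.exe
** 3516 2232 lsass.exe
"""

# Expected parent image name and maximum instance count (None = any number),
# following the SANS Hunt Evil poster for a few core system processes.
EXPECTED = {
    "smss.exe":     ("System", 1),
    "csrss.exe":    ("smss.exe", None),
    "wininit.exe":  ("smss.exe", 1),
    "services.exe": ("wininit.exe", 1),
    "lsass.exe":    ("wininit.exe", 1),
    "svchost.exe":  ("services.exe", None),
}

LINE_RE = re.compile(r"^\**\s*(\d+)\s+(\d+)\s+(\S+)")


def parse_pstree(text):
    """Return {pid: (ppid, image_name)} from pstree-style text."""
    procs = {}
    for line in text.splitlines()[1:]:        # skip the header row
        m = LINE_RE.match(line)
        if m:
            procs[int(m[1])] = (int(m[2]), m[3])
    return procs


def find_suspicious(procs, expected=EXPECTED):
    """Return a list of (pid, image_name, reason) for every rule violation."""
    findings = []
    counts = Counter(name.lower() for _, name in procs.values())
    for pid, (ppid, name) in procs.items():
        rule = expected.get(name.lower())
        if rule is None:
            continue                          # no expectation recorded
        want_parent, max_count = rule
        parent = procs.get(ppid)
        if parent is None:
            # Session-0 smss.exe exits after spawning csrss/wininit, so a
            # missing parent is informational rather than proof of evil.
            findings.append((pid, name, f"parent PID {ppid} not in image (may have exited)"))
        elif parent[1].lower() != want_parent.lower():
            findings.append((pid, name,
                             f"unexpected parent {parent[1]} (PID {ppid}), expected {want_parent}"))
        if max_count is not None and counts[name.lower()] > max_count:
            findings.append((pid, name,
                             f"{counts[name.lower()]} instances, expected at most {max_count}"))
    return findings


if __name__ == "__main__":
    for pid, name, reason in find_suspicious(parse_pstree(SAMPLE_PSTREE)):
        print(f"PID {pid:>5} {name:<14} {reason}")
```

In a real case you would feed it the output of `vol -f memory.dmp windows.pstree` instead of the embedded sample. With the constructed tree above, the lsass.exe with PID 3516 is reported both for having explorer.exe as its parent and for being a second instance; the legitimate lsass.exe (PID 580) is reported only because two instances exist, which is exactly the duplicate that led to the finding in the text.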

Analyze and find the malicious tool running on the system by the attacker

First, dump the suspicious process to disk as an executable. In Volatility 3 this is done with windows.pslist, restricting it to the suspicious PID with --pid and adding --dump so the process image is written out.

Before uploading anything, compute the SHA-256 of the dumped file and search VirusTotal for that hash; a hash lookup identifies a known tool without sharing the sample. Only if the hash is unknown should you upload the binary itself, which reveals the tool used by the attacker.

Which User Account was compromised?

We will use the windows.envars plugin, which lists the environment variables of every process. Pipe its output through grep with the PID of the malicious process so only its variables are shown.

At the bottom of the list, the USERDOMAIN and USERNAME variables show the domain and the user account under which the malicious process was running, which is the compromised account.

What is the compromised user password?

To find the password of the compromised user we need the windows.hashdump plugin, which extracts the LM and NT password hashes from the SAM hive in memory, much like the infamous mimikatz does. Note that it yields hashes, not plaintext, so the password still has to be cracked.

Use John the Ripper with --format=NT (the NT hash format) and a wordlist to crack the nthash of the user CyberJunkie.
