grrcon - you sneakymonkey!

grrcon

A collection of 4 posts

GrrCon 2017 DFIR write up - Level 1

GrrCon 2017 DFIR write up - Level 1

#GrrCon 2017 #DFIR #CTF challenge. Several host images and memory dumps need to be analysed and investigated. Submit IOCs as you progress...

GrrCon 2016 DFIR Write up - Part 3

GrrCon 2016 DFIR Write up - Part 3

Level 3 Question 16) What is the maldoc md5hash? Start by using FILESCAN and searching for documents .rtf, .doc, .docx etc... root@ubuntu:~# python volatility/vol.py -f /mnt/hgfs/Shared/Part3/ecorpwin7-e73257c4.vmem --profile=Win7SP1x64 filescan > files.txt root@ubuntu:~# more part3/files.txt | grep .rtf 0x000000007d6b33c0 1 0

GrrCon 2016 DFIR Write up - Part 2

GrrCon 2016 DFIR Write up - Part 2

Level 2 Question 5) What is the password the malware used to enable remote access to the system? From the community Volatility section, download and call the 'editbox' plugin. Also, I didn't know, this is now included by default :) ./volatility_2.5_mac -f win7ecorpoffice2010-36b02ed3.vmem --profile=Win7SP1x64 --plugins=/volplugins/

GrrCon 2016 DFIR Write up - Part 1

GrrCon 2016 DFIR Write up - Part 1

CTF HOMEPAGE https://ir.e-corp.biz/home To start off, get Volatility or a prebuilt vm like SANS SIFT Workstation, they've recommended using the provided Security Onion image. Also, check out the community plugin repo for Volatility. Download CTF files - specifically NSM.zip ** SPOILER ALERT ** Level 1 Question 1)