Forensics

Memory Dump

Extract "text" content from a running notepad.exe process

#Create a memory.dmp of the running notepad.exe (-ma writes a full dump, so the heap holding the text is included)
procdump.exe -accepteula -ma <pid> memory.dmp

#Identify memory profile (Volatility 2 plugin for full system memory images; the procdump process dump is searched directly with strings below)
volatility -f memory.dmp imageinfo

#' -e l ' switch is needed because notepad stores text as 16-bit little-endian (UTF-16LE); plain strings only finds 8-bit ASCII runs
strings -e l ./memory.dmp | grep "Some"
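What `strings -e l` actually does, as an added example (not from the original page): scan a dump for runs of printable characters encoded as UTF-16LE, alongside the plain 8-bit scan, over a constructed byte string that stands in for a notepad.exe dump.

```python
import re

# Constructed stand-in for a few bytes of a notepad.exe process dump (not a real dump):
# header noise, a UTF-16LE edit buffer, binary padding, an 8-bit path, another UTF-16LE string.
SAMPLE_DUMP = (
    b"MZ\x90\x00\x03PADDING\x00\x00"
    + "Some secret text never saved".encode("utf-16-le")
    + b"\x00\x00\xff\xfe"
    + b"C:\\Users\\demo\\notes.txt\x00\x01"
    + "Another window title".encode("utf-16-le")
)


def utf16le_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Equivalent of `strings -e l`: runs of at least min_len printable ASCII
    characters where every character is followed by a 0x00 byte (UTF-16LE)."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def ascii_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Equivalent of plain `strings`: runs of at least min_len printable 8-bit
    characters. UTF-16LE text never forms such a run because of the 0x00 bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def grep(found: list[str], needle: str) -> list[str]:
    """Keep only strings containing needle, like piping through grep."""
    return [s for s in found if needle in s]


if __name__ == "__main__":
    # The editor text is only visible in the 16-bit scan, which is why -e l is required.
    print("utf-16le:", grep(utf16le_strings(SAMPLE_DUMP), "Some"))
    print("ascii:   ", grep(ascii_strings(SAMPLE_DUMP), "Some"))
```

To run it on a real dump, read the file as bytes and pass them to `utf16le_strings`; the same alignment behaviour as GNU strings applies, so an 8-bit string ending just before a UTF-16LE run can appear glued to it.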

Endpoint Analysis

Windows

Start with Network Connections

Looking at shares

  • Attackers like to have staging systems on the inside of a network

  • Pull files to one location and then exfil out

  • A workstation exposing its own shares is a red flag (unlike a dedicated file server). Use a host firewall to block inbound SMB so that any newly created share cannot be reached.

#Shares this host exposes and shares visible on the network
net view
#Listening ports and active connections (-a all, -n numeric, -o owning PID)
netstat -ano
#Remote shares this host has mapped (outbound, e.g. to a staging system)
net use
#Inbound sessions other hosts have opened to this host's shares
net session
