Memory Dump

Extract "text" content from a running notepad.exe process

#Create a memory.dmp
procdump.exe -w <process> -accepteula

#Identify memory profile
volatility -f memory.dmp imageinfo

#' -e l ' switch is needed because notepad stores text in 16-bit little-endian
strings -e l ./2796.dmp | grep "Some"

Endpoint Analysis


Start with Network Connections

Looking at shares

  • Attackers like to have staging systems on the inside of a network

  • Pull files to one location and then exfil out

  • Host system opening up shares is not a good idea. Unlike a file share server. Use a host firewall to deny new shares being created.

net use
net session

Last updated