Jarle,
I'd try running bulk_extractor against the memory dump and inspecting the
PCAP that it dumps. I'd also try using yarascan for the IP address with
both the default ASCII and with --wide for Unicode.
I'd also use Volatility's strings (AOMF pages 514-516) to run through
translated strings to dig deeper, if you haven't already, on any other IOCs
like that suspect account you already know about.
Best,
JG
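Searching a dump for a peer IP in both the ASCII and UTF-16LE forms that yarascan's default and --wide modes cover can also be scripted directly, as in this added example (not code from the thread or from Volatility); the dump fragment is constructed and the IP 203.0.113.45 is an assumed documentation-range value.

```python
# Constructed memory-dump fragment (not a real capture): the IP of interest
# appears once as ASCII and once as UTF-16LE, the way Windows often stores it.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"mstsc /v:203.0.113.45 \x00\x00"
    + b"\x00" * 8
    + "203.0.113.45".encode("utf-16-le")
    + b"\x00" * 8
    + b"192.0.2.10\x00"
)


def encodings_for(ip: str) -> dict:
    """Byte patterns matching yarascan's default (ascii) and --wide (UTF-16LE)."""
    return {"ascii": ip.encode("ascii"), "wide": ip.encode("utf-16-le")}


def scan_for_ip(dump: bytes, ip: str, context: int = 16) -> list:
    """Return every ASCII and UTF-16LE hit for `ip`, with surrounding bytes.

    The context bytes are what you then pivot on (e.g. an mstsc command line
    or a hostname) to tie the IP back to a process, user or event-log record.
    """
    hits = []
    for kind, needle in encodings_for(ip).items():
        start = 0
        while True:
            off = dump.find(needle, start)
            if off == -1:
                break
            lo, hi = max(0, off - context), off + len(needle) + context
            hits.append({"offset": off, "encoding": kind, "context": dump[lo:hi]})
            start = off + 1
    return sorted(hits, key=lambda h: h["offset"])


def yara_rule(ip: str, name: str = "rdp_peer_ip") -> str:
    """Equivalent YARA rule for yarascan: one string with both modifiers."""
    return (f"rule {name} {{\n  strings:\n"
            f'    $ip = "{ip}" ascii wide\n'
            f"  condition:\n    $ip\n}}\n")


if __name__ == "__main__":
    for h in scan_for_ip(SAMPLE_DUMP, "203.0.113.45"):
        print(f"{h['offset']:#08x} {h['encoding']:5s} {h['context']!r}")
    print(yara_rule("203.0.113.45"))
```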
On Thu, Jun 9, 2016 at 6:39 AM, Jarle Thorsen <jarlethorsen(a)gmail.com>
wrote:
I'm analyzing a Vista SP2 system that was compromised via a Remote Desktop
login (somehow the culprit had access to correct login credentials).
Security.evtx only contains information about this single illegal login
(and there are no indications that the event log was cleared).
The strange thing is that carving through memory for network packets (using
CapLoader) I find packets showing RDP traffic to additional IPs, not only
the one found in Security.evtx.
Any help in trying to put some context around these additional IPs found in
memory, using Volatility, or traditional disk forensics is highly
appreciated!
(The machine had only been running for about a week before the intrusion,
so anything found in memory should in theory be backed up by information in
the event log.)
Jarle Thorsen
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users