volatility3のプロファイル volatility3でWindowsのメモリ解析を行う場合には，解析時にインターネットから自動的に必要なプロファイルがダウンロードされる． Linuxの場合はメモリに合わせたプロファイルを作成する必要がある． Linuxの場合には，基本的に…

Volatility(https://github.com/volatilityfoundation/volatility3)はメモリダンプを解析するためのフレームワークである． 元々python2で書かれたvolatilit2が主流であったが，2019年にpython3に対応したvolatility3がリリースされ， 現在はvolatility3への…

LetsDefend Challenge Malware Analysis: Malicious Doc What type of exploit is running as a result of the relevant file running on the victim machine? What is the relevant Exploit CVE code obtained as a result of the analysis? What is the na…

LetsDefend Challenge Malware Analysis: Malicious VBA The document initiates the download of a payload after the execution, can you tell what website is hosting it? What is the filename of the payload (include the extension)? What method is…

LetsDefend Challenge Malware Analysis: Remote Working What is the date the file was created? With what name is the file detected by Bitdefender antivirus? How many files are dropped on the disk? What is the sha-256 hash of the file with em…

LetsDefend Challenge Malware Analysis: Presentation As a Malware What was the general name / category of the malicious file in the analyzed ppt file? Which of the url addresses it communicates with has been detected as harmful by sandboxes…

LetsDefend Challenge DFIR: Memory Analysis What was the date and time when Memory from the compromised endpoint was acquired? What was the suspicious process running on the system? (Format : name.extension) Analyze and find the malicious t…

LetsDefend Challenge DFIR: IcedID Malware Family What is the sha256 hash for the malspam attachment? What is the child process command line when the user enabled the Macro? What is the HTML Application file's sha256 hash from previous ques…

今回のアラート Start Playbook! Determine Suspicious Activity What Is Suspicious Activity? Who Performed the Activity? Add Artifacts End appendix 今回のアラート SOC164 - Suspicious Mshta Behavior Low reputation hta file executed via mshta.e…

Details playbook Connect Machine Verify Determine whether alert was TP or FP Choose Incident Type What is the initial access method used in the attack? Determines Scope of Threat/Risk to the Organization What is the persistence method used…