Lab 16: DFIR Memory Forensics with Volatility
Chapters: 27 (Digital Forensics), 28 (Advanced Incident Response)
Difficulty: Expert
Estimated Time: 4-5 hours
Prerequisites: Lab 12 (DFIR Artifact Analysis), Chapter 27, Chapter 28
Overview
In this lab you will:
- Perform deep process analysis on a synthetic memory dump to identify process hollowing, orphan processes, and suspicious parent-child relationships using Volatility
- Extract and analyze network artifacts including active connections, DNS cache entries, and command-and-control (C2) communication patterns from volatile memory
- Detect code injection techniques including DLL injection, reflective DLL loading, and process hollowing through VAD analysis and malfind scanning
- Hunt for rootkit indicators including SSDT hooks, IDT modifications, DKOM-based process hiding, and hidden kernel drivers
- Build a comprehensive forensic timeline by correlating memory artifacts with extracted IOCs, registry keys, and credential material
Synthetic Data Only
All data in this lab is 100% synthetic and fictional. All IP addresses use RFC 5737 (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) or RFC 1918 (10.0.0.0/8, 172.16.0.0/12) reserved ranges. All hostnames use *.example or *.example.com domains. All credentials are shown as testuser/REDACTED. All hashes are clearly labeled SYNTHETIC and follow fabricated patterns. No real malware, real hosts, real threat actors, or real credentials are referenced. Malware names (SHADOWBYTE, NIGHTCRAWLER) are entirely fictional. This lab is for defensive education only — never use these techniques against systems you do not own.
Relationship to Lab 12
Lab 12 introduced DFIR artifact analysis across filesystem, registry, and log sources. This lab dives deeper into volatile memory forensics — analyzing RAM captures to uncover artifacts that never touch disk. Attackers increasingly operate entirely in memory to evade traditional forensics. Complete Lab 12 first for maximum benefit.
Scenario
Incident Brief — NovaCorp Financial
Organization: NovaCorp Financial (fictional)
Internal Network: 10.20.0.0/16
SOC SIEM: Sentinel / Splunk hybrid (SYNTHETIC)
Domain Controller: 10.20.1.10 (dc01.novacorp.example)
Affected Workstation: 10.20.5.42 (ws-fin-042.novacorp.example) — Windows 10 22H2, 16 GB RAM
Affected Server: 10.20.3.15 (srv-app-015.novacorp.example) — Windows Server 2022, 32 GB RAM
File Server: 10.20.3.20 (srv-files-020.novacorp.example)
Threat Actor Designation: PHANTOM-VIPER (fictional APT group)
Malware Family: SHADOWBYTE (RAT/backdoor, fictional), NIGHTCRAWLER (rootkit, fictional)
Incident Start (estimated): 2026-03-10 09:15 UTC
Detection Time: 2026-03-12 14:37 UTC
Memory Acquisition Time: 2026-03-12 15:02 UTC
Engagement Type: Post-breach memory forensics investigation
Summary: NovaCorp Financial's SOC detected anomalous outbound HTTPS traffic from workstation ws-fin-042 to IP address 198.51.100.47 on port 443. Network flow analysis revealed periodic beaconing at 60-second intervals with jittered timing. EDR telemetry showed svchost.exe spawning cmd.exe processes outside of normal service operations. The IR team acquired full physical memory dumps from the affected workstation (16 GB) and a lateral-movement target server (32 GB) using WinPMEM. Your task is to analyze these memory dumps to determine the full scope of the compromise, identify all malware components, extract IOCs, and reconstruct the attack timeline.
Initial Triage Findings:
- EDR flagged svchost.exe (PID 4872) with unusual network activity
- Proxy logs show connections to update.novacorp-cdn.example resolving to 198.51.100.47
- HR reported a suspicious email with an attachment received by user jdoe on 2026-03-10
- No known malware signatures matched — suspected custom/zero-day tooling
Environment Setup
Memory Dump Metadata
The following synthetic memory dumps are used throughout this lab. In a real engagement, these would be acquired using tools like WinPMEM, DumpIt, or FTK Imager.
=== MEMORY DUMP #1 — Workstation ===
Filename: ws-fin-042_20260312_1502.raw
Source Host: ws-fin-042.novacorp.example (10.20.5.42)
Acquisition Tool: WinPMEM 4.0
Acquisition Time: 2026-03-12 15:02:33 UTC
Image Size: 16,384 MB (16 GB)
SHA-256: SYNTHETIC-HASH-a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2
OS Profile: Win10x64_22H2_19045
Architecture: AMD64
Page Size: 4096
=== MEMORY DUMP #2 — Application Server ===
Filename: srv-app-015_20260312_1518.raw
Source Host: srv-app-015.novacorp.example (10.20.3.15)
Acquisition Tool: WinPMEM 4.0
Acquisition Time: 2026-03-12 15:18:47 UTC
Image Size: 32,768 MB (32 GB)
SHA-256: SYNTHETIC-HASH-b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3
OS Profile: Win2022x64_20348
Architecture: AMD64
Page Size: 4096
Tool Installation
# SYNTHETIC — Install Volatility 3
# Analysis Workstation: analyst-ws.novacorp.example (10.20.10.5)
# Clone Volatility 3
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
pip3 install -r requirements.txt
# Verify installation
python3 vol.py --help
# Download symbol tables (Windows) into the package's symbols directory
mkdir -p volatility3/symbols
cd volatility3/symbols
wget https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip
unzip windows.zip
cd ../..   # back to the repository root, where vol.py lives
# Verify profile detection
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.info
# Expected output (SYNTHETIC):
# Variable Value
# Kernel Base 0xf8007c600000
# DTB 0x1ad000
# Symbols ntkrnlmp.pdb/SYNTHETIC-GUID
# Is64Bit True
# IsPAE False
# primary layer Intel32e
# KdVersionBlock 0xf8007d21f398
# Major/Minor 15.19045
# MachineType 34404
# KeNumberProcessors 4
# SystemTime 2026-03-12 15:02:33 UTC
# NtBuildLab 19045.1.amd64fre.vb_release.191206-1406
# NtProductType NtProductWinNt
# NtSystemRoot \Device\HarddiskVolume3\Windows
# SYNTHETIC — Install Volatility 2
# Analysis Workstation: analyst-ws.novacorp.example (10.20.10.5)
# Clone Volatility 2
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
pip2 install pycrypto distorm3 yara-python
# Verify installation
python2 vol.py --info | grep "Win10x64"
# Identify profile
python2 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw imageinfo
# Expected output (SYNTHETIC):
# Suggested Profile(s) : Win10x64_19041
# AS Layer1 : SkipDuplicatesASx64 (Kernel AS)
# AS Layer2 : WindowsAMD64PagedMemory (Kernel AS)
# AS Layer3 : FileAddressSpace (/cases/novacorp/ws-fin-042_20260312_1502.raw)
# PAE type : No PAE
# DTB : 0x1ad000
# KDBG : 0xf8007d21f398
# Number of Processors : 4
# Image date and time : 2026-03-12 15:02:33 UTC+0000
# Image local date and time : 2026-03-12 11:02:33 -0400
Case Directory Structure
/cases/novacorp/
├── ws-fin-042_20260312_1502.raw # Workstation memory dump
├── srv-app-015_20260312_1518.raw # Server memory dump
├── analysis/
│ ├── process/ # Process analysis output
│ ├── network/ # Network artifact output
│ ├── injection/ # Code injection findings
│ ├── rootkit/ # Rootkit detection output
│ ├── timeline/ # Timeline artifacts
│ └── iocs/ # Extracted IOCs
├── evidence/
│ ├── dumped_files/ # Extracted files from memory
│ ├── registry_hives/ # Dumped registry hives
│ └── screenshots/ # Process memory screenshots
└── reports/
├── findings.md # Analyst findings
└── ioc_report.csv # IOC export
Exercise 1: Process Analysis
Objectives
- Enumerate all running processes and identify suspicious entries using pslist, pstree, and psxview
- Detect process hollowing by comparing in-memory process images to expected executables
- Identify orphan processes and anomalous parent-child relationships
- Cross-reference process metadata against known-good baselines
1.1 Initial Process Enumeration
Begin by listing all processes in the memory dump to establish a baseline view.
# SYNTHETIC — List all processes
# Memory dump: ws-fin-042_20260312_1502.raw
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.pslist
# Expected output (SYNTHETIC — abbreviated):
# PID PPID ImageFileName Offset(V) Threads Handles Sess Wow64 CreateTime ExitTime
# 4 0 System 0xfa8003c4a040 142 - - False 2026-03-10 06:15:22.000000 -
# 104 4 Registry 0xfa8003c4e080 4 - - False 2026-03-10 06:15:18.000000 -
# 392 4 smss.exe 0xfa8003e81300 2 - - False 2026-03-10 06:15:22.000000 -
# 508 500 csrss.exe 0xfa8004128080 13 584 0 False 2026-03-10 06:15:24.000000 -
# 584 500 wininit.exe 0xfa8004195080 1 75 0 False 2026-03-10 06:15:24.000000 -
# 596 588 csrss.exe 0xfa80041a0080 14 594 1 False 2026-03-10 06:15:24.000000 -
# 660 588 winlogon.exe 0xfa80041f5080 3 124 1 False 2026-03-10 06:15:24.000000 -
# 700 584 services.exe 0xfa800420a040 6 238 0 False 2026-03-10 06:15:24.000000 -
# 712 584 lsass.exe 0xfa8004215080 9 763 0 False 2026-03-10 06:15:24.000000 -
# 824 700 svchost.exe 0xfa800428e300 21 467 0 False 2026-03-10 06:15:25.000000 -
# 872 700 svchost.exe 0xfa80042a5080 12 334 0 False 2026-03-10 06:15:25.000000 -
# 968 700 svchost.exe 0xfa80042f0080 18 512 0 False 2026-03-10 06:15:25.000000 -
# 1064 700 svchost.exe 0xfa800434a080 15 401 0 False 2026-03-10 06:15:25.000000 -
# 1156 700 svchost.exe 0xfa80043a2080 8 198 0 False 2026-03-10 06:15:25.000000 -
# 1320 700 svchost.exe 0xfa8004421300 6 172 0 False 2026-03-10 06:15:26.000000 -
# 2104 700 spoolsv.exe 0xfa800459b080 7 126 0 False 2026-03-10 06:15:28.000000 -
# 2248 1064 taskhostw.exe 0xfa8004612080 5 88 1 False 2026-03-10 06:30:11.000000 -
# 2492 2472 explorer.exe 0xfa80046e1080 32 1024 1 False 2026-03-10 06:30:14.000000 -
# 2680 2492 outlook.exe 0xfa8004782080 25 612 1 False 2026-03-10 06:31:02.000000 -
# 3104 2492 chrome.exe 0xfa80048e0080 8 215 1 False 2026-03-10 06:31:15.000000 -
# 3296 3104 chrome.exe 0xfa8004962080 15 342 1 False 2026-03-10 06:31:15.000000 -
# 4520 2492 notepad.exe 0xfa8004b12080 1 52 1 False 2026-03-10 09:14:30.000000 -
# 4872 700 svchost.exe 0xfa8004c3a300 6 147 0 False 2026-03-10 09:17:44.000000 - ◄── SUSPICIOUS
# 4988 4872 cmd.exe 0xfa8004c8e080 1 28 0 False 2026-03-10 09:18:02.000000 - ◄── SUSPICIOUS
# 5016 4988 whoami.exe 0xfa8004ca1040 0 - 0 False 2026-03-10 09:18:03.000000 2026-03-10 09:18:03.000000
# 5104 4988 ipconfig.exe 0xfa8004cc2040 0 - 0 False 2026-03-10 09:18:05.000000 2026-03-10 09:18:05.000000
# 5188 4872 cmd.exe 0xfa8004ce8080 1 28 0 False 2026-03-12 02:15:33.000000 - ◄── SUSPICIOUS
# 5240 5188 net.exe 0xfa8004d0a040 0 - 0 False 2026-03-12 02:15:35.000000 2026-03-12 02:15:36.000000
# 5312 5188 nltest.exe 0xfa8004d2e040 0 - 0 False 2026-03-12 02:15:40.000000 2026-03-12 02:15:40.000000
# 5480 2492 msedge.exe 0xfa8004d8a080 4 112 1 False 2026-03-10 10:42:15.000000 -
Red Flags Identified
Several anomalies are immediately visible in the process listing:
- PID 4872 — svchost.exe created at 09:17:44 on 2026-03-10, minutes after the suspected initial compromise at 09:15. Legitimate svchost.exe instances are created at boot time by services.exe (PID 700). While PID 4872 does show PPID 700, the creation timestamp is anomalous.
- PID 4988, 5188 — cmd.exe spawned by svchost.exe (PID 4872). A legitimate svchost.exe should almost never spawn cmd.exe.
- Reconnaissance commands — whoami.exe, ipconfig.exe, net.exe, nltest.exe are classic post-exploitation discovery commands.
- Time gap — Recon commands at 09:18 (initial access) and again at 02:15 on 2026-03-12 (two days later) indicate persistent access.
1.2 Process Tree Analysis
Visualize the parent-child process hierarchy to detect anomalous relationships.
# SYNTHETIC — Process tree view
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.pstree
# Expected output (SYNTHETIC — suspicious branch highlighted):
# PID PPID ImageFileName Offset(V) Threads Handles Sess Wow64 CreateTime
# 4 0 System 0xfa8003c4a040 142 - - False 2026-03-10 06:15:22
# . 104 4 Registry 0xfa8003c4e080 4 - - False 2026-03-10 06:15:18
# . 392 4 smss.exe 0xfa8003e81300 2 - - False 2026-03-10 06:15:22
# 584 500 wininit.exe 0xfa8004195080 1 75 0 False 2026-03-10 06:15:24
# . 700 584 services.exe 0xfa800420a040 6 238 0 False 2026-03-10 06:15:24
# .. 824 700 svchost.exe 0xfa800428e300 21 467 0 False 2026-03-10 06:15:25
# .. 872 700 svchost.exe 0xfa80042a5080 12 334 0 False 2026-03-10 06:15:25
# .. 968 700 svchost.exe 0xfa80042f0080 18 512 0 False 2026-03-10 06:15:25
# .. 1064 700 svchost.exe 0xfa800434a080 15 401 0 False 2026-03-10 06:15:25
# .. 1156 700 svchost.exe 0xfa80043a2080 8 198 0 False 2026-03-10 06:15:25
# .. 1320 700 svchost.exe 0xfa8004421300 6 172 0 False 2026-03-10 06:15:26
# .. 2104 700 spoolsv.exe 0xfa800459b080 7 126 0 False 2026-03-10 06:15:28
# .. 4872 700 svchost.exe 0xfa8004c3a300 6 147 0 False 2026-03-10 09:17:44 ◄── ANOMALOUS
# ... 4988 4872 cmd.exe 0xfa8004c8e080 1 28 0 False 2026-03-10 09:18:02 ◄── ANOMALOUS
# .... 5016 4988 whoami.exe 0xfa8004ca1040 0 - 0 False 2026-03-10 09:18:03
# .... 5104 4988 ipconfig.exe 0xfa8004cc2040 0 - 0 False 2026-03-10 09:18:05
# ... 5188 4872 cmd.exe 0xfa8004ce8080 1 28 0 False 2026-03-12 02:15:33 ◄── ANOMALOUS
# .... 5240 5188 net.exe 0xfa8004d0a040 0 - 0 False 2026-03-12 02:15:35
# .... 5312 5188 nltest.exe 0xfa8004d2e040 0 - 0 False 2026-03-12 02:15:40
# . 712 584 lsass.exe 0xfa8004215080 9 763 0 False 2026-03-10 06:15:24
# 660 588 winlogon.exe 0xfa80041f5080 3 124 1 False 2026-03-10 06:15:24
# 2492 2472 explorer.exe 0xfa80046e1080 32 1024 1 False 2026-03-10 06:30:14
# . 2680 2492 outlook.exe 0xfa8004782080 25 612 1 False 2026-03-10 06:31:02
# . 3104 2492 chrome.exe 0xfa80048e0080 8 215 1 False 2026-03-10 06:31:15
# .. 3296 3104 chrome.exe 0xfa8004962080 15 342 1 False 2026-03-10 06:31:15
# . 4520 2492 notepad.exe 0xfa8004b12080 1 52 1 False 2026-03-10 09:14:30
# . 5480 2492 msedge.exe 0xfa8004d8a080 4 112 1 False 2026-03-10 10:42:15
1.3 Cross-View Process Detection (psxview)
Compare process listings from multiple kernel data structures to detect hidden processes. Processes that appear in one list but not another may be using DKOM (Direct Kernel Object Manipulation) to hide.
# SYNTHETIC — Cross-reference process lists
# Volatility 3 uses separate plugins; combine results manually
# Method 1: PsList (EPROCESS linked list traversal)
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.pslist > /cases/novacorp/analysis/process/pslist.txt
# Method 2: PsScan (pool tag scanning — finds unlinked/terminated processes)
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.psscan > /cases/novacorp/analysis/process/psscan.txt
# Expected ADDITIONAL processes found by psscan but NOT in pslist (SYNTHETIC):
# PID PPID ImageFileName Offset(P) CreateTime ExitTime
# 5552 4872 conhost.exe 0x000000003e4a1040 2026-03-10 09:17:50.000000 - ◄── HIDDEN
# 5620 4872 svchst.exe 0x000000003e512040 2026-03-10 09:17:52.000000 - ◄── HIDDEN (note typo: svchst, not svchost)
# SYNTHETIC — Cross-view detection
python2 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw --profile=Win10x64_19041 psxview
# Expected output (SYNTHETIC):
# Offset(P) Name PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
# 0x000000003e4a1040 conhost.exe 5552 False True True True False False False -
# 0x000000003e512040 svchst.exe 5620 False True True True False False False -
Hidden Processes Discovered
Two processes are hidden from the standard EPROCESS linked list:
- PID 5552 — conhost.exe — Hidden console host, likely providing terminal access for the attacker.
- PID 5620 — svchst.exe — Note the deliberate typo (missing 'o'). This is NOT a legitimate Windows process. It is a malware binary masquerading as svchost.exe. Parent PID 4872 confirms it was spawned by the suspicious svchost.exe instance.
Both processes were unlinked from the EPROCESS doubly-linked list using DKOM, making them invisible to tools that only walk the list (Task Manager, tasklist.exe, standard pslist).
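As an added Python example (not part of the lab or of Volatility), the following script automates the cross-view comparison and the parent-child checks described above over saved pslist/psscan output; the sample rows embedded in it are constructed from the SYNTHETIC listings, and the lineage rules are the lab's.

```python
"""Cross-view process triage over Volatility 3 pslist and psscan output.

Added example, not part of the lab or of Volatility: it parses the two
listings, reports PIDs that psscan (pool-tag carving) finds but pslist
(EPROCESS list walk) does not, applies the lab's lineage rules (svchost.exe
is a child of services.exe and never spawns cmd.exe), and flags image names
one edit away from a Windows binary, such as svchst.exe. Sample rows are
constructed from the lab's SYNTHETIC output.
"""
import re
from dataclasses import dataclass

# Rows both views return (the offset column differs in reality; the parser ignores it).
COMMON_ROWS = """\
4 0 System 0xfa8003c4a040 142 - - False 2026-03-10 06:15:22.000000 -
584 500 wininit.exe 0xfa8004195080 1 75 0 False 2026-03-10 06:15:24.000000 -
700 584 services.exe 0xfa800420a040 6 238 0 False 2026-03-10 06:15:24.000000 -
824 700 svchost.exe 0xfa800428e300 21 467 0 False 2026-03-10 06:15:25.000000 -
2492 2472 explorer.exe 0xfa80046e1080 32 1024 1 False 2026-03-10 06:30:14.000000 -
4872 700 svchost.exe 0xfa8004c3a300 6 147 0 False 2026-03-10 09:17:44.000000 -
4988 4872 cmd.exe 0xfa8004c8e080 1 28 0 False 2026-03-10 09:18:02.000000 -
5016 4988 whoami.exe 0xfa8004ca1040 0 - 0 False 2026-03-10 09:18:03.000000 2026-03-10 09:18:03.000000
"""
PSLIST_SAMPLE = "PID PPID ImageFileName Offset(V) Threads Handles Sess Wow64 CreateTime ExitTime\n" + COMMON_ROWS
# The pool scan also carves the two EPROCESS objects that were unlinked from the list.
PSSCAN_SAMPLE = "PID PPID ImageFileName Offset(P) CreateTime ExitTime\n" + COMMON_ROWS + """\
5552 4872 conhost.exe 0x000000003e4a1040 2026-03-10 09:17:50.000000 -
5620 4872 svchst.exe 0x000000003e512040 2026-03-10 09:17:52.000000 -
"""

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str

# The first four columns (PID PPID name offset) are the same in pslist and psscan.
ROW_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s+0x[0-9a-fA-F]+")

def parse_listing(text):
    """Return {pid: Proc} for every data row; the header row does not match."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            pid, ppid, name = int(m.group(1)), int(m.group(2)), m.group(3)
            procs[pid] = Proc(pid, ppid, name)
    return procs

def hidden_processes(pslist, psscan):
    """Processes the pool scan carved but the list walk never reached."""
    return sorted((psscan[p] for p in psscan.keys() - pslist.keys()), key=lambda p: p.pid)

# Their parents (the smss.exe instance that sets up a session, userinit.exe) exit by design.
EXPECTED_ORPHANS = {"wininit.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}

def parent_child_anomalies(procs):
    """Apply the lab's lineage rules; returns (pid, reason) pairs in PID order."""
    findings = []
    for p in sorted(procs.values(), key=lambda p: p.pid):
        parent = procs.get(p.ppid)
        pname = parent.name.lower() if parent else "<missing>"
        if p.name.lower() == "svchost.exe" and pname != "services.exe":
            findings.append((p.pid, f"svchost.exe parented by {pname} (PID {p.ppid})"))
        if p.name.lower() == "cmd.exe" and pname == "svchost.exe":
            findings.append((p.pid, f"cmd.exe spawned by svchost.exe (PID {p.ppid})"))
        if parent is None and p.ppid != 0 and p.name.lower() not in EXPECTED_ORPHANS:
            findings.append((p.pid, f"orphan: parent PID {p.ppid} not in listing"))
    return findings

def within_one_edit(a, b):
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))

SYSTEM_BINARIES = ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "winlogon.exe")

def lookalike_names(procs):
    """(pid, name, imitated binary) for image names one edit away from a system binary."""
    hits = []
    for p in sorted(procs.values(), key=lambda p: p.pid):
        for legit in SYSTEM_BINARIES:
            if within_one_edit(p.name.lower(), legit):
                hits.append((p.pid, p.name, legit))
    return hits

if __name__ == "__main__":
    pslist, psscan = parse_listing(PSLIST_SAMPLE), parse_listing(PSSCAN_SAMPLE)
    for proc in hidden_processes(pslist, psscan):
        print(f"HIDDEN    PID {proc.pid:<5} {proc.name} (PPID {proc.ppid})")
    for pid, reason in parent_child_anomalies(psscan):
        print(f"LINEAGE   PID {pid:<5} {reason}")
    for pid, name, legit in lookalike_names(psscan):
        print(f"LOOKALIKE PID {pid:<5} {name} resembles {legit}")
```

Run the same three functions over the psscan output of a real case; a hidden entry that is also a lookalike, as PID 5620 is here, is the strongest signal the script produces.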
1.4 Process Hollowing Detection
Examine the suspicious svchost.exe (PID 4872) for signs of process hollowing — a technique where a legitimate process is started in a suspended state, its memory is unmapped, and malicious code is written in its place.
# SYNTHETIC — Dump the process executable for PID 4872
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.dumpfiles --pid 4872
# Expected output (SYNTHETIC):
# Cache FileObject FileName Result
# DataSectionObject 0xfa8004c3b520 svchost.exe dumped (file.0xfa8004c3b520.0xfa8004c3a300.DataSectionObject.svchost.exe.dat)
# ImageSectionObject 0xfa8004c3b520 svchost.exe dumped (file.0xfa8004c3b520.0xfa8004c3a300.ImageSectionObject.svchost.exe.img)
# Compare the PE header of the dumped image vs legitimate svchost.exe
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.vadinfo --pid 4872
# Key VAD entry for the main executable (SYNTHETIC):
# VAD node 0xfa8004c3c2a0
# Start 0x00400000
# End 0x0041ffff
# Tag VadS
# Flags CommitCharge: 32, Protection: PAGE_EXECUTE_READWRITE ◄── SUSPICIOUS
# FileObject NONE ◄── SUSPICIOUS (should reference svchost.exe)
# SYNTHETIC — Dump process executable
python2 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw --profile=Win10x64_19041 procdump -p 4872 -D /cases/novacorp/evidence/dumped_files/
# Compare PE compilation timestamp
python2 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw --profile=Win10x64_19041 verinfo -p 4872
Process Hollowing Confirmed
The VAD analysis of PID 4872 reveals two critical indicators of process hollowing:
- PAGE_EXECUTE_READWRITE protection — The main executable region at 0x00400000 has RWX permissions. Legitimate svchost.exe loads with PAGE_EXECUTE_READ (RX). The writable permission indicates the memory was remapped with new content.
- Missing FileObject — The VAD entry for the executable image has no associated file object. Legitimate processes maintain a reference to their on-disk binary. The absence indicates the original mapping was destroyed and replaced.
Conclusion: PID 4872 was started as a legitimate svchost.exe, suspended, hollowed, and injected with the SHADOWBYTE RAT payload. The process maintains the appearance of a legitimate Windows service but executes entirely different code.
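The hollowing indicators from the VAD analysis above, as an added Python example that is not code from the lab or from Volatility: VadRegion, the sample regions and the contents of the second RWX region are constructed for the demonstration, while the hexdump rows are the ones the lab's malfind output prints for 0x00400000.

```python
"""Score VAD regions for the lab's process-hollowing indicators.

Added example, not from the lab or from Volatility. It models the fields the
lab reads from windows.vadinfo (range, protection, whether a FileObject backs
the region) plus the leading bytes of the region as windows.malfind prints
them, and applies the indicators from 1.4: executable memory that is also
writable (RWX), no backing file, and a PE image (MZ header) in that unbacked
region. VadRegion and the sample regions are constructed.
"""
import re
import struct
from dataclasses import dataclass
from typing import Optional

@dataclass
class VadRegion:
    start: int
    end: int
    protection: str             # as vadinfo prints it, e.g. PAGE_EXECUTE_READWRITE
    file_object: Optional[str]  # backing file path, or None when vadinfo shows NONE
    head: bytes = b""           # leading bytes of the region (malfind hexdump)

EXECUTABLE = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
              "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}
# PAGE_EXECUTE_WRITECOPY is the normal copy-on-write protection of a file-backed
# image and is not counted as writable here; RWX private memory is.
WRITABLE = {"PAGE_READWRITE", "PAGE_EXECUTE_READWRITE"}

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")

def parse_hexdump(text):
    """Rebuild bytes from malfind-style rows: 16 hex pairs followed by an ASCII column."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()[:16]
        if len(tokens) == 16 and all(HEX_BYTE.match(t) for t in tokens):
            out += bytes.fromhex("".join(tokens))
    return bytes(out)

def pe_header_offset(head):
    """e_lfanew (offset of the PE signature) from a DOS header, or None if not one."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return None
    return struct.unpack_from("<I", head, 0x3C)[0]

def hollowing_indicators(region):
    """Names of the indicators that fire for one region (empty for non-executable memory)."""
    hits = []
    if region.protection not in EXECUTABLE:
        return hits
    if region.protection in WRITABLE:
        hits.append("rwx")
    if region.file_object is None:
        hits.append("no_file_object")
        if region.head[:2] == b"MZ":
            hits.append("unbacked_pe")  # a whole PE image that no file on disk accounts for
    return hits

def triage(regions):
    """(start, verdict, indicators) for every region with at least one indicator."""
    verdicts = []
    for r in regions:
        hits = hollowing_indicators(r)
        if not hits:
            continue
        # All three together are the pattern the lab attributes to a hollowed image.
        hollowed = {"rwx", "no_file_object", "unbacked_pe"} <= set(hits)
        verdicts.append((r.start, "HOLLOWED_IMAGE" if hollowed else "SUSPICIOUS", hits))
    return verdicts

# The first 64 bytes of the RWX region at 0x00400000 as the lab's malfind output prints them.
MALFIND_HEXDUMP = """\
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 ................
"""

SAMPLE_REGIONS = [
    # The hollowed main image from 1.4: RWX, no FileObject, starts with MZ.
    VadRegion(0x00400000, 0x0041FFFF, "PAGE_EXECUTE_READWRITE", None, parse_hexdump(MALFIND_HEXDUMP)),
    # A file-backed image mapping as a legitimate svchost.exe shows it.
    VadRegion(0x7FF7A0A00000, 0x7FF7A0A13FFF, "PAGE_EXECUTE_WRITECOPY", r"\Windows\System32\svchost.exe", b"MZ\x90\x00"),
    # A second RWX region with constructed, non-PE contents (unbacked, shellcode-like).
    VadRegion(0x02A10000, 0x02A1FFFF, "PAGE_EXECUTE_READWRITE", None, b"\x48\x83\xec\x28"),
    # Ordinary heap memory: writable but not executable, so it is ignored.
    VadRegion(0x001A0000, 0x001AFFFF, "PAGE_READWRITE", None, b"\x00\x00"),
]

if __name__ == "__main__":
    for start, verdict, hits in triage(SAMPLE_REGIONS):
        print(f"0x{start:016x} {verdict:15} {', '.join(hits)}")
    print(f"e_lfanew of the hollowed image: 0x{pe_header_offset(SAMPLE_REGIONS[0].head):x}")
```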
1.5 Service Verification
Verify whether PID 4872 is registered as a legitimate Windows service.
# SYNTHETIC — List services and their associated PIDs
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.svcscan
# Expected output for legitimate svchost.exe instances (SYNTHETIC — abbreviated):
# Offset Order PID Start State Type Name Display
# 0xfa800428f100 15 824 2 Running Share DcomLaunch DCOM Server Process Launcher
# 0xfa80042a6100 22 872 2 Running Share RpcSs Remote Procedure Call (RPC)
# 0xfa80042f1100 28 968 2 Running Share Schedule Task Scheduler
# 0xfa800434b100 33 1064 2 Running Share Themes Themes
# 0xfa80043a3100 41 1156 2 Running Share wuauserv Windows Update
# 0xfa8004422100 47 1320 2 Running Share LanmanWorkstation Workstation
#
# NOTE: PID 4872 does NOT appear in the service control manager database. ◄── CONFIRMED MALICIOUS
Exercise 1 Checkpoint
At this point you should have identified:
- PID 4872 (svchost.exe) as a process-hollowed SHADOWBYTE RAT instance
- PID 5552 (conhost.exe) and PID 5620 (svchst.exe) as DKOM-hidden processes
- Reconnaissance commands (whoami, ipconfig, net, nltest) spawned by the malicious svchost.exe
- Two distinct activity windows: initial access (2026-03-10 09:17) and follow-up recon (2026-03-12 02:15)
- Process hollowing indicators: RWX VAD permissions and missing FileObject
- PID 4872 has no registered service entry, confirming it is not a legitimate svchost.exe
Key Finding: The attacker used process hollowing (T1055.012) to inject SHADOWBYTE into a svchost.exe process and DKOM (T1014) to hide two additional processes from standard enumeration.
1.6 Command-Line Argument Analysis
Extract command-line arguments for all suspicious processes to understand what commands the attacker executed.
# SYNTHETIC — Extract command line arguments
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.cmdline
# Expected output (SYNTHETIC — suspicious entries):
# PID Process Args
# 824 svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p
# 872 svchost.exe C:\Windows\system32\svchost.exe -k RPCSS -p
# 968 svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p
# 1064 svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s Themes
# 1156 svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
# 1320 svchost.exe C:\Windows\system32\svchost.exe -k NetworkService -p
# 4872 svchost.exe C:\Windows\system32\svchost.exe ◄── NO -k FLAG = SUSPICIOUS
# 4988 cmd.exe cmd.exe /c "whoami && ipconfig /all" ◄── RECON CHAIN
# 5016 whoami.exe whoami ◄── RECON
# 5104 ipconfig.exe ipconfig /all ◄── RECON
# 5188 cmd.exe cmd.exe /c "net group \"Domain Admins\" /domain && nltest /dclist:novacorp.example" ◄── DOMAIN RECON
# 5240 net.exe net group "Domain Admins" /domain ◄── ENUMERATE DOMAIN ADMINS
# 5312 nltest.exe nltest /dclist:novacorp.example ◄── DC ENUMERATION
# 5620 svchst.exe C:\ProgramData\NovaCorp\svchst.exe --mode service ◄── NIGHTCRAWLER
Command-Line Analysis
Critical observations from the command-line data:
- All legitimate svchost.exe instances include the -k flag followed by a service group name (e.g., -k DcomLaunch). PID 4872 has no -k flag, which is a definitive indicator of a non-legitimate instance.
- Chained reconnaissance commands — The attacker used cmd.exe /c with && to chain multiple discovery commands in a single execution, reducing the number of process creation events.
- Domain Admin enumeration — The net group "Domain Admins" /domain command specifically targets privileged accounts, indicating the attacker is mapping high-value targets for privilege escalation.
- DC enumeration — The nltest /dclist:novacorp.example command maps all domain controllers, useful for planning Kerberoasting or DCSync attacks.
- NIGHTCRAWLER launch flag — PID 5620 (svchst.exe) was started with --mode service, a custom flag used by the NIGHTCRAWLER toolkit.
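An added Python example (not from the lab or from Volatility) that applies the command-line checks above to saved windows.cmdline output: the -k test, the unwrapping of cmd.exe /c chains, and a small discovery-command-to-technique mapping that is this example's own assumption; the sample rows are constructed from the SYNTHETIC output.

```python
"""Triage windows.cmdline output for the lab's command-line indicators.

Added example, not from the lab or from Volatility. It parses the
"PID Process Args" rows, flags svchost.exe instances launched without a
-k <group> argument, unwraps cmd.exe /c "... && ..." chains into their
component commands, and maps each component to the discovery technique it
implements. The sample rows are constructed from the lab's SYNTHETIC output;
the ATT&CK mapping is this example's own.
"""
import re

CMDLINE_SAMPLE = r"""
PID Process Args
824 svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p
1064 svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s Themes
4872 svchost.exe C:\Windows\system32\svchost.exe
4988 cmd.exe cmd.exe /c "whoami && ipconfig /all"
5188 cmd.exe cmd.exe /c "net group \"Domain Admins\" /domain && nltest /dclist:novacorp.example"
5240 net.exe net group "Domain Admins" /domain
5620 svchst.exe C:\ProgramData\NovaCorp\svchst.exe --mode service
"""

ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(.*)$")
# cmd.exe /c (or /k) followed by the command string; a path prefix on cmd.exe is optional.
CMD_C_RE = re.compile(r"^(?:\S*\\)?cmd(?:\.exe)?\s+/[ck]\s+(.*)$", re.IGNORECASE)

# Discovery commands the lab observed, with the ATT&CK technique each implements.
DISCOVERY = {
    "whoami": "T1033",     # System Owner/User Discovery
    "ipconfig": "T1016",   # System Network Configuration Discovery
    "net": "T1069.002",    # Permission Groups Discovery: Domain Groups (net group /domain)
    "nltest": "T1018",     # Remote System Discovery (nltest /dclist)
}

def parse_cmdline(text):
    """Return [(pid, process, args)] for each data row; the header row does not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return rows

def svchost_missing_group(rows):
    """PIDs of svchost.exe instances whose command line carries no -k <group>."""
    flagged = []
    for pid, proc, args in rows:
        if proc.lower() == "svchost.exe":
            tokens = [t.lower() for t in args.split()]
            if "-k" not in tokens or tokens.index("-k") == len(tokens) - 1:
                flagged.append(pid)
    return sorted(flagged)

def unwrap_cmd_chain(args):
    """Split cmd.exe /c "a && b | c" into ["a", "b", "c"]; other commands pass through."""
    m = CMD_C_RE.match(args.strip())
    if not m:
        return [args.strip()]
    body = m.group(1).strip()
    if len(body) >= 2 and body[0] == '"' and body[-1] == '"':
        body = body[1:-1]            # the outer quotes that cmd.exe strips itself
    body = body.replace('\\"', '"')  # inner quotes as the caller escaped them
    return [part.strip() for part in re.split(r"\s*(?:&&|\|\||&|\|)\s*", body) if part.strip()]

def discovery_commands(rows):
    """(pid, component command, technique) for every discovery command, chained or direct."""
    found = []
    for pid, _proc, args in rows:
        for cmd in unwrap_cmd_chain(args):
            tokens = cmd.split()
            if not tokens:
                continue
            exe = re.sub(r"\.exe$", "", tokens[0].rsplit("\\", 1)[-1].lower())
            if exe in DISCOVERY:
                found.append((pid, cmd, DISCOVERY[exe]))
    return found

if __name__ == "__main__":
    rows = parse_cmdline(CMDLINE_SAMPLE)
    print("svchost.exe without -k:", svchost_missing_group(rows))
    for pid, cmd, technique in discovery_commands(rows):
        print(f"PID {pid:<5} {technique:10} {cmd}")
```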
1.7 DLL List Comparison
Compare loaded DLLs between the suspicious svchost.exe and a legitimate instance to identify anomalies.
# SYNTHETIC — DLL list for legitimate svchost.exe (PID 824)
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.dlllist --pid 824
# Expected output (SYNTHETIC — abbreviated):
# PID Base Size Name Path
# 824 0x7ff7a0a00000 0x14000 svchost.exe \Windows\System32\svchost.exe
# 824 0x7ff600000000 0x1f7000 ntdll.dll \Windows\System32\ntdll.dll
# 824 0x7ff5fe800000 0x180000 kernel32.dll \Windows\System32\kernel32.dll
# 824 0x7ff5ff000000 0x1c0000 KERNELBASE.dll \Windows\System32\KERNELBASE.dll
# 824 0x7ff5fdc00000 0x8f000 sechost.dll \Windows\System32\sechost.dll
# 824 0x7ff5fd800000 0xa7000 rpcrt4.dll \Windows\System32\rpcrt4.dll
# 824 0x7ff5fc200000 0x25000 combase.dll \Windows\System32\combase.dll
# (17 DLLs total — all from \Windows\System32\)
# DLL list for SUSPICIOUS svchost.exe (PID 4872)
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.dlllist --pid 4872
# Expected output (SYNTHETIC — abbreviated):
# PID Base Size Name Path
# 4872 0x7ff7a0a00000 0x14000 svchost.exe \Windows\System32\svchost.exe ◄── Original EXE still in PEB
# 4872 0x7ff600000000 0x1f7000 ntdll.dll \Windows\System32\ntdll.dll
# 4872 0x7ff5fe800000 0x180000 kernel32.dll \Windows\System32\kernel32.dll
# 4872 0x7ff5ff000000 0x1c0000 KERNELBASE.dll \Windows\System32\KERNELBASE.dll
# 4872 0x7ff5fdc00000 0x8f000 ws2_32.dll \Windows\System32\ws2_32.dll ◄── NETWORK: not in legitimate
# 4872 0x7ff5fd400000 0x47000 wininet.dll \Windows\System32\wininet.dll ◄── HTTP: not in legitimate
# 4872 0x7ff5fd000000 0x38000 winhttp.dll \Windows\System32\winhttp.dll ◄── HTTP: not in legitimate
# 4872 0x7ff5fcc00000 0x1a000 crypt32.dll \Windows\System32\crypt32.dll ◄── CRYPTO: not in legitimate
# 4872 0x7ff5fc800000 0x12000 advapi32.dll \Windows\System32\advapi32.dll
# (12 DLLs total — includes networking and crypto DLLs not present in legitimate svchost)
DLL Anomalies
The suspicious PID 4872 loads ws2_32.dll (Winsock), wininet.dll (Internet functions), winhttp.dll (HTTP client), and crypt32.dll (cryptographic functions). These are not typically loaded by a basic svchost.exe service host and indicate network communication and encrypted data handling — consistent with a C2 RAT.
1.8 Handle Analysis
Examine open handles to discover files, registry keys, mutexes, and other objects accessed by the malicious processes.
# SYNTHETIC — List handles for PID 4872
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.handles --pid 4872
# Expected output (SYNTHETIC — key entries):
# PID Handle Type GrantedAccess Name
# 4872 0x004 Event 0x1f0003 -
# 4872 0x008 Directory 0x0003 \KnownDlls
# 4872 0x00c File 0x100020 \Device\HarddiskVolume3\ProgramData\NovaCorp ◄── STAGING DIR
# 4872 0x014 File 0x12019f \Device\HarddiskVolume3\ProgramData\NovaCorp\config.dat ◄── CONFIG FILE
# 4872 0x018 Key 0x20019 MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN ◄── PERSISTENCE KEY
# 4872 0x020 Mutant 0x1f0001 \BaseNamedObjects\Global\SHADOWBYTE-NOVACORP-2026-Q1 ◄── CAMPAIGN MUTEX
# 4872 0x028 Section 0x4 \BaseNamedObjects\__shadowbyte_shm__ ◄── SHARED MEMORY
# 4872 0x030 File 0x100080 \Device\NamedPipe\shadowbyte_cred ◄── IPC PIPE
# 4872 0x038 Event 0x1f0003 \BaseNamedObjects\SHADOWBYTE_BEACON_TIMER ◄── BEACON TIMER
Handle Analysis Findings
The handle list confirms several findings from earlier exercises and reveals new artifacts:
- Campaign Mutex (SHADOWBYTE-NOVACORP-2026-Q1) — Prevents multiple instances of the RAT from running. The mutex name contains the campaign ID found in the decrypted configuration.
- Shared Memory Section (__shadowbyte_shm__) — Used for high-speed data transfer between the RAT core and its modules without going through named pipes.
- Beacon Timer Event (SHADOWBYTE_BEACON_TIMER) — Named event object used to synchronize the C2 beaconing interval.
- Registry Key Handle — Active handle to the Run key confirms the RAT monitors its own persistence.
Exercise 2: Network Forensics
Objectives
- Extract active network connections and listening sockets from memory
- Identify C2 communication channels using connection metadata
- Analyze DNS cache entries to discover attacker infrastructure
- Correlate network artifacts with suspicious processes identified in Exercise 1
2.1 Network Connection Analysis
# SYNTHETIC — Enumerate network connections
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.netscan
# Expected output (SYNTHETIC):
# Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created
# 0x3e201420 TCPv4 10.20.5.42 49812 198.51.100.47 443 ESTABLISHED 4872 svchost.exe 2026-03-12 14:58:12 ◄── C2
# 0x3e215840 TCPv4 10.20.5.42 49815 198.51.100.47 443 ESTABLISHED 4872 svchost.exe 2026-03-12 15:00:33 ◄── C2
# 0x3e230100 TCPv4 10.20.5.42 50112 198.51.100.23 8443 ESTABLISHED 5620 svchst.exe 2026-03-12 14:30:05 ◄── SECONDARY C2
# 0x3e248300 TCPv4 10.20.5.42 51004 10.20.3.15 445 ESTABLISHED 5620 svchst.exe 2026-03-12 02:16:10 ◄── LATERAL MOVEMENT
# 0x3e260500 TCPv4 10.20.5.42 51008 10.20.3.20 445 ESTABLISHED 5620 svchst.exe 2026-03-12 02:20:45 ◄── LATERAL MOVEMENT
# 0x3e280100 TCPv4 10.20.5.42 49668 10.20.1.10 88 TIME_WAIT 712 lsass.exe 2026-03-12 02:15:32
# 0x3e290400 TCPv4 10.20.5.42 49671 10.20.1.10 389 TIME_WAIT 4988 cmd.exe 2026-03-12 02:15:38
# 0x3e2a0200 TCPv4 10.20.5.42 49801 203.0.113.5 80 CLOSE_WAIT 3104 chrome.exe 2026-03-10 09:14:55 ◄── INITIAL DOWNLOAD
# 0x3e100300 UDPv4 10.20.5.42 5353 * * - 968 svchost.exe 2026-03-10 06:15:25
# 0x3e110200 UDPv4 10.20.5.42 137 * * - 4 System 2026-03-10 06:15:22
# 0x3e120400 TCPv4 0.0.0.0 49670 0.0.0.0 0 LISTENING 4872 svchost.exe 2026-03-10 09:17:46 ◄── BACKDOOR LISTENER
# 0x3e130100 TCPv4 10.20.5.42 139 0.0.0.0 0 LISTENING 4 System 2026-03-10 06:15:22
# 0x3e140200 TCPv4 10.20.5.42 445 0.0.0.0 0 LISTENING 4 System 2026-03-10 06:15:22
Network Indicators of Compromise
The network scan reveals several critical findings:
| Connection | Analysis |
|---|---|
| PID 4872 → 198.51.100.47:443 | Primary C2 channel. Two established HTTPS connections from the hollowed svchost.exe to the external C2 server. The 60-second beaconing interval matches SOC observations. |
| PID 5620 → 198.51.100.23:8443 | Secondary C2 channel. The hidden svchst.exe process connects to a different C2 IP on a non-standard port. This provides redundancy if the primary channel is blocked. |
| PID 5620 → 10.20.3.15:445 | Lateral movement to application server. SMB connection from the hidden process to srv-app-015, confirming the server was targeted. |
| PID 5620 → 10.20.3.20:445 | Lateral movement to file server. SMB connection to srv-files-020, indicating data staging or exfiltration preparation. |
| PID 3104 → 203.0.113.5:80 | Initial payload download. Chrome connection to an external IP at 09:14:55, just before the initial compromise at 09:15. This is likely the drive-by download or phishing payload delivery. |
| PID 4872 LISTENING on 49670 | Local backdoor listener. The hollowed svchost.exe opened a listening port, likely for reverse shell access or additional tool deployment. |
| PID 4988 → 10.20.1.10:389 | LDAP query to domain controller. The cmd.exe process spawned by the malicious svchost queried the DC, consistent with nltest domain reconnaissance. |
2.2 DNS Cache Extraction
Extract the DNS resolver cache from memory to identify domains queried by the attacker.
# SYNTHETIC — Extract DNS cache (Windows DNS Client service cache in memory)
# Volatility 3 does not have a built-in DNS cache plugin; extract from svchost.exe hosting Dnscache
# PID 968 hosts the DNS Client service
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.vadyarascan \
    --pid 968 --yara-rules 'rule dns { strings: $a = /[a-z0-9\-]+\.(example|example\.com)/ condition: $a }'
# Single quotes keep the shell from expanding $a before YARA ever sees the rule
# SYNTHETIC — Reconstructed DNS cache entries from memory strings analysis
# Method: strings + grep on memory dump, filtered for resolution patterns
# Timestamp Query Response TTL
# 2026-03-10 09:14:50 downloads.update-service.example 203.0.113.5 300 ◄── PAYLOAD DELIVERY
# 2026-03-10 09:17:30 update.novacorp-cdn.example 198.51.100.47 3600 ◄── PRIMARY C2
# 2026-03-10 09:17:35 telemetry.novacorp-cdn.example 198.51.100.23 3600 ◄── SECONDARY C2
# 2026-03-10 06:30:15 outlook.office365.example 192.0.2.100 300 ◄── LEGITIMATE
# 2026-03-10 06:31:10 www.google.example 192.0.2.200 300 ◄── LEGITIMATE
# 2026-03-12 02:15:30 dc01.novacorp.example 10.20.1.10 1200 ◄── LEGITIMATE (internal)
# 2026-03-12 02:16:05 srv-app-015.novacorp.example 10.20.3.15 1200 ◄── LATERAL MOVEMENT TARGET
# 2026-03-12 02:20:40 srv-files-020.novacorp.example 10.20.3.20 1200 ◄── LATERAL MOVEMENT TARGET
# 2026-03-12 14:25:00 exfil-drop.phantom-viper.example 198.51.100.99 60 ◄── EXFILTRATION STAGING
Domain Analysis
The attacker used domains designed to blend with legitimate NovaCorp infrastructure:
- update.novacorp-cdn.example — Mimics a content delivery network for updates
- telemetry.novacorp-cdn.example — Mimics telemetry collection
- exfil-drop.phantom-viper.example — Exfiltration staging domain (less OPSEC-conscious)
- downloads.update-service.example — Initial payload delivery domain
These domains all resolve to RFC 5737 documentation-range IPs, confirming they are synthetic.
2.3 Network Artifact Correlation
Build a connection map linking processes, network connections, and DNS resolutions.
SYNTHETIC — Network Artifact Correlation Map
┌──────────────────────────────────────────────────┐
│ EXTERNAL INFRASTRUCTURE │
│ │
│ 203.0.113.5 198.51.100.47 │
│ (Payload Delivery) (Primary C2) │
│ │
│ 198.51.100.23 198.51.100.99 │
│ (Secondary C2) (Exfil Staging) │
└─────┬──────────────────┬───────────┬────────────┘
│ │ │
┌─────▼─────┐ ┌──────▼─────┐ │
│ chrome.exe│ │svchost.exe │ │
│ PID 3104 │ │ PID 4872 │ │
│ (download)│ │ (C2 beacon)│ │
└───────────┘ └──────┬─────┘ │
│ │
┌──────▼──────┐ │
│ svchst.exe │◄──┘
│ PID 5620 │
│ (hidden) │
└──┬───────┬──┘
│ │
┌──────────▼┐ ┌──▼──────────┐
│10.20.3.15 │ │10.20.3.20 │
│srv-app-015│ │srv-files-020│
│(lateral) │ │(lateral) │
└───────────┘ └─────────────┘
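The correlation in this section is a join on IP address between the netscan rows and the DNS cache. The Python script below is an added example, not part of the lab's tooling or Volatility: it parses constructed netscan and DNS-cache lines (the workstation address 10.20.5.42 and the trimmed column layout are assumptions), joins them, classifies each peer as RFC 5737 external, RFC 1918 internal or wildcard, and reports lateral-movement peers and external endpoints per process.

```python
import ipaddress
from collections import defaultdict

# Constructed sample lines in the shape of Volatility 3 windows.netscan output,
# reduced to the columns used here: Proto LocalAddr LocalPort ForeignAddr
# ForeignPort State PID Owner Created. The local address 10.20.5.42 is an
# assumption for this example; the remote endpoints are the lab's synthetic ones.
NETSCAN = """\
TCPv4 10.20.5.42 49812 203.0.113.5 80 CLOSED 3104 chrome.exe 2026-03-10 09:14:55
TCPv4 10.20.5.42 49901 198.51.100.47 443 ESTABLISHED 4872 svchost.exe 2026-03-12 15:00:33
TCPv4 0.0.0.0 49670 0.0.0.0 0 LISTENING 4872 svchost.exe 2026-03-10 09:17:46
TCPv4 10.20.5.42 50122 198.51.100.23 8443 ESTABLISHED 5620 svchst.exe 2026-03-12 14:30:05
TCPv4 10.20.5.42 50210 10.20.3.15 445 ESTABLISHED 5620 svchst.exe 2026-03-12 02:16:10
TCPv4 10.20.5.42 50301 10.20.1.10 88 ESTABLISHED 712 lsass.exe 2026-03-12 02:15:32
"""

# Constructed DNS cache entries: name, resolved address, TTL.
DNSCACHE = """\
update.novacorp-cdn.example 198.51.100.47 3600
telemetry.novacorp-cdn.example 198.51.100.23 3600
downloads.update-service.example 203.0.113.5 300
dc01.novacorp.example 10.20.1.10 1200
srv-app-015.novacorp.example 10.20.3.15 1200
exfil-drop.phantom-viper.example 198.51.100.99 60
"""

DOC_RANGES = [ipaddress.ip_network(n) for n in
              ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]


def parse_netscan(text):
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8:
            continue
        rows.append({"proto": f[0], "laddr": f[1], "lport": int(f[2]),
                     "raddr": f[3], "rport": int(f[4]), "state": f[5],
                     "pid": int(f[6]), "owner": f[7]})
    return rows


def parse_dnscache(text):
    """Map resolved address -> (name, ttl) so connections can be joined on IP."""
    cache = {}
    for line in text.splitlines():
        if line.strip():
            name, addr, ttl = line.split()
            cache[addr] = (name, int(ttl))
    return cache


def classify(addr):
    """Scope of a peer address. Documentation ranges are tested before is_private
    because Python's ipaddress module reports them as private as well."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "wildcard"
    if any(ip in net for net in DOC_RANGES):
        return "external"      # RFC 5737: the lab's stand-in for Internet hosts
    if ip.is_private:
        return "internal"      # RFC 1918
    return "public"            # must not occur in synthetic data


def build_map(rows, dns):
    """Per-process view: listeners plus outbound peers enriched with the DNS name."""
    by_proc = defaultdict(list)
    for r in rows:
        key = (r["pid"], r["owner"])
        if r["state"] == "LISTENING":
            by_proc[key].append({"kind": "listener", "port": r["lport"]})
            continue
        name, ttl = dns.get(r["raddr"], (None, None))
        by_proc[key].append({"kind": "outbound", "remote": f"{r['raddr']}:{r['rport']}",
                             "domain": name, "ttl": ttl, "scope": classify(r["raddr"])})
    return dict(by_proc)


def find_lateral_movement(rows, ports=(445, 135, 3389, 5985)):
    """Internal peers on admin/lateral-movement ports, sorted for stable output."""
    hits = {(r["pid"], r["owner"], r["raddr"]) for r in rows
            if r["state"] != "LISTENING" and r["rport"] in ports
            and classify(r["raddr"]) == "internal"}
    return sorted(hits)


def find_external_peers(rows, dns):
    """External endpoints with the domain that resolved to them, if cached."""
    return sorted({(r["pid"], r["owner"], r["raddr"], r["rport"],
                    dns.get(r["raddr"], ("-", 0))[0])
                   for r in rows if classify(r["raddr"]) == "external"})


if __name__ == "__main__":
    rows, dns = parse_netscan(NETSCAN), parse_dnscache(DNSCACHE)
    for (pid, owner), items in sorted(build_map(rows, dns).items()):
        print(f"{owner} ({pid})")
        for item in items:
            print("   ", item)
    print("lateral movement:", find_lateral_movement(rows))
    print("external peers:", find_external_peers(rows, dns))
```

On a real case, feed it the output of `windows.netscan` (both active and closed sockets; the CLOSED chrome.exe row is why netscan rather than netstat is used here) and the DNS cache extracted from the dnsrslvr.dll heap; a peer that falls into the `public` bucket would mean the data is not as synthetic as claimed.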
Exercise 2 Checkpoint
At this point you should have:
- Identified two C2 channels: primary (198.51.100.47:443) and secondary (198.51.100.23:8443)
- Found the initial payload download connection (203.0.113.5:80)
- Discovered lateral movement via SMB to srv-app-015 (10.20.3.15) and srv-files-020 (10.20.3.20)
- Identified a local backdoor listener on port 49670
- Extracted DNS cache entries revealing attacker domain infrastructure
- Built a network correlation map connecting processes to infrastructure
- Identified an exfiltration staging domain (exfil-drop.phantom-viper.example)
Key Finding: The attacker operates a dual-C2 architecture with primary and secondary channels for redundancy. Lateral movement was conducted over SMB (port 445) to at least two internal servers.
Exercise 3: Code Injection Detection¶
Objectives¶
- Use malfind to detect injected code in process memory
- Analyze Virtual Address Descriptors (VADs) for suspicious memory regions
- Identify DLL injection and reflective DLL loading techniques
- Extract injected payloads for offline analysis
3.1 Malfind Scan¶
The malfind plugin identifies memory regions with characteristics of injected code: executable permissions, no associated file mapping, and suspicious content (e.g., PE headers, shellcode patterns).
# SYNTHETIC — Scan for injected code
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.malfind
# Expected output (SYNTHETIC):
# PID Process Start VPN End VPN Tag Protection Hexdump / Disassembly
#
# 4872 svchost.exe 0x00400000 0x0041ffff VadS PAGE_EXECUTE_READWRITE
# 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
# b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
# 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
# 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 ................
# ◄── PE HEADER (MZ magic bytes) in RWX region — PROCESS HOLLOWING
#
# 4872 svchost.exe 0x02a10000 0x02a1ffff VadS PAGE_EXECUTE_READWRITE
# fc 48 83 e4 f0 48 31 c9 48 81 ec 00 10 00 00 48 .H...H1.H......H
# 8d 05 2f 00 00 00 48 89 45 f8 48 b9 01 00 00 00 ..../..H.E.H....
# 00 00 00 00 48 83 c1 68 51 48 8d 0d 1e 00 00 00 ....H..hQH......
# 48 83 c1 05 ff d1 48 89 45 e0 48 83 ec 20 48 8d H.....H.E.H.. H.
# ◄── SHELLCODE — x64 API-hashing stub (SYNTHETIC, non-functional)
#
# 712 lsass.exe 0x03f50000 0x03f6ffff VadS PAGE_EXECUTE_READWRITE
# 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
# b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
# 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
# 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 ................
# ◄── PE HEADER in lsass.exe memory — DLL INJECTION (credential harvesting module)
#
# 5620 svchst.exe 0x00400000 0x0042ffff VadS PAGE_EXECUTE_READWRITE
# 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
# b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
# 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
# 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 ................
# ◄── Hidden process with PE in RWX memory — NIGHTCRAWLER rootkit component
# SYNTHETIC — Volatility 2 equivalent of the malfind scan above (requires a matching profile)
python2 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw --profile=Win10x64_19041 malfind -p 4872
# Dump the flagged regions to disk for offline analysis
python2 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw --profile=Win10x64_19041 malfind -p 4872 -D /cases/novacorp/evidence/dumped_files/
3.2 VAD (Virtual Address Descriptor) Analysis¶
Examine the full VAD tree for the malicious processes to understand their memory layout.
# SYNTHETIC — Full VAD tree for PID 4872
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.vadinfo --pid 4872
# Expected output (SYNTHETIC — key entries):
# VAD node Start End Tag Flags FileObject
# 0xfa80.. 0x00010000 0x0001ffff VadS CommitCharge: 1, Protection: PAGE_READWRITE -
# 0xfa80.. 0x00400000 0x0041ffff VadS CommitCharge: 32, Protection: PAGE_EXECUTE_READWRITE NONE ◄── HOLLOWED EXE
# 0xfa80.. 0x00770000 0x008affff Vad CommitCharge: 0, Protection: PAGE_READONLY \Windows\System32\locale.nls
# 0xfa80.. 0x02a10000 0x02a1ffff VadS CommitCharge: 16, Protection: PAGE_EXECUTE_READWRITE NONE ◄── SHELLCODE
# 0xfa80.. 0x7ff600000000 0x7ff600070fff Vad CommitCharge: 0, Protection: PAGE_EXECUTE_READ \Windows\System32\ntdll.dll
# 0xfa80.. 0x7ff5ff000000 0x7ff5ff1bffff Vad CommitCharge: 0, Protection: PAGE_EXECUTE_READ \Windows\System32\kernelbase.dll
# 0xfa80.. 0x7ff5fe800000 0x7ff5fe97ffff Vad CommitCharge: 0, Protection: PAGE_EXECUTE_READ \Windows\System32\kernel32.dll
# 0xfa80.. 0x7ff5fdc00000 0x7ff5fdc8ffff Vad CommitCharge: 0, Protection: PAGE_EXECUTE_READ \Windows\System32\ws2_32.dll
# 0xfa80.. 0x7ff5fd400000 0x7ff5fd47ffff Vad CommitCharge: 0, Protection: PAGE_EXECUTE_READ \Windows\System32\wininet.dll
# 0xfa80.. 0x04500000 0x045fffff VadS CommitCharge: 256, Protection: PAGE_EXECUTE_READWRITE NONE ◄── REFLECTIVE DLL
VAD Analysis Key Indicators
When analyzing VADs for code injection, look for these patterns:
| Indicator | Normal | Suspicious |
|---|---|---|
| Protection | PAGE_EXECUTE_READ (RX) | PAGE_EXECUTE_READWRITE (RWX) |
| FileObject | References on-disk DLL/EXE | NONE (no backing file) |
| Tag | Vad (mapped) | VadS (private, committed) |
| Size | Matches known DLL sizes | Unusual sizes (16KB shellcode, etc.) |
| Location | Standard DLL load addresses | Low addresses (0x00400000) or heap regions |

None of these indicators is conclusive on its own: VadS is the tag for any private allocation (heaps and thread stacks included), and JIT engines such as browsers, the .NET CLR and PowerShell legitimately commit RWX private memory. Treat a region as injected only when several indicators coincide, and confirm by inspecting its contents (a PE header or a recognisable instruction prologue) rather than its permissions alone.
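As an added example (not code from the lab or from Volatility), the scoring below applies the table's indicators to vadinfo-style rows. The rows are constructed to mirror the PID 4872 listing, with the first bytes of each region added, plus an assumed chrome.exe RWX region to show the JIT caveat.

```python
# Constructed rows in the shape of windows.vadinfo output, with the first bytes of
# each region added (read with windows.memmap or by dumping the region). Values
# mirror the lab's PID 4872 listing; the chrome.exe row is an assumption added to
# show the JIT caveat.
ROWS = [
    dict(pid=4872, proc="svchost.exe", start=0x00400000, end=0x0041ffff, tag="VadS",
         prot="PAGE_EXECUTE_READWRITE", file=None, head=b"MZ\x90\x00"),
    dict(pid=4872, proc="svchost.exe", start=0x02a10000, end=0x02a1ffff, tag="VadS",
         prot="PAGE_EXECUTE_READWRITE", file=None, head=b"\xfcH\x83\xe4"),
    dict(pid=4872, proc="svchost.exe", start=0x7ff5fe800000, end=0x7ff5fe97ffff, tag="Vad",
         prot="PAGE_EXECUTE_READ", file=r"\Windows\System32\kernel32.dll", head=b"MZ\x90\x00"),
    dict(pid=4872, proc="svchost.exe", start=0x00010000, end=0x0001ffff, tag="VadS",
         prot="PAGE_READWRITE", file=None, head=b"\x00\x00\x00\x00"),
    dict(pid=3104, proc="chrome.exe", start=0x1c00000000, end=0x1c000fffff, tag="VadS",
         prot="PAGE_EXECUTE_READWRITE", file=None, head=b"\x55\x48\x89\xe5"),
]

# Processes expected to own RWX private memory because they JIT-compile code.
KNOWN_JIT = {"chrome.exe", "msedge.exe", "firefox.exe", "powershell.exe"}


def score_vad(row):
    """Return (score, reasons, verdict) by stacking the indicators from the table."""
    prot = row["prot"]
    if "EXECUTE" not in prot:
        return 0, ["not executable"], "benign"
    score, reasons = 0, []
    unbacked = row["file"] is None
    size = row["end"] - row["start"] + 1
    if "WRITE" in prot:
        score += 2
        reasons.append("RWX protection")
    if unbacked:
        score += 2
        reasons.append("no backing file")
    if row["tag"] == "VadS":
        score += 1
        reasons.append("private allocation (VadS)")
    if unbacked and row["head"].startswith(b"MZ"):
        score += 3
        reasons.append("PE header in private memory")
    if unbacked and size <= 0x20000:
        score += 1
        reasons.append(f"small executable region ({size // 1024} KB)")
    if unbacked and row["start"] < 0x10000000:
        score += 1
        reasons.append("low address (legacy image base / heap range)")
    # Caveat from the table: a JIT engine's RWX region is expected unless it holds a PE.
    if row["proc"] in KNOWN_JIT and not row["head"].startswith(b"MZ"):
        score -= 2
        reasons.append("JIT process: RWX expected, needs content review")
    verdict = "high" if score >= 6 else "review" if score >= 3 else "benign"
    return score, reasons, verdict


def triage(rows):
    """Rows worth a look, highest score first."""
    scored = [(score_vad(r), r) for r in rows]
    scored.sort(key=lambda item: -item[0][0])
    return [r for (score, _, verdict), r in scored if verdict != "benign"]


if __name__ == "__main__":
    for r in triage(ROWS):
        score, reasons, verdict = score_vad(r)
        print(f"{r['proc']} ({r['pid']}) {r['start']:#x}-{r['end']:#x}: {verdict} ({score})")
        for reason in reasons:
            print("   -", reason)
```

The weights are a starting point, not a standard; the point is that a PE header in unbacked memory outranks everything else, and that a JIT process is downgraded rather than excluded so its regions still get read.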
3.3 DLL Injection in LSASS¶
The malfind scan detected injected code in lsass.exe (PID 712). This is a critical finding — injecting into LSASS is a common technique for credential harvesting.
# SYNTHETIC — Enumerate DLLs loaded by lsass.exe
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.dlllist --pid 712
# Expected output (SYNTHETIC — abbreviated):
# PID Base Size Name Path
# 712 0x7ff7a8c00000 0x58000 lsass.exe \Windows\System32\lsass.exe
# 712 0x7ff600000000 0x1f7000 ntdll.dll \Windows\System32\ntdll.dll
# 712 0x7ff5fe800000 0x180000 kernel32.dll \Windows\System32\kernel32.dll
# 712 0x7ff5ff000000 0x1c0000 KERNELBASE.dll \Windows\System32\KERNELBASE.dll
# 712 0x7ff5fa600000 0x9c000 lsasrv.dll \Windows\System32\lsasrv.dll
# 712 0x7ff5f9200000 0x3f000 sspisrv.dll \Windows\System32\sspisrv.dll
# 712 0x7ff5f8e00000 0x3b000 msv1_0.dll \Windows\System32\msv1_0.dll
# 712 0x7ff5f7400000 0x2a000 wdigest.dll \Windows\System32\wdigest.dll
# 712 0x7ff5f6800000 0x44000 kerberos.dll \Windows\System32\kerberos.dll
# 712 0x7ff5f5c00000 0x22000 cloudAP.dll \Windows\System32\cloudAP.dll
#
# NOTE: No suspicious DLLs in the standard DLL list — the injected module is REFLECTIVELY LOADED
# (it does not appear in the PEB's InLoadOrderModuleList)
# SYNTHETIC — Dump the injected code from lsass.exe
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.malfind --pid 712 --dump
# Analyze the dumped PE
# File: pid.712.vad.0x03f50000-0x03f6ffff.dmp
# SYNTHETIC — PE analysis of extracted module
# File size: 131,072 bytes (128 KB)
# PE Compile Time: 2026-02-28 14:22:00 UTC (SYNTHETIC)
# PE Sections:
# .text 0x1000 0x15000 r-x (code)
# .rdata 0x16000 0x3000 r-- (read-only data)
# .data 0x19000 0x2000 rw- (data)
# .reloc 0x1b000 0x1000 r-- (relocations)
#
# Imported Functions (SYNTHETIC):
# kernel32.dll: CreateFileW, ReadFile, WriteFile, VirtualAlloc, CreateThread
# advapi32.dll: OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges
# secur32.dll: AcquireCredentialsHandleW, InitializeSecurityContextW
# crypt32.dll: CryptUnprotectData
#
# Strings (SYNTHETIC):
# "SHADOWBYTE-CRED v2.1"
# "Harvesting credentials from LSASS..."
# "wdigest clear-text extraction"
# "kerberos ticket export"
# "\\.\pipe\shadowbyte_cred"
# "198.51.100.47"
Credential Harvesting Module Identified
The injected code in lsass.exe is a credential harvesting module (part of the SHADOWBYTE toolkit). Key indicators:
- Reflective loading — The DLL does not appear in the PEB module list, meaning it was loaded using a custom loader that maps the PE manually without calling LoadLibrary.
- Credential-related imports — Functions from secur32.dll and crypt32.dll indicate credential extraction capability.
- Named pipe communication — Uses \\.\pipe\shadowbyte_cred for inter-process communication with the main SHADOWBYTE RAT (PID 4872).
- ATT&CK mapping — T1003.001 (LSASS Memory), T1055.001 (Dynamic-link Library Injection), T1620 (Reflective Code Loading).
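The PE analysis above is shown as results; the parser below is an added example of how to derive them from a dumped region, not the lab's or Volatility's code. It builds a synthetic PE32+ image with the same section layout as the harvested module (constructed test data, not the real dump), then parses it the way a memory dump has to be parsed: sections located by VirtualAddress, the compile timestamp decoded, and the header's ImageBase compared with the region base.

```python
import struct
from datetime import datetime, timezone

SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
IMAGE_FILE_DLL = 0x2000


def build_synthetic_pe64(image_base, timestamp, sections):
    """Construct a minimal PE32+ image laid out as it would be in memory (sections at
    their RVAs, bodies zero-filled). Constructed test data, not the lab's dump."""
    e_lfanew, opt_size = 0x80, 240                 # 240 = PE32+ optional header size
    size_of_image = max(rva + vsize for _, rva, vsize, _ in sections)
    size_of_image = (size_of_image + 0xfff) & ~0xfff
    dos = (b"MZ" + b"\x00" * 0x3a + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), timestamp, 0, 0, opt_size,
                       IMAGE_FILE_DLL | 0x0022)
    opt = struct.pack("<HBBIIIIIQII", 0x20B, 14, 0, 0, 0, 0, 0x1000, 0x1000,
                      image_base, 0x1000, 0x200)
    opt += struct.pack("<HHHHHHIIIIHH", 6, 0, 0, 0, 6, 0, 0, size_of_image, 0x400, 0, 2, 0x160)
    opt += struct.pack("<QQQQII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\x00" * 128
    table = b"".join(struct.pack("<8sIIIIIIHHI", name.encode(), vsize, rva, vsize, rva,
                                 0, 0, 0, 0, chars) for name, rva, vsize, chars in sections)
    return (dos + b"PE\x00\x00" + coff + opt + table).ljust(size_of_image, b"\x00")


def perm_str(chars):
    return (("r" if chars & SCN_READ else "-") + ("w" if chars & SCN_WRITE else "-")
            + ("x" if chars & SCN_EXEC else "-"))


def parse_memory_image(buf, region_base):
    """Parse a PE as it sits in memory. Sections are located by VirtualAddress, not
    PointerToRawData, because a dumped region is the mapped image, not the file."""
    if buf[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", buf, 0x3c)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == 0x20B:                               # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", buf, opt + 24)[0]
    elif magic == 0x10B:                             # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]
    sections = []
    for i in range(nsec):
        name, vsize, rva, _, _, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", buf, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode(), "rva": rva, "vsize": vsize,
                         "perm": perm_str(sc), "inside_image": rva + vsize <= size_of_image})
    return {
        "machine": machine, "is_dll": bool(chars & IMAGE_FILE_DLL),
        "compile_time": datetime.fromtimestamp(ts, tz=timezone.utc),
        "image_base": image_base, "region_base": region_base,
        # Heuristic: the Windows loader rewrites OptionalHeader.ImageBase after relocating
        # an image, most reflective loaders do not, so a mismatch hints at manual mapping.
        "relocated": image_base != region_base,
        "size_of_image": size_of_image, "sections": sections,
    }


# Section layout of the harvested module from the analysis above; 0x180000000 as the
# preferred base and the compile time are assumptions for the synthetic image.
SECTIONS = [(".text", 0x1000, 0x15000, SCN_EXEC | SCN_READ), (".rdata", 0x16000, 0x3000, SCN_READ),
            (".data", 0x19000, 0x2000, SCN_READ | SCN_WRITE), (".reloc", 0x1b000, 0x1000, SCN_READ)]
COMPILE_TS = int(datetime(2026, 2, 28, 14, 22, tzinfo=timezone.utc).timestamp())
# The dump covers the whole 128 KB VAD region, so pad beyond SizeOfImage as malfind would.
DUMP = build_synthetic_pe64(0x180000000, COMPILE_TS, SECTIONS).ljust(0x20000, b"\x00")


def analyze_dump():
    return parse_memory_image(DUMP, region_base=0x03f50000)


if __name__ == "__main__":
    info = analyze_dump()
    print(f"compiled {info['compile_time']:%Y-%m-%d %H:%M:%S} UTC, dll={info['is_dll']}, "
          f"ImageBase={info['image_base']:#x}, region={info['region_base']:#x}, "
          f"relocated={info['relocated']}")
    for s in info["sections"]:
        print(f"  {s['name']:<8} {s['rva']:#08x} {s['vsize']:#08x} {s['perm']}")
```

Run the same parser over the file malfind wrote for PID 712; the compile timestamp is attacker-controlled and the `relocated` flag is a hint rather than proof, but a section whose RVA plus size exceeds SizeOfImage is a header the module's own loader never validated and is worth noting in the report.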
3.4 Reflective DLL Detection in PID 4872¶
The VAD analysis in section 3.2 showed a large RWX region at 0x04500000 with no backing file. This is the SHADOWBYTE RAT's core module, loaded reflectively.
# SYNTHETIC — Locate PE headers in PID 4872's private memory, then dump the region
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.vadyarascan \
    --pid 4872 --yara-rules 'rule pe_header { strings: $mz = { 4D 5A } condition: $mz at 0 }'
# vadyarascan only reports matches; extract the region itself with vadinfo --address --dump
# (windows.malfind --pid 4872 --dump also writes it, since the region is RWX, unbacked and starts with MZ)
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.vadinfo \
    --pid 4872 --address 0x04500000 --dump
# SYNTHETIC — PE analysis of extracted SHADOWBYTE RAT core module
# File: pid.4872.vad.0x04500000-0x045fffff.dmp
# File size: 1,048,576 bytes (1 MB)
# PE Compile Time: 2026-03-01 08:15:00 UTC (SYNTHETIC)
# PE Sections:
# .text 0x1000 0x82000 r-x (code — large, indicating complex functionality)
# .rdata 0x83000 0x12000 r-- (read-only data)
# .data 0x95000 0x8000 rw- (data)
# .rsrc 0x9d000 0x2000 r-- (resources — contains encrypted config)
# .reloc 0x9f000 0x1000 r-- (relocations)
#
# Exported Functions (SYNTHETIC):
# ReflectiveLoader — Self-mapping PE loader
# ShadowbyteInit — RAT initialization
# BeaconMain — C2 beacon loop
# ExecuteCommand — Command execution handler
# FileOperation — File upload/download
# ScreenCapture — Screenshot capture
# KeylogStart — Keylogger initialization
# CredHarvest — Credential harvester launcher
# LateralSpread — Lateral movement module
# SelfDestruct — Cleanup and self-removal
#
# Encrypted Configuration Block (decrypted — SYNTHETIC):
# c2_primary: 198.51.100.47:443
# c2_secondary: 198.51.100.23:8443
# c2_fallback: exfil-drop.phantom-viper.example:443
# beacon_interval: 60
# jitter: 0.2
# user_agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
# encryption: AES-256-CBC
# campaign_id: "NOVACORP-2026-Q1"
# kill_date: "2026-06-30"
Exercise 3 Checkpoint
At this point you should have:
- Used malfind to identify injected code in PIDs 4872, 712, and 5620
- Detected process hollowing in PID 4872 (PE header in RWX region at base address)
- Found shellcode at 0x02a10000 in PID 4872 (API-hashing stub)
- Identified a reflective DLL (SHADOWBYTE credential harvester) injected into lsass.exe (PID 712)
- Located the SHADOWBYTE RAT core module reflectively loaded at 0x04500000 in PID 4872
- Extracted the RAT configuration including C2 infrastructure and campaign metadata
- Identified the credential harvesting module communicating via named pipe
Key Finding: The attacker deployed a multi-component malware toolkit: SHADOWBYTE RAT (process-hollowed into svchost.exe) with a reflectively loaded credential harvester injected into lsass.exe. The hidden svchst.exe (PID 5620) serves as the NIGHTCRAWLER rootkit component handling lateral movement.
Exercise 4: Rootkit Detection¶
Objectives¶
- Scan for System Service Descriptor Table (SSDT) hooks that intercept system calls
- Check for Interrupt Descriptor Table (IDT) modifications
- Detect DKOM (Direct Kernel Object Manipulation) used to hide processes and drivers
- Identify hidden kernel drivers loaded by the NIGHTCRAWLER rootkit
4.1 SSDT Hook Detection¶
The System Service Descriptor Table (SSDT) maps system call numbers to kernel function addresses. Rootkits hook SSDT entries to intercept and filter system calls, enabling them to hide files, processes, registry keys, and network connections. On 64-bit Windows, Kernel Patch Protection (PatchGuard) periodically verifies the SSDT and bug-checks the machine when it finds a modification, so SSDT hooks are far rarer on modern x64 systems than on 32-bit Windows, and a rootkit that uses them must also defeat PatchGuard. Check the table anyway, because the check is cheap, but treat the kernel callback analysis in 4.5 as at least as important.
# SYNTHETIC — Scan for SSDT hooks
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.ssdt
# Expected output (SYNTHETIC — showing hooked entries):
# Index Address Module Symbol
# 0x0000 0xfffff80712345678 ntoskrnl.exe NtAcceptWaitablePort
# 0x0001 0xfffff8071234abcd ntoskrnl.exe NtAccessCheck
# ...
# 0x0023 0xfffff80712360000 ntoskrnl.exe NtClose
# 0x0024 0xfffff80712361234 ntoskrnl.exe NtCommitComplete
# ...
# 0x003E 0xfffff807DEAD0001 UNKNOWN NtCreateFile ◄── HOOKED
# ...
# 0x0052 0xfffff807DEAD0002 UNKNOWN NtEnumerateValueKey ◄── HOOKED
# ...
# 0x0055 0xfffff807DEAD0003 UNKNOWN NtQueryDirectoryFile ◄── HOOKED
# ...
# 0x0098 0xfffff807DEAD0004 UNKNOWN NtQuerySystemInformation ◄── HOOKED
# ...
# 0x0119 0xfffff80712398765 ntoskrnl.exe NtWriteFile
# 0x011A 0xfffff807123abcde ntoskrnl.exe NtWriteVirtualMemory
# SYNTHETIC — SSDT hook scan
python2 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw --profile=Win10x64_19041 ssdt
# Look for entries pointing outside ntoskrnl.exe or known drivers
python2 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw --profile=Win10x64_19041 ssdt | grep -v "ntoskrnl\|win32k"
SSDT Hooks Detected — NIGHTCRAWLER Rootkit
Four SSDT entries are hooked, redirecting system calls to addresses in an UNKNOWN module (not part of ntoskrnl.exe or any legitimate driver):
| Hooked Function | System Call Purpose | Rootkit Capability |
|---|---|---|
| NtCreateFile | Open/create files | File protection — Deny or redirect opens of rootkit files so they cannot be read, copied, or deleted |
| NtEnumerateValueKey | Enumerate registry values | Registry hiding — Hide persistence registry values from enumeration |
| NtQueryDirectoryFile | List directory contents | File hiding — Remove rootkit binaries from directory listings |
| NtQuerySystemInformation | Query process/system info | Process hiding — Filter rootkit processes from Task Manager and other process enumerators |
The hook addresses (0xfffff807DEAD0001 through 0xfffff807DEAD0004) are clearly synthetic but in a real scenario would point to rootkit driver code. These hooks work in concert with the DKOM process unlinking observed in Exercise 1.
4.2 Hidden Driver Detection¶
Rootkits typically load a kernel driver to install SSDT hooks and perform DKOM. Scan for drivers that may be hidden from the standard driver list.
# SYNTHETIC — List all loaded kernel modules
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.modules
# Expected output (SYNTHETIC — abbreviated, showing suspicious entry):
# Offset Base Size Name Path
# 0xfa8005120080 0xfffff80712000000 0xA00000 ntoskrnl.exe \SystemRoot\system32\ntoskrnl.exe
# 0xfa8005121080 0xfffff80713000000 0x800000 win32kfull.sys \SystemRoot\system32\win32kfull.sys
# 0xfa8005122080 0xfffff80714000000 0x40000 NETIO.SYS \SystemRoot\system32\drivers\NETIO.SYS
# ...
# 0xfa8005130080 0xfffff80715500000 0x10000 fltMgr.sys \SystemRoot\system32\drivers\fltMgr.sys
# 0xfa8005131080 0xfffff80715600000 0xA000 intelppm.sys \SystemRoot\system32\drivers\intelppm.sys
# ...
# (nightcrawler.sys NOT listed — hidden from module list)
# Scan for drivers using pool tag scanning (finds hidden drivers)
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.driverscan
# Expected ADDITIONAL driver found by driverscan (SYNTHETIC):
# Offset Start Size ServiceKey DriverName DriverNameOffset
# 0x000000003f810040 0xfffff807DEAD0000 0x8000 NightCrawlerSvc \Driver\ncrawler 0x000000003f810120 ◄── HIDDEN ROOTKIT DRIVER
# SYNTHETIC — Driver scan
python2 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw --profile=Win10x64_19041 driverscan
# Compare with modules list
python2 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw --profile=Win10x64_19041 modules
# Orphan drivers are those present in driverscan but absent from modules; dump one by the
# base address driverscan reported (it cannot be named, since it is not in the module list)
python2 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw --profile=Win10x64_19041 moddump -b 0xfffff807DEAD0000 -D /cases/novacorp/evidence/dumped_files/
Hidden Rootkit Driver — NIGHTCRAWLER
The driverscan plugin (which scans for _DRIVER_OBJECT structures using pool tag scanning) found a driver that is not listed in the standard modules list:
- Driver Name: \Driver\ncrawler
- Service Key: NightCrawlerSvc
- Base Address: 0xfffff807DEAD0000
- Size: 32,768 bytes (32 KB)
This driver was removed from PsLoadedModuleList (the kernel's linked list of loaded modules) using DKOM — the same technique used to hide processes. The same cross-view check works at the module level: windows.modscan pool-scans for _LDR_DATA_TABLE_ENTRY structures instead of walking the list, so an entry present in modscan but absent from modules has been unlinked. The driver provides the SSDT hooks detected in section 4.1 and the DKOM capability used to hide PIDs 5552 and 5620.
4.3 IDT Analysis¶
Check the Interrupt Descriptor Table for modifications that could indicate rootkit hooks on hardware interrupts or software interrupts.
# SYNTHETIC — IDT scan
# Note: Volatility 3 has no IDT plugin; use the Volatility 2 idt plugin with a matching
# profile, or read the table by hand from each CPU's KPCR
python2 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw --profile=Win10x64_19041 idt
# Expected output (SYNTHETIC — abbreviated):
# CPU Index Selector Value Module Section
# 0 0x00 0x0010 0xfffff80712340000 ntoskrnl.exe .text (Divide Error)
# 0 0x01 0x0010 0xfffff80712340100 ntoskrnl.exe .text (Debug)
# 0 0x02 0x0010 0xfffff80712340200 ntoskrnl.exe .text (NMI)
# 0 0x03 0x0010 0xfffff80712340300 ntoskrnl.exe .text (Breakpoint)
# ...
# 0 0x2E 0x0010 0xfffff80712345000 ntoskrnl.exe .text (System Call — KiSystemService)
# ...
# 0 0xE1 0x0010 0xfffff807DEAD5000 UNKNOWN UNKNOWN ◄── HOOKED (custom interrupt)
# ...
#
# All standard IDT entries point to ntoskrnl.exe EXCEPT:
# - INT 0xE1: Points to NIGHTCRAWLER driver space — used as a covert communication channel
#   between user-mode SHADOWBYTE components and the kernel-mode rootkit
# The IDT is per-CPU (one table per KPCR): a rootkit may hook only one processor's table,
# so compare the entries across every CPU the plugin reports, not just CPU 0.
4.4 DKOM Process Hiding Verification¶
Confirm the DKOM technique used to unlink processes from the EPROCESS linked list.
# SYNTHETIC — Compare EPROCESS linked list with pool tag scan
# We already identified hidden PIDs 5552 and 5620 in Exercise 1
# Verify by examining the EPROCESS structures directly
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.psscan --pid 5552
# Expected output (SYNTHETIC):
# PID PPID ImageFileName Offset(P) Threads Handles Sess Wow64 CreateTime ExitTime
# 5552 4872 conhost.exe 0x000000003e4a1040 2 42 0 False 2026-03-10 09:17:50.000000 -
# Check the ActiveProcessLinks for manipulation
# In a real analysis, you would examine the Flink/Blink pointers:
#
# Normal EPROCESS linking:
# Process A → Process B → Process C → Process A (circular)
#
# After DKOM unlinking of Process B:
# Process A → Process C → Process A (B removed, but B still in memory)
# Process B's Flink/Blink may point to itself or to A/C
#
# Evidence: PID 5552 EPROCESS at 0x3e4a1040 has Flink == Blink (points to itself)
# This confirms the process was manually unlinked from the ActiveProcessLinks list
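To make the Flink/Blink reasoning concrete, the Python simulation below is an added example (not kernel code, not Volatility's): it builds a toy ActiveProcessLinks list, unlinks two entries the way a DKOM rootkit would, and then compares a list walk (what pslist does) with a pool scan (what psscan does). A process that exited normally is included because it is also absent from the list, which is the usual false positive of this cross-view check.

```python
class Eproc:
    """Toy _EPROCESS with only the fields the cross-view check needs."""

    def __init__(self, pid, name, offset, exit_time=None):
        self.pid, self.name, self.offset, self.exit_time = pid, name, offset, exit_time
        self.flink = self.blink = self       # ActiveProcessLinks: self-linked until inserted


def build_active_list(procs):
    """Link processes into a circular doubly linked list behind a list head
    (the role PsActiveProcessHead plays in the kernel)."""
    head = Eproc(0, "<PsActiveProcessHead>", 0)
    prev = head
    for p in procs:
        prev.flink, p.blink = p, prev
        prev = p
    prev.flink, head.blink = head, prev
    return head


def walk_active_list(head, limit=100000):
    """What pslist does: follow Flink from the head until it wraps. The visited set and
    limit guard against a rootkit that loops the list to hang list walkers."""
    seen, out, node = set(), [], head.flink
    while node is not head and id(node) not in seen and len(out) < limit:
        seen.add(id(node))
        out.append(node.pid)
        node = node.flink
    return out


def scan_pool(pool):
    """What psscan does: find every _EPROCESS by pool tag/signature, ignoring the links."""
    return [p.pid for p in pool]


def dkom_unlink(p):
    """The rootkit's move: splice p out of ActiveProcessLinks. Pointing p's own links at
    itself keeps the kernel from faulting if p later exits and is unlinked again."""
    p.blink.flink = p.flink
    p.flink.blink = p.blink
    p.flink = p.blink = p


def self_linked(p):
    """The Flink == Blink == self pattern noted in the analysis above."""
    return p.flink is p and p.blink is p


def cross_view(pool, head):
    """Present in the scan but absent from the walk, split by whether the process simply
    exited (legitimately unlinked, still in pool memory) or is alive and therefore hidden."""
    listed = set(walk_active_list(head))
    hidden = sorted(p.pid for p in pool if p.pid not in listed and p.exit_time is None)
    exited = sorted(p.pid for p in pool if p.pid not in listed and p.exit_time is not None)
    return {"hidden": hidden, "exited": exited}


def scenario():
    """Constructed pool mirroring the lab's hidden PIDs; whoami.exe exited normally
    and so is already off the list before the rootkit touches anything."""
    pool = [Eproc(4, "System", 0x3e001040), Eproc(392, "smss.exe", 0x3e010040),
            Eproc(712, "lsass.exe", 0x3e200040), Eproc(4872, "svchost.exe", 0x3e480040),
            Eproc(5016, "whoami.exe", 0x3e490040, exit_time="2026-03-10 09:18:03"),
            Eproc(5552, "conhost.exe", 0x3e4a1040), Eproc(5620, "svchst.exe", 0x3e4b2040)]
    head = build_active_list(p for p in pool if p.exit_time is None)
    by_pid = {p.pid: p for p in pool}
    dkom_unlink(by_pid[5552])
    dkom_unlink(by_pid[5620])
    return pool, head, by_pid


if __name__ == "__main__":
    pool, head, by_pid = scenario()
    print("pslist:", walk_active_list(head))
    print("psscan:", scan_pool(pool))
    print("cross-view:", cross_view(pool, head))
    for pid in (4872, 5552, 5620):
        print(f"PID {pid} self-linked: {self_linked(by_pid[pid])}")
```

The split between `hidden` and `exited` is the detail that matters in practice: psscan routinely returns recently terminated processes whose pool memory has not been reused, so "in psscan but not pslist" is only a rootkit indicator once ExitTime is empty and the process still has threads.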
Exercise 4 Checkpoint
At this point you should have:
- Detected 4 SSDT hooks intercepting NtCreateFile, NtEnumerateValueKey, NtQueryDirectoryFile, and NtQuerySystemInformation
- Identified the hidden NIGHTCRAWLER rootkit driver (\Driver\ncrawler) at 0xfffff807DEAD0000
- Found a hooked IDT entry (INT 0xE1) used for covert kernel-user communication
- Confirmed DKOM process unlinking by examining EPROCESS ActiveProcessLinks
- Understood the rootkit architecture: kernel driver provides stealth (SSDT hooks + DKOM) while user-mode components handle C2 and operations
Key Finding: NIGHTCRAWLER is a kernel-mode rootkit that provides comprehensive stealth capabilities: process hiding via DKOM, file/registry hiding via SSDT hooks, and covert communication via a custom IDT entry. This works in coordination with the user-mode SHADOWBYTE RAT.
4.5 Kernel Callback Analysis¶
Modern rootkits also register kernel callbacks to intercept process creation, image loading, and registry operations. These callbacks are more stealthy than SSDT hooks because they use documented kernel APIs.
# SYNTHETIC — Check process creation callbacks
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.callbacks
# Expected output (SYNTHETIC — key entries):
# Type Callback Module Detail
# PsSetCreateProcessNotify 0xfffff80712345600 ntoskrnl.exe (Legitimate — process auditing)
# PsSetCreateProcessNotify 0xfffff80714501000 cng.sys (Legitimate — crypto provider)
# PsSetCreateProcessNotify 0xfffff80716201200 WdFilter.sys (Legitimate — Windows Defender)
# PsSetCreateProcessNotify 0xfffff807DEAD6000 UNKNOWN ◄── ROOTKIT CALLBACK
# PsSetLoadImageNotify 0xfffff80712346000 ntoskrnl.exe (Legitimate — image load auditing)
# PsSetLoadImageNotify 0xfffff807DEAD6100 UNKNOWN ◄── ROOTKIT CALLBACK
# CmRegisterCallback 0xfffff80712347000 ntoskrnl.exe (Legitimate — registry auditing)
# CmRegisterCallback 0xfffff80716201400 WdFilter.sys (Legitimate — Windows Defender)
# CmRegisterCallback 0xfffff807DEAD6200 UNKNOWN ◄── ROOTKIT CALLBACK
Rootkit Kernel Callbacks
NIGHTCRAWLER registered three kernel callbacks, all pointing to the rootkit driver address space (0xfffff807DEAD*):
| Callback Type | Purpose |
|---|---|
| PsSetCreateProcessNotify | Monitors new process creation — allows the rootkit to automatically hide new SHADOWBYTE child processes as they are spawned |
| PsSetLoadImageNotify | Monitors DLL/driver loading — can intercept and block security tool drivers from loading |
| CmRegisterCallback | Monitors registry operations — hides rootkit persistence keys from registry scanning tools |
These callbacks are more sophisticated than SSDT hooks because they use documented, supported Windows kernel APIs (PsSetCreateProcessNotifyRoutine, PsSetLoadImageNotifyRoutine, CmRegisterCallbackEx) and do not trip PatchGuard. Security tools that only check for SSDT hooks would miss them. Because callback registration is legitimate and common (EDR agents, Defender, Sysmon), the presence of callbacks is not the indicator; the indicator is a callback address that resolves to no module in windows.modules or windows.modscan, which is why every address in this listing should be attributed to a module range rather than eyeballed.
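Both the SSDT check in 4.1 and the callback check here reduce to one question: does a kernel pointer fall inside a module the OS admits is loaded? The Python below is an added example (not from the lab or from Volatility) that serves both sections: it indexes a constructed windows.modules table (the cng.sys and WdFilter.sys entries are assumptions), attributes each SSDT entry and callback address, and clusters the unattributed addresses into a candidate driver base to hand to driverscan, modscan, or moddump.

```python
import bisect

# Constructed kernel module table in the shape of windows.modules (Base, Size, Name).
# Bases follow the lab's listing; cng.sys and WdFilter.sys are assumed entries.
MODULES = [
    (0xfffff80712000000, 0xA00000, "ntoskrnl.exe"),
    (0xfffff80713000000, 0x800000, "win32kfull.sys"),
    (0xfffff80714000000, 0x40000, "NETIO.SYS"),
    (0xfffff80714500000, 0x60000, "cng.sys"),
    (0xfffff80715500000, 0x10000, "fltMgr.sys"),
    (0xfffff80715600000, 0xA000, "intelppm.sys"),
    (0xfffff80716200000, 0x80000, "WdFilter.sys"),
]

# Constructed pointers to audit: (source, symbol, address). SSDT rows follow windows.ssdt,
# callback rows follow windows.callbacks; the addresses are the lab's synthetic values.
POINTERS = [
    ("ssdt", "NtClose", 0xfffff80712360000),
    ("ssdt", "NtCreateFile", 0xfffff807DEAD0001),
    ("ssdt", "NtEnumerateValueKey", 0xfffff807DEAD0002),
    ("ssdt", "NtQueryDirectoryFile", 0xfffff807DEAD0003),
    ("ssdt", "NtQuerySystemInformation", 0xfffff807DEAD0004),
    ("ssdt", "NtWriteFile", 0xfffff80712398765),
    ("callback", "PsSetCreateProcessNotify", 0xfffff80714501000),
    ("callback", "PsSetCreateProcessNotify", 0xfffff80716201200),
    ("callback", "PsSetCreateProcessNotify", 0xfffff807DEAD6000),
    ("callback", "PsSetLoadImageNotify", 0xfffff807DEAD6100),
    ("callback", "CmRegisterCallback", 0xfffff80716201400),
    ("callback", "CmRegisterCallback", 0xfffff807DEAD6200),
]


class ModuleIndex:
    """Sorted module ranges with O(log n) address-to-module lookup."""

    def __init__(self, modules):
        self.entries = sorted(modules)
        self.bases = [base for base, _, _ in self.entries]

    def attribute(self, addr):
        """Name of the module whose [base, base+size) contains addr, else None."""
        i = bisect.bisect_right(self.bases, addr) - 1
        if i < 0:
            return None
        base, size, name = self.entries[i]
        return name if base <= addr < base + size else None


def audit(pointers, index):
    """Every pointer that resolves to no listed module."""
    return [(src, sym, addr) for src, sym, addr in pointers if index.attribute(addr) is None]


def infer_hidden_module(unknown, page=0x1000):
    """Cluster the unattributed addresses: if they sit within a driver-sized span, report
    the page-aligned base to feed into driverscan, modscan, or moddump -b."""
    if not unknown:
        return None
    addrs = sorted(addr for _, _, addr in unknown)
    lo = addrs[0] & ~(page - 1)
    hi = (addrs[-1] // page + 1) * page
    return {"base": lo, "span": hi - lo, "count": len(addrs)}


if __name__ == "__main__":
    index = ModuleIndex(MODULES)
    for src, sym, addr in POINTERS:
        print(f"{src:<9} {sym:<28} {addr:#018x} -> {index.attribute(addr) or 'UNKNOWN'}")
    unknown = audit(POINTERS, index)
    print("unattributed:", len(unknown), "candidate driver:", infer_hidden_module(unknown))
```

Build the index from `windows.modules` first and, if an address is still unattributed, from `windows.modscan`: a pointer that resolves only against the pool scan belongs to an unlinked module, which is itself the finding. An address that resolves against neither is a driver whose image has been wiped from the list and the pool, so the clustered base is what you hand to moddump.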
4.6 Rootkit Architecture Summary¶
SYNTHETIC — NIGHTCRAWLER Rootkit Architecture
┌─────────────────────────────────────────────────────────┐
│ USER MODE │
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌────────────┐ │
│ │ svchost.exe │ │ svchst.exe │ │ conhost.exe│ │
│ │ PID 4872 │ │ PID 5620 │ │ PID 5552 │ │
│ │ (SHADOWBYTE │ │ (NIGHTCRAWLER│ │ (Hidden │ │
│ │ RAT core) │ │ user-mode) │ │ console) │ │
│ │ [Hollowed] │ │ [DKOM hidden]│ │ [DKOM hid] │ │
│ └──────┬───────┘ └──────┬───────┘ └────────────┘ │
│ │ Named Pipe │ INT 0xE1 │
│ ┌──────▼───────┐ │ (covert channel) │
│ │ lsass.exe │ │ │
│ │ PID 712 │ │ │
│ │ (Cred module │ │ │
│ │ injected) │ │ │
│ └──────────────┘ │ │
├─────────────────────────────┼─────────────────────────────┤
│ KERNEL MODE │
│ │ │
│ ┌──────────────▼──────────────┐ │
│ │ ncrawler.sys │ │
│ │ (NIGHTCRAWLER driver) │ │
│ │ Base: 0xfffff807DEAD0000 │ │
│ │ [Hidden from module list] │ │
│ │ │ │
│ │ Capabilities: │ │
│ │ ├─ SSDT hooks (4 syscalls) │ │
│ │ ├─ DKOM (process/driver) │ │
│ │ ├─ IDT hook (INT 0xE1) │ │
│ │ ├─ Process notify callback │ │
│ │ ├─ Image load callback │ │
│ │ └─ Registry callback │ │
│ └─────────────────────────────┘ │
└──────────────────────────────────────────────────────────┘
Exercise 5: Timeline & IOC Extraction¶
Objectives¶
- Build a forensic timeline using timeliner to correlate all memory artifacts chronologically
- Extract files from memory for offline analysis
- Dump credential material (synthetic hashes) from memory
- Analyze registry keys for persistence mechanisms
- Compile a comprehensive IOC report
5.1 Timeline Generation¶
# SYNTHETIC — Generate a comprehensive timeline from memory artifacts
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw timeliner.Timeliner
# Expected output (SYNTHETIC — key events sorted chronologically):
# Timestamp Plugin Description
# 2026-03-10 06:15:18.000000 windows.psscan Process: Registry (PID 104) created
# 2026-03-10 06:15:22.000000 windows.psscan Process: System (PID 4) created
# 2026-03-10 06:15:22.000000 windows.psscan Process: smss.exe (PID 392) created
# 2026-03-10 06:15:24.000000 windows.psscan Process: csrss.exe (PID 508) created
# 2026-03-10 06:15:24.000000 windows.psscan Process: wininit.exe (PID 584) created
# 2026-03-10 06:15:24.000000 windows.psscan Process: services.exe (PID 700) created
# 2026-03-10 06:15:24.000000 windows.psscan Process: lsass.exe (PID 712) created
# 2026-03-10 06:15:25.000000 windows.psscan Process: svchost.exe (PID 824) created
# 2026-03-10 06:15:25.000000 windows.psscan Process: svchost.exe (PID 872) created
# 2026-03-10 06:15:25.000000 windows.psscan Process: svchost.exe (PID 968) created
# 2026-03-10 06:15:28.000000 windows.psscan Process: spoolsv.exe (PID 2104) created
# 2026-03-10 06:30:14.000000 windows.psscan Process: explorer.exe (PID 2492) created
# 2026-03-10 06:31:02.000000 windows.psscan Process: outlook.exe (PID 2680) created
# 2026-03-10 06:31:15.000000 windows.psscan Process: chrome.exe (PID 3104) created
# 2026-03-10 09:14:30.000000 windows.psscan Process: notepad.exe (PID 4520) created ◄── USER OPENS ATTACHMENT
# 2026-03-10 09:14:55.000000 windows.netscan Network: chrome.exe (3104) → 203.0.113.5:80 ◄── PAYLOAD DOWNLOAD
# 2026-03-10 09:17:44.000000 windows.psscan Process: svchost.exe (PID 4872) created ◄── SHADOWBYTE RAT DEPLOYED
# 2026-03-10 09:17:46.000000 windows.netscan Network: svchost.exe (4872) LISTENING :49670 ◄── BACKDOOR PORT OPENED
# 2026-03-10 09:17:50.000000 windows.psscan Process: conhost.exe (PID 5552) created [HIDDEN] ◄── HIDDEN CONSOLE
# 2026-03-10 09:17:52.000000 windows.psscan Process: svchst.exe (PID 5620) created [HIDDEN] ◄── NIGHTCRAWLER DEPLOYED
# 2026-03-10 09:18:02.000000 windows.psscan Process: cmd.exe (PID 4988) created ◄── INITIAL RECON START
# 2026-03-10 09:18:03.000000 windows.psscan Process: whoami.exe (PID 5016) created/exited ◄── RECON: whoami
# 2026-03-10 09:18:05.000000 windows.psscan Process: ipconfig.exe (PID 5104) created/exited ◄── RECON: ipconfig
# 2026-03-10 10:42:15.000000 windows.psscan Process: msedge.exe (PID 5480) created ◄── Normal user activity
# 2026-03-12 02:15:32.000000 windows.netscan Network: lsass.exe (712) → 10.20.1.10:88 ◄── KERBEROS TICKET REQUEST
# 2026-03-12 02:15:33.000000 windows.psscan Process: cmd.exe (PID 5188) created ◄── SECOND RECON WAVE
# 2026-03-12 02:15:35.000000 windows.psscan Process: net.exe (PID 5240) created/exited ◄── RECON: net
# 2026-03-12 02:15:38.000000 windows.netscan Network: cmd.exe (4988) → 10.20.1.10:389 ◄── LDAP QUERY TO DC
# 2026-03-12 02:15:40.000000 windows.psscan Process: nltest.exe (PID 5312) created/exited ◄── RECON: nltest (domain trust)
# 2026-03-12 02:16:10.000000 windows.netscan Network: svchst.exe (5620) → 10.20.3.15:445 ◄── LATERAL MOVEMENT: APP SERVER
# 2026-03-12 02:20:45.000000 windows.netscan Network: svchst.exe (5620) → 10.20.3.20:445 ◄── LATERAL MOVEMENT: FILE SERVER
# 2026-03-12 14:25:00.000000 dns_cache DNS: exfil-drop.phantom-viper.example resolved ◄── EXFIL DOMAIN RESOLVED
# 2026-03-12 14:30:05.000000 windows.netscan Network: svchst.exe (5620) → 198.51.100.23:8443 ◄── SECONDARY C2 ACTIVE
# 2026-03-12 14:37:00.000000 soc_detection SOC Alert: Anomalous outbound HTTPS beaconing ◄── DETECTION
# 2026-03-12 14:58:12.000000 windows.netscan Network: svchost.exe (4872) → 198.51.100.47:443 ◄── C2 BEACON (at acquisition)
# 2026-03-12 15:00:33.000000 windows.netscan Network: svchost.exe (4872) → 198.51.100.47:443 ◄── C2 BEACON (at acquisition)
# 2026-03-12 15:02:33.000000 acquisition Memory dump acquired ◄── DUMP CAPTURED
5.2 Credential Extraction¶
Synthetic Credentials
All credential material below is 100% synthetic and fictional. Hashes follow the format SYNTHETIC-HASH-* and are not real NTLM, LM, or Kerberos hashes. Never use extracted credentials from a real engagement for unauthorized access.
# SYNTHETIC — Dump password hashes from SAM/SYSTEM registry hives
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.hashdump
# Expected output (SYNTHETIC):
# User RID LM Hash NTLM Hash
# Administrator 500 aad3b435b51404eeaad3b435b51404ee SYNTHETIC-HASH-01a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6
# Guest 501 aad3b435b51404eeaad3b435b51404ee SYNTHETIC-HASH-00000000000000000000000000000000
# DefaultAccount 503 aad3b435b51404eeaad3b435b51404ee SYNTHETIC-HASH-00000000000000000000000000000000
# jdoe 1001 aad3b435b51404eeaad3b435b51404ee SYNTHETIC-HASH-a1a1a1a1b2b2b2b2c3c3c3c3d4d4d4d4
# svc-backup 1002 aad3b435b51404eeaad3b435b51404ee SYNTHETIC-HASH-e5e5e5e5f6f6f6f6a7a7a7a7b8b8b8b8
# SYNTHETIC — Extract cached domain credentials
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.cachedump
# Expected output (SYNTHETIC):
# User Domain Hash
# jdoe NOVACORP SYNTHETIC-HASH-CACHED-aabbccdd11223344aabbccdd11223344
# admin.smith NOVACORP SYNTHETIC-HASH-CACHED-55667788aabbccddee11223344556677
# svc-sqlprod NOVACORP SYNTHETIC-HASH-CACHED-99aabbccddeeff0011223344556677889
# SYNTHETIC — Extract LSA secrets
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.lsadump
# Expected output (SYNTHETIC):
# Key Secret
# DefaultPassword REDACTED
# DPAPI_SYSTEM SYNTHETIC-DPAPI-KEY-aabbccdd1122334455667788
# NL$KM SYNTHETIC-NLKM-KEY-99aabbccddeeff0011223344
# _SC_NovaCorp-BackupSvc SYNTHETIC-SVC-PASS-REDACTED
5.3 Registry Analysis¶
Extract registry hives from memory and analyze persistence mechanisms.
# SYNTHETIC — List registry hives in memory
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.registry.hivelist
# Expected output (SYNTHETIC):
# Offset FileFullPath
# 0xfa80042a0080 \REGISTRY\MACHINE\SYSTEM
# 0xfa80042b0080 \REGISTRY\MACHINE\SOFTWARE
# 0xfa80042c0080 \REGISTRY\MACHINE\SAM
# 0xfa80042d0080 \REGISTRY\MACHINE\SECURITY
# 0xfa80050e0080 \??\C:\Users\jdoe\ntuser.dat
# 0xfa80050f0080 \??\C:\Users\jdoe\AppData\Local\Microsoft\Windows\UsrClass.dat
# SYNTHETIC — Check Run keys for persistence
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.registry.printkey \
--key "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Expected output (SYNTHETIC):
# Key: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# Last Write: 2026-03-10 09:18:15 UTC
#
# REG_SZ SecurityHealthSystray : "C:\Windows\System32\SecurityHealthSystray.exe" ◄── LEGITIMATE
# REG_SZ WindowsDefender : "C:\Program Files\Windows Defender\MSASCuiL.exe" ◄── LEGITIMATE
# REG_SZ NovaCorp Update Agent : "C:\ProgramData\NovaCorp\update_agent.exe" ◄── SUSPICIOUS ◄── PERSISTENCE
# SYNTHETIC — Check Services registry key
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.registry.printkey \
--key "SYSTEM\CurrentControlSet\Services\NightCrawlerSvc"
# Expected output (SYNTHETIC):
# Key: SYSTEM\CurrentControlSet\Services\NightCrawlerSvc
# Last Write: 2026-03-10 09:17:48 UTC
#
# REG_DWORD Type : 1 (Kernel Driver)
# REG_DWORD Start : 1 (System Start)
# REG_DWORD ErrorControl : 0 (Ignore)
# REG_SZ DisplayName : "Windows Network Compliance Driver" ◄── DECEPTIVE NAME
# REG_SZ ImagePath : "\SystemRoot\System32\drivers\ncrawler.sys"
# REG_SZ Description : "Provides network compliance verification" ◄── DECEPTIVE DESCRIPTION
# SYNTHETIC — Check Scheduled Tasks for persistence
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.registry.printkey \
--key "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"
# Found suspicious task (SYNTHETIC):
# Key: ...\TaskCache\Tree\Microsoft\Windows\NetComplianceCheck
# Last Write: 2026-03-10 09:18:20 UTC
#
# This task name mimics a legitimate Windows task.
# Associated Actions registry entry reveals:
# Exec Command: "C:\Windows\System32\rundll32.exe"
# Exec Arguments: "C:\ProgramData\NovaCorp\compliance.dll,CheckCompliance" ◄── PERSISTENCE via rundll32
# Trigger: Daily at 02:00 AM
Persistence Mechanisms Identified
Three persistence mechanisms were installed by PHANTOM-VIPER:
| Mechanism | Location | Technique | ATT&CK |
|---|---|---|---|
| Registry Run Key | HKLM\SOFTWARE\...\Run\NovaCorp Update Agent | Runs update_agent.exe at user login | T1547.001 |
| Kernel Driver Service | HKLM\SYSTEM\...\Services\NightCrawlerSvc | Loads ncrawler.sys at system boot | T1543.003 |
| Scheduled Task | NetComplianceCheck via Task Scheduler | Runs rundll32.exe with malicious DLL daily at 02:00 | T1053.005 |
5.4 File Extraction from Memory¶
# SYNTHETIC — Dump files associated with malicious processes
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.dumpfiles --pid 4872
# SYNTHETIC — Scan for file objects matching suspicious paths
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.filescan | grep -i "novacorp\|ncrawler\|update_agent\|compliance"
# Expected output (SYNTHETIC):
# Offset Name
# 0x000000003e8a0200 \ProgramData\NovaCorp\update_agent.exe ◄── PERSISTENCE BINARY
# 0x000000003e8b0100 \ProgramData\NovaCorp\compliance.dll ◄── SCHEDULED TASK PAYLOAD
# 0x000000003e8c0300 \ProgramData\NovaCorp\config.dat ◄── ENCRYPTED CONFIGURATION
# 0x000000003f810300 \Windows\System32\drivers\ncrawler.sys ◄── ROOTKIT DRIVER
# 0x000000003e8d0400 \Users\jdoe\AppData\Local\Temp\invoice_Q1.pdf.exe ◄── INITIAL DROPPER
# Dump the files for offline analysis
python3 vol.py -f /cases/novacorp/ws-fin-042_20260312_1502.raw windows.dumpfiles \
--physaddr 0x000000003e8a0200
# SYNTHETIC — File hashes of extracted malware components
# File SHA-256 (SYNTHETIC) Size
# update_agent.exe SYNTHETIC-HASH-SHA256-update-agent-aabbccdd11223344556677889900aabbcc 245,760 bytes
# compliance.dll SYNTHETIC-HASH-SHA256-compliance-dll-112233445566778899aabbccddeeff00 131,072 bytes
# config.dat SYNTHETIC-HASH-SHA256-config-dat-aabbccddeeff00112233445566778899aa 4,096 bytes
# ncrawler.sys SYNTHETIC-HASH-SHA256-ncrawler-sys-ffeeddccbbaa00998877665544332211 32,768 bytes
# invoice_Q1.pdf.exe SYNTHETIC-HASH-SHA256-invoice-dropper-0011223344556677889900aabbccdd 512,000 bytes
5.5 Comprehensive IOC Report¶
Compile all extracted indicators of compromise into a structured report.
# SYNTHETIC IOC Report — NovaCorp Financial Incident
# Generated: 2026-03-12
# Classification: TLP:RED (SYNTHETIC)
# Threat Actor: PHANTOM-VIPER (fictional)
# Malware Family: SHADOWBYTE (RAT), NIGHTCRAWLER (rootkit)
type,indicator,context,confidence,mitre_technique
ip,198.51.100.47,Primary C2 server,High,T1071.001
ip,198.51.100.23,Secondary C2 server,High,T1071.001
ip,203.0.113.5,Payload delivery server,High,T1189
ip,198.51.100.99,Exfiltration staging (DNS resolved),Medium,T1041
domain,update.novacorp-cdn.example,Primary C2 domain,High,T1071.001
domain,telemetry.novacorp-cdn.example,Secondary C2 domain,High,T1071.001
domain,downloads.update-service.example,Payload delivery domain,High,T1189
domain,exfil-drop.phantom-viper.example,Exfiltration staging domain,Medium,T1041
hash-sha256,SYNTHETIC-HASH-SHA256-update-agent-aabbccdd11223344556677889900aabbcc,SHADOWBYTE persistence binary,High,T1547.001
hash-sha256,SYNTHETIC-HASH-SHA256-compliance-dll-112233445566778899aabbccddeeff00,SHADOWBYTE scheduled task DLL,High,T1053.005
hash-sha256,SYNTHETIC-HASH-SHA256-ncrawler-sys-ffeeddccbbaa00998877665544332211,NIGHTCRAWLER rootkit driver,High,T1014
hash-sha256,SYNTHETIC-HASH-SHA256-invoice-dropper-0011223344556677889900aabbccdd,Initial dropper (invoice_Q1.pdf.exe),High,T1204.002
hash-sha256,SYNTHETIC-HASH-SHA256-config-dat-aabbccddeeff00112233445566778899aa,Encrypted C2 configuration,Medium,T1027
filename,update_agent.exe,Persistence binary in ProgramData\NovaCorp\,High,T1547.001
filename,compliance.dll,Scheduled task payload,High,T1053.005
filename,ncrawler.sys,Rootkit kernel driver,High,T1014
filename,invoice_Q1.pdf.exe,Initial dropper (double extension),High,T1204.002
filename,config.dat,Encrypted C2 config,Medium,T1027
filepath,C:\ProgramData\NovaCorp\,Malware staging directory,High,T1074.001
filepath,C:\Windows\System32\drivers\ncrawler.sys,Rootkit driver path,High,T1014
registry,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NovaCorp Update Agent,Persistence Run key,High,T1547.001
registry,HKLM\SYSTEM\CurrentControlSet\Services\NightCrawlerSvc,Rootkit service registration,High,T1543.003
scheduled-task,Microsoft\Windows\NetComplianceCheck,Persistence scheduled task,High,T1053.005
named-pipe,\\.\pipe\shadowbyte_cred,Credential harvester IPC,High,T1559.001
port,49670/tcp,Local backdoor listener,High,T1571
user-agent,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",C2 HTTP user-agent,Low,T1071.001
process-name,svchst.exe,NIGHTCRAWLER component (typosquatted svchost),High,T1036.005
mutex,Global\SHADOWBYTE-NOVACORP-2026-Q1,Campaign mutex,High,T1480
Exercise 5 Checkpoint
At this point you should have:
- Generated a comprehensive forensic timeline spanning 2026-03-10 to 2026-03-12
- Extracted synthetic password hashes from SAM, cached domain credentials, and LSA secrets
- Identified three persistence mechanisms: Run key, kernel driver service, scheduled task
- Extracted five malware files from memory with synthetic hashes
- Compiled a structured IOC report with 30+ indicators mapped to ATT&CK techniques
- Reconstructed the full attack narrative from initial access through persistence and lateral movement
Key Finding: The PHANTOM-VIPER attack chain followed a clear progression: phishing email with malicious attachment → dropper execution → SHADOWBYTE RAT deployment via process hollowing → NIGHTCRAWLER rootkit installation → credential harvesting from LSASS → domain reconnaissance → lateral movement to application and file servers → exfiltration staging.
Detection Queries¶
KQL (Microsoft Sentinel)¶
// SYNTHETIC — Detect process hollowing indicators
// Svchost.exe spawning cmd.exe or powershell.exe
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "svchost.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe")
| where InitiatingProcessCommandLine !contains "-k" // Legitimate svchost always has -k flag
| project Timestamp, DeviceName, InitiatingProcessId,
InitiatingProcessFileName, FileName, ProcessCommandLine
| sort by Timestamp desc
// SYNTHETIC — Detect hidden process creation (typosquatted names)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName matches regex @"^svch[o0]?st\.exe$"
| where FileName != "svchost.exe"
| project Timestamp, DeviceName, FileName, FolderPath,
InitiatingProcessFileName, ProcessCommandLine
// SYNTHETIC — Detect anomalous svchost.exe without service registration
DeviceProcessEvents
| where FileName =~ "svchost.exe"
| where ProcessCommandLine !contains "-k "
| where ProcessCommandLine !contains "-s "
| project Timestamp, DeviceName, ProcessId, ProcessCommandLine, FolderPath
// SYNTHETIC — Detect C2 beaconing patterns
// prev() is a window function: it needs sorted (serialized) input and cannot be evaluated
// inside summarize, so the gap to the previous connection in the same group is computed first
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteIP in ("198.51.100.47", "198.51.100.23", "203.0.113.5") // Replace with actual IOCs
| sort by DeviceName asc, RemoteIP asc, RemotePort asc, InitiatingProcessFileName asc, Timestamp asc
| extend SecondsSincePrev = iff(prev(DeviceName) == DeviceName and prev(RemoteIP) == RemoteIP
and prev(RemotePort) == RemotePort and prev(InitiatingProcessFileName) == InitiatingProcessFileName,
datetime_diff('second', Timestamp, prev(Timestamp)), int(null))
| summarize ConnectionCount = count(),
AvgTimeBetween = avg(SecondsSincePrev),
FirstSeen = min(Timestamp),
LastSeen = max(Timestamp)
by DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName
| where ConnectionCount > 10
// SYNTHETIC — Detect reconnaissance command burst
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName in~ ("whoami.exe", "ipconfig.exe", "net.exe",
"nltest.exe", "systeminfo.exe", "tasklist.exe", "quser.exe")
| summarize ReconCommands = make_set(FileName),
CommandCount = count(),
FirstCommand = min(Timestamp),
LastCommand = max(Timestamp)
by DeviceName, InitiatingProcessFileName, InitiatingProcessId
| where CommandCount >= 3
| where datetime_diff('minute', LastCommand, FirstCommand) < 10
// SYNTHETIC — Detect driver loading from suspicious paths
DeviceEvents
| where ActionType == "DriverLoad"
| where FolderPath !startswith @"C:\Windows\System32\drivers\"
or FileName in~ ("ncrawler.sys") // Add known rootkit filenames
| project Timestamp, DeviceName, FileName, FolderPath,
SHA256, SignerType, IsSigned
// SYNTHETIC — Detect lateral movement via SMB
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort == 445
| where LocalIP startswith "10.20."
| where RemoteIP startswith "10.20."
| where InitiatingProcessFileName !in~ ("System", "svchost.exe", "dns.exe")
| project Timestamp, DeviceName, LocalIP, RemoteIP,
InitiatingProcessFileName, InitiatingProcessId
SPL (Splunk)¶
// SYNTHETIC — Detect process hollowing: svchost.exe spawning cmd/powershell
index=edr sourcetype=process_creation
parent_process_name="svchost.exe"
(process_name="cmd.exe" OR process_name="powershell.exe" OR process_name="pwsh.exe")
NOT parent_process_command_line="*-k *"
| table _time host parent_process_id parent_process_name process_name process_command_line
| sort -_time
// SYNTHETIC — Detect typosquatted process names
index=edr sourcetype=process_creation
| regex process_name="^svch[o0]?st\.exe$"
| where process_name != "svchost.exe"
| table _time host process_name process_path parent_process_name process_command_line
// SYNTHETIC — Detect C2 beaconing
index=network sourcetype=firewall
(dest_ip="198.51.100.47" OR dest_ip="198.51.100.23" OR dest_ip="203.0.113.5")
| stats count as connection_count
earliest(_time) as first_seen
latest(_time) as last_seen
values(dest_port) as ports
by src_ip dest_ip process_name
| where connection_count > 10
// SYNTHETIC — Detect reconnaissance command execution burst
index=edr sourcetype=process_creation
(process_name="whoami.exe" OR process_name="ipconfig.exe" OR process_name="net.exe"
OR process_name="nltest.exe" OR process_name="systeminfo.exe" OR process_name="tasklist.exe")
| stats count as cmd_count
values(process_name) as commands
earliest(_time) as first_cmd
latest(_time) as last_cmd
by host parent_process_name parent_process_id
| where cmd_count >= 3
| eval time_span_minutes = round((last_cmd - first_cmd) / 60, 1)
| where time_span_minutes < 10
// SYNTHETIC — Detect suspicious driver loads
index=edr sourcetype=driver_load
(NOT driver_path="C:\\Windows\\System32\\drivers\\*" OR driver_name="ncrawler.sys")
| table _time host driver_name driver_path signer is_signed sha256
// SYNTHETIC — Detect lateral movement via SMB from non-system processes
index=network sourcetype=firewall dest_port=445
src_ip="10.20.*" dest_ip="10.20.*"
NOT process_name IN ("System", "svchost.exe", "dns.exe")
| table _time src_ip dest_ip process_name process_id
| sort -_time
// SYNTHETIC — Detect named pipe creation for IPC
index=edr sourcetype=sysmon EventCode=17
PipeName="*shadowbyte*"
| table _time host ProcessId Image PipeName
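The beacon statistic that the KQL and SPL beaconing queries above approximate, as an added example in Python that is not part of the lab: it groups connections by host, destination and process, scores the regularity of the inter-arrival times, and runs on constructed synthetic records. The 10-connection minimum follows the queries; the 0.35 coefficient-of-variation threshold is an assumption.

```python
"""Inter-connection timing analysis for C2 beacon detection.

Added example (not code from the lab): implements in Python the statistic the
KQL and SPL beaconing queries approximate, so it can be run on a few constructed,
synthetic connection records. The decrypted SHADOWBYTE config in this lab
specifies a 60-second beacon with 20% jitter, which shows up as inter-arrival
times clustered around 60 s with a low relative spread.
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class NetEvent:
    timestamp: datetime
    device: str
    remote_ip: str
    remote_port: int
    process: str


@dataclass(frozen=True)
class BeaconVerdict:
    key: tuple  # (device, remote_ip, remote_port, process), the queries' "by" clause
    connection_count: int
    mean_interval_s: float
    cv: float  # coefficient of variation of the inter-arrival times (stdev / mean)
    is_beacon: bool


def analyze_beacons(events, min_connections=10, max_cv=0.35):
    """Group connections like the queries' summarize/stats step and score each group.

    A group is a beacon candidate when it has at least min_connections records and
    its inter-arrival times are regular (cv <= max_cv). Uniform 20% jitter around
    60 s gives a cv of roughly 0.12, so the assumed 0.35 threshold leaves headroom
    while rejecting bursty interactive traffic. Smaller groups are not scored.
    """
    groups = defaultdict(list)
    for e in events:
        groups[(e.device, e.remote_ip, e.remote_port, e.process)].append(e.timestamp)
    verdicts = []
    for key, stamps in groups.items():
        stamps.sort()
        if len(stamps) < min_connections:
            continue
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(deltas)
        cv = statistics.pstdev(deltas) / mean if mean > 0 else float("inf")
        verdicts.append(BeaconVerdict(key, len(stamps), mean, cv, cv <= max_cv))
    return verdicts


def build_sample_events():
    """Constructed synthetic records; hosts and IPs are the lab's RFC 5737 / RFC 1918 values."""
    t0 = datetime(2026, 3, 12, 13, 0, 0)
    events = []
    # Hollowed svchost.exe calling the primary C2 every ~60 s (gaps drawn within +/-20% jitter)
    t = t0
    events.append(NetEvent(t, "ws-fin-042", "198.51.100.47", 443, "svchost.exe"))
    for gap in (60, 52, 66, 58, 71, 49, 63, 60, 55, 68, 50):
        t += timedelta(seconds=gap)
        events.append(NetEvent(t, "ws-fin-042", "198.51.100.47", 443, "svchost.exe"))
    # Interactive browsing to an internal web server: same count, irregular gaps
    t = t0
    events.append(NetEvent(t, "ws-fin-042", "10.20.3.15", 443, "chrome.exe"))
    for gap in (1, 2, 300, 5, 1, 1200, 3, 2, 900, 1, 1):
        t += timedelta(seconds=gap)
        events.append(NetEvent(t, "ws-fin-042", "10.20.3.15", 443, "chrome.exe"))
    # Too few SMB connections to score at all
    for i in range(4):
        events.append(NetEvent(t0 + timedelta(minutes=i), "ws-fin-042", "10.20.3.20", 445, "System"))
    return events


def run_sample():
    """Return verdicts keyed by remote IP for the constructed sample."""
    return {v.key[1]: v for v in analyze_beacons(build_sample_events())}


if __name__ == "__main__":
    for ip, v in run_sample().items():
        print(f"{ip}: n={v.connection_count} mean={v.mean_interval_s:.1f}s "
              f"cv={v.cv:.2f} beacon={v.is_beacon}")
```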
Sigma Rules¶
# SYNTHETIC — Sigma rule: Svchost without -k flag (process hollowing indicator)
title: Svchost.exe Launched Without Service Group Flag
id: synthetic-sigma-001-novacorp
status: experimental
description: >
  Detects svchost.exe instances launched without the required -k flag,
  which may indicate process hollowing. Legitimate svchost.exe is always
  started by services.exe with -k <ServiceGroupName>. SYNTHETIC RULE.
references:
  - https://attack.mitre.org/techniques/T1055/012/
author: NovaCorp IR Team (SYNTHETIC)
date: 2026/03/12
tags:
  - attack.defense_evasion
  - attack.t1055.012
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\svchost.exe'
  filter_legitimate:
    CommandLine|contains: '-k '
  filter_parent:
    ParentImage|endswith: '\services.exe'
  condition: selection and not (filter_legitimate and filter_parent)
falsepositives:
  - Rare edge cases during Windows updates
level: high
# SYNTHETIC — Sigma rule: Typosquatted svchost.exe
title: Typosquatted Svchost Process Name
id: synthetic-sigma-002-novacorp
status: experimental
description: >
  Detects processes with names similar to svchost.exe but with subtle
  typos (e.g., svchst.exe, svch0st.exe), a technique used by malware
  to masquerade as legitimate Windows processes. SYNTHETIC RULE.
references:
  - https://attack.mitre.org/techniques/T1036/005/
author: NovaCorp IR Team (SYNTHETIC)
date: 2026/03/12
tags:
  - attack.defense_evasion
  - attack.t1036.005
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\svchst.exe'
      - '\svch0st.exe'
      - '\svchosl.exe'
      - '\scvhost.exe'
      - '\svchost32.exe'
  condition: selection
falsepositives:
  - Extremely unlikely with these specific names
level: critical
# SYNTHETIC — Sigma rule: Reconnaissance command burst
title: Rapid Execution of Discovery Commands
id: synthetic-sigma-003-novacorp
status: experimental
description: >
  Detects multiple reconnaissance/discovery commands executed in rapid
  succession from the same parent process, indicating automated or
  scripted post-exploitation discovery. SYNTHETIC RULE.
references:
  - https://attack.mitre.org/tactics/TA0007/
author: NovaCorp IR Team (SYNTHETIC)
date: 2026/03/12
tags:
  - attack.discovery
  - attack.t1033
  - attack.t1016
  - attack.t1087.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\whoami.exe'
      - '\ipconfig.exe'
      - '\net.exe'
      - '\net1.exe'
      - '\nltest.exe'
      - '\systeminfo.exe'
      - '\tasklist.exe'
      - '\quser.exe'
      - '\query.exe'
      - '\nslookup.exe'
      - '\arp.exe'
      - '\route.exe'
  condition: selection | count(Image) by ParentProcessId > 3
  timeframe: 10m
falsepositives:
  - System administrators running diagnostics
  - Monitoring scripts
level: high
# SYNTHETIC — Sigma rule: Suspicious driver load
title: Kernel Driver Loaded from Non-Standard Path
id: synthetic-sigma-004-novacorp
status: experimental
description: >
  Detects kernel drivers loaded from paths outside the standard
  Windows driver directories, or drivers matching known rootkit
  names. SYNTHETIC RULE.
references:
  - https://attack.mitre.org/techniques/T1014/
author: NovaCorp IR Team (SYNTHETIC)
date: 2026/03/12
tags:
  - attack.defense_evasion
  - attack.t1014
  - attack.persistence
  - attack.t1543.003
logsource:
  category: driver_load
  product: windows
detection:
  selection_name:
    ImageLoaded|endswith:
      - '\ncrawler.sys'
  selection_unsigned:
    Signed: 'false'
    ImageLoaded|endswith: '.sys'
  filter_standard_paths:
    ImageLoaded|startswith:
      - 'C:\Windows\System32\drivers\'
      - 'C:\Windows\SysWOW64\drivers\'
  condition: selection_name or (selection_unsigned and not filter_standard_paths)
falsepositives:
  - Third-party hardware drivers during installation
level: critical
# SYNTHETIC — Sigma rule: Rundll32 loading DLL from ProgramData
title: Rundll32 Executing DLL from ProgramData Directory
id: synthetic-sigma-005-novacorp
status: experimental
description: >
  Detects rundll32.exe loading DLLs from the ProgramData directory,
  which is commonly abused for malware staging and persistence.
  SYNTHETIC RULE.
references:
  - https://attack.mitre.org/techniques/T1218/011/
author: NovaCorp IR Team (SYNTHETIC)
date: 2026/03/12
tags:
  - attack.defense_evasion
  - attack.t1218.011
  - attack.persistence
  - attack.t1053.005
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\rundll32.exe'
    CommandLine|contains: '\ProgramData\'
  condition: selection
falsepositives:
  - Some legitimate software updaters use ProgramData
level: high
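The matching logic of the SYNTHETIC Sigma rules 001, 002 and 003 above, re-implemented in plain Python as an added example that is not part of the lab, so the rules can be checked against constructed process-creation events (every path, PID and timestamp is constructed). Field names follow the Sigma process_creation schema; the 10-minute window and the "more than three distinct tools" threshold come from rule 003.

```python
"""Plain-Python re-implementation of the SYNTHETIC Sigma rules 001, 002 and 003.

Added example, not part of the lab: encodes the matching logic of rule 001
(svchost.exe without -k or not started by services.exe), rule 002 (typosquatted
svchost names) and rule 003 (discovery-tool burst per parent PID within 10 minutes)
so it can be checked against constructed process_creation events. Every event,
PID and path below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    utc_time: datetime
    image: str
    command_line: str
    parent_image: str
    parent_pid: int


TYPOSQUAT_NAMES = (r"\svchst.exe", r"\svch0st.exe", r"\svchosl.exe", r"\scvhost.exe", r"\svchost32.exe")
DISCOVERY_IMAGES = (r"\whoami.exe", r"\ipconfig.exe", r"\net.exe", r"\net1.exe", r"\nltest.exe",
                    r"\systeminfo.exe", r"\tasklist.exe", r"\quser.exe", r"\query.exe",
                    r"\nslookup.exe", r"\arp.exe", r"\route.exe")


def _ends_with_any(path, suffixes):
    """Sigma's |endswith is case-insensitive on Windows paths."""
    low = path.lower()
    return any(low.endswith(s.lower()) for s in suffixes)


def rule_svchost_without_k(e):
    """Rule 001: selection and not (filter_legitimate and filter_parent)."""
    if not _ends_with_any(e.image, (r"\svchost.exe",)):
        return False
    legitimate = "-k " in e.command_line and _ends_with_any(e.parent_image, (r"\services.exe",))
    return not legitimate


def rule_typosquat(e):
    """Rule 002: any look-alike name, whatever the directory."""
    return _ends_with_any(e.image, TYPOSQUAT_NAMES)


def rule_discovery_burst(events, window=timedelta(minutes=10), min_distinct=4):
    """Rule 003: count(Image) by ParentProcessId > 3 within timeframe 10m.
    The legacy Sigma count(field) aggregation counts distinct values, so a parent is
    flagged when a 10-minute window starting at one of its events holds four or more
    different discovery tools. Returns the flagged parent PIDs."""
    per_parent = defaultdict(list)
    for e in events:
        if _ends_with_any(e.image, DISCOVERY_IMAGES):
            per_parent[e.parent_pid].append((e.utc_time, e.image.lower()))
    flagged = set()
    for pid, rows in per_parent.items():
        rows.sort()  # sorted, so the window anchored at rows[i] only needs rows[i:]
        for i, (start, _) in enumerate(rows):
            if len({img for t, img in rows[i:] if t - start <= window}) >= min_distinct:
                flagged.add(pid)
                break
    return flagged


def evaluate(events):
    """Run the per-event rules and the burst rule; return matched images / PIDs by rule."""
    hits = {"sigma-001": [], "sigma-002": []}
    for e in events:
        if rule_svchost_without_k(e):
            hits["sigma-001"].append(e.image)
        if rule_typosquat(e):
            hits["sigma-002"].append(e.image)
    hits["sigma-003"] = sorted(rule_discovery_burst(events))
    return hits


def build_sample_events():
    """Constructed events mirroring the lab narrative (parent PIDs 4410, 5588, 7001 are made up)."""
    sys32, cmd = "C:\\Windows\\System32", "C:\\Windows\\System32\\cmd.exe"
    dropper = "C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice_Q1.pdf.exe"
    t = datetime(2026, 3, 10, 9, 17, 44)
    ev = [  # hollowed host (no -k, parent is the dropper) vs. a legitimate service host
        ProcEvent(t, f"{sys32}\\svchost.exe", "svchost.exe", dropper, 4410),
        ProcEvent(t, f"{sys32}\\svchost.exe", "svchost.exe -k netsvcs -p", f"{sys32}\\services.exe", 728),
        ProcEvent(t, "C:\\Windows\\Temp\\svchst.exe", "svchst.exe", dropper, 4410),
    ]
    # attacker burst: four different tools within 90 seconds from one cmd.exe
    for secs, tool in ((18, "whoami"), (21, "ipconfig"), (56, "net"), (108, "nltest")):
        ev.append(ProcEvent(t + timedelta(seconds=secs), f"{sys32}\\{tool}.exe", tool, cmd, 5588))
    # admin diagnostics: never more than one distinct tool inside any 10-minute window
    for mins, tool in ((0, "ipconfig"), (5, "ipconfig"), (20, "whoami"), (45, "systeminfo")):
        ev.append(ProcEvent(t + timedelta(minutes=mins), f"{sys32}\\{tool}.exe", tool, cmd, 7001))
    return ev
```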
MITRE ATT&CK Mapping¶
| Technique ID | Technique Name | Tactic | Lab Evidence |
|---|---|---|---|
| T1566.001 | Phishing: Spearphishing Attachment | Initial Access (TA0001) | Invoice email with invoice_Q1.pdf.exe dropper |
| T1204.002 | User Execution: Malicious File | Execution (TA0002) | User jdoe opened the malicious attachment |
| T1059.003 | Command and Scripting: Windows Command Shell | Execution (TA0002) | cmd.exe spawned by hollowed svchost.exe |
| T1055.012 | Process Injection: Process Hollowing | Defense Evasion (TA0005) | svchost.exe (PID 4872) hollowed with SHADOWBYTE RAT |
| T1055.001 | Process Injection: DLL Injection | Defense Evasion (TA0005) | Credential harvester injected into lsass.exe (PID 712) |
| T1055.003 | Process Injection: Reflective DLL Loading | Defense Evasion (TA0005) | SHADOWBYTE core module loaded reflectively (no PEB entry) |
| T1014 | Rootkit | Defense Evasion (TA0005) | NIGHTCRAWLER kernel driver with SSDT hooks and DKOM |
| T1036.005 | Masquerading: Match Legitimate Name | Defense Evasion (TA0005) | svchst.exe typosquatting svchost.exe |
| T1547.001 | Boot/Logon Autostart: Registry Run Keys | Persistence (TA0003) | NovaCorp Update Agent Run key |
| T1543.003 | Create/Modify System Process: Windows Service | Persistence (TA0003) | NightCrawlerSvc kernel driver service |
| T1053.005 | Scheduled Task | Persistence (TA0003) | NetComplianceCheck task running compliance.dll |
| T1003.001 | OS Credential Dumping: LSASS Memory | Credential Access (TA0006) | Credential harvester module in lsass.exe memory |
| T1087.002 | Account Discovery: Domain Account | Discovery (TA0007) | net.exe and nltest.exe execution |
| T1016 | System Network Configuration Discovery | Discovery (TA0007) | ipconfig.exe execution |
| T1033 | System Owner/User Discovery | Discovery (TA0007) | whoami.exe execution |
| T1021.002 | Remote Services: SMB/Windows Admin Shares | Lateral Movement (TA0008) | SMB connections to 10.20.3.15 and 10.20.3.20 |
| T1071.001 | Application Layer Protocol: Web Protocols | Command and Control (TA0011) | HTTPS C2 to 198.51.100.47:443 |
| T1573.001 | Encrypted Channel: Symmetric Cryptography | Command and Control (TA0011) | AES-256-CBC encrypted C2 traffic |
| T1571 | Non-Standard Port | Command and Control (TA0011) | Secondary C2 on port 8443; backdoor on port 49670 |
| T1041 | Exfiltration Over C2 Channel | Exfiltration (TA0010) | Exfil staging domain resolved in DNS cache |
| T1074.001 | Data Staged: Local Data Staging | Collection (TA0009) | C:\ProgramData\NovaCorp\ staging directory |
| T1559.001 | Inter-Process Communication: Component Object Model | Execution (TA0002) | Named pipe \\.\pipe\shadowbyte_cred for IPC |
| T1027 | Obfuscated Files or Information | Defense Evasion (TA0005) | Encrypted config.dat configuration file |
Challenge Exercises¶
Challenge 1: Server Memory Analysis
Analyze the second memory dump (srv-app-015_20260312_1518.raw) from the application server. Determine:
- What processes did PHANTOM-VIPER deploy on the server?
- Was the NIGHTCRAWLER rootkit installed on this host as well?
- What credentials were harvested from the server's LSASS process?
- Were there any additional C2 channels or lateral movement to other hosts?
Write a comparison report showing how the server compromise differed from the workstation.
Hints
- Start with `windows.pslist` and `windows.psscan` to find hidden processes
- Check for PsExec artifacts — PHANTOM-VIPER used SMB for lateral movement, which often involves PsExec or similar tools
- The server runs domain services, so `lsass.exe` will contain more credentials than the workstation
- Look for `svchst.exe` or similar typosquatted process names
Challenge 2: YARA Rule Development
Write YARA rules to detect the SHADOWBYTE and NIGHTCRAWLER malware families based on the artifacts extracted in this lab. Your rules should detect:
- The SHADOWBYTE RAT core module (exported function names, strings)
- The NIGHTCRAWLER rootkit driver (service key name, SSDT hook patterns)
- The credential harvesting DLL (named pipe string, import patterns)
Test your rules against the dumped files from Exercise 5.
Hints
Use strings like "SHADOWBYTE-CRED v2.1", "BeaconMain", "ReflectiveLoader", "NightCrawlerSvc", and "shadowbyte_cred" as detection anchors. Combine with PE structure checks (uint16(0) == 0x5A4D) for precision.
rule SYNTHETIC_SHADOWBYTE_RAT {
    meta:
        description = "Detects SHADOWBYTE RAT core module (SYNTHETIC)"
        author = "NovaCorp IR Team"
        date = "2026-03-12"
        hash = "SYNTHETIC-HASH-SHA256-update-agent-aabbccdd11223344556677889900aabbcc"
        tlp = "RED"
    strings:
        $export1 = "ReflectiveLoader" ascii
        $export2 = "BeaconMain" ascii
        $export3 = "ShadowbyteInit" ascii
        $str1 = "SHADOWBYTE" ascii wide
        $str2 = "198.51.100.47" ascii
        $str3 = "novacorp-cdn.example" ascii
        $pipe = "shadowbyte_cred" ascii
    condition:
        uint16(0) == 0x5A4D and
        (2 of ($export*) or (1 of ($export*) and 2 of ($str*)) or $pipe)
}
Challenge 3: Remediation Playbook
Based on your findings, draft a remediation playbook for NovaCorp Financial that addresses:
- Immediate containment actions (network isolation, credential reset scope)
- Rootkit removal procedures (cannot be done from running OS — requires offline boot)
- Persistence mechanism cleanup (all three mechanisms must be removed)
- Credential reset scope (which accounts were compromised?)
- Network IOC blocking (firewall rules, DNS sinkholing)
- Long-term hardening recommendations (LSA protection, Credential Guard, driver signing enforcement)
Map each remediation step to the corresponding ATT&CK technique it addresses.
Hints
- Prioritize containment: isolate `ws-fin-042`, `srv-app-015`, and `srv-files-020` immediately
- The rootkit requires offline removal — boot from a clean USB/WinPE and delete `ncrawler.sys`, then clean the Services registry key
- Reset passwords for: `jdoe`, `admin.smith`, `svc-sqlprod`, `svc-backup`, and the local Administrator account
- Block all four C2 IPs and all four malicious domains at the perimeter firewall and DNS resolver
- Enable LSA Protection (`RunAsPPL`) and Credential Guard to prevent future LSASS credential harvesting
- Enforce driver signing policies to prevent unsigned kernel drivers like NIGHTCRAWLER
Answers and Solutions¶
Exercise 1 Answers — Process Analysis
Q: Which PID is the primary SHADOWBYTE RAT process? A: PID 4872 (svchost.exe) — process-hollowed, created at 2026-03-10 09:17:44 UTC
Q: What evidence confirms process hollowing? A: Two indicators: (1) PAGE_EXECUTE_READWRITE protection on the main executable VAD at 0x00400000, and (2) missing FileObject reference in the VAD entry. Legitimate svchost.exe uses PAGE_EXECUTE_READ and maintains a FileObject pointing to \Windows\System32\svchost.exe.
Q: How many processes are hidden from the standard process list? A: Two processes: PID 5552 (conhost.exe) and PID 5620 (svchst.exe). Both were found by psscan (pool tag scanning) but not by pslist (linked list traversal), confirming DKOM-based hiding.
Q: What reconnaissance commands did the attacker run? A: Two waves of reconnaissance:
- Wave 1 (2026-03-10 09:18): `whoami.exe` and `ipconfig.exe` — basic host identification
- Wave 2 (2026-03-12 02:15): `net.exe` and `nltest.exe` — domain enumeration and trust mapping
Q: Why does PID 4872 not appear in the service control manager? A: Because PID 4872 was created via process hollowing, not through the legitimate Service Control Manager (SCM). A real svchost.exe is always started by services.exe with a -k group flag and is registered in the SCM database. PID 4872 has no SCM entry and no -k flag, confirming it is not a legitimate service host.
Exercise 2 Answers — Network Forensics
Q: What are the primary and secondary C2 IP addresses? A: Primary: 198.51.100.47:443 (HTTPS). Secondary: 198.51.100.23:8443 (non-standard HTTPS port).
Q: How was the initial payload delivered? A: Chrome (PID 3104) connected to 203.0.113.5:80 at 09:14:55 on 2026-03-10, downloading the dropper. The DNS cache shows this IP resolved from downloads.update-service.example.
Q: Which internal hosts did the attacker move laterally to? A: Two hosts via SMB (port 445): srv-app-015.novacorp.example (10.20.3.15) and srv-files-020.novacorp.example (10.20.3.20).
Q: What is the purpose of port 49670? A: PID 4872 opened a LISTENING socket on port 49670 as a local backdoor, likely for bind-shell access or additional tool deployment from within the network.
Q: What is the significance of exfil-drop.phantom-viper.example? A: This domain was resolved in the DNS cache at 14:25 on 2026-03-12, just before SOC detection at 14:37. It resolves to 198.51.100.99 and was likely being prepared as an exfiltration destination. The attack may have been detected before exfiltration was completed.
Exercise 3 Answers — Code Injection Detection
Q: How many distinct code injection findings did malfind report? A: Four findings across three processes:
- PID 4872 at `0x00400000` — PE header (process hollowing)
- PID 4872 at `0x02a10000` — Shellcode (API-hashing stub)
- PID 712 at `0x03f50000` — PE header (DLL injection into lsass.exe)
- PID 5620 at `0x00400000` — PE header (NIGHTCRAWLER binary)
Plus the reflective DLL at 0x04500000 in PID 4872, which malfind also detects.
Q: What technique was used to inject into lsass.exe? A: Reflective DLL injection (T1055.003). The injected module does not appear in the PEB's InLoadOrderModuleList, meaning it was loaded using a custom PE loader that manually maps sections, resolves imports, and calls DllMain without using LoadLibrary. This evades DLL monitoring tools that inspect the PEB.
Q: What is the named pipe used for? A: \\.\pipe\shadowbyte_cred provides inter-process communication between the credential harvesting module (injected in lsass.exe, PID 712) and the SHADOWBYTE RAT core (PID 4872). Harvested credentials are sent through the pipe to the RAT, which exfiltrates them over the C2 channel.
Q: What does the decrypted configuration reveal? A: The SHADOWBYTE RAT configuration contains: C2 infrastructure (three tiers: primary, secondary, fallback), beacon interval (60 seconds with 20% jitter), encryption algorithm (AES-256-CBC), campaign identifier (NOVACORP-2026-Q1), user-agent string for blending with browser traffic, and a kill date (2026-06-30) suggesting a time-limited operation.
Exercise 4 Answers — Rootkit Detection
Q: How many SSDT entries are hooked and what do they do? A: Four hooks:
- `NtCreateFile` (0x003E) — Intercepts file creation/access to hide rootkit files
- `NtEnumerateValueKey` (0x0052) — Hides rootkit registry values from enumeration
- `NtQueryDirectoryFile` (0x0055) — Filters rootkit files from directory listings
- `NtQuerySystemInformation` (0x0098) — Filters rootkit processes from system queries (Task Manager)
Q: How was the rootkit driver hidden? A: The NIGHTCRAWLER driver (\Driver\ncrawler at 0xfffff807DEAD0000) was unlinked from the PsLoadedModuleList using DKOM, the same technique used to hide user-mode processes. The driverscan plugin found it through pool tag scanning, which does not rely on the linked list.
Q: What is the purpose of the hooked IDT entry? A: INT 0xE1 was hooked to provide a covert communication channel between user-mode SHADOWBYTE components and the kernel-mode NIGHTCRAWLER rootkit. User-mode code can trigger INT 0xE1 to request kernel-mode services (process hiding, file hiding) without using standard syscall interfaces that might be monitored.
Q: How does the rootkit maintain persistence across reboots? A: Through a Windows service registry entry at HKLM\SYSTEM\CurrentControlSet\Services\NightCrawlerSvc with Start = 1 (System Start), meaning the driver loads early in the boot process before most security tools initialize. The service uses a deceptive display name ("Windows Network Compliance Driver") to avoid suspicion.
Exercise 5 Answers — Timeline & IOC Extraction
Q: What is the complete attack timeline? A:
- 2026-03-10 09:14:30 — User `jdoe` opens `invoice_Q1.pdf.exe` (initial access via phishing)
- 2026-03-10 09:14:55 — Dropper downloads payload from `203.0.113.5` via Chrome
- 2026-03-10 09:17:44 — SHADOWBYTE RAT deployed via process hollowing into svchost.exe (PID 4872)
- 2026-03-10 09:17:46 — Backdoor listener opened on port 49670
- 2026-03-10 09:17:48 — NIGHTCRAWLER rootkit driver installed and loaded
- 2026-03-10 09:17:50 — Hidden console host (PID 5552) and NIGHTCRAWLER user-mode component (PID 5620) deployed
- 2026-03-10 09:18:02-05 — Initial reconnaissance: `whoami`, `ipconfig`
- 2026-03-10 09:18:15-20 — Persistence mechanisms installed: Run key, scheduled task
- 2026-03-12 02:15:30-40 — Second reconnaissance wave: `net`, `nltest`, LDAP queries to DC
- 2026-03-12 02:16:10 — Lateral movement to `srv-app-015` via SMB
- 2026-03-12 02:20:45 — Lateral movement to `srv-files-020` via SMB
- 2026-03-12 14:25:00 — Exfiltration staging domain resolved
- 2026-03-12 14:37:00 — SOC detects anomalous beaconing
- 2026-03-12 15:02:33 — Memory dump acquired from workstation
Q: How many persistence mechanisms were identified? A: Three: (1) Registry Run key, (2) kernel driver service, (3) scheduled task.
Q: How many total IOCs were extracted? A: 30+ indicators across 7 categories: 4 IPs, 4 domains, 5 file hashes, 5 filenames, 3 file paths, 3 registry keys, 1 named pipe, 1 scheduled task, 1 port, 1 user-agent, 1 process name, 1 mutex.
Q: What credentials were compromised? A: Local accounts (Administrator, jdoe, svc-backup) from SAM dump, plus cached domain credentials for jdoe, admin.smith, and svc-sqlprod from the domain cache, plus LSA secrets including service account passwords.
Key Lessons Learned¶
- **Memory forensics reveals what disk forensics cannot.** Process hollowing, reflective DLL injection, and in-memory-only payloads leave minimal disk footprint. Without memory analysis, the SHADOWBYTE credential harvester in lsass.exe and the reflective RAT core module would have been missed entirely.
- **Cross-view analysis is essential for rootkit detection.** The NIGHTCRAWLER rootkit successfully hid from standard process and module enumeration. Only by comparing linked-list traversal (pslist/modules) with pool tag scanning (psscan/driverscan) were the hidden components discovered.
- **Multiple persistence mechanisms indicate a sophisticated threat actor.** PHANTOM-VIPER installed three independent persistence mechanisms (registry, service, scheduled task) to ensure survival even if one is discovered and removed. Remediation must address all three simultaneously.
- **Timeline correlation tells the story.** By combining process creation times, network connection timestamps, and DNS cache entries, we reconstructed a coherent attack narrative spanning two days — from initial phishing to lateral movement to exfiltration preparation.
- **Named pipes and covert channels enable modular malware architecture.** The SHADOWBYTE toolkit uses named pipes for inter-process communication and a custom IDT interrupt for kernel-user communication, allowing modular components to cooperate without generating easily detected network traffic.
Cross-References¶
- Chapter 27: Digital Forensics — Forensic acquisition and analysis fundamentals
- Chapter 28: Advanced Incident Response — IR methodology and containment strategies
- Lab 12: DFIR Artifact Analysis — Disk-based artifact analysis (prerequisite)
- Purple Team Exercise Framework — Adversary emulation exercises
Blank Results Table (Printable)¶
Copy this template for your own memory forensics investigations.
| # | Artifact Type | PID/Source | Description | Timestamp | ATT&CK Technique | IOC Value | Confidence | Notes |
|---|---|---|---|---|---|---|---|---|
| 1 | ||||||||
| 2 | ||||||||
| 3 | ||||||||
| 4 | ||||||||
| 5 | ||||||||
| 6 | ||||||||
| 7 | ||||||||
| 8 | ||||||||
| 9 | ||||||||
| 10 | ||||||||
| 11 | ||||||||
| 12 | ||||||||
| 13 | ||||||||
| 14 | ||||||||
| 15 | ||||||||
Processes Analyzed: ___ | Hidden Processes Found: ___ | Injected Regions: ___ | IOCs Extracted: ___