Tracking Meterpreter Footprints with Volatility and Perl
What is the scenario?
The following lesson takes memory analysis one step further by identifying whether a Meterpreter session is attached to an exploited process and/or a remote connection. Meterpreter sessions are difficult to track because they rely on DLL injection, inserting code into an already running process. We will manually walk through several Volatility plugins and examine what each one reveals: the DLLs used, the child processes spawned, the privileges gained, the Security Identifiers (SIDs) acquired and inherited, and the malware positively identified. Then we will connect the dots using a Perl script that automates the Meterpreter Volatility analysis and generates a report.
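As an added illustration of the correlation the report step performs (this is example code written here, not the lesson's own script), the Perl below parses the text output of the Volatility 2 pslist, malfind and getsids plugins, flags every process that holds injected executable memory, and lists that process's parent, its children and the SIDs the children inherited. The plugin output embedded in the script is constructed sample text laid out like Volatility 2 output, not taken from a real image; in real use you would capture `vol.py -f <image> --profile=<profile> pslist`, `malfind` and `getsids` to files and read those instead of the heredocs. The "MZ header at the start of an injected region" check and the "shell spawned by an injected process" pattern are assumed heuristics for reflective DLL injection, not a definitive Meterpreter signature.

```perl
#!/usr/bin/perl
# Correlate Volatility 2 plugin output (pslist, malfind, getsids) into a short
# report of processes showing injection indicators and what they spawned.
# Added example: the three heredocs are CONSTRUCTED sample text in the layout
# of Volatility 2 output, not data from a real memory image.
use strict;
use warnings;

my $pslist = <<'END';
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c8830 System                    4      0     56      259 ------      0
0x8216d020 explorer.exe           1464   1444     14      505      0      0 2012-01-01 10:00:00 UTC+0000
0x81f3a3c0 notepad.exe            2012   1464      3       48      0      0 2012-01-01 10:05:00 UTC+0000
0x81e0b7e8 cmd.exe                2104   2012      1       30      0      0 2012-01-01 10:07:00 UTC+0000
END

my $malfind = <<'END';
Process: notepad.exe Pid: 2012 Address: 0x1f00000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 38, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01f00000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x01f00010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
END

my $getsids = <<'END';
notepad.exe (2012): S-1-5-21-1000-2000-3000-1001 (user)
notepad.exe (2012): S-1-5-32-544 (Administrators)
cmd.exe (2104): S-1-5-21-1000-2000-3000-1001 (user)
cmd.exe (2104): S-1-5-32-544 (Administrators)
END

# pslist: pid => { name, ppid, children } with the parent/child tree rebuilt
sub parse_pslist {
    my ($text) = @_;
    my %procs;
    for my $line (split /\n/, $text) {
        next unless $line =~ /^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+(\d+)/i;
        $procs{$2} = { name => $1, ppid => $3, children => [] };
    }
    for my $pid (keys %procs) {
        my $ppid = $procs{$pid}{ppid};
        push @{ $procs{$ppid}{children} }, $pid if exists $procs{$ppid};
    }
    return \%procs;
}

# malfind: pid => list of injected regions; the first hex-dump line of each
# region is checked for an MZ header (assumed indicator of a reflectively
# loaded DLL)
sub parse_malfind {
    my ($text) = @_;
    my (%hits, $cur);
    for my $line (split /\n/, $text) {
        if ($line =~ /^Process:\s+\S+\s+Pid:\s+(\d+)\s+Address:\s+(0x[0-9a-f]+)/i) {
            $cur = { addr => $2, prot => '', mz => 0, dumped => 0 };
            push @{ $hits{$1} }, $cur;
        } elsif ($cur && $line =~ /Protection:\s+(PAGE_\w+)/) {
            $cur->{prot} = $1;
        } elsif ($cur && !$cur->{dumped}
                 && $line =~ /^0x[0-9a-f]+\s+((?:[0-9a-f]{2} ){2})/i) {
            $cur->{dumped} = 1;
            $cur->{mz} = lc($1) eq '4d 5a ' ? 1 : 0;
        }
    }
    return \%hits;
}

# getsids: pid => list of SIDs held by the process token
sub parse_getsids {
    my ($text) = @_;
    my %sids;
    for my $line (split /\n/, $text) {
        push @{ $sids{$1} }, $2 if $line =~ /^\S+\s+\((\d+)\):\s+(S-[\d-]+)/;
    }
    return \%sids;
}

# Report every process with a malfind hit, its parent, its injected regions,
# and the SIDs its children inherited (a shell spawned from the injected
# process runs with the same token, which is the privilege angle to check).
sub build_report {
    my ($procs, $hits, $sids) = @_;
    my @out;
    for my $pid (sort { $a <=> $b } keys %$hits) {
        my $p = $procs->{$pid} or next;
        my $parent = $procs->{ $p->{ppid} };
        push @out, sprintf("[!] %s (PID %d) parent %s (PID %d)",
            $p->{name}, $pid, $parent ? $parent->{name} : '?', $p->{ppid});
        for my $h (@{ $hits->{$pid} }) {
            push @out, sprintf("    injected region %s %s%s", $h->{addr}, $h->{prot},
                $h->{mz} ? ' (MZ header: reflectively loaded DLL)' : '');
        }
        push @out, "    SIDs: " . join(', ', @{ $sids->{$pid} || [] });
        for my $c (@{ $p->{children} }) {
            push @out, sprintf("    child %s (PID %d) SIDs: %s", $procs->{$c}{name}, $c,
                join(', ', @{ $sids->{$c} || [] }));
        }
    }
    return @out ? join("\n", @out) : 'no injection indicators found';
}

print build_report(parse_pslist($pslist), parse_malfind($malfind), parse_getsids($getsids)), "\n";
```

On the constructed sample the report singles out notepad.exe (injected RWX region starting with an MZ header), shows explorer.exe as its parent, and lists cmd.exe as a child carrying the same Administrators SID. The same three parsers work unchanged on real plugin output because they key on the column layout of pslist, the `Process: ... Pid: ... Address:` header of malfind and the `name (pid): SID` form of getsids; the hex-dump check only inspects the first dump line of each region.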