
Tracking Meterpreter Footprints with Volatility and Perl


What is the scenario?

  • The following lesson shows you how to take memory analysis one step further by identifying whether a Meterpreter session is attached to an exploited process and/or remote connection. Meterpreter sessions are difficult to track because they use DLL injection, inserting code into an already running process. We will manually walk through various Volatility plug-ins and dissect the ramifications: DLLs used, child processes spawned, privileges gained, Security Identifiers acquired and inherited, and malware positively identified. Then we will visually connect the dots using a Perl script that automates the Meterpreter Volatility analysis and generates a report.
