CyberDefenders: Szechuan Sauce CTF Writeup

# Cross-view process listing. A process that psscan carves from memory but pslist does not walk to is a candidate for an unlinked (hidden) EPROCESS.
vol.exe -f C:\Users\SANSDFIR\Documents\c15-SzechuanSauce\citadeldc01.mem --profile=Win8SP0x64 psxview
# Parent/child process tree for the same image.
vol.exe -f C:\Users\SANSDFIR\Documents\c15-SzechuanSauce\citadeldc01.mem --profile=Win8SP0x64 pstree
# Injected or unbacked executable memory regions. The remaining Volatility commands use the Win2012R2x64_18340 profile.
volatility.exe -f C:\Users\SANSDFIR\Documents\c15-SzechuanSauce\citadeldc01.mem --profile=Win2012R2x64_18340 malfind
# Network connections whose owning process is the suspect coreupdater.
volatility.exe -f C:\Users\SANSDFIR\Documents\c15-SzechuanSauce\citadeldc01.mem --profile=Win2012R2x64_18340 netscan | Select-String "coreupdater"
# Parse the exported $MFT to CSV. Single quotes are required here: inside double quotes PowerShell would expand $MFT as an (empty) variable and truncate the path.
MFTECmd.exe -f 'C:\Users\SANSDFIR\Documents\c15-SzechuanSauce\Analysis\$MFT' --csv 'C:\Users\SANSDFIR\Documents\c15-SzechuanSauce\Analysis'
# Cached FILE_OBJECTs that reference the suspect binary, which gives its on-disk path.
volatility.exe -f C:\Users\SANSDFIR\Documents\c15-SzechuanSauce\citadeldc01.mem --profile=Win2012R2x64_18340 filescan | Select-String "coreupdater"
# Connections for both the suspect process and the print spooler.
volatility.exe -f C:\Users\SANSDFIR\Documents\c15-SzechuanSauce\citadeldc01.mem --profile=Win2012R2x64_18340 netscan | Select-String '(coreupdater|spoolsv)'
# Crack the NT hashes extracted from ntds.dit.
john hashes.txt.ntds --format=NT
# Token SIDs held by PID 3644.
vol.exe -f C:\Users\SANSDFIR\Documents\c15-SzechuanSauce\citadeldc01.mem --profile=Win2012R2x64_18340 getsids -p 3644
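The pivot the commands above perform by hand (psxview to spot processes missing from pslist, netscan filtered on an owner name, then getsids on the PID that surfaces) can be scripted against the plain-text output of the same Volatility 2 plugins. The following is an added example and is not code from the writeup; the psxview and netscan text it parses is constructed to match Volatility 2's column layout and is not output from citadeldc01.mem (the PIDs, offsets, process names and the 203.0.113.0/24 TEST-NET addresses are all made up). The `follow_up_commands` helper is also an assumption of this example: it only builds getsids and dlllist command lines for the flagged PIDs.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample of Volatility 2 `psxview` text output. NOT from
# citadeldc01.mem; offsets, PIDs and names are made up for the example.
PSXVIEW_SAMPLE = """\
Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
------------------ -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0xfffff8a001a1b060 spoolsv.exe            1220 True   True   True     True   True  True    True
0xfffff8a001c2d840 coreupdater.exe        2112 True   True   True     True   True  True    True
0xfffff8a001d3e900 svchost.exe            4100 False  True   True     True   False True    True
"""

# Constructed sample of Volatility 2 `netscan` text output (same caveat).
# 203.0.113.0/24 is the TEST-NET-3 documentation range, not a real C2.
NETSCAN_SAMPLE = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x1e8f2a10         TCPv4    10.42.85.10:49711              203.0.113.50:443     ESTABLISHED      2112     coreupdater.exe
0x1e8f4b20         TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System
0x1e8f6c30         UDPv4    0.0.0.0:5355                   *:*                                   1220     spoolsv.exe    2020-09-19 03:11:02 UTC+0000
0x1e8f7d40         TCPv4    10.42.85.10:49720              203.0.113.50:4444    ESTABLISHED      4100     svchost.exe
"""

PSXVIEW_COLUMNS = ("pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd")


class Process(NamedTuple):
    name: str
    pid: int
    seen_by: Dict[str, bool]   # which psxview source saw the process


class Connection(NamedTuple):
    proto: str
    local: str
    foreign: str
    state: str
    pid: int
    owner: str


def _data_lines(text: str) -> List[str]:
    """Drop the header and separator rows that Volatility prints."""
    return [ln for ln in text.splitlines()
            if ln.strip() and not ln.startswith(("Offset", "---"))]


def parse_psxview(text: str) -> Dict[int, Process]:
    procs = {}
    for ln in _data_lines(text):
        tok = ln.split()
        name, pid = tok[1], int(tok[2])
        flags = dict(zip(PSXVIEW_COLUMNS,
                         (f == "True" for f in tok[3:3 + len(PSXVIEW_COLUMNS)])))
        procs[pid] = Process(name, pid, flags)
    return procs


def parse_netscan(text: str) -> List[Connection]:
    conns = []
    for ln in _data_lines(text):
        tok = ln.split()
        proto, local, foreign = tok[1], tok[2], tok[3]
        rest = tok[4:]
        # UDP rows carry no State column, so the next token is already the PID.
        state = rest.pop(0) if rest and not rest[0].isdigit() else ""
        pid = int(rest.pop(0))
        owner = rest.pop(0) if rest else ""
        conns.append(Connection(proto, local, foreign, state, pid, owner))
    return conns


def triage(psx_text: str, net_text: str, owner_pattern: str) -> List[Tuple[Connection, List[str]]]:
    """Return connections worth a closer look, each with the reasons it was flagged.

    Two triggers: the owner name matches the regex (what the writeup's
    Select-String filter does), or the PID was carved by psscan but is absent
    from the pslist walk, the classic sign of an unlinked EPROCESS.
    """
    procs = parse_psxview(psx_text)
    unlinked = {p.pid for p in procs.values() if p.seen_by["psscan"] and not p.seen_by["pslist"]}
    pat = re.compile(owner_pattern, re.IGNORECASE)
    findings = []
    for c in parse_netscan(net_text):
        reasons = []
        if pat.search(c.owner):
            reasons.append("owner matches /%s/" % owner_pattern)
        if c.pid in unlinked:
            reasons.append("pid %d carved by psscan but missing from pslist" % c.pid)
        if reasons:
            findings.append((c, reasons))
    return findings


def follow_up_commands(findings, image: str, profile: str) -> List[str]:
    """Hypothetical helper: build per-PID Volatility 2 pivots (getsids as in the writeup, plus dlllist)."""
    cmds = []
    for pid in sorted({c.pid for c, _ in findings}):
        for plugin in ("getsids", "dlllist"):
            cmds.append("volatility.exe -f %s --profile=%s %s -p %d" % (image, profile, plugin, pid))
    return cmds


if __name__ == "__main__":
    hits = triage(PSXVIEW_SAMPLE, NETSCAN_SAMPLE, r"(coreupdater|spoolsv)")
    for conn, why in hits:
        print("%-16s pid=%-5d %s -> %s %s | %s" % (conn.owner, conn.pid, conn.local,
                                                    conn.foreign, conn.state, "; ".join(why)))
    for cmd in follow_up_commands(hits, "citadeldc01.mem", "Win2012R2x64_18340"):
        print(cmd)
```

Feed it the real plugin output by redirecting `netscan` and `psxview` to text files and reading those in place of the constructed samples. The owner-name filter alone would miss a process that renamed itself to something benign, which is why the psxview cross-check is joined in: in the constructed sample the svchost.exe row with an outbound connection is flagged only because pslist never saw it.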

Ellis Stannard

Digital Forensics, Incident Response and Threat Hunting things.