What time was the RAM image acquired according to the suspect system? (YYYY-MM-DD HH:MM:SS)
What Volatility 2 profile is the most appropriate for this machine? imageinfo will take a long time; try to find another way to determine the profile. (ex: Win10x86_14393)
What is the computer's name?
What is the system IP address?
How many established network connections were there at the time of acquisition?
What is the PID of explorer.exe?
What is the title of the webpage the admin visited using IE?
What company developed the program used for memory acquisition?
What is the administrator user password?
What is the version of the WebLogic server installed on the system?
The admin set a port forwarding rule to redirect traffic from a public port to the WebLogic admin portal port. What are the public port and the WebLogic admin portal port? Format: PublicPort:WebLogicPort (ex: 22:1337)
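On Windows, a port forwarding rule of this kind is normally created with `netsh interface portproxy` and is persisted under the PortProxy service key (`HKLM\SYSTEM\<ControlSet>\Services\PortProxy\v4tov4\tcp`), where each value is named `listenaddr/listenport` and its data is `connectaddr/connectport`. The following is an added example, not part of the challenge, showing how to pull that mapping out of text you would get from Volatility 2 `printkey` on that key or from a `netsh interface portproxy show all` listing recovered from strings. Both sample inputs are constructed and the ports in them are made up; 7001 is only WebLogic's default admin port, and the real port must come from the image.

```python
import re

# Constructed sample modelled on Volatility 2 `printkey` output for the
# PortProxy\v4tov4\tcp key. Ports and addresses are invented for the example.
SAMPLE_PRINTKEY = """\
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \\REGISTRY\\MACHINE\\SYSTEM
Key name: tcp (S)
Last updated: 2021-01-01 00:00:00 UTC+0000

Subkeys:

Values:
REG_SZ        0.0.0.0/8443    : (S) 127.0.0.1/7001
REG_SZ        0.0.0.0/3389    : (S) 10.0.0.5/3389
"""

# Constructed sample modelled on `netsh interface portproxy show all` output
# as it might appear in memory strings. Values are invented.
SAMPLE_NETSH = """\
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         8443        127.0.0.1       7001
"""

# printkey value line: "REG_SZ  listenaddr/listenport : (S) connectaddr/connectport"
PRINTKEY_RE = re.compile(
    r'^REG_SZ\s+(?P<laddr>\S+)/(?P<lport>\d+)\s*:\s*\([SV]\)\s*'
    r'(?P<caddr>\S+)/(?P<cport>\d+)', re.M)

# netsh table row: "listenaddr  listenport  connectaddr  connectport"
NETSH_RE = re.compile(
    r'^(?P<laddr>\S+)\s+(?P<lport>\d+)\s+(?P<caddr>\S+)\s+(?P<cport>\d+)\s*$', re.M)


def parse_portproxy(text):
    """Return (listen_addr, listen_port, connect_addr, connect_port) tuples
    found in either printkey-style or netsh-style text."""
    rules = []
    for rx in (PRINTKEY_RE, NETSH_RE):
        for m in rx.finditer(text):
            rules.append((m['laddr'], int(m['lport']),
                          m['caddr'], int(m['cport'])))
    return rules


def find_forward_to(rules, target_port):
    """Format every rule that forwards to target_port as 'PublicPort:TargetPort',
    the answer format the question asks for."""
    return [f"{lport}:{cport}" for (_, lport, _, cport) in rules
            if cport == target_port]


if __name__ == "__main__":
    for sample in (SAMPLE_PRINTKEY, SAMPLE_NETSH):
        rules = parse_portproxy(sample)
        print(rules, find_forward_to(rules, 7001))
```

If the image holds several ControlSets, check the one pointed to by `Select\Current`; a rule present only in a stale ControlSet was not active at acquisition.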
The attacker gained access through the WebLogic Server. What is the PID of the process responsible for the initial exploit?
What is the PID of the entry that follows the previous process in the process list? (Hint: ActiveProcessLinks list)
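The kernel keeps every _EPROCESS on a circular doubly linked list through its ActiveProcessLinks member, starting at PsActiveProcessHead; pslist-style tools read the Flink pointer and subtract the offset of ActiveProcessLinks to get back to the containing _EPROCESS (the CONTAINING_RECORD trick). The following is an added example, not part of the challenge and not Volatility code, that builds a small fake memory buffer with that structure and walks it to answer "which PID comes next after this one". The structure offsets, base address and process entries are all hypothetical and chosen for the toy layout; a real image needs the profile's _EPROCESS offsets.

```python
import struct

# Hypothetical toy _EPROCESS layout (NOT real Windows offsets):
PID_OFF = 0x00      # UniqueProcessId, 8 bytes
LINKS_OFF = 0x08    # ActiveProcessLinks: Flink (8) + Blink (8)
NAME_OFF = 0x18     # ImageFileName, 16 bytes
EPROC_SIZE = 0x28
BASE = 0xFFFF800000000000   # fake kernel VA at which the buffer is "mapped"
HEAD_ADDR = BASE            # PsActiveProcessHead (a bare LIST_ENTRY) sits first


def build_image(procs):
    """Lay out a LIST_ENTRY head followed by one toy _EPROCESS per (pid, name),
    linked into a circular list exactly as the kernel does."""
    mem = bytearray(0x10 + EPROC_SIZE * len(procs))
    eprocs = [BASE + 0x10 + i * EPROC_SIZE for i in range(len(procs))]
    nodes = [HEAD_ADDR] + [e + LINKS_OFF for e in eprocs]   # LIST_ENTRY VAs
    n = len(nodes)
    for i, le in enumerate(nodes):
        flink, blink = nodes[(i + 1) % n], nodes[(i - 1) % n]
        struct.pack_into('<QQ', mem, le - BASE, flink, blink)
    for (pid, name), e in zip(procs, eprocs):
        struct.pack_into('<Q', mem, e - BASE + PID_OFF, pid)
        raw = name.encode()[:15].ljust(16, b'\0')
        mem[e - BASE + NAME_OFF:e - BASE + NAME_OFF + 16] = raw
    return mem


def read_q(mem, va):
    return struct.unpack_from('<Q', mem, va - BASE)[0]


def eprocess_from_links(le_addr):
    """CONTAINING_RECORD: LIST_ENTRY address -> _EPROCESS address."""
    return le_addr - LINKS_OFF


def proc_info(mem, eproc):
    pid = read_q(mem, eproc + PID_OFF)
    off = eproc - BASE + NAME_OFF
    name = bytes(mem[off:off + 16]).split(b'\0')[0].decode()
    return pid, name


def walk(mem, head=HEAD_ADDR):
    """pslist-style traversal: follow Flink from the head until it wraps."""
    out, seen = [], set()
    le = read_q(mem, head)            # head.Flink
    while le != head:
        if le in seen:                # guard against a corrupted/looped list
            raise ValueError("ActiveProcessLinks loop detected")
        seen.add(le)
        eproc = eprocess_from_links(le)
        # consistency check: next.Blink must point back at us
        if read_q(mem, read_q(mem, le) + 8) != le:
            raise ValueError(f"Flink/Blink mismatch at {le:#x}")
        out.append(proc_info(mem, eproc))
        le = read_q(mem, le)
    return out


def next_pid(mem, pid, head=HEAD_ADDR):
    """PID of the entry whose ActiveProcessLinks follows `pid`'s in the list.
    Returns None if `pid` is absent or its Flink is the list head."""
    le = read_q(mem, head)
    while le != head:
        eproc = eprocess_from_links(le)
        if read_q(mem, eproc + PID_OFF) == pid:
            nxt = read_q(mem, le)
            if nxt == head:
                return None
            return read_q(mem, eprocess_from_links(nxt) + PID_OFF)
        le = read_q(mem, le)
    return None


# Constructed process set; PIDs and names are made up for the example.
SAMPLE = [(4, "System"), (612, "smss.exe"), (1388, "explorer.exe"),
          (2104, "java.exe"), (3300, "cmd.exe")]
MEM = build_image(SAMPLE)

if __name__ == "__main__":
    for pid, name in walk(MEM):
        print(f"{pid:>6} {name}")
    print("next after 2104:", next_pid(MEM, 2104))
```

The same walk is what pslist does; psscan instead pattern-matches pool tags, which is why a process unlinked from this list (DKOM) shows up in psscan but not in pslist or in a Flink-based "next entry" answer.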
How many threads does the process responsible for the initial exploit have?
The attacker gained access to the system through the web server. What is the CVE number of the vulnerability exploited?
The attacker used the vulnerability in the web server to execute a reverse shell command back to their own server. Provide the IP and port of the attacker's server. Format: IP:port
Multiple files were downloaded from the attacker's web server. Provide the command used to download the PowerShell script used for persistence.
What is the MITRE ATT&CK technique ID for the persistence technique the attacker used?
After establishing persistence, the attacker dropped a Cobalt Strike beacon. Try to analyze it and provide the Publickey_MD5.