In this lab, we investigate a security incident involving an Oracle WebLogic Server that exhibited suspicious network activity. The organization's network security monitoring (NSM) system flagged unusual outbound connections originating from a web server, prompting a forensic investigation. As a SOC analyst, the objective is to analyze a captured memory dump to determine how the attacker gained access, the techniques used to maintain persistence, and any indicators of compromise (IoCs) that could help understand the full scope of the breach. Memory forensics plays a crucial role in uncovering evidence of advanced attacks, particularly when dealing with threats that operate entirely in memory to evade traditional security defenses. This investigation leverages powerful tools such as Volatility and MemProcFS to extract artifacts from memory, including process execution traces, registry modifications, command-line arguments, and network activity. By carefully analyzing these artifacts, it is possible to trace the attack lifecycle, from initial exploitation to command execution, privilege escalation, and potential data exfiltration.
Throughout this investigation, various forensic techniques will be applied to identify malicious processes, detect unauthorized access methods, and uncover any payloads deployed by the attacker. Special attention will be given to identifying persistence mechanisms, reverse shell connections, and any tools or malware leveraged by the threat actor. Understanding these elements is essential for determining the nature of the attack, assessing its impact, and formulating an effective incident response strategy. By the end of this analysis, we aim to construct a detailed timeline of the attack,