Blue Team Labs Online - Dot Walkthrough

Scenario: Investigate the host (Procmon) and network (pcap) logs captured from a compromised machine. Use ProcDOT to correlate both logs and answer the following questions.

Tools: ProcDOT, Procmon, Wireshark

Question 1: The attacker downloaded a tool from github.com. Which process initiated the connection, and what file name was the download saved as?

Question 2: PowerShell is used to download files from the attacker machine. What is the process ID of the PowerShell process that downloaded the first file? Also, what is the attacker machine's IP address?

Question 3: What is the port from which the second file was downloaded and what is the full path of the downloaded file?

Question 4: The attacker gained control over the system after the injection. Assuming he used Meterpreter, which payload would he have used (written as it is selected in Metasploit), and what is the port?

Question 5: What is the PID of the victim process on which the injection happened?

Question 6: What is the PID and location of the main malware that initiated these actions?
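The questions above all come down to pivoting between a PID, an outbound TCP connection and a file write in the Procmon side of the evidence. As an added example (not part of the original walkthrough), the script below parses a constructed Procmon CSV export and answers those pivots programmatically; it assumes the default column headers of a Procmon CSV export, and the sample events, hosts, PIDs and paths are invented for illustration, not taken from the challenge.

```python
import csv
import io

# Constructed Procmon CSV export for illustration; not the challenge's real logs.
PROCMON_CSV = '''\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:05.3","cmd.exe","2000","Process Create","C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","SUCCESS","PID: 3100"
"10:01:07.0","powershell.exe","3100","TCP Connect","HOST:49712 -> 140.82.112.3:443","SUCCESS","Length: 0"
"10:01:09.5","powershell.exe","3100","CreateFile","C:\\Users\\victim\\Downloads\\tool.exe","SUCCESS","Desired Access: Generic Write"
"10:02:10.2","powershell.exe","3100","TCP Connect","HOST:49720 -> 10.0.0.5:8080","SUCCESS","Length: 0"
"10:02:15.9","powershell.exe","3200","TCP Connect","HOST:49731 -> 10.0.0.5:9090","SUCCESS","Length: 0"
"10:02:16.4","powershell.exe","3200","CreateFile","C:\\Users\\victim\\AppData\\Local\\Temp\\second.dll","SUCCESS","Desired Access: Generic Write"
'''


def load_events(text):
    """Parse a Procmon CSV export into a list of dicts, ordered by time of day."""
    rows = list(csv.DictReader(io.StringIO(text)))
    return sorted(rows, key=lambda r: r["Time of Day"])


def remote_endpoint(path):
    """Split a Procmon TCP path 'local:port -> remote:port' into (remote, port)."""
    remote = path.split(" -> ")[1]
    host, port = remote.rsplit(":", 1)
    return host, int(port)


def connections_to(events, remote_ip):
    """Outbound TCP connects to remote_ip as (time, process, pid, port) tuples."""
    out = []
    for e in events:
        if e["Operation"] == "TCP Connect":
            host, port = remote_endpoint(e["Path"])
            if host == remote_ip:
                out.append((e["Time of Day"], e["Process Name"], e["PID"], port))
    return out


def first_process_to(events, remote_ip):
    """(process name, PID) of the earliest connection to remote_ip, or None."""
    conns = connections_to(events, remote_ip)
    return (conns[0][1], conns[0][2]) if conns else None


def files_written_by(events, pid, after=""):
    """Paths a PID opened for writing at or after the given Procmon time string."""
    return [e["Path"] for e in events
            if e["PID"] == pid and e["Operation"] == "CreateFile"
            and "Write" in e["Detail"] and e["Time of Day"] >= after]


EVENTS = load_events(PROCMON_CSV)
```

Matching the remote IP and port against the TCP streams in Wireshark then ties each PID to the pcap side, which is the correlation ProcDOT draws for you.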