Memory Lane — Reconstructing Attacker TTPs from a Volatility Dump

By forensicfox


Red Wire CTF 2025

Challenge: Memory Lane

Full walkthrough from image acquisition to lateral movement timeline using Volatility 3.

First Pass

Load the image in Volatility 3 and start with process context:

vol.py -f mem.raw windows.pstree

Suspicious: a powershell.exe whose parent is svchost.exe. An interactive PowerShell session normally hangs off explorer.exe or a terminal; a svchost.exe parent is what you see when the Task Scheduler service (or another service) launches the process. Note that PID, since the rest of the pivot hangs off it.

Network Pivot

vol.py -f mem.raw windows.netstat

The PID column ties an ESTABLISHED outbound TCP connection to remote port 4444 back to that PID. 4444 is the default Metasploit handler port, so this is a classic reverse-shell indicator, though a port alone is a hint rather than proof. If windows.netstat comes up empty (it walks the live tcpip.sys structures), fall back to windows.netscan, which pool-scans for connection objects and also recovers connections that have already closed.
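The two pivots above (odd parent, then connection owned by the same PID) are easy to script once the plugin output is structured, and Volatility 3 will emit it that way with `-r json`. The following is an added example, not code from the writeup: it joins a process list against a connection table and reports processes that both have a suspicious parent and hold an established outbound connection. The rows, PIDs and addresses are constructed to mirror the columns of windows.pslist and windows.netstat; the parent/child pairs and port list are my own starting heuristics, not anything the challenge image is known to contain.

```python
"""Correlate a process list with network connections to find the reverse-shell
candidate. Rows are constructed to mimic the columns of Volatility 3's
windows.pslist and windows.netstat output (e.g. `vol.py -f mem.raw -r json
windows.pslist`); they are not taken from the challenge image."""

# Constructed sample mirroring windows.pslist (PID, PPID, image name).
PSLIST = [
    {"PID": 4,    "PPID": 0,    "ImageFileName": "System"},
    {"PID": 628,  "PPID": 4,    "ImageFileName": "smss.exe"},
    {"PID": 712,  "PPID": 620,  "ImageFileName": "services.exe"},
    {"PID": 900,  "PPID": 712,  "ImageFileName": "svchost.exe"},
    {"PID": 1204, "PPID": 712,  "ImageFileName": "svchost.exe"},
    {"PID": 2016, "PPID": 1204, "ImageFileName": "powershell.exe"},
    {"PID": 3100, "PPID": 1500, "ImageFileName": "explorer.exe"},
    {"PID": 3344, "PPID": 3100, "ImageFileName": "powershell.exe"},
]

# Constructed sample mirroring windows.netstat.
NETSTAT = [
    {"Proto": "TCPv4", "LocalAddr": "10.0.0.5", "LocalPort": 49812,
     "ForeignAddr": "203.0.113.77", "ForeignPort": 4444, "State": "ESTABLISHED", "PID": 2016},
    {"Proto": "TCPv4", "LocalAddr": "10.0.0.5", "LocalPort": 49820,
     "ForeignAddr": "198.51.100.10", "ForeignPort": 443, "State": "ESTABLISHED", "PID": 3344},
    {"Proto": "TCPv4", "LocalAddr": "0.0.0.0", "LocalPort": 135,
     "ForeignAddr": "0.0.0.0", "ForeignPort": 0, "State": "LISTENING", "PID": 900},
]

# Parent/child pairs that deserve a second look (assumed heuristic list).
# A service host spawning a shell is how a scheduled task or service-launched
# payload shows up; an Office or HTA parent is the phishing shape.
SUSPICIOUS_PARENTS = {
    "powershell.exe": {"svchost.exe", "wmiprvse.exe", "mshta.exe", "winword.exe"},
    "cmd.exe": {"svchost.exe", "wmiprvse.exe", "winword.exe"},
}

# Default handler ports (4444 is Metasploit's). A hint, not proof.
SUSPICIOUS_PORTS = {4444, 4445, 1337}


def build_index(pslist):
    """Map PID -> row so a parent can be resolved without rescanning the list."""
    return {row["PID"]: row for row in pslist}


def suspicious_children(pslist):
    """Return (pid, image, ppid, parent image) for every suspicious parent/child pair."""
    by_pid = build_index(pslist)
    hits = []
    for row in pslist:
        parent = by_pid.get(row["PPID"])
        # A missing parent (exited before acquisition) is itself worth noting,
        # but here it simply cannot match any listed parent name.
        parent_name = parent["ImageFileName"].lower() if parent else "<unknown>"
        bad_parents = SUSPICIOUS_PARENTS.get(row["ImageFileName"].lower(), set())
        if parent_name in bad_parents:
            hits.append((row["PID"], row["ImageFileName"], row["PPID"], parent_name))
    return hits


def reverse_shell_candidates(pslist, netstat):
    """Join suspicious processes with their established, non-loopback connections.

    Each finding records the owning PID, its parent, the remote endpoint and
    whether the remote port is a well-known default handler port.
    """
    flagged = {pid: (name, ppid, parent)
               for pid, name, ppid, parent in suspicious_children(pslist)}
    findings = []
    for conn in netstat:
        if conn["PID"] not in flagged or conn["State"] != "ESTABLISHED":
            continue
        if conn["ForeignAddr"].startswith("127."):
            continue
        name, ppid, parent = flagged[conn["PID"]]
        findings.append({
            "pid": conn["PID"],
            "image": name,
            "parent": f"{parent} ({ppid})",
            "remote": f"{conn['ForeignAddr']}:{conn['ForeignPort']}",
            "default_handler_port": conn["ForeignPort"] in SUSPICIOUS_PORTS,
        })
    return findings


if __name__ == "__main__":
    for finding in reverse_shell_candidates(PSLIST, NETSTAT):
        print(finding)
```

The second powershell.exe (under explorer.exe, talking to 443) is deliberately left in the sample: it is the user's own shell and the join correctly ignores it, which is the point of requiring both the odd parent and the connection before raising a finding.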

Timeline Reconstruction

1. Event ID 4624, a successful logon. Check the Logon Type field: type 3 (network) or type 10 (RemoteInteractive) is the shape lateral movement takes, while type 2 is a local console logon.
2. A scheduled task created with schtasks in the same logon session.
3. The task fires PowerShell, which contacts the C2 with a DNS beacon.
4. The flag, hex-encoded, leaves in the DNS TXT queries.

Strip the beacon domain, hex-decode the remaining query labels, and you have the flag.
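Doing that decode by hand works for one query; with a flag split across several it is easier to parse the carved DNS queries and reassemble them. The block below is an added example, not part of the writeup: it parses wire-format DNS queries (header plus question section), keeps only TXT queries under the beacon domain, hex-decodes the labels below that domain and concatenates the chunks in capture order. The beacon domain `c2.example`, the flag string, the 12-byte chunking and the noise queries are all constructed for the example; in practice the packet bytes come from the process's memory (for instance after `vol.py -f mem.raw windows.memmap --pid <PID> --dump`, then searching the dump for the encoded domain), and the real exfil tool decides the chunk size and ordering.

```python
"""Reassemble a hex-encoded payload from DNS TXT query names.

Everything below (domain, flag, chunking, noise traffic) is constructed for
the example; the parser itself is plain RFC 1035 question-section parsing."""
import struct

QTYPE_TXT = 16
QTYPE_A = 1
BEACON_DOMAIN = "c2.example"          # assumed; take the real one from the dump
SAMPLE_FLAG = "RWCTF{m3m0ry_l4n3_dns_txt_3xf1l}"   # constructed, not the real flag


def encode_name(name):
    """Encode a dotted name as DNS labels (length byte + label, zero-terminated)."""
    out = b""
    for label in name.split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, qname, qtype):
    """Build a minimal standard query: header (RD set, QDCOUNT=1) + one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack(">HH", qtype, 1)


def build_exfil_queries(secret, chunk_size=12, domain=BEACON_DOMAIN):
    """Constructed beacon traffic: one TXT query per hex-encoded chunk, with
    unrelated queries interleaved the way real capture would have them."""
    data = secret.encode()
    packets = [build_query(0x1000, "www.example.com", QTYPE_A)]        # noise
    for i in range(0, len(data), chunk_size):
        label = data[i:i + chunk_size].hex()                           # <= 24 chars
        packets.append(build_query(0x2000 + i, f"{label}.{domain}", QTYPE_TXT))
        packets.append(build_query(0x3000 + i, f"ping.{domain}", QTYPE_TXT))  # non-hex noise
    return packets


def parse_query(pkt):
    """Return (txid, qname, qtype) for a DNS query, or None if it is malformed
    or is a response rather than a query."""
    if len(pkt) < 12:
        return None
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if flags & 0x8000 or qdcount != 1:      # QR bit set, or not exactly one question
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(pkt):
            return None
        n = pkt[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:                         # compression pointer: never valid in a question name
            return None
        if pos + n > len(pkt):
            return None
        labels.append(pkt[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(pkt):
        return None
    qtype, _qclass = struct.unpack(">HH", pkt[pos:pos + 4])
    return txid, ".".join(labels), qtype


def exfil_chunk(qname, domain=BEACON_DOMAIN):
    """Hex-decode the labels below the beacon domain; None if the name is not
    under that domain or the labels are not hex (a plain keep-alive, say)."""
    suffix = "." + domain
    if not qname.endswith(suffix):
        return None
    hex_part = qname[:-len(suffix)].replace(".", "")   # a long chunk may span labels
    try:
        return bytes.fromhex(hex_part)
    except ValueError:
        return None


def recover_flag(packets, domain=BEACON_DOMAIN):
    """Concatenate decoded chunks in capture order and render as text."""
    chunks = []
    for pkt in packets:
        parsed = parse_query(pkt)
        if parsed is None:
            continue
        _txid, qname, qtype = parsed
        if qtype != QTYPE_TXT:
            continue
        chunk = exfil_chunk(qname, domain)
        if chunk is not None:
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", "replace")


if __name__ == "__main__":
    print(recover_flag(build_exfil_queries(SAMPLE_FLAG)))
```

Capture order is the simplest ordering assumption; if the beacon embeds a sequence number in a label or reuses the transaction ID as a counter, sort the chunks by that instead before joining, otherwise a retransmitted or out-of-order query will scramble the flag.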

Comments


webwyrm · Jun 1, 2026

The pstree pivot was the key move here. @cipherlynx this one is right up your alley on the TTPs side.