THM - Supplemental Memory
A writeup for the room “Supplemental Memory” on TryHackMe
Investigate lateral movement, credential theft, and additional adversary actions in a memory dump.
https://tryhackme.com/room/supplementalmemory
Task 3 - Lateral Movement and Discovery
The memory file can be found in the folder ~/memory/WIN-015.
There is also a folder called ‘precooked’ in the same location that contains some pre-generated volatility results.
The IR team suspects that the threat actor may have performed lateral movement to this host. Which executed process provides evidence of this activity?
As the task description hints, look for unusual child processes of services.exe (the Service Control Manager) and svchost.exe in the process tree. The pre-generated pstree output can be trimmed to the first four whitespace-separated columns (tree depth marker, PID, PPID and image name) so the parent/child relationships are easier to eyeball:
awk '{ print $1, $2, $3, $4 }' precooked/pstree.txt
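Eyeballing the awk output works for a small tree, but it is easy to miss a single odd child among dozens of svchost.exe rows. The script below is an added example, not part of the original writeup and not output from the room's WIN-015 dump: it parses text in the layout of Volatility 3 `windows.pstree` output (tab-separated, depth marked by leading asterisks in the PID column), then flags any child of services.exe or svchost.exe whose image name is not in a small, illustrative baseline of expected children, and lists what the flagged process spawned. The sample tree, the baseline set and the process names `unknown_svc.exe` and `powershell.exe` are constructed for the example; the baseline is not exhaustive and should be tuned to the host being investigated.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Volatility 3 `windows.pstree` output
# (tab-separated, tree depth shown by leading asterisks in the PID column).
# Trailing columns are truncated; only PID, PPID and ImageFileName are parsed.
# This is NOT output from the room's dump; the odd children are invented.
SAMPLE_PSTREE = """\
PID\tPPID\tImageFileName\tOffset(V)\tThreads
4\t0\tSystem\t0xe00000040000\t120
* 320\t4\tsmss.exe\t0xe00000041000\t2
** 424\t320\tcsrss.exe\t0xe00000042000\t10
** 508\t320\twininit.exe\t0xe00000043000\t1
*** 600\t508\tservices.exe\t0xe00000044000\t6
**** 712\t600\tsvchost.exe\t0xe00000045000\t12
***** 3300\t712\tpowershell.exe\t0xe00000046000\t9
**** 820\t600\tsvchost.exe\t0xe00000047000\t8
***** 3132\t820\tWmiPrvSE.exe\t0xe00000048000\t7
**** 1044\t600\tspoolsv.exe\t0xe00000049000\t11
**** 2316\t600\tunknown_svc.exe\t0xe0000004a000\t3
***** 2400\t2316\tcmd.exe\t0xe0000004b000\t1
"""

# depth marker (asterisks), PID, PPID, image name; header and blank lines fail to match
ROW_RE = re.compile(r"^\s*(\**)\s*(\d+)\s+(\d+)\s+(\S+)")

# Illustrative baseline of expected children, not an exhaustive list.
BASELINE_CHILDREN = {
    "services.exe": {"svchost.exe", "spoolsv.exe", "msdtc.exe", "searchindexer.exe",
                     "vssvc.exe", "dllhost.exe", "vds.exe"},
    "svchost.exe": {"wmiprvse.exe", "taskhostw.exe", "runtimebroker.exe", "dllhost.exe",
                    "sihost.exe", "ctfmon.exe", "audiodg.exe"},
}


def norm(name):
    # EPROCESS.ImageFileName is 15 characters, so pstree shows e.g.
    # "SearchIndexer.e"; compare on the truncated, lower-cased form.
    return name.lower()[:15]


def parse_pstree(text):
    """Return a list of {pid, ppid, name, depth} dicts from pstree text."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        stars, pid, ppid, name = m.groups()
        procs.append({"pid": int(pid), "ppid": int(ppid), "name": name, "depth": len(stars)})
    return procs


def find_unusual_children(procs, parent_name):
    """Children of every process named parent_name whose image is not in the baseline."""
    by_pid = {p["pid"]: p for p in procs}
    baseline = {norm(b) for b in BASELINE_CHILDREN[parent_name.lower()]}
    hits = []
    for p in procs:
        parent = by_pid.get(p["ppid"])  # None if the parent has already exited
        if parent and norm(parent["name"]) == norm(parent_name) and norm(p["name"]) not in baseline:
            hits.append((p["pid"], p["ppid"], p["name"]))
    return hits


def descendants(procs, pid):
    """Every process below pid in the tree, as (pid, ppid, name) tuples."""
    children = defaultdict(list)
    for p in procs:
        children[p["ppid"]].append(p)
    out, stack = [], [pid]
    while stack:
        cur = stack.pop()
        for c in children[cur]:
            out.append((c["pid"], c["ppid"], c["name"]))
            stack.append(c["pid"])
    return out


if __name__ == "__main__":
    procs = parse_pstree(SAMPLE_PSTREE)
    for parent in ("services.exe", "svchost.exe"):
        for pid, ppid, name in find_unusual_children(procs, parent):
            print(f"unusual child of {parent}: {name} (PID {pid}, PPID {ppid})")
            for cpid, _, cname in descendants(procs, pid):
                print(f"  spawned: {cname} (PID {cpid})")
```

Run it against `precooked/pstree.txt` by reading that file into `parse_pstree` instead of the constructed sample. Two caveats a practitioner should keep in mind: a PPID that no longer appears in the dump means the parent exited, so the child is skipped rather than flagged, and the 15-character image-name truncation means names like `SearchIndexer.exe` will never match an untruncated baseline entry unless both sides are cut to the same length, which `norm` does here.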
What is the MITRE technique ID associated with the lateral movement method used by the threat actor?
Search the MITRE ATT&CK knowledge base for the name of the process identified in the previous question.
Make sure to take the technique listed under the Lateral Movement tactic rather than the Execution tactic; the same tool can appear under both, and the question asks specifically about lateral movement.