Defensive Security Tooling: REMnux: Getting Started


In this article, I walk through the REMnux: Getting Started room, covering Machine Access, File Analysis, Fake Network to Aid Analysis, and Memory Investigation: Evidence Preprocessing.

  1. What Python tool analyzes OLE2 files, commonly called Structured Storage or Compound File Binary Format? oledump.py

  2. What tool parameter we used in this task allows you to select a particular data stream of the file we are using it with? -s

  3. During our analysis, we were able to decode a PowerShell script. What command is commonly used for downloading files from the internet? Invoke-WebRequest

  4. What file was being downloaded using the PowerShell script? Doc-3737122pdf.exe

  5. During our analysis of the PowerShell script, we noted that a file would be downloaded. Where will the file being downloaded be stored? $TempFile

  6. Using the tool, scan another file named possible_malicious.docx located in the /home/ubuntu/Desktop/tasks/agenttesla/ directory. How many data streams were presented for this file? 16

  7. Using the tool, scan another file named possible_malicious.docx located in the /home/ubuntu/Desktop/tasks/agenttesla/ directory. At what data stream number does the tool indicate a macro present? 8

  8. Download and scan the file named flag.txt from the terminal using the command sudo wget MACHINE_IP/flag.txt --no-check-certificate. What is the flag? Tryhackme{remnux_edition}

  9. After stopping the inetsim, read the generated report. Based on the report, what URL Method was used to get the file flag.txt? GET

  10. What plugin lists processes in a tree based on their parent process ID? PsTree

  11. What plugin is used to list all currently active processes in the machine? PsList

  12. What Linux utility tool can extract the ASCII, 16-bit little-endian, and 16-bit big-endian strings? strings

  13. By running vol3 with the Malfind parameter, what is the first (1st) process identified suspected of having an injected code? csrss.exe

  14. Continuing from the previous question (Question 6), what is the second (2nd) process identified suspected of having an injected code? winlogon.exe

  15. By running vol3 with the DllList parameter, what is the file path or directory of the binary @WanaDecryptor@.exe? C:\\Intel\\ivecuqmanpnirkt615
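To show how questions 6 and 7 are answered from the stream listing that oledump.py prints, here is an added Python helper; it is not part of the original write-up or of oledump.py itself, and the sample listing below is constructed in oledump's output format rather than taken from the room's possible_malicious.docx.

```python
"""Parse an oledump.py-style stream listing and locate macro streams."""
import re
from typing import Dict, List

# One stream per line: optional container letter (OLE file found inside a
# ZIP/OOXML document), index, ':', optional indicator (M = VBA macro,
# m = macro stream without code, E = Excel 4 macro, O = embedded object,
# ! = error), size, then the quoted stream name.
_STREAM_RE = re.compile(
    r"^\s*(?P<container>[A-Za-z]?)(?P<index>\d+):\s+"
    r"(?:(?P<indicator>[MmEO!])\s+)?(?P<size>\d+)\s+'(?P<name>.*)'\s*$"
)


def parse_oledump(listing: str) -> List[Dict[str, object]]:
    """Return one dict per stream line; lines that do not match are ignored."""
    streams = []
    for line in listing.splitlines():
        m = _STREAM_RE.match(line)
        if not m:
            continue
        streams.append({
            "index": int(m["index"]),
            "container": m["container"] or "",
            "indicator": m["indicator"] or "",
            "size": int(m["size"]),
            "name": m["name"],
        })
    return streams


def stream_count(listing: str) -> int:
    """Number of data streams listed (question 6)."""
    return len(parse_oledump(listing))


def macro_streams(listing: str) -> List[int]:
    """Stream numbers flagged as VBA macros, i.e. what you pass to -s (question 7)."""
    return [s["index"] for s in parse_oledump(listing) if s["indicator"] in ("M", "m")]


# Constructed sample listing (not real output from the room's file).
SAMPLE_LISTING = r"""
  1:       114 '\x01CompObj'
  2:      4096 '\x05DocumentSummaryInformation'
  3:      4096 '\x05SummaryInformation'
  4:      7611 '1Table'
  5:     45005 'Data'
  6:       565 'Macros/PROJECT'
  7:        92 'Macros/PROJECTwm'
  8: M    4135 'Macros/VBA/ThisDocument'
  9:      2713 'Macros/VBA/_VBA_PROJECT'
 10:       531 'Macros/VBA/dir'
 11:      4096 'WordDocument'
"""

if __name__ == "__main__":
    print(stream_count(SAMPLE_LISTING), macro_streams(SAMPLE_LISTING))
```

For the sample above this reports 11 streams with the macro in stream 8; running the real tool on the room's file gives the counts recorded in questions 6 and 7.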

Thank you for reading my article. Please leave any questions or comments on improving my learning journey and the Lab THM challenges. We can also connect more on LinkedIn or X.
