Tags: volatility forensics persistence 



I got a persist.raw memory image and started by running imageinfo to identify its profile:
vol.py -f persist.raw imageinfo

Based on the challenge description, I was looking for something that runs at startup. I wasted a lot of time trying to find the startup programs manually, both in the startup folders and in registry keys.

I was not very successful, so I googled "windows persistence volatility" to see whether Volatility's many plugins offer other ways to look for these things.


My first search result was a video, and it turned out to be the key to this challenge.


They were using a Volatility plugin called winesap. I could not find it at the link they mentioned, but I found it on GitHub.


I copied it to my machine, into the challenge folder, and, following their instructions, made sure to pass the --plugins argument pointing at that folder first.


I first ran it with the --match flag shown in the video but got no results, so I removed it to show all entries.

vol.py --plugins winesap/ -f persist.raw --profile Win7SP1x86_23418 winesap

The first result was exactly what I was looking for: what seems to be a PowerShell script with a base64-encoded payload.
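As an added illustration of this last step (this is example code, not from the write-up, the challenge image, or the winesap plugin), the script below takes autorun entries of the kind a startup scan reports and decodes the base64 blobs they carry so the analyst can read what the entry actually runs. PowerShell's -EncodedCommand expects UTF-16LE, so that encoding is tried first, with plain UTF-8 base64 (the [Convert]::FromBase64String pattern) as the fallback. All registry paths, commands and payloads are constructed samples, not values from persist.raw.

```python
"""Decode base64 payloads found in autorun/startup command lines.

Constructed example for this write-up; it is not part of Volatility or of
the winesap plugin.
"""
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Runs of at least 16 base64 alphabet characters, with optional padding.
# Shorter runs are too often ordinary words (plugin names, flags).
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _is_text(s: str) -> bool:
    """True if every character is printable or ordinary whitespace."""
    return all(c.isprintable() or c in "\r\n\t" for c in s)


def decode_blob(blob: str) -> Optional[str]:
    """Return the decoded text of a base64 blob, or None if it is not one.

    UTF-16LE is tried first: ASCII text in that encoding has a NUL in every
    odd byte, which is a cheap and reliable tell for -EncodedCommand
    payloads. Anything else is accepted only if it decodes as printable
    UTF-8, which filters out ordinary words that happen to look like base64.
    """
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if _is_text(text) else None


def decode_command_line(cmd: str) -> List[Tuple[str, str]]:
    """Return (blob, decoded_text) for every decodable base64 run in cmd."""
    found = []
    for m in B64_RE.finditer(cmd):
        text = decode_blob(m.group(0))
        if text is not None:
            found.append((m.group(0), text))
    return found


def scan_entries(entries: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (location, blob, decoded_text) for entries carrying a payload."""
    hits = []
    for location, cmd in entries:
        for blob, text in decode_command_line(cmd):
            hits.append((location, blob, text))
    return hits


# Constructed sample payloads (hypothetical, not from the challenge image).
SAMPLE_SCRIPT = "Write-Host 'constructed sample payload'"
# What PowerShell -EncodedCommand expects: UTF-16LE text, base64-encoded.
ENCODED_PS = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
PLAIN_SCRIPT = "Get-Date; Get-Process"
PLAIN_B64 = base64.b64encode(PLAIN_SCRIPT.encode("utf-8")).decode("ascii")

# Constructed autorun entries in the shape (registry location, command line).
SAMPLE_ENTRIES = [
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "powershell.exe -NoP -W Hidden -EncodedCommand " + ENCODED_PS),
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VBoxTray",
     "C:\\Windows\\system32\\VBoxTray.exe"),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Sync",
     "powershell.exe -c \"[Text.Encoding]::UTF8.GetString("
     "[Convert]::FromBase64String('" + PLAIN_B64 + "'))\""),
]

if __name__ == "__main__":
    for location, blob, text in scan_entries(SAMPLE_ENTRIES):
        print(f"{location}\n  blob:    {blob[:40]}...\n  decoded: {text}")
```

Anything the regex picks up that is not real base64 (the 16-character word FromBase64String in the third sample, for instance) fails either padding validation or the printable-text check and is dropped; the benign VBoxTray entry yields nothing at all.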


The flag was hiding in that payload:


