| Description | This article describes how to analyze process memory dumps obtained from the FortiEDR management console. |
| Scope | FortiEDR. |
| Solution |
The FortiEDR management console allows end users to retrieve memory dumps from running processes that have been flagged as suspicious, as long as their threads are still running and have not been terminated by the collector that detected the event or by any other application installed on the endpoint.
There exist tools that facilitate the analysis of system-wide memory dumps, such as Volatility, which is capable of returning detailed information on the state of the system itself at the time the dump was taken (for example, running processes and open network connections).
In this case, WinDbg may be a better option to analyze process dumps retrieved from the FortiEDR management console, as the dump contains information only from one specific process.
In the following example, a memory dump was retrieved from notepad.exe, which triggered a suspicious event in FortiEDR. Once the dump is loaded in WinDbg, run the following command to check what modules were loaded into the process memory:
lm
In the lm output, mswsock.dll stands out as something that should not be loaded by notepad.exe, which should not be making any socket connections on a standard Windows system.
Run the following command to return more information regarding the loaded module:
lmv m mswsock
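The triage step above (read the lm listing, spot a module that has no business in the process) can be scripted when many dumps have to be reviewed. The following Python is an added example, not Fortinet's code or a FortiEDR feature: it parses WinDbg-style lm output and compares the loaded module names against a per-process baseline. Both the sample lm listing and the notepad.exe baseline are constructed for this example; a real baseline must be built from known-good dumps of the same Windows build.

```python
import re

# Matches one WinDbg "lm" row: start address, end address, module name, symbol info.
# 64-bit addresses carry a backtick separator (00007ff6`5e8b0000), which is stripped.
LM_LINE = re.compile(
    r"^(?P<start>[0-9a-fA-F`]+)\s+(?P<end>[0-9a-fA-F`]+)\s+(?P<name>\S+)\s*(?P<info>.*)$"
)

# Constructed sample lm output for a notepad.exe dump (addresses are made up).
SAMPLE_LM = """\
start             end                 module name
00007ff6`5e8b0000 00007ff6`5e8e8000   notepad    (deferred)
00007ffd`3c2e0000 00007ffd`3c340000   mswsock    (deferred)
00007ffd`3d2f0000 00007ffd`3d3b0000   KERNEL32   (deferred)
00007ffd`3d6a0000 00007ffd`3d9a0000   KERNELBASE (deferred)
00007ffd`3e1b0000 00007ffd`3e350000   USER32     (deferred)
00007ffd`3f1c0000 00007ffd`3f3b8000   ntdll      (pdb symbols)  c:\\symbols\\ntdll.pdb
"""

# Hypothetical baseline of modules expected in notepad.exe; build it from clean dumps.
NOTEPAD_BASELINE = {"notepad", "ntdll", "kernel32", "kernelbase", "user32"}


def parse_lm(text):
    """Return a list of {name, start, size, info} dicts, one per lm row."""
    modules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("start"):  # skip blank lines and the column header
            continue
        m = LM_LINE.match(line)
        if not m:  # e.g. "Unloaded modules:" and similar non-row lines
            continue
        start = int(m.group("start").replace("`", ""), 16)
        end = int(m.group("end").replace("`", ""), 16)
        modules.append({
            "name": m.group("name").lower(),  # lm prints mixed case; normalise for comparison
            "start": start,
            "size": end - start,
            "info": m.group("info").strip(),
        })
    return modules


def unexpected_modules(modules, baseline):
    """Names of loaded modules that are absent from the baseline, in load-list order."""
    return [m["name"] for m in modules if m["name"] not in baseline]


if __name__ == "__main__":
    mods = parse_lm(SAMPLE_LM)
    for name in unexpected_modules(mods, NOTEPAD_BASELINE):
        mod = next(m for m in mods if m["name"] == name)
        print(f"unexpected module {name} at {mod['start']:#x} ({mod['size']:#x} bytes)")
```

The lm listing is pasted from WinDbg (or saved with .logopen) and fed to parse_lm; each name flagged by unexpected_modules is then inspected with lmv m <name> as shown above.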
Further analysis of loaded modules is possible with WinDbg. The following image shows the PE signatures returned for mswsock.dll (MZ, the DOS header at the module base) and notepad.exe (PE, the NT headers IMAGE_NT_HEADERS), respectively, the latter reached by adding the module's e_lfanew offset (stored at offset 0x3C of the DOS header) to its base address:
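The same header walk (module base, e_lfanew at offset 0x3C, IMAGE_NT_HEADERS at base + e_lfanew) is shown below in Python as an added example that is not part of this article or of FortiEDR. It builds a constructed minimal PE image inside a fake address space, then reads the signatures exactly as one would with db and dd in WinDbg; a module whose in-memory headers have been wiped or replaced, as happens with hollowed or manually mapped modules, fails the check.

```python
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
IMAGE_FILE_MACHINE_AMD64 = 0x8664
E_LFANEW_OFFSET = 0x3C          # offset of e_lfanew within IMAGE_DOS_HEADER
FILE_HEADER_FMT = "<HHIIIHH"    # IMAGE_FILE_HEADER (20 bytes) following the PE signature


def build_minimal_image(e_lfanew=0x80, machine=IMAGE_FILE_MACHINE_AMD64, num_sections=3):
    """Constructed sample: a DOS header whose e_lfanew points at a minimal IMAGE_NT_HEADERS."""
    buf = bytearray(e_lfanew + 4 + struct.calcsize(FILE_HEADER_FMT))
    buf[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = IMAGE_NT_SIGNATURE
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (0x22 = EXECUTABLE | LARGE_ADDRESS_AWARE)
    struct.pack_into(FILE_HEADER_FMT, buf, e_lfanew + 4, machine, num_sections, 0, 0, 0, 0, 0x22)
    return bytes(buf)


def read_pe_signatures(memory, base):
    """Walk base -> e_lfanew -> IMAGE_NT_HEADERS; return header fields, or None if the
    DOS or NT signature is missing (wiped, overwritten, or not a PE image at all)."""
    if memory[base:base + 2] != IMAGE_DOS_SIGNATURE:
        return None
    e_lfanew = struct.unpack_from("<I", memory, base + E_LFANEW_OFFSET)[0]
    nt = base + e_lfanew
    if memory[nt:nt + 4] != IMAGE_NT_SIGNATURE:
        return None
    machine, num_sections, _, _, _, _, characteristics = struct.unpack_from(
        FILE_HEADER_FMT, memory, nt + 4)
    return {
        "base": base,
        "e_lfanew": e_lfanew,
        "nt_headers_va": nt,
        "machine": machine,
        "number_of_sections": num_sections,
        "characteristics": characteristics,
    }


def make_address_space(image, base):
    """Constructed process memory: zero bytes up to base, then the image mapped at base."""
    return b"\0" * base + image


def wipe_headers(memory, base):
    """Simulate a module whose DOS header was zeroed in memory (headers no longer walkable)."""
    buf = bytearray(memory)
    buf[base:base + 0x40] = b"\0" * 0x40
    return bytes(buf)


if __name__ == "__main__":
    space = make_address_space(build_minimal_image(), 0x1000)
    print(read_pe_signatures(space, 0x1000))      # valid headers
    print(read_pe_signatures(wipe_headers(space, 0x1000), 0x1000))  # None: headers gone
```

In WinDbg the equivalent manual steps are db <base> (expect 4D 5A, "MZ"), dd <base>+3c L1 (e_lfanew) and db <base>+<e_lfanew> (expect 50 45 00 00, "PE"); a module that fails any of these in memory while its on-disk copy passes is worth a closer look.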
A dive into the PE file format is a good start to learn more about the PE file structure and understand how tactics like process hollowing and fileless module loading work. |
Copyright 2025 Fortinet, Inc. All Rights Reserved.