A Windows Endpoint was recently compromised. Thanks to our cutting-edge EDR/IDS solution we immediately noticed it. The alert was escalated to Tier 2 (Incident Responders) for further investigation. As our Forensics guy, you were given the memory dump of the compromised host. You should continue to investigate.
https://app.letsdefend.io/challenge/memory-analysis

The SystemTime field in the windows.info plugin output shows the host's system clock at the time the memory image was captured.
List processes: vol.py windows.pslist -f <memory.dmp> (or windows.pstree).
A second lsass.exe instance appears that is not the normal System LSASS. A genuine lsass.exe should have wininit.exe (or services.exe, depending on the Windows version) as its parent, and there should be only one instance.
The suspicious lsass.exe has an unexpected Parent PID of 3996, which maps to explorer.exe: an anomalous parent/child relationship for LSASS. Multiple instances plus a non-standard parent are strong indicators of process masquerading or process hollowing.
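To show how the two checks above (duplicate lsass.exe instances, and an lsass.exe whose parent is not wininit.exe/services.exe) can be applied mechanically to windows.pslist output, here is an added triage script. It is not part of the challenge write-up or of Volatility; the pslist lines it parses are constructed sample data, and only the explorer.exe PID 3996 as the suspicious parent mirrors the finding above. The other PIDs, offsets and timestamps are made up.

```python
"""Flag masquerading lsass.exe instances in Volatility 3 windows.pslist output.

Added example for triage, not code from the write-up or from Volatility.
"""

# Constructed sample of `vol.py windows.pslist` output (NOT from the real image).
# Only PPID 3996 -> explorer.exe is taken from the write-up; everything else
# (PIDs, offsets, times) is made up so the script runs offline.
SAMPLE_PSLIST = """\
PID	PPID	ImageFileName	Offset(V)	Threads	Handles	SessionId	Wow64	CreateTime	ExitTime	File output
4	0	System	0xa000	120	-	N/A	False	2021-01-01 00:00:00.000000	N/A	Disabled
496	4	smss.exe	0xa100	2	-	N/A	False	2021-01-01 00:00:01.000000	N/A	Disabled
604	496	wininit.exe	0xa200	1	-	0	False	2021-01-01 00:00:02.000000	N/A	Disabled
684	604	services.exe	0xa300	8	-	0	False	2021-01-01 00:00:03.000000	N/A	Disabled
692	604	lsass.exe	0xa400	9	-	0	False	2021-01-01 00:00:03.000000	N/A	Disabled
3996	3900	explorer.exe	0xa500	40	-	1	False	2021-01-01 00:05:00.000000	N/A	Disabled
5132	3996	lsass.exe	0xa600	3	-	1	False	2021-01-01 00:30:00.000000	N/A	Disabled
"""

# Parents under which a genuine lsass.exe is launched. wininit.exe is the norm on
# modern Windows; services.exe is tolerated to cover the version difference the
# write-up mentions.
EXPECTED_LSASS_PARENTS = {"wininit.exe", "services.exe"}


def parse_pslist(text):
    """Return [{pid, ppid, name}, ...] from windows.pslist text.

    Only the first three columns are needed, so the row is split on any
    whitespace; this works for both tab- and space-aligned renderer output.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit():
            continue  # header line or decoration
        rows.append({"pid": int(parts[0]), "ppid": int(parts[1]), "name": parts[2]})
    return rows


def find_suspicious_lsass(rows):
    """Return [(pid, [reasons]), ...] for lsass.exe rows that look wrong.

    A row is flagged when its parent is not an expected LSASS launcher, or when
    more than one lsass.exe exists (every instance is then listed for review).
    """
    by_pid = {r["pid"]: r["name"] for r in rows}
    lsass = [r for r in rows if r["name"].lower() == "lsass.exe"]
    findings = []
    for r in lsass:
        reasons = []
        parent = by_pid.get(r["ppid"], "<unknown>")
        if parent.lower() not in EXPECTED_LSASS_PARENTS:
            reasons.append(f"unexpected parent {parent} (PID {r['ppid']})")
        if len(lsass) > 1:
            reasons.append(f"{len(lsass)} lsass.exe instances present")
        if reasons:
            findings.append((r["pid"], reasons))
    return findings


def triage(text=SAMPLE_PSLIST):
    """Parse pslist output and return the suspicious lsass.exe findings."""
    return find_suspicious_lsass(parse_pslist(text))


if __name__ == "__main__":
    # To use on a real image: vol.py -f <memory.dmp> windows.pslist > pslist.txt
    # and pass open("pslist.txt").read() to triage().
    for pid, reasons in triage():
        print(f"lsass.exe PID {pid}: " + "; ".join(reasons))
```

On the constructed input the legitimate instance (PID 692) is reported only because a second copy exists, while PID 5132 is reported for both its explorer.exe parent and the duplicate count, which is exactly the pair of signals the write-up uses to call out masquerading.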