FaresMorcy
Boss Of The SOC v1 Lab


Last updated 6 months ago

Q2) Web Defacement: What content management system is imreallynotbatman.com likely using? (Please do not include punctuation such as . , ! ? in your answer. We are looking for alpha characters only.)

| eventcount summarize=false index=* | table index
| metadata type=sourcetypes
index="botsv1" sourcetype="stream:http" imreallynotbatman.com

Answer: joomla

Q3) Web Defacement: What is the likely IP address of someone from the Po1s0n1vy group scanning imreallynotbatman.com for web application vulnerabilities?

index=botsv1 sourcetype=suricata http.hostname=imreallynotbatman.com
| stats count by src_ip
| sort - count

#OR
index="botsv1" sourcetype="stream:http" imreallynotbatman.com

Answer: 40.80.148.42

Q4) Web Defacement: What company created the web vulnerability scanner used by Po1s0n1vy? Type the company name. (For example, "Microsoft" or "Oracle")

index="botsv1" sourcetype="suricata" imreallynotbatman.com
| stats count by alert.signature

Answer: acunetix

Q5) Web Defacement: What IP address is likely attempting a brute force password attack against imreallynotbatman.com?

index="botsv1" sourcetype="stream:http"  imreallynotbatman.com 
| stats count by c_ip, status
index="botsv1" sourcetype="stream:http"  imreallynotbatman.com c_ip=23.22.63.114
index="botsv1" sourcetype="stream:http"  imreallynotbatman.com http_method=POST 
| stats count by c_ip, form_data

Answer: 23.22.63.114

Q6) Web Defacement: What was the first brute force password used?

index="botsv1" sourcetype="stream:http"  imreallynotbatman.com http_method=POST c_ip="23.22.63.114"
| stats count by form_data, _time 
| sort _time

Answer: 12345678

Q7) Web Defacement: What is the name of the executable uploaded by Po1s0n1vy? Please include the file extension. (For example, "notepad.exe" or "favicon.ico")

index=botsv1 sourcetype=stream:http dest_ip=192.168.250.70 http_method=POST *.exe

Answer: 3791.exe

Q8) Web Defacement: What is the MD5 hash of the executable uploaded?

index=botsv1 sourcetype=* "3791.exe" EventCode=1
#OR
index=botsv1 sourcetype=* CommandLine=3791.exe

Answer: AAE3F5A29935E6ABCC2C2754D12A9AF0

Q9) Web Defacement: What was the correct password for admin access to the content management system running "imreallynotbatman.com"?

index=botsv1 sourcetype=stream:http dest_ip=192.168.250.70 http_method=POST uri=/joomla/Administrator/index.php 
| rex field=form_data "passwd=(?<password>\w+)" 
| stats count by password

Answer: batman

Q10) Web Defacement: What is the name of the file that defaced the imreallynotbatman.com website? Please submit only the name of the file with the extension (For example, "notepad.exe" or "favicon.ico").

index=botsv1 sourcetype=stream:http src_ip=192.168.250.70

Answer: poisonivy-is-coming-for-you-batman.jpeg

Q11) Web Defacement: This attack used dynamic DNS to resolve to the malicious IP. What is the fully qualified domain name (FQDN) associated with this attack?

index=botsv1 sourcetype="stream:dns" "23.22.63.114"

Answer: prankglassinebracket.jumpingcrab.com

Q12) Web Defacement: What IP address has Po1s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises?

Answer: 23.22.63.114

Q13) Web Defacement: Based on the data gathered from this attack and common open-source intelligence sources for domain names, what is the email address most likely associated with the Po1s0n1vy APT group?

Using whoxy.com.

Answer: lillian.rose@po1s0n1vy.com

Q14) Web Defacement: GCPD reported that common TTP (Tactics, Techniques, Procedures) for the Po1s0n1vy APT group, if initial compromise fails, is to send a spear-phishing email with custom malware attached to their intended target. This malware is usually connected to Po1s0n1vy's initial attack infrastructure. Using research techniques, provide the SHA256 hash of this malware.

Answer: 9709473ab351387aab9e816eff3910b9f28a7a70202e250ed46dba8f820f34a8

Q15) Web Defacement: What is the special hex code associated with the customized malware discussed in the previous question?

Answer: 53 74 65 76 65 20 42 72 61 6e 74 27 73 20 42 65 61 72 64 20 69 73 20 61 20 70 6f 77 65 72 66 75 6c 20 74 68 69 6e 67 2e 20 46 69 6e 64 20 74 68 69 73 20 6d 65 73 73 61 67 65 20 61 6e 64 20 61 73 6b 20 68 69 6d 20 74 6f 20 62 75 79 20 79 6f 75 20 61 20 62 65 65 72 21 21 21

Q16) Web Defacement: One of Po1s0n1vy's staged domains has some disjointed "unique" whois information. Concatenate the two codes together and submit them as a single answer.

Answer: 31 73 74 32 66 69 6E 64 67 65 74 73 66 72 65 65 62 65 65 72 66 72 6F 6D 72 79 61 6E 66 69 6E 64 68 69 6D 74 6F 67 65 74

Q17) Web Defacement: One of the passwords in the brute force attack is James Brodsky's favorite Coldplay song. Hint: we are looking for a six-character word on this one. Which is it?

Answer: yellow

Q18) Web Defacement: What was the average password length used in the password brute-forcing attempt? (Round to a closest whole integer. For example "5" not "5.23213")

index=botsv1 sourcetype=stream:http dest_ip=192.168.250.70 http_method=POST uri=/joomla/Administrator/index.php 
| rex field=form_data "passwd=(?<password>\w+)" 
| eval password_length=length(password)
| stats avg(password_length) as average_password_length

Answer: 6

Q19) Web Defacement: How many seconds elapsed between the brute force password scan identified the correct password and the compromised login? Round to 2 decimal places.

index=botsv1 sourcetype=stream:http dest_ip=192.168.250.70 http_method=POST uri=/joomla/Administrator/index.php
| rex field=form_data "passwd=(?<password>\w+)" 
| search password="batman"
| transaction password
| table duration
| eval rounded_duration = round(duration, 2)

Answer: 92.17

Q20) Web Defacement: How many unique passwords were attempted in the brute force attempt?

index=botsv1 sourcetype=stream:http dest_ip=192.168.250.70 http_method=POST uri=/joomla/Administrator/index.php
| rex field=form_data "passwd=(?<password>\w+)" 
| dedup password
| stats count by password

Answer: 412
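The brute-force questions (Q5, Q6, Q18, Q19 and Q20) all hang off the same `rex field=form_data "passwd=(?<password>\w+)"` extraction, so the following Python, added here and not part of the original writeup, replays each of those SPL stages over a small constructed set of stream:http POST events (timestamps, client IPs and form bodies are made up; the 92.17 s gap between the two "batman" attempts is chosen to mirror the Q19 answer).

```python
import re
from datetime import datetime
from statistics import mean

# Constructed sample of stream:http POST events to the Joomla administrator login,
# reduced to the three fields the SPL on this page relies on (_time, c_ip, form_data).
SAMPLE_EVENTS = [
    ("2016-08-10T21:43:01.000Z", "23.22.63.114", "username=admin&passwd=12345678&option=com_login"),
    ("2016-08-10T21:43:02.000Z", "23.22.63.114", "username=admin&passwd=yellow&option=com_login"),
    ("2016-08-10T21:43:03.000Z", "23.22.63.114", "username=admin&passwd=batman&option=com_login"),
    ("2016-08-10T21:43:03.500Z", "23.22.63.114", "username=admin&passwd=robin&option=com_login"),
    ("2016-08-10T21:44:35.170Z", "40.80.148.42", "username=admin&passwd=batman&option=com_login"),
]

# Same extraction as the page's `rex field=form_data "passwd=(?<password>\w+)"`.
PASSWD_RE = re.compile(r"passwd=(?P<password>\w+)")


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ")


def extract_attempts(events):
    """Yield (time, client_ip, password) for every POST that carries a passwd field."""
    for stamp, c_ip, form_data in events:
        m = PASSWD_RE.search(form_data)
        if m:
            yield parse_time(stamp), c_ip, m.group("password")


def analyze_bruteforce(events, correct_password):
    attempts = sorted(extract_attempts(events))          # `| sort _time`
    passwords = [p for _, _, p in attempts]
    hits = [t for t, _, p in attempts if p == correct_password]
    attempts_by_ip = {}
    for _, c_ip, _ in attempts:                          # Q5: `stats count by c_ip`
        attempts_by_ip[c_ip] = attempts_by_ip.get(c_ip, 0) + 1
    return {
        "first_password": passwords[0],                  # Q6: earliest form_data
        "unique_passwords": len(set(passwords)),         # Q20: `dedup password`
        "average_length": round(mean(len(p) for p in passwords)),  # Q18: avg(length)
        # Q19: `transaction password` duration = last minus first sighting of the hit
        "seconds_to_login": round((hits[-1] - hits[0]).total_seconds(), 2),
        "attempts_by_ip": attempts_by_ip,
    }


if __name__ == "__main__":
    print(analyze_bruteforce(SAMPLE_EVENTS, "batman"))
```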

Q21) Ransomware: What fully qualified domain name (FQDN) makes the Cerber ransomware attempt to direct the user to at the end of its encryption phase?

index=botsv1 src_ip="192.168.250.100" source="stream:dns" NOT query{}=*.arpa AND NOT query{}=*.microsoft.com AND NOT query{}=*.msn.com AND NOT query{}=*.info AND NOT query{}=*.local AND query{}=*.*
| table dest_ip _time query{}
| sort - _time

Answer: cerberhhyed5frqa.xmfir0.win

Q22) Ransomware: What was the most likely IP address of we8105desk in 24AUG2016?

index=botsv1 host=we8105desk 
| stats count by SourceIp

Answer: 192.168.250.100

Q23) Ransomware: Amongst the Suricata signatures that detected the Cerber malware, which one alerted the fewest number of times? Submit ONLY the signature ID value as the answer. (No punctuation, just 7 integers.)

index=botsv1 sourcetype="suricata" "cerber"
| stats count by alert.signature, alert.signature_id
| table alert.signature, alert.signature_id, count

Answer: 2816763

Q24) Ransomware: The VBScript found in question 25 launches 121214.tmp. What is the ParentProcessId of this initial launch?

index=botsv1 sourcetype="xmlwineventlog" vbs 121214.tmp
| table ParentImage, ParentProcessId, Image, ProcessId, CommandLine

Answer: 3968

Q25) Ransomware: During the initial Cerber infection a VB script is run. The entire script from this execution, pre-pended by the name of the launching .exe, can be found in a field in Splunk. What is the length in characters of the value of this field?

index=botsv1 sourcetype="xmlwineventlog" *.vbs
| eval cmdlength=length(CommandLine) 
| table _time, CommandLine, cmdlength

Answer: 4490

Q26) Ransomware: The malware downloads a file that contains the Cerber ransomware crypto code. What is the name of that file?

index="botsv1"  sourcetype="suricata" dest_ip=192.168.250.100 
| dedup http.hostname
| stats count by dest_ip, http.hostname
index="botsv1"  sourcetype="suricata" dest_ip=192.168.250.100 http.hostname="solidaritedeproximite.org"

Answer: mhtr.jpg

Q27) Ransomware: Now that you know the name of the ransomware's encryptor file, what obfuscation technique does it likely use?

Answer: steganography

Q28) Ransomware: What is the name of the USB key inserted by Bob Smith?

index="botsv1"  sourcetype="winregistry" host=we8105desk *usb* 
| table registry_value_data 
| dedup registry_value_data

Answer: MIRANDA_PRI

Q29) Ransomware: Bob Smith's workstation (we8105desk) was connected to a file server during the ransomware outbreak. What is the IP address of the file server?

index="botsv1" sourcetype="stream:smb" src_ip=192.168.250.100
| stats count by dest_ip

Answer: 192.168.250.20

Q30) Ransomware: How many distinct PDFs did the ransomware encrypt on the remote file server?

index=botsv1 host=we9041srv 
| where like(Relative_Target_Name, "%.pdf") 
| stats dc(Relative_Target_Name)

Answer: 257

Q31) Ransomware: The Cerber ransomware encrypts files located in Bob Smith's Windows profile. How many .txt files does it encrypt?

index=botsv1 bob.smith sourcetype="xmlwineventlog"  TargetFilename="C:\\Users\\bob.smith.WAYNECORPINC\\*.txt" | stats dc(TargetFilename)

Answer: 406

Q32) Ransomware: What was the first suspicious domain visited by we8105desk in 24AUG2016?

index=botsv1 src_ip="192.168.250.100" source="stream:dns" NOT query{}=*.arpa AND NOT query{}=*.microsoft.com AND NOT query{}=*.msn.com AND NOT query{}=*.info AND NOT query{}=*.local AND query{}=*.*
| table dest_ip _time query{}
| sort _time

Answer: solidaritedeproximite.org