Boss Of The SOC v1 Lab
Q2) Web Defacement: What content management system is imreallynotbatman.com likely using? (Please do not include punctuation such as . , ! ? in your answer. We are looking for alpha characters only.)
| eventcount summarize=false index=* | table index

| metadata type=sourcetypes index=botsv1

index="botsv1" sourcetype="stream:http" imreallynotbatman.com

Answer: joomla
Q3) Web Defacement: What is the likely IP address of someone from the Po1s0n1vy group scanning imreallynotbatman.com for web application vulnerabilities?
index=botsv1 sourcetype=suricata http.hostname=imreallynotbatman.com
| stats count by src_ip
| sort -count
#OR
index="botsv1" sourcetype="stream:http" imreallynotbatman.com

Answer: 40.80.148.42
Q4) Web Defacement: What company created the web vulnerability scanner used by Po1s0n1vy? Type the company name. (For example, "Microsoft" or "Oracle")
index="botsv1" sourcetype="suricata" imreallynotbatman.com
| stats count by alert.signature

Answer: acunetix
Q5) Web Defacement: What IP address is likely attempting a brute force password attack against imreallynotbatman.com?
index="botsv1" sourcetype="stream:http" imreallynotbatman.com
| stats count by c_ip, status

index="botsv1" sourcetype="stream:http" imreallynotbatman.com c_ip=23.22.63.114

index="botsv1" sourcetype="stream:http" imreallynotbatman.com http_method=POST
| stats count by c_ip, form_data

Answer: 23.22.63.114
Q6) Web Defacement: What was the first brute force password used?
index="botsv1" sourcetype="stream:http" imreallynotbatman.com http_method=POST c_ip="23.22.63.114"
| stats count by form_data, _time
| sort _time

Answer: 12345678
Q7) Web Defacement: What is the name of the executable uploaded by Po1s0n1vy? Please include the file extension. (For example, "notepad.exe" or "favicon.ico")
index=botsv1 sourcetype=stream:http dest_ip=192.168.250.70 http_method=POST *.exe

Answer: 3791.exe
Q8) Web Defacement: What is the MD5 hash of the executable uploaded?
index=botsv1 sourcetype=* "3791.exe" EventCode=1
#OR
index=botsv1 sourcetype=* CommandLine=3791.exe
Answer: AAE3F5A29935E6ABCC2C2754D12A9AF0
Q9) Web Defacement: What was the correct password for admin access to the content management system running "imreallynotbatman.com"?
index=botsv1 sourcetype=stream:http dest_ip=192.168.250.70 http_method=POST uri=/joomla/Administrator/index.php
| rex field=form_data "passwd=(?<password>\w+)"
| stats count by password

Answer: batman
Q10) Web Defacement: What is the name of the file that defaced the imreallynotbatman.com website? Please submit only the name of the file with the extension (For example, "notepad.exe" or "favicon.ico").
index=botsv1 sourcetype=stream:http src_ip=192.168.250.70

Answer: poisonivy-is-coming-for-you-batman.jpeg
Q11) Web Defacement: This attack used dynamic DNS to resolve to the malicious IP. What is the fully qualified domain name (FQDN) associated with this attack?
index=botsv1 sourcetype="stream:dns" "23.22.63.114"

Answer: prankglassinebracket.jumpingcrab.com
Q12) Web Defacement: What IP address has Po1s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises?

Answer: 23.22.63.114
Q13) Web Defacement: Based on the data gathered from this attack and common open-source intelligence sources for domain names, what is the email address most likely associated with the Po1s0n1vy APT group?
Using whoxy.com.

Answer: lillian.rose@po1s0n1vy.com
Q14) Web Defacement: GCPD reported that common TTP (Tactics, Techniques, Procedures) for the Po1s0n1vy APT group, if initial compromise fails, is to send a spear-phishing email with custom malware attached to their intended target. This malware is usually connected to Po1s0n1vy's initial attack infrastructure. Using research techniques, provide the SHA256 hash of this malware.
Answer: 9709473ab351387aab9e816eff3910b9f28a7a70202e250ed46dba8f820f34a8
Q15) Web Defacement: What is the special hex code associated with the customized malware discussed in the previous question?

Answer: 53 74 65 76 65 20 42 72 61 6e 74 27 73 20 42 65 61 72 64 20 69 73 20 61 20 70 6f 77 65 72 66 75 6c 20 74 68 69 6e 67 2e 20 46 69 6e 64 20 74 68 69 73 20 6d 65 73 73 61 67 65 20 61 6e 64 20 61 73 6b 20 68 69 6d 20 74 6f 20 62 75 79 20 79 6f 75 20 61 20 62 65 65 72 21 21 21
Q16) Web Defacement: One of Po1s0n1vy's staged domains has some disjointed "unique" whois information. Concatenate the two codes together and submit them as a single answer.

Answer: 31 73 74 32 66 69 6E 64 67 65 74 73 66 72 65 65 62 65 65 72 66 72 6F 6D 72 79 61 6E 66 69 6E 64 68 69 6D 74 6F 67 65 74
Q17) Web Defacement: One of the passwords in the brute force attack is James Brodsky's favorite Coldplay song. Hint: we are looking for a six-character word on this one. Which is it?

Answer: yellow
Q18) Web Defacement: What was the average password length used in the password brute-forcing attempt? (Round to a closest whole integer. For example "5" not "5.23213")
index=botsv1 sourcetype=stream:http dest_ip=192.168.250.70 http_method=POST uri=/joomla/Administrator/index.php
| rex field=form_data "passwd=(?<password>\w+)"
| eval password_length=length(password)
| stats avg(password_length) as average_password_length

Answer: 6
Q19) Web Defacement: How many seconds elapsed between the brute force password scan identified the correct password and the compromised login? Round to 2 decimal places.
index=botsv1 sourcetype=stream:http dest_ip=192.168.250.70 http_method=POST uri=/joomla/Administrator/index.php
| rex field=form_data "passwd=(?<password>\w+)"
| search password="batman"
| transaction password
| table duration
| eval rounded_duration = round(duration, 2)

Answer: 92.17
Q20) Web Defacement: How many unique passwords were attempted in the brute force attempt?
index=botsv1 sourcetype=stream:http dest_ip=192.168.250.70 http_method=POST uri=/joomla/Administrator/index.php
| rex field=form_data "passwd=(?<password>\w+)"
| dedup password
| stats count by password

Answer: 412
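The brute-force triage in Q5, Q6 and Q18 to Q20 can be reproduced offline. The following Python script is an added example, not part of the original write-up or of the BOTS dataset: it applies the same logic the SPL above expresses (count POSTs to the Joomla admin login per client IP and status, extract `passwd=` from `form_data` with the same regex, average length, distinct count, and the gap between the first and last POST carrying the correct password, which is what `transaction password | table duration` measures). It runs over a handful of constructed stream:http-style events. The event values, timestamps and the `threshold` parameter are assumptions; only the field names come from the queries on this page, and the results differ from the lab's answers because the sample data is made up.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample events shaped like the stream:http fields the SPL queries use
# (_time, c_ip, http_method, uri, status, form_data). These are NOT BOTSv1 records;
# the timestamps and passwords are made up to exercise the logic.
LOGIN_URI = "/joomla/administrator/index.php"
EVENTS = [
    {"_time": "2016-08-10T21:40:00.000+00:00", "c_ip": "40.80.148.42", "http_method": "GET",
     "uri": LOGIN_URI, "status": 200, "form_data": ""},
    {"_time": "2016-08-10T21:40:30.000+00:00", "c_ip": "10.0.0.5", "http_method": "GET",
     "uri": "/", "status": 200, "form_data": ""},
    {"_time": "2016-08-10T21:41:00.000+00:00", "c_ip": "23.22.63.114", "http_method": "POST",
     "uri": LOGIN_URI, "status": 200,
     "form_data": "username=admin&passwd=12345678&option=com_login&task=login"},
    {"_time": "2016-08-10T21:41:01.500+00:00", "c_ip": "23.22.63.114", "http_method": "POST",
     "uri": LOGIN_URI, "status": 200,
     "form_data": "username=admin&passwd=yellow&option=com_login&task=login"},
    {"_time": "2016-08-10T21:41:03.000+00:00", "c_ip": "23.22.63.114", "http_method": "POST",
     "uri": LOGIN_URI, "status": 200,
     "form_data": "username=admin&passwd=password1&option=com_login&task=login"},
    {"_time": "2016-08-10T21:41:04.250+00:00", "c_ip": "23.22.63.114", "http_method": "POST",
     "uri": LOGIN_URI, "status": 200,
     "form_data": "username=admin&passwd=batman&option=com_login&task=login"},
    {"_time": "2016-08-10T21:41:05.000+00:00", "c_ip": "23.22.63.114", "http_method": "POST",
     "uri": LOGIN_URI, "status": 200,
     "form_data": "username=admin&passwd=yellow&option=com_login&task=login"},
    {"_time": "2016-08-10T21:42:36.420+00:00", "c_ip": "40.80.148.42", "http_method": "POST",
     "uri": LOGIN_URI, "status": 303,
     "form_data": "username=admin&passwd=batman&option=com_login&task=login"},
]

# Same pattern as the SPL `rex field=form_data "passwd=(?<password>\w+)"`, in Python syntax.
PASSWD_RE = re.compile(r"passwd=(?P<password>\w+)")


def parse_time(event):
    return datetime.fromisoformat(event["_time"])


def extract_password(form_data):
    """Return the passwd= value from a form body, or None when it is absent."""
    m = PASSWD_RE.search(form_data or "")
    return m.group("password") if m else None


def login_posts(events):
    """POSTs to the admin login URI (case-insensitive, like Splunk field matching),
    in time order, each with the extracted password attached."""
    hits = [{**e, "password": extract_password(e["form_data"])}
            for e in events
            if e["http_method"] == "POST" and e["uri"].lower() == LOGIN_URI]
    return sorted(hits, key=parse_time)


def posts_by_ip_and_status(events):
    """Equivalent of `stats count by c_ip, status` over the login POSTs (Q5)."""
    return Counter((e["c_ip"], e["status"]) for e in login_posts(events))


def brute_force_source(events, threshold=3):
    """Client IP with the most login POSTs, if it reaches the (assumed) threshold."""
    counts = Counter(e["c_ip"] for e in login_posts(events))
    if not counts:
        return None
    ip, n = counts.most_common(1)[0]
    return ip if n >= threshold else None


def first_password(events, src_ip):
    """Earliest password submitted by src_ip (Q6)."""
    for e in login_posts(events):
        if e["c_ip"] == src_ip and e["password"]:
            return e["password"]
    return None


def average_password_length(events):
    """Mean password length over every login POST, rounded to a whole number (Q18)."""
    lengths = [len(e["password"]) for e in login_posts(events) if e["password"]]
    return round(sum(lengths) / len(lengths)) if lengths else 0


def unique_password_count(events):
    """Number of distinct passwords attempted (Q20)."""
    return len({e["password"] for e in login_posts(events) if e["password"]})


def seconds_between_uses(events, password):
    """Seconds from the first to the last POST carrying `password`, rounded to two
    decimals: the duration of the `transaction password` grouping in Q19."""
    times = [parse_time(e) for e in login_posts(events) if e["password"] == password]
    if len(times) < 2:
        return 0.0
    return round((max(times) - min(times)).total_seconds(), 2)


if __name__ == "__main__":
    src = brute_force_source(EVENTS)
    print("login POSTs by (ip, status):", dict(posts_by_ip_and_status(EVENTS)))
    print("brute-force source:", src)
    print("first password tried:", first_password(EVENTS, src))
    print("average password length:", average_password_length(EVENTS))
    print("unique passwords:", unique_password_count(EVENTS))
    print("seconds between uses of 'batman':", seconds_between_uses(EVENTS, "batman"))
```

The duration measure only works because the correct password appears twice in the sample (the scanner's hit and the later real login); if a real login happened from a session cookie rather than a second POST, the transaction would contain one event and the gap would have to be measured against a different event, such as the 303 redirect.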
Q21) Ransomware: What fully qualified domain name (FQDN) makes the Cerber ransomware attempt to direct the user to at the end of its encryption phase?
index=botsv1 src_ip="192.168.250.100" source="stream:dns" NOT query{}=*.arpa AND NOT query{}=*.microsoft.com AND NOT query{}=*.msn.com AND NOT query{}=*.info AND NOT query{}=*.local AND query{}=*.*
| table dest_ip _time query{}
| sort -_time

Answer: cerberhhyed5frqa.xmfir0.win
Q22) Ransomware: What was the most likely IP address of we8105desk in 24AUG2016?
index=botsv1 host=we8105desk
| stats count by SourceIp

Answer: 192.168.250.100
Q23) Ransomware: Amongst the Suricata signatures that detected the Cerber malware, which one alerted the fewest number of times? Submit ONLY the signature ID value as the answer. (No punctuation, just 7 integers.)
index=botsv1 sourcetype="suricata" "cerber"
| stats count by alert.signature, alert.signature_id
| table alert.signature, alert.signature_id, count

Answer: 2816763
Q24) Ransomware: The VBScript found in question 25 launches 121214.tmp. What is the ParentProcessId of this initial launch?
index=botsv1 sourcetype="xmlwineventlog" vbs 121214.tmp
| table ParentImage, ParentProcessId, Image, ProcessId, CommandLine

Answer: 3968
Q25) Ransomware: During the initial Cerber infection a VB script is run. The entire script from this execution, pre-pended by the name of the launching .exe, can be found in a field in Splunk. What is the length in characters of the value of this field?
index=botsv1 sourcetype="xmlwineventlog" *.vbs
| eval cmdlength=length(CommandLine)
| table _time, CommandLine, cmdlength

Answer: 4490
Q26) Ransomware: The malware downloads a file that contains the Cerber ransomware crypto code. What is the name of that file?
index="botsv1" sourcetype="suricata" dest_ip=192.168.250.100
| dedup http.hostname
| stats count by dest_ip, http.hostname

index="botsv1" sourcetype="suricata" dest_ip=192.168.250.100 http.hostname="solidaritedeproximite.org"

Answer: mhtr.jpg
Q27) Ransomware: Now that you know the name of the ransomware's encryptor file, what obfuscation technique does it likely use?
Answer: steganography
Q28) Ransomware: What is the name of the USB key inserted by Bob Smith?
index="botsv1" sourcetype="winregistry" host=we8105desk *usb*
| table registry_value_data
| dedup registry_value_data

Answer: MIRANDA_PRI
Q29) Ransomware: Bob Smith's workstation (we8105desk) was connected to a file server during the ransomware outbreak. What is the IP address of the file server?
index="botsv1" sourcetype="stream:smb" src_ip=192.168.250.100
| stats count by dest_ip

Answer: 192.168.250.20
Q30) Ransomware: How many distinct PDFs did the ransomware encrypt on the remote file server?
index=botsv1 host=we9041srv
| where like(Relative_Target_Name, "%.pdf")
| stats dc(Relative_Target_Name)

Answer: 257
Q31) Ransomware: The Cerber ransomware encrypts files located in Bob Smith's Windows profile. How many .txt files does it encrypt?
index=botsv1 bob.smith sourcetype="xmlwineventlog" TargetFilename="C:\\Users\\bob.smith.WAYNECORPINC\\*.txt"
| stats dc(TargetFilename)

Answer: 406
Q32) Ransomware: What was the first suspicious domain visited by we8105desk in 24AUG2016?
index=botsv1 src_ip="192.168.250.100" source="stream:dns" NOT query{}=*.arpa AND NOT query{}=*.microsoft.com AND NOT query{}=*.msn.com AND NOT query{}=*.info AND NOT query{}=*.local AND query{}=*.*
| table dest_ip _time query{}
| sort _time

Answer: solidaritedeproximite.org
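Q21 and Q32 use the same DNS query with an exclusion list to strip reverse lookups, vendor traffic, internal names and single-label names, then read the newest or oldest remaining domain. The following Python script is an added example, not part of the original write-up or the BOTS dataset: it mirrors those `NOT query{}=...` clauses with wildcard patterns and runs the filter over constructed stream:dns-style events. The sample queries, timestamps and the second source IP are assumptions; only the pattern list and field names come from the query above.

```python
import fnmatch
from datetime import datetime

# Exclusion list mirrored from the NOT query{}=... clauses in the SPL above.
NOISE_PATTERNS = ["*.arpa", "*.microsoft.com", "*.msn.com", "*.info", "*.local"]

# Constructed stream:dns-style events (_time, src_ip, query). NOT BOTSv1 records;
# the noise entries, the ordering and the second host are made up for the example.
DNS_EVENTS = [
    {"_time": "2016-08-24T16:40:00+00:00", "src_ip": "192.168.250.100", "query": "wpad"},
    {"_time": "2016-08-24T16:40:05+00:00", "src_ip": "192.168.250.100",
     "query": "100.250.168.192.in-addr.arpa"},
    {"_time": "2016-08-24T16:41:10+00:00", "src_ip": "192.168.250.100",
     "query": "solidaritedeproximite.org"},
    {"_time": "2016-08-24T16:41:12+00:00", "src_ip": "192.168.250.100",
     "query": "download.microsoft.com"},
    {"_time": "2016-08-24T16:45:00+00:00", "src_ip": "192.168.250.100", "query": "api.example.net"},
    {"_time": "2016-08-24T16:45:30+00:00", "src_ip": "192.168.250.100",
     "query": "dc01.waynecorpinc.local"},
    {"_time": "2016-08-24T17:02:00+00:00", "src_ip": "192.168.250.100",
     "query": "cerberhhyed5frqa.xmfir0.win"},
    {"_time": "2016-08-24T17:03:00+00:00", "src_ip": "192.168.250.20",
     "query": "other-host.example.net"},
]


def is_noise(name):
    """True when the query name matches an exclusion pattern or has no dot
    (the `query{}=*.*` clause drops single-label names such as `wpad`)."""
    n = name.lower()
    if "." not in n:
        return True
    return any(fnmatch.fnmatchcase(n, p) for p in NOISE_PATTERNS)


def suspicious_queries(events, src_ip):
    """Remaining queries from src_ip, oldest first (the `table ... | sort _time` step)."""
    rows = [e for e in events if e["src_ip"] == src_ip and not is_noise(e["query"])]
    return sorted(rows, key=lambda e: datetime.fromisoformat(e["_time"]))


def first_suspicious_domain(events, src_ip):
    """Q32: the earliest domain left after filtering."""
    rows = suspicious_queries(events, src_ip)
    return rows[0]["query"] if rows else None


def last_suspicious_domain(events, src_ip):
    """Q21: the latest domain left after filtering (the `sort -_time` view)."""
    rows = suspicious_queries(events, src_ip)
    return rows[-1]["query"] if rows else None


if __name__ == "__main__":
    host = "192.168.250.100"
    for row in suspicious_queries(DNS_EVENTS, host):
        print(row["_time"], row["query"])
    print("first:", first_suspicious_domain(DNS_EVENTS, host))
    print("last:", last_suspicious_domain(DNS_EVENTS, host))
```

The exclusion list is a triage shortcut, not a classifier: dropping every `.info` or `.local` name also hides any attacker infrastructure that happens to sit under those suffixes, so it is worth re-running the filter with the list emptied once the main timeline is understood.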