Boss of the SOC V1 - Web Defacement
Last updated
Task: Today is Alice's first day at the Wayne Enterprises' Security Operations Center. Lucius sits Alice down and gives her first assignment: a memo from Gotham City Police Department (GCPD). Apparently GCPD has found evidence online (http://pastebin.com/Gw6dWjS9) that the website www.imreallynotbatman.com, hosted on Wayne Enterprises' IP address space, has been compromised. The group has multiple objectives, but a key aspect of their modus operandi is to deface websites in order to embarrass their victim. Lucius has asked Alice to determine if www.imreallynotbatman.com (the personal blog of Wayne Corporation's CEO) was really compromised.
Q1) What is the likely IPv4 address of someone from the Po1s0n1vy group scanning imreallynotbatman.com for web application vulnerabilities?
Let's begin by identifying the available indexes.
Next, we will identify the available sourcetypes within the botsv1 index.
Now that we have identified the index and sourcetypes, let's retrieve the IP address responsible for scanning our website.
We have identified two IP addresses that are generating an excessive number of requests to our website. Now, let's filter the logs for the IP address 40.80.148.42 to analyze its activity in detail.
Answer: 40.80.148.42
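The "excessive number of requests" step above, reimplemented as an added Python example (not code from the write-up or from Splunk): it profiles each source IP over constructed stream:http-style events, so that a vulnerability scanner (many distinct URIs at a high rate) can be told apart from a brute-forcer (one URI hammered repeatedly). The field names src_ip, uri and _time are assumed to mirror the stream:http sourcetype; the events and timestamps are constructed.

```python
"""Scanner triage over stream:http-style events (constructed sample data)."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed events, not BOTS v1 data: the two noisy sources from the write-up
# plus one quiet internal client; fields mirror stream:http (src_ip, uri, _time).
_RAW = [
    ("2016-08-10T21:20:01", "40.80.148.42", "/joomla/index.php"),
    ("2016-08-10T21:20:02", "40.80.148.42", "/joomla/administrator/"),
    ("2016-08-10T21:20:03", "40.80.148.42", "/joomla/index.php?option=com_users"),
    ("2016-08-10T21:20:04", "40.80.148.42", "/joomla/configuration.php"),
    ("2016-08-10T21:20:05", "40.80.148.42", "/joomla/README.txt"),
    ("2016-08-10T21:20:06", "40.80.148.42", "/joomla/index.php"),
    ("2016-08-10T21:30:01", "23.22.63.114", "/joomla/administrator/index.php"),
    ("2016-08-10T21:30:02", "23.22.63.114", "/joomla/administrator/index.php"),
    ("2016-08-10T21:30:03", "23.22.63.114", "/joomla/administrator/index.php"),
    ("2016-08-10T21:31:03", "23.22.63.114", "/joomla/administrator/index.php"),
    ("2016-08-10T22:00:00", "192.168.2.50", "/joomla/index.php"),
]
EVENTS = [{"_time": t, "src_ip": ip, "uri": u} for t, ip, u in _RAW]


def source_profile(events):
    """Per src_ip: request count, distinct URIs touched, and the busiest minute.
    A scanner shows many distinct URIs at a high rate; a brute-forcer hammers one."""
    total, uris, per_minute = Counter(), defaultdict(set), defaultdict(Counter)
    for e in events:
        ip = e["src_ip"]
        minute = datetime.strptime(e["_time"], "%Y-%m-%dT%H:%M:%S").strftime("%Y-%m-%dT%H:%M")
        total[ip] += 1
        uris[ip].add(e["uri"])
        per_minute[ip][minute] += 1
    return {ip: {"requests": total[ip], "distinct_uris": len(uris[ip]),
                 "peak_per_minute": max(per_minute[ip].values())} for ip in total}


def top_sources(events, n=2):
    """The n busiest sources, most requests first (Splunk: stats count by src_ip)."""
    prof = source_profile(events)
    return sorted(prof, key=lambda ip: prof[ip]["requests"], reverse=True)[:n]
```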
Q2) What company created the web vulnerability scanner used by Po1s0n1vy? Type the company name.
Let's review the Suricata alerts to identify any valuable insights.
Answer: Acunetix
Q3) What content management system is imreallynotbatman.com likely using?
Answer: Joomla
Q4) What is the name of the file that defaced the imreallynotbatman.com website? Please submit only the name of the file with extension.
Let's filter the logs based on the source IP address of our website.
Answer: poisonivy-is-coming-for-you-batman.jpeg
Q5) This attack used dynamic DNS to resolve to the malicious IP. What fully qualified domain name (FQDN) is associated with this attack?
Now, let's use the sourcetype stream:dns to retrieve the Fully Qualified Domain Name (FQDN) associated with the malicious IP.
It did not return any results. Let's proceed with analyzing the attacker's second IP, which also sent a high volume of requests within a short timeframe.
Answer: prankglassinebracket.jumpingcrab.com
Q6) What IPv4 address has Po1s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises?
Let's conduct a search on VirusTotal using the attacker's second IP address to gather any relevant intelligence.
Answer: 23.22.63.114
Q7) What IPv4 address is likely attempting a brute force password attack against imreallynotbatman.com?
Answer: 23.22.63.114
Q8) What is the name of the executable uploaded by Po1s0n1vy? Answer guidance: Please include file extension. (For example, "notepad.exe" or "favicon.ico")
Answer: 3791.exe
Q9) What is the MD5 hash of the executable uploaded?
Answer: AAE3F5A29935E6ABCC2C2754D12A9AF0
Q10) GCPD reported that a common TTP (Tactics, Techniques, Procedures) for the Po1s0n1vy APT group, if initial compromise fails, is to send a spear phishing email with custom malware attached to their intended target. This malware is usually connected to Po1s0n1vy's initial attack infrastructure. Using research techniques, provide the SHA256 hash of this malware.
Let's conduct a search for the IP address 23.22.63.114 on VirusTotal to identify any associated files.
Let's click on the file named "MirandaTateScreensaver.scr.exe".
Answer: 9709473ab351387aab9e816eff3910b9f28a7a70202e250ed46dba8f820f34a8
Q11) What special hex code is associated with the customized malware discussed in question 11?
From the community tab:
Answer: 53 74 65 76 65 20 42 72 61 6e 74 27 73 20 42 65 61 72 64 20 69 73 20 61 20 70 6f 77 65 72 66 75 6c 20 74 68 69 6e 67 2e 20 46 69 6e 64 20 74 68 69 73 20 6d 65 73 73 61 67 65 20 61 6e 64 20 61 73 6b 20 68 69 6d 20 74 6f 20 62 75 79 20 79 6f 75 20 61 20 62 65 65 72 21 21 21
Q12) What was the first brute force password used?
Answer: 12345678
Q13) One of the passwords in the brute force attack is James Brodsky's favorite Coldplay song. We are looking for a six character word on this one. Which is it?
Answer: yellow
Q14) What was the correct password for admin access to the content management system running "imreallynotbatman.com"?
The only password that appears twice is "batman". Let's verify whether this was the password that granted the attacker access.
The attacker initiated a brute-force attack using the IP address 23.22.63.114 to gain access to the admin account. Less than two minutes later, a successful login was recorded from a different IP address: 40.80.148.42.
Answer: batman
Q15) What was the average password length used in the password brute forcing attempt? Answer guidance: Round to closest whole integer. For example "5" not "5.23213"
Answer: 6
Q16) How many seconds elapsed between the time the brute force password scan identified the correct password and the compromised login?
Answer: 92.17
Q17) How many unique passwords were attempted in the brute force attempt?
Answer: 412
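The brute-force questions (Q12 and Q14 through Q17) all come from one extraction: pull the passwd= value out of each form post, then count, average and diff timestamps. This added Python example (not code from the write-up or from Splunk) does the same over constructed stream:http-style events; in Splunk the extraction step is a rex over form_data, here it is the same regex. Field names _time, src_ip and form_data are assumed to mirror stream:http, and the events, passwords and timestamps are constructed.

```python
"""Brute-force triage over stream:http-style form posts (constructed sample data)."""
import re
from collections import Counter
from datetime import datetime
from statistics import mean

PASSWD_RE = re.compile(r"passwd=(\w+)")

# Constructed events, not BOTS v1 data: guesses from the brute-forcing IP, then a
# POST of the correct password from a second IP (the later successful login).
_RAW = [
    ("2016-08-10T21:40:00.00", "23.22.63.114", "username=admin&passwd=12345678"),
    ("2016-08-10T21:40:00.50", "23.22.63.114", "username=admin&passwd=yellow"),
    ("2016-08-10T21:40:01.00", "23.22.63.114", "username=admin&passwd=1234"),
    ("2016-08-10T21:40:01.50", "23.22.63.114", "username=admin&passwd=batman"),
    ("2016-08-10T21:40:02.00", "23.22.63.114", "username=admin&passwd=qwerty"),
    ("2016-08-10T21:41:33.67", "40.80.148.42", "username=admin&passwd=batman"),
]
EVENTS = [{"_time": t, "src_ip": ip, "form_data": fd} for t, ip, fd in _RAW]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f")


def extract_attempts(events, src_ip=None):
    """(time, passwd) for every event whose form_data carries passwd=, oldest first,
    optionally limited to one source IP."""
    out = []
    for e in events:
        m = PASSWD_RE.search(e.get("form_data", ""))
        if m and (src_ip is None or e["src_ip"] == src_ip):
            out.append((_ts(e["_time"]), m.group(1)))
    return sorted(out)


def password_stats(attempts):
    """Q12/Q15/Q17 in one pass: first guess, rounded mean length, distinct count."""
    pws = [p for _, p in attempts]
    return {"first": pws[0], "avg_len": round(mean(len(p) for p in pws)),
            "unique": len(set(pws)), "attempts": len(pws)}


def repeated_passwords(events):
    """Q14: passwords submitted more than once across all sources."""
    counts = Counter(p for _, p in extract_attempts(events))
    return sorted(p for p, n in counts.items() if n > 1)


def seconds_to_login(events, attacker_ip, password):
    """Q16: seconds from the attacker's first guess of `password` to the first
    submission of that password from any other source (the compromised login)."""
    hit = min(t for t, p in extract_attempts(events, attacker_ip) if p == password)
    others = [e for e in events if e["src_ip"] != attacker_ip]
    login = min(t for t, p in extract_attempts(others) if p == password)
    return (login - hit).total_seconds()
```

Note that the successful login is identified by source IP change rather than by HTTP status, so a password the attacker happened to retry from the same IP would not be mistaken for the login.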