# Boss Of The Soc V1

**Scenario 1 (APT)**:

The focus of this hands-on lab is an APT scenario and a ransomware scenario. You assume the persona of Alice Bluebird, the analyst who has recently been hired to protect and defend Wayne Enterprises against various forms of cyberattack.

In this scenario, reports of the below graphic come in from your user community when they visit the Wayne Enterprises website, and some of the reports reference "P01s0n1vy." In case you are unaware, P01s0n1vy is an APT group that has targeted Wayne Enterprises. Your goal, as Alice, is to investigate the defacement, with an eye towards reconstructing the attack via the Lockheed Martin Kill Chain.

<figure><img src="/files/WqEeC7sQ4qHGvCCMUoph" alt=""><figcaption></figcaption></figure>

**Scenario 2 (Ransomware)**:

In the second scenario, one of your users is greeted by this image on a Windows desktop, claiming that files on the system have been encrypted and that payment must be made to get the files back. It appears that a machine at Wayne Enterprises has been infected with Cerber ransomware, and your goal is to investigate the ransomware with an eye towards reconstructing the attack.

<figure><img src="/files/a54Pk4lF6ldFOAtREKs0" alt=""><figcaption></figcaption></figure>

### **Challenge Questions**

**Question 1:** What is the name of the company that makes the software that you are using for this competition? Just a six-letter word with no punctuation.

**Answer: splunk**

**Question 2:** What is the likely IP address of someone from the Po1s0n1vy group scanning imreallynotbatman.com for web application vulnerabilities?

```splunk-spl
index=* sourcetype="stream:http" imreallynotbatman.com
```

<figure><img src="/files/gL0r6MVGrPLYHyHutQ9S" alt=""><figcaption></figcaption></figure>

```splunk-spl
index=* sourcetype="stream:http" imreallynotbatman.com src_ip="40.80.148.42"
```

<figure><img src="/files/hSQND48zFB2rvQJ4uzWq" alt=""><figcaption></figcaption></figure>

**Answer: 40.80.148.42**

**Question 3:** What company created the web vulnerability scanner used by Po1s0n1vy? Type the company name. (For example, “Microsoft” or “Oracle”)

**Answer: Acunetix**
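As an added example that is not part of this write-up, the following Python reproduces the reasoning behind Questions 2 and 3 over constructed stream:http-style events: it ranks sources by request volume, number of distinct paths and error rate, and pulls a vendor name out of a self-identifying User-Agent. The field names mirror Splunk's stream:http fields, the events, IPs and User-Agent strings are constructed (the scanner agent string is not a real Acunetix User-Agent), and the scanner keyword list is illustrative.

```python
"""Rank HTTP sources by scanner-like behaviour (added example, not from the write-up)."""
import json
from collections import defaultdict

SITE = "imreallynotbatman.com"
SCANNER_AGENT = "Mozilla/5.0 (compatible; acunetix-wvs-test)"  # constructed, not a real product UA
BROWSER_AGENT = "Mozilla/5.0 (Windows NT 10.0) Firefox/115.0"   # constructed browser UA
SCANNER_UA_MARKERS = ("acunetix", "nikto", "nessus")            # illustrative keyword list


def _ev(src_ip, uri_path, status, ua, site=SITE):
    """Build one constructed event shaped like a Splunk stream:http record."""
    return {"src_ip": src_ip, "site": site, "uri_path": uri_path,
            "status": status, "http_user_agent": ua}


# Constructed sample data: one noisy scanner, one normal browser, one event for another site.
SAMPLE_EVENTS = [
    _ev("40.80.148.42", "/", 200, SCANNER_AGENT),
    _ev("40.80.148.42", "/administrator/", 404, SCANNER_AGENT),
    _ev("40.80.148.42", "/backup.zip", 404, SCANNER_AGENT),
    _ev("40.80.148.42", "/phpinfo.php", 404, SCANNER_AGENT),
    _ev("40.80.148.42", "/xmlrpc.php", 404, SCANNER_AGENT),
    _ev("192.168.2.50", "/", 200, BROWSER_AGENT),
    _ev("192.168.2.50", "/index.php", 200, BROWSER_AGENT),
    _ev("192.168.2.50", "/images/logo.png", 200, BROWSER_AGENT),
    _ev("198.51.100.9", "/", 200, "curl/8.0", site="other.example"),
]
RAW_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def scanner_vendor(user_agent):
    """Return the first scanner keyword found in the User-Agent, or None."""
    ua = user_agent.lower()
    for marker in SCANNER_UA_MARKERS:
        if marker in ua:
            return marker
    return None


def summarize_sources(raw_log, site=SITE):
    """Rough equivalent of `sourcetype=stream:http <site> | stats ... by src_ip`."""
    per_src = defaultdict(lambda: {"requests": 0, "paths": set(), "errors": 0, "scanner_ua": None})
    for line in raw_log.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("site") != site:          # keep only traffic for the site under investigation
            continue
        s = per_src[ev["src_ip"]]
        s["requests"] += 1
        s["paths"].add(ev["uri_path"])
        if ev["status"] >= 400:
            s["errors"] += 1
        vendor = scanner_vendor(ev.get("http_user_agent", ""))
        if vendor:
            s["scanner_ua"] = vendor
    return {ip: {"requests": s["requests"],
                 "distinct_paths": len(s["paths"]),
                 "error_rate": round(s["errors"] / s["requests"], 2),
                 "scanner_ua": s["scanner_ua"]}
            for ip, s in per_src.items()}


def rank_suspects(summary, min_requests=5):
    """Sources ordered by volume. A scanner shows many distinct paths, a high error
    rate from probing files that do not exist, and often a self-identifying User-Agent."""
    ranked = sorted(summary.items(), key=lambda kv: kv[1]["requests"], reverse=True)
    return [(ip, s) for ip, s in ranked if s["requests"] >= min_requests or s["scanner_ua"]]


if __name__ == "__main__":
    for ip, s in rank_suspects(summarize_sources(RAW_LOG)):
        print(ip, s)
```

In Splunk the same view comes from adding `| stats count dc(uri_path) by src_ip, http_user_agent` to the query above; the Python keeps only per-source counts, which is enough to pick the scanner without touching payloads.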

**Question 4:** What content management system is imreallynotbatman.com likely using? (Please do not include punctuation such as. , ! ? in your answer. We are looking for alpha characters only.)

<figure><img src="/files/A0jMhfG64YAdmtVB8lnb" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/oGsxhBnq8EMnNFMsXx0c" alt=""><figcaption></figcaption></figure>

Joomla is the content management system that the website is using.

**Answer: joomla**

**Question 5:** What is the name of the file that defaced the imreallynotbatman.com website? Please submit only the name of the file with the extension (For example, “notepad.exe” or “favicon.ico”).

```splunk-spl
index=* sourcetype="stream:http" c_ip="192.168.250.70" | stats count by url
```

<figure><img src="/files/I0sr2OoCX74lE5tDrXfO" alt=""><figcaption></figcaption></figure>

**Answer: poisonivy-is-coming-for-you-batman.jpeg**

**Question 6:** This attack used dynamic DNS to resolve the malicious IP. What is the fully qualified domain name (FQDN) associated with this attack?

```splunk-spl
index=* sourcetype="stream:http" c_ip="192.168.250.70" | stats count by url
```

<figure><img src="/files/YPTqnpfL5579wThxX1kX" alt=""><figcaption></figcaption></figure>

**Answer: prankglassinebracket.jumpingcrab.com**

**Question 7:** What IP address has Po1s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises?

```splunk-spl
index=* sourcetype="stream:http" imreallynotbatman.com
```

<figure><img src="/files/iz7nZPcDpb4ABJA8fZl3" alt=""><figcaption></figcaption></figure>

```splunk-spl
index=* sourcetype="stream:http" imreallynotbatman.com src_ip="23.22.63.114"
```

<figure><img src="/files/sm6TFjCxkNF39tTYrxOW" alt=""><figcaption></figcaption></figure>

We can confirm this with the free third-party tool VirusTotal: go to <https://www.virustotal.com/gui/home/search> and enter the IP address you want to investigate.

Once you have entered the IP address, open the Relations tab.

<figure><img src="/files/3dI1kfDWmuSOESmjxnWp" alt=""><figcaption></figcaption></figure>

**Answer: 23.22.63.114**

**Question 8:** Based on the data gathered from this attack and common open-source intelligence sources for domain names, what is the email address most likely associated with the Po1s0n1vy APT group?

To answer this, I will use the open-source intelligence platform [AlienVault](https://otx.alienvault.com/).

Go to [AlienVault](https://otx.alienvault.com/) and type in the IP address we retrieved, 23.22.63.114.

<figure><img src="/files/nz0P5DNu7olbHHbXj8v3" alt=""><figcaption></figcaption></figure>

Then go to [https://www.whoxy.com/whois-history/demo.php](https://www.whoxy.com/whois-history/demo.php) and look up the WHOIS history for po1s0n1vy.com.

<figure><img src="/files/cWdz7nTa8WywNb54xlYc" alt=""><figcaption></figcaption></figure>

**Answer: <lillian@po1s0n1vy.com>**

**Question 9:** What IP address is likely attempting a brute force password attack against imreallynotbatman.com?

```splunk-spl
index=* sourcetype="stream:http" imreallynotbatman.com src_ip="23.22.63.114"
| stats count by form_data
```

<figure><img src="/files/NsjcYcbdVw31hJd96lbp" alt=""><figcaption></figcaption></figure>

**Answer: 23.22.63.114**
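The `stats count by form_data` query above surfaces the brute force because one source submits the login form many times with a different password each time. As an added example that is not part of this write-up, the following Python applies the same logic over constructed stream:http-style events and flags a source only by counts, never by echoing the submitted passwords. The login path and the `username`/`passwd` field names are assumptions based on the Joomla CMS identified in Question 4; the events, IPs and credentials are constructed sample data.

```python
"""Detect credential brute forcing from stream:http form_data (added example, not from the write-up)."""
import json
from collections import defaultdict
from urllib.parse import parse_qs

LOGIN_PATH = "/joomla/administrator/index.php"  # assumption: Joomla admin login endpoint
USER_FIELD, PASS_FIELD = "username", "passwd"   # assumption: Joomla login form field names


def _ev(src_ip, method, uri_path, form_data=""):
    """Build one constructed event shaped like a Splunk stream:http record."""
    return {"src_ip": src_ip, "http_method": method, "uri_path": uri_path, "form_data": form_data}


# Constructed sample data: one source cycling passwords, one user who mistypes once.
SAMPLE_EVENTS = [_ev("23.22.63.114", "GET", "/")]
SAMPLE_EVENTS += [_ev("23.22.63.114", "POST", LOGIN_PATH, f"username=admin&passwd={pw}&option=com_login")
                  for pw in ("batman", "robin", "gotham", "joker", "alfred", "wayne")]
SAMPLE_EVENTS += [_ev("192.168.2.50", "POST", LOGIN_PATH, "username=alice&passwd=typo"),
                  _ev("192.168.2.50", "POST", LOGIN_PATH, "username=alice&passwd=correct-horse")]
RAW_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def extract_credential(form_data):
    """Return (username, password) from a URL-encoded form body, or None for missing fields."""
    fields = parse_qs(form_data)
    return fields.get(USER_FIELD, [None])[0], fields.get(PASS_FIELD, [None])[0]


def login_attempts_by_source(raw_log, login_path=LOGIN_PATH):
    """Rough equivalent of `... | stats count dc(form_data) by src_ip` restricted to
    POSTs against the login page. Only counts are kept; passwords are never written out."""
    per_src = defaultdict(lambda: {"attempts": 0, "users": set(), "passwords": set()})
    for line in raw_log.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("http_method") != "POST" or ev.get("uri_path") != login_path:
            continue
        user, password = extract_credential(ev.get("form_data", ""))
        if password is None:                # not a login submission
            continue
        s = per_src[ev["src_ip"]]
        s["attempts"] += 1
        s["users"].add(user)
        s["passwords"].add(password)
    return {ip: {"attempts": s["attempts"],
                 "distinct_users": len(s["users"]),
                 "distinct_passwords": len(s["passwords"])}
            for ip, s in per_src.items()}


def flag_brute_force(stats, min_attempts=5, min_distinct_passwords=5):
    """Many attempts with many different passwords from one source is the brute-force
    signature; a couple of attempts with one or two passwords is a user mistyping."""
    return sorted(ip for ip, s in stats.items()
                  if s["attempts"] >= min_attempts and s["distinct_passwords"] >= min_distinct_passwords)


if __name__ == "__main__":
    stats = login_attempts_by_source(RAW_LOG)
    for ip in flag_brute_force(stats):
        print(f"brute force suspected from {ip}: {stats[ip]}")
```

The thresholds are deliberately conservative placeholders; in a real deployment they should be tuned against the normal failed-login rate for the site, and the distinct-user count is worth alerting on separately because a source trying many usernames with one password (a password spray) would not trip the distinct-password threshold.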

**Question 10:** What is the name of the executable uploaded by Po1s0n1vy? Please include the file extension. (For example, “notepad.exe” or “favicon.ico”)

```splunk-spl
index=* imreallynotbatman.com *.exe* dest="192.168.250.70"
| stats count by filename
```

<figure><img src="/files/r2opTUoQ9KvzW7DNIdIk" alt=""><figcaption></figcaption></figure>

**Answer: 3791.exe**

