Boss Of The Soc V1
Last updated
Scenario 1 (APT):
The focus of this hands-on lab will be an APT scenario and a ransomware scenario. You assume the persona of Alice Bluebird, the analyst who has recently been hired to protect and defend Wayne Enterprises against various forms of cyberattack.
In this scenario, reports of the below graphic come in from your user community when they visit the Wayne Enterprises website, and some of the reports reference "P01s0n1vy." In case you are unaware, P01s0n1vy is an APT group that has targeted Wayne Enterprises. Your goal, as Alice, is to investigate the defacement, with an eye towards reconstructing the attack via the Lockheed Martin Kill Chain.
Scenario 2 (Ransomware):
In the second scenario, one of your users is greeted by this image on a Windows desktop that is claiming that files on the system have been encrypted and payment must be made to get the files back. It appears that a machine has been infected with Cerber ransomware at Wayne Enterprises and your goal is to investigate the ransomware with an eye towards reconstructing the attack.
Question 1: What is the name of the company that makes the software that you are using for this competition? Just a six-letter word with no punctuation.
Answer: splunk
Question 2: What is the likely IP address of someone from the Po1s0n1vy group scanning imreallynotbatman.com for web application vulnerabilities?
Answer: 40.80.148.42
Question 3: What company created the web vulnerability scanner used by Po1s0n1vy? Type the company name. (For example, “Microsoft” or “Oracle”)
Answer: Acunetix
Question 4: What content management system is imreallynotbatman.com likely using? (Please do not include punctuation such as. , ! ? in your answer. We are looking for alpha characters only.)
Joomla is the content management system that the website is using.
Answer: joomla
Question 5: What is the name of the file that defaced the imreallynotbatman.com website? Please submit only the name of the file with the extension (For example, “notepad.exe” or “favicon.ico”).
Answer: poisonivy-is-coming-for-you-batman.jpeg
Question 6: This attack used dynamic DNS to resolve the malicious IP. What is the fully qualified domain name (FQDN) associated with this attack?
Answer: prankglassinebracket.jumpingcrab.com
Question 7: What IP address has Po1s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises?
We will do this with the free third-party tool VirusTotal: go to https://www.virustotal.com/gui/home/search and enter the IP address you want to investigate.
Once you have entered the IP address, open the Relations tab.
The answer is 23.22.63.114.
Question 8: Based on the data gathered from this attack and common open-source intelligence sources for domain names, what is the email address most likely associated with the Po1s0n1vy APT group?
I will use an open-source intelligence platform called AlienVault.
Go to AlienVault and search for the IP address we retrieved, 23.22.63.114.
Then go to https://www.whoxy.com/whois-history/demo.php and look up po1s0n1vy.com.
Answer: lillian@po1s0n1vy.com
Question 9: What IP address is likely attempting a brute force password attack against imreallynotbatman.com?
Answer: 23.22.63.114
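Questions 2 and 9 both come down to the same analyst habit: group web access logs by source address and look for the one source whose request pattern stands out (a scanner announcing itself in the User-Agent, or a single host hammering the login form). The script below shows that reasoning in code. It is an added example, not part of this write-up or of the BOTS dataset; the log lines are constructed here (the two attacker IPs are taken from the answers above), and the scanner signature substring and the Joomla administrator login path are assumptions made for the example.

```python
"""Flag a web-vulnerability scanner and a brute-force source in access logs.

Added example for the BOTS v1 write-up. The log lines below are constructed
for illustration; only the two source IPs are taken from the write-up.
"""
import re
from collections import Counter

# Constructed combined-format access log lines (not real BOTS data).
SAMPLE_LOG = """\
40.80.148.42 - - [10/Aug/2016:21:14:01 +0000] "GET /joomla/index.php?option=com_users HTTP/1.1" 200 6120 "Mozilla/5.0 (compatible; Acunetix)"
40.80.148.42 - - [10/Aug/2016:21:14:02 +0000] "GET /joomla/administrator/ HTTP/1.1" 200 3401 "Mozilla/5.0 (compatible; Acunetix)"
40.80.148.42 - - [10/Aug/2016:21:14:03 +0000] "GET /joomla/index.php?id=1%27 HTTP/1.1" 500 210 "Mozilla/5.0 (compatible; Acunetix)"
192.168.2.50 - - [10/Aug/2016:21:20:11 +0000] "GET / HTTP/1.1" 200 8820 "Mozilla/5.0 (Windows NT 6.1)"
192.168.2.50 - - [10/Aug/2016:21:20:40 +0000] "POST /joomla/administrator/index.php HTTP/1.1" 303 0 "Mozilla/5.0 (Windows NT 6.1)"
23.22.63.114 - - [10/Aug/2016:21:30:01 +0000] "POST /joomla/administrator/index.php HTTP/1.1" 200 3401 "python-requests/2.10.0"
23.22.63.114 - - [10/Aug/2016:21:30:02 +0000] "POST /joomla/administrator/index.php HTTP/1.1" 200 3401 "python-requests/2.10.0"
23.22.63.114 - - [10/Aug/2016:21:30:03 +0000] "POST /joomla/administrator/index.php HTTP/1.1" 200 3401 "python-requests/2.10.0"
23.22.63.114 - - [10/Aug/2016:21:30:04 +0000] "POST /joomla/administrator/index.php HTTP/1.1" 200 3401 "python-requests/2.10.0"
23.22.63.114 - - [10/Aug/2016:21:30:05 +0000] "POST /joomla/administrator/index.php HTTP/1.1" 200 3401 "python-requests/2.10.0"
23.22.63.114 - - [10/Aug/2016:21:30:06 +0000] "POST /joomla/administrator/index.php HTTP/1.1" 303 0 "python-requests/2.10.0"
"""

# Apache/nginx "combined" format: client, ident, user, [time], "request", status, bytes, "referer"-less, "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ua>[^"]*)"$'
)

# Assumptions for this example: a substring that identifies the scanner in the
# User-Agent, and the Joomla administrator login endpoint.
SCANNER_SIGNATURES = ("acunetix",)
LOGIN_PATH = "/joomla/administrator/index.php"


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_scanner_ips(lines, signatures=SCANNER_SIGNATURES):
    """Source IPs whose User-Agent contains a known scanner signature."""
    hits = set()
    for rec in filter(None, map(parse_line, lines)):
        ua = rec["ua"].lower()
        if any(sig in ua for sig in signatures):
            hits.add(rec["ip"])
    return hits


def find_bruteforce_ips(lines, login_path=LOGIN_PATH, threshold=5):
    """Source IPs with at least `threshold` POSTs to the login endpoint.

    Returns {ip: post_count} for every source over the threshold; a legitimate
    user logging in once stays below it.
    """
    posts = Counter(
        rec["ip"]
        for rec in filter(None, map(parse_line, lines))
        if rec["method"] == "POST" and rec["path"] == login_path
    )
    return {ip: n for ip, n in posts.items() if n >= threshold}


def summarize(lines):
    """Both findings in one dict, the shape an analyst would paste into notes."""
    return {
        "scanner_ips": sorted(find_scanner_ips(lines)),
        "bruteforce_ips": find_bruteforce_ips(lines),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

The same two counts are what the Splunk searches behind these answers compute: `stats count by src_ip` over requests carrying the scanner User-Agent for Question 2, and `stats count by src_ip` over POSTs to the administrator login for Question 9. The threshold of five is arbitrary; in practice it is tuned to the site's normal login volume.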
Question 10: What is the name of the executable uploaded by Po1s0n1vy? Please include the file extension. (For example, “notepad.exe” or “favicon.ico”)
Answer: 3791.exe