This is Part 1 of a two-part series; this post covers the first 14 questions.
Scenario 1 (APT):
The focus of this hands-on lab will be an APT scenario and a ransomware scenario. You assume the persona of Alice Bluebird, the analyst who has recently been hired to protect and defend Wayne Enterprises against various forms of cyberattack.
In this scenario, reports of the below graphic come in from your user community when they visit the Wayne Enterprises website, and some of the reports reference “P01s0n1vy.” In case you are unaware, P01s0n1vy is an APT group that has targeted Wayne Enterprises. Your goal, as Alice, is to investigate the defacement, with an eye towards reconstructing the attack via the Lockheed Martin Kill Chain.
Scenario 2 (Ransomware):
In the second scenario, one of your users is greeted by this image on a Windows desktop that is claiming that files on the system have been encrypted and payment must be made to get the files back. It appears that a machine has been infected with Cerber ransomware at Wayne Enterprises and your goal is to investigate the ransomware with an eye towards reconstructing the attack.
After setting up the VM, we access Splunk at 127.0.0.1:8000.
Let's start answering.
Q1: This is a simple question to get you familiar with submitting answers. What is the name of the company that makes the software that you are using for this competition? Just a six-letter word with no punctuation.
Ans: splunk
Detail: We are using Splunk Enterprise, which is made by the company named Splunk.
Q2: What is the likely IP address of someone from the Po1s0n1vy group scanning imreallynotbatman.com for web application vulnerabilities?
Ans: 40.80.148.42
Detail: First, let's filter the results by the domain name imreallynotbatman.com. Then we will see the source IP addresses that accessed this domain. Here the IP address 40.80.148.42 looks suspicious, as it tried to connect to our domain many times in a short period. Looking at the user agent field of a request made by this IP address confirms our suspicion.
Q3. What company created the web vulnerability scanner used by Po1s0n1vy? Type the company name. (For example, “Microsoft” or “Oracle”)
Ans: acunetix
Detail: As can be seen in the image above.
Q4. What content management system is imreallynotbatman.com likely using? (Please do not include punctuation such as . , ! ? in your answer. We are looking for alpha characters only.)
Ans: joomla
Detail: By looking at a web request made to imreallynotbatman.com, we can see this in the headers.
Q5. What is the name of the file that defaced the imreallynotbatman.com website? Please submit only the name of the file with the extension (For example, “notepad.exe” or “favicon.ico”).
Ans: poisonivy-is-coming-for-you-batman.jpeg
Detail: First we need to know the IP of our web server. For that we will set 40.80.148.42 as the source IP and check the destination IPs related to it. Here we can see that 192.168.250.70 receives the bulk of the traffic, which is the noisy pattern a vulnerability scanner produces, so this must be the IP address of our web server. Let's use this as the source IP and check whether it connects to any IP addresses. Here we can see our initial IP address 40.80.148.42 with the most requests, and we also see the IP address 23.22.63.114. Let's set this up as the destination address, run our search, and apply a stats filter to it.
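The Q2 and Q5 pivots (find the noisy source, confirm it from its user agent, find the server it hammers, then see where that server connects out to) as an added Python example. This is not code from the original write-up or from the BOTS dataset; it runs over a small constructed set of events shaped like Splunk stream:http fields (src_ip, dest_ip, site, http_user_agent, uri_path). The visitor addresses 10.0.0.x and the scanner's user-agent string are constructed for the example; the other addresses, domain and file name are the ones identified above.

```python
"""Added example (not from the original write-up): the Q2 and Q5 pivots in
Python over constructed HTTP events shaped like Splunk stream:http fields."""
from collections import Counter

SITE = "imreallynotbatman.com"
WEB = "192.168.250.70"       # web server (identified in the Q5 pivot)
SCANNER = "40.80.148.42"     # noisy external source from Q2
STAGING = "23.22.63.114"     # host the server pulls the defacement image from


def ev(src_ip, dest_ip, site, ua="Mozilla/5.0 (constructed browser UA)", uri="/"):
    """One constructed HTTP event with the stream:http field names used below."""
    return {"src_ip": src_ip, "dest_ip": dest_ip, "site": site,
            "http_user_agent": ua, "uri_path": uri}


# Constructed sample: three ordinary visitors, one scanner making forty probes,
# and the web server itself fetching the defacement image from the staging host.
EVENTS = (
    [ev("10.0.0.%d" % i, WEB, SITE, uri="/index.php") for i in (5, 6, 7)]
    + [ev(SCANNER, WEB, SITE,
          ua="Mozilla/5.0 (compatible; acunetix scanner; constructed UA)",
          uri="/probe-%d" % n) for n in range(40)]
    + [ev(WEB, STAGING, "prankglassinebracket.jumpingcrab.com",
          uri="/poisonivy-is-coming-for-you-batman.jpeg")]
)

# Scanner product names to look for in user agents; extend as needed.
SCANNER_MARKERS = ("acunetix",)


def requests_by_source(events, site):
    """Splunk equivalent: site=<site> | stats count by src_ip | sort -count"""
    return Counter(e["src_ip"] for e in events if e["site"] == site)


def looks_like_scanner(events, src_ip, threshold=20):
    """Flag a source by request volume or by a scanner name in its user agent."""
    own = [e for e in events if e["src_ip"] == src_ip]
    ua_hit = any(m in e["http_user_agent"].lower()
                 for e in own for m in SCANNER_MARKERS)
    return len(own) >= threshold or ua_hit


def busiest_destination(events, src_ip):
    """Q5 step 1: the address the scanner hits most is our web server."""
    c = Counter(e["dest_ip"] for e in events if e["src_ip"] == src_ip)
    return c.most_common(1)[0][0] if c else None


def outbound(events, server_ip):
    """Q5 step 2: where the web server itself connects, and what it fetched."""
    out = {}
    for e in events:
        if e["src_ip"] == server_ip:
            out.setdefault(e["dest_ip"], []).append(e["uri_path"])
    return out


if __name__ == "__main__":
    print(requests_by_source(EVENTS, SITE).most_common(3))
    print("scanner?", SCANNER, looks_like_scanner(EVENTS, SCANNER))
    web = busiest_destination(EVENTS, SCANNER)
    print("web server:", web, "outbound:", outbound(EVENTS, web))
```

The volume check alone is what the first stats search gives you; the user-agent check is the second look that turns "noisy" into "scanner". The outbound pivot is the part worth keeping as a saved search: a web server that initiates connections to an external address it has never talked to before is worth an alert on its own.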
Q6. This attack used dynamic DNS to resolve to the malicious IP. What is the fully qualified domain name (FQDN) associated with this attack?
Ans: prankglassinebracket.jumpingcrab.com
Detail: As we can see in the picture above, the file is associated with this FQDN.
Q7. What IP address has Po1s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises?
Ans: 23.22.63.114
Detail: Mentioned above.
Q8. Based on the data gathered from this attack and common open-source intelligence sources for domain names, what is the email address most likely associated with the Po1s0n1vy APT group?
Ans: lillian.rose@po1s0n1vy.com
Detail: All we need to do is a historical WHOIS lookup for po1s0n1vy.com or waynecorinc.com, and we will find this email address in the registration record.
Q9. What IP address is likely attempting a brute force password attack against imreallynotbatman.com?
Ans: 23.22.63.114
Detail: We know that brute-force attempts use the POST method, and we are looking at traffic to 192.168.250.70. By adding username and password to the search query we get these source IPs. Here most of the requests were made by 23.22.63.114.
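The Q9 check as an added Python example, not code from the original write-up: pull the POST requests to the web server that carry a username and password field, count them by source, and then go one step further than the stats count by asking how many distinct passwords each source tried against a single account, which is what separates a brute-force source from a user who mistyped once. The events are constructed; the login path, form field names and the 10.0.0.x visitor addresses are assumptions for the example, while 192.168.250.70 and 23.22.63.114 are the addresses from the write-up.

```python
"""Added example (not from the original write-up): the Q9 brute-force check
in Python over constructed HTTP events with stream:http-style field names."""
from collections import Counter, defaultdict
from urllib.parse import parse_qs

WEB = "192.168.250.70"               # web server identified in Q5
LOGIN = "/administrator/index.php"   # constructed Joomla-style admin login path


def post(src_ip, form_data):
    """Constructed login POST; form_data is the urlencoded body as stream:http records it."""
    return {"src_ip": src_ip, "dest_ip": WEB, "http_method": "POST",
            "uri_path": LOGIN, "form_data": form_data}


def get(src_ip, uri="/"):
    """Constructed ordinary page fetch."""
    return {"src_ip": src_ip, "dest_ip": WEB, "http_method": "GET",
            "uri_path": uri, "form_data": ""}


# Constructed sample: some browsing, one ordinary login, and one source that
# hammers the same account with a different password on every request.
EVENTS = (
    [get("10.0.0.%d" % i, "/index.php") for i in (5, 6, 7)]
    + [post("10.0.0.5", "username=alice&password=correct-horse-staple")]
    + [post("23.22.63.114", "username=admin&password=guess%03d" % n) for n in range(30)]
)


def login_attempts(events, dest_ip=WEB):
    """Splunk equivalent: dest_ip=<web> http_method=POST form_data=*username*password*

    Returns (src_ip, username, password) for each POST whose body carries both a
    user-like and a password-like field; the field-name match is deliberately loose.
    """
    attempts = []
    for e in events:
        if e["dest_ip"] != dest_ip or e["http_method"] != "POST":
            continue
        form = parse_qs(e["form_data"])
        user = next((form[k][0] for k in form if "user" in k.lower()), None)
        pw = next((form[k][0] for k in form if "pass" in k.lower()), None)
        if user is not None and pw is not None:
            attempts.append((e["src_ip"], user, pw))
    return attempts


def attempts_by_source(events):
    """stats count by src_ip over the login POSTs (the view used to answer Q9)."""
    return Counter(src for src, _, _ in login_attempts(events))


def brute_force_sources(events, threshold=10):
    """Sources that tried at least `threshold` distinct passwords against one account."""
    seen = defaultdict(set)
    for src, user, pw in login_attempts(events):
        seen[(src, user)].add(pw)
    return sorted({src for (src, _), pws in seen.items() if len(pws) >= threshold})


if __name__ == "__main__":
    print(attempts_by_source(EVENTS).most_common())
    print("brute-force sources:", brute_force_sources(EVENTS))
```

Counting distinct passwords per (source, account) rather than raw POSTs keeps a busy but legitimate login page from tripping the rule, and the same grouping flipped to distinct accounts per password is the password-spray variant.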
Q10. What is the name of the executable uploaded by Po1s0n1vy? Please include the file extension. (For example, “notepad.exe” or “favicon.ico”)
Ans: 3791.exe
Detail: Setting the source IP as 40.80.148.42 and the destination IP as 192.168.250.70 and applying a stats filter, we get this result.
Q11. What is the MD5 hash of the executable uploaded?
Ans: AAE3F5A29935E6ABCC2C2754D12A9AF0
Q12. GCPD reported that common TTP (Tactics, Techniques, Procedures) for the Po1s0n1vy APT group, if initial compromise fails, is to send a spear-phishing email with custom malware attached to their intended target. This malware is usually connected to Po1s0n1vy’s initial attack infrastructure. Using research techniques, provide the SHA256 hash of this malware.
Ans: 9709473ab351387aab9e816eff3910b9f28a7a70202e250ed46dba8f820f34a8
Detail: If we check 23.22.63.114 on VirusTotal, we can see in the Relations section a file MirandaTateScreensaver.scr.exe, an executable pretending to be a wallpaper, with SHA256 = 9709473ab351387aab9e816eff3910b9f28a7a70202e250ed46dba8f820f34a8.
Q13. What is the special hex code associated with the customized malware discussed in question 12? (Hint: It’s not in Splunk)
Ans: 53 74 65 76 65 20 42 72 61 6e 74 27 73 20 42 65 61 72 64 20 69 73 20 61 20 70 6f 77 65 72 66 75 6c 20 74 68 69 6e 67 2e 20 46 69 6e 64 20 74 68 69 73 20 6d 65 73 73 61 67 65 20 61 6e 64 20 61 73 6b 20 68 69 6d 20 74 6f 20 62 75 79 20 79 6f 75 20 61 20 62 65 65 72 21 21 21
Detail: Still on VirusTotal from Question 12, check the Community section and you will find this hex code there.
Q14. One of Po1s0n1vy’s staged domains has some disjointed “unique” whois information. Concatenate the two codes together and submit them as a single answer.
Ans: 31 73 74 32 66 69 6e 64 67 65 74 73 66 72 65 65 62 65 65 72 66 72 6f 6d 72 79 61 6e 66 69 6e 64 68 69 6d 74 6f 67 65 74
Detail: If we look at the historic WHOIS record for waynecorinc.com, we can see these two hex strings. All we need to do is concatenate both of them.
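Both the Q13 and Q14 answers are sequences of hex byte values, and it is worth seeing what they say. The following is an added Python example, not part of the original write-up: it joins disjointed fragments the way Q14 asks for, validates that the result is a clean run of hex byte pairs, and decodes it to text. The two hex strings are the ones given as answers above; the fragment split used in the usage line at the bottom is arbitrary, since the write-up does not show where the WHOIS record breaks the code.

```python
"""Added example (not from the original write-up): join and decode the
space-separated hex codes from Q13 and Q14."""
import re

# The two answer strings from the write-up, copied verbatim.
Q13_HEX = ("53 74 65 76 65 20 42 72 61 6e 74 27 73 20 42 65 61 72 64 20 69 73 20 61 "
           "20 70 6f 77 65 72 66 75 6c 20 74 68 69 6e 67 2e 20 46 69 6e 64 20 74 68 "
           "69 73 20 6d 65 73 73 61 67 65 20 61 6e 64 20 61 73 6b 20 68 69 6d 20 74 "
           "6f 20 62 75 79 20 79 6f 75 20 61 20 62 65 65 72 21 21 21")
Q14_HEX = ("31 73 74 32 66 69 6e 64 67 65 74 73 66 72 65 65 62 65 65 72 66 72 6f 6d "
           "72 79 61 6e 66 69 6e 64 68 69 6d 74 6f 67 65 74")


def concat_hex(*parts):
    """Join separately recorded hex fragments into one space-separated code,
    normalising stray whitespace so the result is in the form the CTF expects."""
    return " ".join(re.sub(r"\s+", " ", p.strip()) for p in parts if p.strip())


def decode_hex_message(hex_text):
    """Decode a space-separated (or run-together) string of hex byte values to ASCII.

    Raises ValueError on an odd digit count or a non-hex character, which is the
    usual sign that a fragment was copied incompletely."""
    cleaned = re.sub(r"\s+", "", hex_text)
    if len(cleaned) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", cleaned):
        raise ValueError("input is not a sequence of hex byte pairs")
    return bytes.fromhex(cleaned).decode("ascii")


if __name__ == "__main__":
    print("Q13:", decode_hex_message(Q13_HEX))
    # Arbitrary split of the Q14 answer into two fragments, to show the join step.
    first, second = Q14_HEX[:44], Q14_HEX[44:]
    print("Q14:", decode_hex_message(concat_hex(first, second)))
```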