
Akira-Lab-CyberDefenders

Introduction

Instructions:
Ensure that there are no blockers, such as Adblock extensions, that might prevent the lab from opening in a new tab or affect the lab's functionality.
All the lab-related files and tools are on the desktop in the 'Start here' directory.
Scenario:
As a member of the DFIR team, you're tasked with investigating a ransomware attack involving Akira ransomware that has impacted critical systems. You’ve been provided with a memory dump from one of the compromised machines. Your goal is to analyze the memory for indicators of compromise, trace the ransomware’s entry point, and identify any malicious activity to assess the incident and guide the response strategy.

Tools: 
- Timeline Explorer
- EvtxECmd
- MemProcFS
- EventLog Explorer
- Volatility 3
- R-Studio

CyberDefenders: Blue team CTF Challenges | Akira

Q1

While analyzing the memory dump, identifying the compromised machine’s network domain affiliation is a crucial step in understanding the attack’s scope. What is the domain to which the infected machine is joined?

Since the question asks for the domain the machine has joined, the approaches that come to mind are looking up the machine name, looking at connections on the LAN, and so on. Because the challenge only gives us a memory dump, we need to analyse the artifacts contained in it.

Start by running memprocfs -device memory.dmp -forensic 1 to parse the artifacts from the dump. Then use EvtxECmd to parse the evtx files.


Load the results into Timeline Explorer and look for the machine names that appear.

Cydef.enterprise

Q2

Identifying the shared file path accessed by the attacker is crucial for understanding the scope of the breach and determining which files may have been compromised. What is the local path of the file that was shared on the file server?

Z:\Shares\data

Q3

Identifying the source of failed RDP connection attempts is crucial for tracing the compromised machine and analyzing the attacker's behavior. What is the IP address of the machine that attempted to connect to the file server?

192.168.60.129

Q4

Identifying the process name of the attacker's tool is key to tracking their actions. What is the process name of the tool used by the attacker to remotely execute commands and perform malicious activities on the compromised FileServer?

PSEXESVC.exe

Q5

Identifying the attacker’s initial commands helps reveal their intentions and the level of access they gained early in the attack. What was the first command executed by the attacker as part of system enumeration?

tasklist

Q6

Understanding the attacker’s method for disabling security measures is crucial for assessing how they gained persistence and weakened the system’s defenses. The attacker executed a series of commands to disable security controls. What is the Process ID (PID) of the first command used to turn off Windows Defender?

5344

Q7

Identifying changes to the system’s registry is essential for understanding how the attacker disabled security features, allowing malicious actions to proceed undetected. In an attempt to disable Windows Defender, the attacker modified a specific registry value. What is the name of the registry value that was added or modified under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender?

DisableAntiSpyware

Q8

Understanding how the attacker leveraged specific system files is crucial, as it can reveal their methods for accessing sensitive data and escalating privileges. What DLL file did the attacker use in the PowerShell command to dump the targeted process for further exploitation?

comsvcs.dll

Q9

Investigating the creation of new accounts is crucial for identifying how the attacker maintains unauthorized access to the system. To establish persistent access, the attacker created a new user account on the compromised system. What is the name of the account that the attacker created?

ITadmin_2
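The evidence for Q1, Q3, Q4 and Q9 all comes from the same place: the event logs MemProcFS exposes from the dump, parsed by EvtxECmd and filtered in Timeline Explorer. The script below is an added example (not part of the original write-up or of EvtxECmd) that applies the same four filters to the CSV directly: the domain suffix of the Computer column, failed logons (4625) with logon type 10 (RDP) grouped by source address, service installations (7045) and their binaries, and account creations (4720). It assumes the column names EvtxECmd writes (TimeCreated, EventId, Computer, RemoteHost, PayloadData1..6, ExecutableInfo); the rows are constructed with made-up hosts, users and addresses, and the map text in the real export may place indicators in different PayloadData columns, which is why the checks search all of them.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the column layout EvtxECmd writes to CSV (assumption:
# a subset of its columns; the real export has more, and the map-generated
# PayloadData text can differ per event map). Hostnames, users and addresses
# are made up and are not the lab's values.
SAMPLE_CSV = """TimeCreated,EventId,Provider,Channel,Computer,MapDescription,UserName,RemoteHost,PayloadData1,PayloadData2,ExecutableInfo
2024-10-01 09:01:00,4624,Microsoft-Windows-Security-Auditing,Security,FILESERVER.example.lab,Successful logon,EXAMPLE\\svc_backup,10.0.0.5,LogonType 3,,
2024-10-01 09:05:12,4625,Microsoft-Windows-Security-Auditing,Security,FILESERVER.example.lab,Failed logon,EXAMPLE\\administrator,10.0.0.99,LogonType 10,,
2024-10-01 09:05:20,4625,Microsoft-Windows-Security-Auditing,Security,FILESERVER.example.lab,Failed logon,EXAMPLE\\administrator,10.0.0.99,LogonType 10,,
2024-10-01 09:06:00,7045,Service Control Manager,System,FILESERVER.example.lab,A service was installed,,,Service Name: PSEXESVC,,%SystemRoot%\\PSEXESVC.exe
2024-10-01 09:10:00,4720,Microsoft-Windows-Security-Auditing,Security,FILESERVER.example.lab,User account created,EXAMPLE\\administrator,,Target: helpdesk_2,,
"""

PAYLOAD_COLUMNS = ("PayloadData1", "PayloadData2", "PayloadData3",
                   "PayloadData4", "PayloadData5", "PayloadData6",
                   "ExecutableInfo")


def load_rows(csv_text):
    """Parse EvtxECmd CSV text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def payload_text(row):
    """Join the map-populated payload columns so an indicator can be matched
    without knowing which PayloadDataN a given event map put it in."""
    return " ".join(row.get(col) or "" for col in PAYLOAD_COLUMNS)


def domain_candidates(rows):
    """Q1-style check: Computer carries the FQDN, so everything after the
    first dot is the domain the host was joined to."""
    counts = Counter()
    for row in rows:
        host, sep, domain = row["Computer"].partition(".")
        if sep:
            counts[domain.lower()] += 1
    return counts


def failed_rdp_sources(rows):
    """Q3-style check: 4625 is a failed logon; logon type 10
    (RemoteInteractive) is RDP, and RemoteHost holds the source address."""
    counts = Counter()
    for row in rows:
        if row["EventId"] == "4625" and "LogonType 10" in payload_text(row):
            counts[row["RemoteHost"]] += 1
    return counts


def service_installs(rows):
    """Q4-style check: 7045 in the System log records a newly installed
    service; PsExec installs one whose binary is PSEXESVC.exe."""
    hits = []
    for row in rows:
        if row["EventId"] == "7045":
            text = payload_text(row)
            exe = re.search(r"[^\s\\/]+\.exe", text, re.IGNORECASE)
            hits.append((row["TimeCreated"], exe.group(0) if exe else text))
    return hits


def created_accounts(rows):
    """Q9-style check: 4720 records a user account creation."""
    names = []
    for row in rows:
        if row["EventId"] == "4720":
            target = re.search(r"Target:\s*([^\s,]+)", payload_text(row))
            names.append(target.group(1) if target else payload_text(row))
    return names


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print("domains:", domain_candidates(rows).most_common())
    print("failed RDP sources:", failed_rdp_sources(rows).most_common())
    print("services installed:", service_installs(rows))
    print("accounts created:", created_accounts(rows))
```

To run it against the lab, replace SAMPLE_CSV with the contents of the EvtxECmd output file; the counters make the noisy answers (many 4625 rows from one address) stand out, while the 7045 and 4720 lists are short enough to read in full.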

Q10

Identifying the URL in the ransom note is vital for understanding the attacker’s communication and data exposure threats. The attacker included a link to their blog where stolen data would be published if negotiations fail. What is the URL provided for communication and accessing the attacker’s chat?

Yeah, this seems to be the question that gave many Defenders, me included, a hard time. Recovering or searching for the ransom note files did not look feasible, since those files were all empty. Thanks to a small hint from #IR3k, I searched the sites where the data of Akira's victims is advertised for sale.

https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion

Bonus: Q10 can also be answered by manual extraction. First run strings.exe from the Sysinternals Suite, then load the output into Notepad and search for 'onion'.
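The same idea as the strings.exe-and-search step above, as an added example that is not part of the original write-up: scan the raw dump for the onion address pattern directly, in both the plain ASCII form and the UTF-16LE form that Windows strings in memory usually take, so the URL is recovered even when the ransom note files on disk are empty. The address used in the constructed sample is a placeholder of the right shape (56 base32 characters), not a real site and not the lab's answer; the file name passed to scan_file is whatever memory image you are working with.

```python
import mmap
import re

# Constructed placeholder: 56 base32 characters, the shape of a v3 onion
# address. It is not a real site and not the lab's answer.
PLACEHOLDER_V3 = "abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx"

# ASCII form with an optional scheme; v2 (16 chars) and v3 (56 chars)
# address lengths are both accepted.
ONION_ASCII = re.compile(rb"\b(?:https?://)?[a-z2-7]{16,56}\.onion\b")

# UTF-16LE form: every character is followed by a 0x00 byte, so a search for
# the ASCII text alone would miss it.
ONION_UTF16 = re.compile(
    rb"(?:h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00)?"
    rb"(?:[a-z2-7]\x00){16,56}\.\x00o\x00n\x00i\x00o\x00n\x00"
)


def find_onion_urls(data):
    """Return the distinct onion URLs found in a bytes-like buffer."""
    found = set()
    for m in ONION_ASCII.finditer(data):
        found.add(m.group(0).decode("ascii"))
    for m in ONION_UTF16.finditer(data):
        found.add(m.group(0).decode("utf-16-le"))
    return sorted(found)


def scan_file(path):
    """Map the image read-only and scan it in place; a multi-GB dump is never
    copied into a Python string."""
    with open(path, "rb") as fh, \
            mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return find_onion_urls(mm)


# Constructed memory fragment: junk bytes, an ASCII line with the URL, then
# the same address as a UTF-16LE string without a scheme.
SAMPLE_MEMORY = (
    b"\x00\x00\x12\x34 note header \x00"
    + b"Blog: http://" + PLACEHOLDER_V3.encode() + b".onion\r\n"
    + b"\xde\xad\xbe\xef"
    + ("chat: " + PLACEHOLDER_V3 + ".onion\r\n").encode("utf-16-le")
)

if __name__ == "__main__":
    for url in find_onion_urls(SAMPLE_MEMORY):
        print(url)
```

Running scan_file("memory.dmp") on the lab image should surface the address from the ransom note along with any other onion addresses in memory; the set keeps the output short, which matters when the same note is cached many times.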

This post is licensed under CC BY 4.0 by the author.