CyberDefenders BlueTeam CTF Challenges | Boss Of The SOC v1


  1. This is a simple question to get you familiar with submitting answers. What is the name of the company that makes the software that you are using for this competition? Just a six-letter word with no punctuation.

Answer: splunk

  1. What is the likely IP address of someone from the Po1s0n1vy group scanning imreallynotbatman.com for web application vulnerabilities?

```
index="botsv1" "imreallynotbatman.com" sourcetype=suricata event_type=alert
```

Answer: 40.80.148.42

  1. What company created the web vulnerability scanner used by Po1s0n1vy? Type the company name. (For example, “Microsoft” or “Oracle”)

```
index="botsv1" "imreallynotbatman.com" 40.80.148.42 sourcetype="stream:http"
```

Answer: Acunetix

  1. What content management system is imreallynotbatman.com likely using? (Please do not include punctuation such as . , ! ? in your answer. We are looking for alpha characters only.)

> [!NOTE] A content management system is computer software used to manage the creation and modification of digital content. A CMS is typically used for enterprise content management and web content management. (Content management system - Wikipedia)

Answer: joomla

  1. What is the name of the file that defaced the imreallynotbatman.com website? Please submit only the name of the file with the extension (For example, “notepad.exe” or “favicon.ico”).

I had a lot of trouble with this question. But one thing to pay attention to is that instead of searching in the usual way (where dest_ip is the address of our website), here we need to do the opposite. If this is new knowledge to you, write it down in your own notes.

Why do we need to do the opposite? Because the defacement of the website happens after the attacker has taken control of our server. More specifically, it is an action that downloads a file from outside, so the request originates from our server and goes outbound.

```
index=botsv1 sourcetype="stream:http" src_ip="192.168.250.70"
```

Answer: poisonivy-is-coming-for-you-batman.jpeg

  1. This attack used dynamic DNS to resolve to the malicious IP. What is the fully qualified domain name (FQDN) associated with this attack?


Answer: prankglassinebracket.jumpingcrab.com

  1. What IP address has Po1s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises?

```
index=botsv1 sourcetype="stream:http" src_ip="192.168.250.70" uri="/poisonivy-is-coming-for-you-batman.jpeg"
```

Answer: 23.22.63.114

  1. Based on the data gathered from this attack and common open-source intelligence sources for domain names, what is the email address most likely associated with the Po1s0n1vy APT group?


Answer: lillian.rose@po1s0n1vy.com

  1. What IP address is likely attempting a brute force password attack against imreallynotbatman.com?

Since this is a brute-force attack against the login form, it will mainly consist of HTTP POST requests. In addition, username and passwd are the form fields that should be included in the filter.

```
index=botsv1 sourcetype="stream:http" imreallynotbatman.com http_method=POST form_data=*username*passwd*
| table _time src_ip dest_ip form_data
```

Answer: 23.22.63.114

  1. What is the name of the executable uploaded by Po1s0n1vy? Please include the file extension. (For example, “notepad.exe” or “favicon.ico”)

```
index=botsv1 sourcetype="stream:http" imreallynotbatman.com
```

Answer: 3791.exe

  1. What is the MD5 hash of the executable uploaded?

Reference: Sysmon Event ID 1: Process creation (https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-1-process-creation)

Great, we have 76 events here. Somehow we have to filter and collapse the results. The first thing that came to my attention was the EventID, and EventID 1 is a very nice, compact way to narrow things down. According to the Sysmon documentation, EventID 1 means process creation. That means that when the uploaded file is launched on the server, a new process is created, and Sysmon records that process together with the hashes of its image.

Finally, filtering the results by CommandLine="3791.exe" gives the final result.

Answer: AAE3F5A29935E6ABCC2C2754D12A9AF0

  1. GCPD reported that common TTP (Tactics, Techniques, Procedures) for the Po1s0n1vy APT group, if initial compromise fails, is to send a spear-phishing email with custom malware attached to their intended target. This malware is usually connected to Po1s0n1vy’s initial attack infrastructure. Using research techniques, provide the SHA256 hash of this malware.

Reference: Host: 23.22.63.114 | ThreatMiner.org

Answer: 9709473ab351387aab9e816eff3910b9f28a7a70202e250ed46dba8f820f34a8

  1. What is the special hex code associated with the customized malware discussed in question 12? (Hint: It’s not in Splunk)

VirusTotal - File - 9709473ab351387aab9e816eff3910b9f28a7a70202e250ed46dba8f820f34a8

Answer: 53 74 65 76 65 20 42 72 61 6e 74 27 73 20 42 65 61 72 64 20 69 73 20 61 20 70 6f 77 65 72 66 75 6c 20 74 68 69 6e 67 2e 20 46 69 6e 64 20 74 68 69 73 20 6d 65 73 73 61 67 65 20 61 6e 64 20 61 73 6b 20 68 69 6d 20 74 6f 20 62 75 79 20 79 6f 75 20 61 20 62 65 65 72 21 21 21

  1. One of Po1s0n1vy’s staged domains has some disjointed “unique” whois information. Concatenate the two codes together and submit them as a single answer.

Reference: Whois History API demo by Whoxy.com

  1. What was the first brute force password used?

```
index=botsv1 http_method=POST form_data=*username*passwd*
| table _time src_ip dest_ip form_data
| sort -_time | reverse
```

Answer: 12345678

  1. One of the passwords in the brute force attack is James Brodsky’s favorite Coldplay song. Hint: we are looking for a six-character word on this one. Which is it?

Answer: yellow

  1. What was the correct password for admin access to the content management system running “imreallynotbatman.com”?

```
index="botsv1" sourcetype="stream:http" http_method=POST form_data=*username*passwd*
| rex field=form_data "passwd=(?<passwd>\w+)"
| stats count by passwd
| sort - count
```

Answer: batman

  1. What was the average password length used in the password brute-forcing attempt? (Round to a closest whole integer. For example “5” not “5.23213”)

```
index="botsv1" sourcetype="stream:http" http_method=POST form_data=*username*passwd*
| rex field=form_data "passwd=(?<passwd>\w+)"
| stats count by passwd
| sort - count
```

Answer: 6

  1. How many seconds elapsed between the brute force password scan identified the correct password and the compromised login? Round to 2 decimal places.

```
index="botsv1" sourcetype="stream:http" http_method=POST form_data=*username*passwd*
| rex field=form_data "passwd=(?<passwd>\w+)"
| search passwd=batman
| transaction passwd
| table duration
```

```
index="botsv1" sourcetype="stream:http" http_method=POST form_data=*username*passwd*
| rex field=form_data "passwd=(?<passwd>\w+)"
| search passwd=batman
| delta _time AS timeDeltaS
| eval timeDeltaS=abs(timeDeltaS)
| stats sum(timeDeltaS) AS sumtime
```

Answer: 92.17

  1. How many unique passwords were attempted in the brute force attempt?

```
index="botsv1" sourcetype="stream:http" http_method=POST form_data=*username*passwd*
| rex field=form_data "passwd=(?<passwd>\w+)"
| stats dc(passwd)
```

Answer: 412
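The brute-force questions above (first password, most common password, average length, seconds between the two uses of the correct password, distinct passwords) are all the same pipeline: filter POSTs with username and passwd in the form data, pull the password out with a regex, then aggregate. The Python below is an added example that is not part of the original post; it reproduces that pipeline over a small set of constructed stream:http-style events so the aggregations can be checked offline. The events, addresses and timestamps are made up for the example.

```python
import re
from collections import Counter

# Constructed sample events standing in for Splunk stream:http results.
# Field names mirror the fields used in the queries (_time, src_ip, dest_ip,
# http_method, form_data); the values are made up for this example.
SAMPLE_EVENTS = [
    {"_time": 1470865200.00, "src_ip": "23.22.63.114", "dest_ip": "192.168.250.70",
     "http_method": "POST", "form_data": "username=admin&passwd=12345678&option=com_login&task=login"},
    {"_time": 1470865201.50, "src_ip": "23.22.63.114", "dest_ip": "192.168.250.70",
     "http_method": "POST", "form_data": "username=admin&passwd=yellow&option=com_login&task=login"},
    {"_time": 1470865203.00, "src_ip": "23.22.63.114", "dest_ip": "192.168.250.70",
     "http_method": "POST", "form_data": "username=admin&passwd=qwerty&option=com_login&task=login"},
    {"_time": 1470865204.50, "src_ip": "23.22.63.114", "dest_ip": "192.168.250.70",
     "http_method": "POST", "form_data": "username=admin&passwd=admin&option=com_login&task=login"},
    {"_time": 1470865206.00, "src_ip": "23.22.63.114", "dest_ip": "192.168.250.70",
     "http_method": "POST", "form_data": "username=admin&passwd=batman&option=com_login&task=login"},
    # A normal page load: GET with no form data, must be filtered out.
    {"_time": 1470865210.00, "src_ip": "10.0.0.5", "dest_ip": "192.168.250.70",
     "http_method": "GET", "form_data": ""},
    # The later successful login with the cracked password, from a second address.
    {"_time": 1470865298.17, "src_ip": "40.80.148.42", "dest_ip": "192.168.250.70",
     "http_method": "POST", "form_data": "username=admin&passwd=batman&option=com_login&task=login"},
]

# Same expression as the rex command in the queries above.
PASSWD_RE = re.compile(r"passwd=(?P<passwd>\w+)")


def login_attempts(events):
    """Equivalent of the search + rex stages: keep POSTs whose form data carries
    both username and passwd, and attach the extracted password."""
    out = []
    for ev in events:
        if ev.get("http_method") != "POST":
            continue
        fd = ev.get("form_data", "")
        if "username" not in fd or "passwd" not in fd:
            continue
        m = PASSWD_RE.search(fd)
        if not m:
            continue
        out.append({**ev, "passwd": m.group("passwd")})
    return out


def first_password(events):
    """Password of the earliest attempt (sort by _time, take the first)."""
    attempts = sorted(login_attempts(events), key=lambda e: e["_time"])
    return attempts[0]["passwd"] if attempts else None


def count_by_passwd(events):
    """stats count by passwd | sort - count"""
    return Counter(a["passwd"] for a in login_attempts(events)).most_common()


def unique_password_count(events):
    """stats dc(passwd)"""
    return len({a["passwd"] for a in login_attempts(events)})


def average_password_length(events):
    """Average password length over all attempts, rounded to the nearest integer."""
    lengths = [len(a["passwd"]) for a in login_attempts(events)]
    return round(sum(lengths) / len(lengths)) if lengths else 0


def seconds_between_uses(events, passwd):
    """Seconds between the first and last attempt using `passwd` (the span that
    the transaction command reports as `duration`), rounded to 2 decimals."""
    times = [a["_time"] for a in login_attempts(events) if a["passwd"] == passwd]
    if len(times) < 2:
        return None
    return round(max(times) - min(times), 2)


if __name__ == "__main__":
    print("first password:", first_password(SAMPLE_EVENTS))
    print("by count:", count_by_passwd(SAMPLE_EVENTS))
    print("unique:", unique_password_count(SAMPLE_EVENTS))
    print("avg length:", average_password_length(SAMPLE_EVENTS))
    print("batman span:", seconds_between_uses(SAMPLE_EVENTS, "batman"))
```

The average is taken over attempts rather than over distinct passwords; the challenge text does not say which is meant, so check both if your numbers disagree with the expected answer.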

  1. What was the most likely IP address of we8105desk in 24AUG2016?

```
index="botsv1" we8105desk
```

Answer: 192.168.250.100

  1. Amongst the Suricata signatures that detected the Cerber malware, which one alerted the fewest number of times? Submit ONLY the signature ID value as the answer. (No punctuation, just 7 integers.)

```
index="botsv1" sourcetype="suricata" cerber
```

Answer: 2816763
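Both Suricata questions so far (the scanner's source address against imreallynotbatman.com, and the Cerber signature with the fewest alerts) come down to parsing EVE JSON, keeping event_type=alert, and counting by a field. The Python below is an added example, not code from the original post; it runs that aggregation over constructed EVE lines. The signature names and the 9000001–9000003 signature ids are placeholders, as are the addresses; only 2816763 is the id the post reports.

```python
import json
from collections import Counter

# Constructed Suricata EVE JSON lines (one event per line). Addresses and
# signature names are made up; ids 900000x are placeholders.
SAMPLE_EVE_LINES = """
{"timestamp":"2016-08-10T21:46:15.000000+0000","event_type":"alert","src_ip":"40.80.148.42","dest_ip":"192.168.250.70","http":{"hostname":"imreallynotbatman.com","url":"/joomla/index.php"},"alert":{"signature_id":9000001,"signature":"CONSTRUCTED Web scanner user-agent","category":"Web Application Attack"}}
{"timestamp":"2016-08-10T21:46:16.000000+0000","event_type":"http","src_ip":"40.80.148.42","dest_ip":"192.168.250.70","http":{"hostname":"imreallynotbatman.com","url":"/joomla/"}}
{"timestamp":"2016-08-10T21:46:17.000000+0000","event_type":"alert","src_ip":"40.80.148.42","dest_ip":"192.168.250.70","http":{"hostname":"imreallynotbatman.com","url":"/joomla/index.php?id=1"},"alert":{"signature_id":9000002,"signature":"CONSTRUCTED SQL injection probe","category":"Web Application Attack"}}
{"timestamp":"2016-08-10T21:46:18.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.168.250.70","http":{"hostname":"imreallynotbatman.com","url":"/"},"alert":{"signature_id":9000001,"signature":"CONSTRUCTED Web scanner user-agent","category":"Web Application Attack"}}
{"timestamp":"2016-08-24T16:58:01.000000+0000","event_type":"alert","src_ip":"192.168.250.100","dest_ip":"203.0.113.5","alert":{"signature_id":9000003,"signature":"CONSTRUCTED Cerber check-in A","category":"A Network Trojan was detected"}}
{"timestamp":"2016-08-24T16:58:02.000000+0000","event_type":"alert","src_ip":"192.168.250.100","dest_ip":"203.0.113.5","alert":{"signature_id":9000003,"signature":"CONSTRUCTED Cerber check-in A","category":"A Network Trojan was detected"}}
{"timestamp":"2016-08-24T16:58:03.000000+0000","event_type":"alert","src_ip":"192.168.250.100","dest_ip":"203.0.113.6","alert":{"signature_id":2816763,"signature":"CONSTRUCTED Cerber payment site DNS lookup","category":"A Network Trojan was detected"}}
""".strip().splitlines()


def load_alerts(lines):
    """Parse EVE JSON and keep only event_type=alert (the first filter the queries apply)."""
    events = (json.loads(line) for line in lines if line.strip())
    return [e for e in events if e.get("event_type") == "alert"]


def alert_sources_for_host(alerts, hostname):
    """Alerting source IPs ordered by alert count for one HTTP hostname: the
    aggregation behind picking out the scanner's address."""
    hits = (a["src_ip"] for a in alerts if a.get("http", {}).get("hostname") == hostname)
    return Counter(hits).most_common()


def signature_counts(alerts, keyword):
    """Alert count per signature_id, restricted to signatures whose name
    contains `keyword` (case-insensitive), like the free-text `cerber` term."""
    kw = keyword.lower()
    return Counter(a["alert"]["signature_id"] for a in alerts
                   if kw in a["alert"]["signature"].lower())


def least_frequent_signature(alerts, keyword):
    """signature_id that alerted the fewest times among matching signatures."""
    counts = signature_counts(alerts, keyword)
    return min(counts, key=counts.get) if counts else None


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_EVE_LINES)
    print(alert_sources_for_host(alerts, "imreallynotbatman.com"))
    print(signature_counts(alerts, "cerber"))
    print(least_frequent_signature(alerts, "cerber"))
```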

  1. What fully qualified domain name (FQDN) makes the Cerber ransomware attempt to direct the user to at the end of its encryption phase?

In the “Challenge Details” tab

```
index="botsv1" cerberhhyed5frqa.xmfir0.win 192.168.250.100
```

Answer: cerberhhyed5frqa[.]xmfir0[.]win

  1. What was the first suspicious domain visited by we8105desk in 24AUG2016?

Reference: IOCs/cerber.ioc at master · jasonmiacono/IOCs

```
index="botsv1" src_ip="192.168.250.100" sourcetype="stream:dns" Solidaritedeproximite.org
| sort - _time
| reverse
```

Answer: Solidaritedeproximite.org

  1. During the initial Cerber infection a VB script is run. The entire script from this execution, pre-pended by the name of the launching .exe, can be found in a field in Splunk. What is the length in characters of the value of this field?

```
index="botsv1" vbs source="WinEventLog:Microsoft-Windows-Sysmon/Operational"
| table CommandLine
| eval length=len(CommandLine)
```

Answer: 4490

  1. What is the name of the USB key inserted by Bob Smith?

References: USB device registry entries - Windows drivers | Microsoft Learn; Finding USB and Removable Media Detection - Splunk Community

Answer: MIRANDA_PRI

  1. Bob Smith’s workstation (we8105desk) was connected to a file server during the ransomware outbreak. What is the IP address of the file server?

```
index=botsv1 we8105desk sourcetype="stream:smb" "command{}"="smb2 session setup"
```

Answer: 192.168.250.20

  1. How many distinct PDFs did the ransomware encrypt on the remote file server?

```
index=botsv1 pdf Source_Address="192.168.250.100"
| stats dc(Relative_Target_Name)
```

```
index=botsv1 *.pdf
| regex Relative_Target_Name=".pdf$"
| stats dc(Relative_Target_Name)
```

Answer: 257

  1. The VBScript found in question 25 launches 121214.tmp. What is the ParentProcessId of this initial launch?

```
index=botsv1 vbs source="WinEventLog:Microsoft-Windows-Sysmon/Operational" 121214.tmp
```

Answer: 3968
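Three questions so far lean on Sysmon Event ID 1 (process creation): the MD5 of 3791.exe comes from the event's Hashes field, the VBScript question measures the length of CommandLine, and this one reads ParentProcessId. The Python below is an added example, not code from the original post, that parses constructed Sysmon events in the XML form the Windows event log renders and pulls those three fields out. All process ids, hashes and paths in the sample events are placeholders, not the values from the challenge data.

```python
import xml.etree.ElementTree as ET

# Namespace Windows uses when an event is rendered as XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed command line for the temp-file launch (reused in the test below).
CMD_TMP = r'"C:\Users\bob.smith\AppData\Local\Temp\121214.tmp"'

# Constructed Sysmon events; ids, hashes and paths are placeholders.
SAMPLE_EVENTS = [
    # Event ID 1: the uploaded 3791.exe being started on the web server.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\inetpub\wwwroot\joomla\3791.exe</Data>
    <Data Name="CommandLine">3791.exe</Data>
    <Data Name="ProcessId">5044</Data>
    <Data Name="ParentProcessId">3212</Data>
    <Data Name="Hashes">MD5=00112233445566778899AABBCCDDEEFF,SHA256=PLACEHOLDER_SHA256</Data>
  </EventData>
</Event>""",
    # Event ID 1: the dropped temp file being launched by the script host.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Users\bob.smith\AppData\Local\Temp\121214.tmp</Data>
    <Data Name="CommandLine">""" + CMD_TMP + r"""</Data>
    <Data Name="ProcessId">9100</Data>
    <Data Name="ParentProcessId">9999</Data>
    <Data Name="ParentImage">C:\Windows\System32\wscript.exe</Data>
    <Data Name="Hashes">MD5=FFEEDDCCBBAA99887766554433221100,SHA256=PLACEHOLDER_SHA256</Data>
  </EventData>
</Event>""",
    # Event ID 3 (network connection) from the same image: it mentions the
    # file name but is not a process creation, so it must not match.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3</EventID></System>
  <EventData>
    <Data Name="Image">C:\Users\bob.smith\AppData\Local\Temp\121214.tmp</Data>
    <Data Name="ProcessId">9100</Data>
    <Data Name="DestinationIp">192.0.2.10</Data>
  </EventData>
</Event>""",
]


def parse_event(xml_text):
    """Flatten one rendered event into a dict: EventID plus every EventData field."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def process_creations(xml_events, needle):
    """Event ID 1 only, restricted to command lines containing `needle`
    (the CommandLine="3791.exe" style filter used above)."""
    parsed = (parse_event(x) for x in xml_events)
    return [e for e in parsed if e["EventID"] == 1 and needle in e.get("CommandLine", "")]


def hashes_to_dict(hashes_field):
    """Sysmon's Hashes field is 'ALG=hex,ALG=hex,...'; split it into a dict."""
    return dict(part.split("=", 1) for part in hashes_field.split(",") if "=" in part)


def md5_of_process(xml_events, needle):
    hits = process_creations(xml_events, needle)
    return hashes_to_dict(hits[0]["Hashes"]).get("MD5") if hits else None


def parent_pid_of(xml_events, needle):
    hits = process_creations(xml_events, needle)
    return int(hits[0]["ParentProcessId"]) if hits else None


def commandline_length(xml_events, needle):
    """Character length of the CommandLine field, as len(CommandLine) does in SPL."""
    hits = process_creations(xml_events, needle)
    return len(hits[0]["CommandLine"]) if hits else None


if __name__ == "__main__":
    print("MD5:", md5_of_process(SAMPLE_EVENTS, "3791.exe"))
    print("ParentProcessId:", parent_pid_of(SAMPLE_EVENTS, "121214.tmp"))
    print("CommandLine length:", commandline_length(SAMPLE_EVENTS, "121214.tmp"))
```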

  1. The Cerber ransomware encrypts files located in Bob Smith’s Windows profile. How many .txt files does it encrypt?

```
index=botsv1 *.txt sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" file_path="C:\\Users\\bob.smith.WAYNECORPINC\\*.txt"
| stats dc(file_path)
```

Answer: 406

  1. The malware downloads a file that contains the Cerber ransomware crypto code. What is the name of that file?

```
index=botsv1 sourcetype="suricata" src=192.168.250.100 event_type=http solidaritedeproximite.org
```

Answer: mhtr.jpg

  1. Now that you know the name of the ransomware’s encryptor file, what obfuscation technique does it likely use?

Answer: steganography
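A file that arrives as an image but carries an executable payload is something a defender can screen for cheaply. The Python below is an added example, not code from the original post: one coarse heuristic that checks whether a byte string starts like a JPEG and how many bytes follow its last end-of-image marker. The sample byte strings are constructed stand-ins, not the file from the challenge, and the check is deliberately simple (a payload that itself contains FF D9 would be undercounted; EXIF thumbnails carry an inner end-of-image marker, which is why the last one is used).

```python
SOI = b"\xff\xd8\xff"  # JPEG start-of-image (FF D8) followed by the first marker byte
EOI = b"\xff\xd9"      # JPEG end-of-image


def analyze_jpeg(data):
    """Coarse check for content appended after the JPEG end-of-image marker.

    Returns whether the bytes start like a JPEG, how many bytes follow the last
    EOI marker (None if there is no EOI at all), and a verdict. Anything that is
    not a JPEG, has no EOI, or has bytes after the EOI is flagged.
    """
    is_jpeg = data.startswith(SOI)
    eoi_at = data.rfind(EOI)
    trailing = None if eoi_at == -1 else len(data) - (eoi_at + len(EOI))
    return {
        "is_jpeg": is_jpeg,
        "trailing_bytes": trailing,
        "suspicious": (not is_jpeg) or trailing is None or trailing > 0,
    }


# Constructed minimal JPEG-like byte strings (not real images).
CLEAN_JPEG = SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + EOI
# The same header with a blob appended after the end-of-image marker.
STUFFED_JPEG = CLEAN_JPEG + b"MZ" + b"\x90" * 64
# Something served under a .jpg name that is not a JPEG at all.
NOT_A_JPEG = b"<html>" + b"\x00" * 10


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("stuffed", STUFFED_JPEG), ("not_jpeg", NOT_A_JPEG)):
        print(name, analyze_jpeg(blob))
```

Run this over the bytes of an HTTP response body captured for a suspicious image download; a non-zero trailing byte count is a reason to pull the file for closer inspection, not proof on its own, since some legitimate tools also append metadata after the EOI.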

This post is licensed under CC BY 4.0 by the author.