Hafinum-APT blue team ctf

What was the full URL that Windows Defender blocked an archive from being downloaded?

What was the full command used by the attacker to successfully download the archive?

Which user account was the attacker using when the archive was successfully downloaded to the host?

What command was used by the attacker on the host to try and disable Windows Defender via the command line?

Provide the date and time when Windows Defender's real-time protection was disabled. (24H-UTC)

Which version of ProcDump did the attacker run on the host?

Where is the executable located on the disk that was targeted by Procdump to dump its process memory?

What was the location of the dump file created from the process dumped with Procdump?

Provide the SHA256 hash value of the Teamviewer installation to check if the legitimate version was installed.

What was the domain looked up in the first DNS query done by the TeamViewer application after it was installed?

Determine how the attacker gained access to the Administrator account.

What IP address can we send to the Firewall team for blocking?

What was the hostname from where the attacker launched their attack?

Provide the first timestamp from the logs where you can see the attacker was successful login. (24H-UTC)

Provide the data in UTC time of when the attacker successfully logged into the host using RDP for the first time. (24H-UTC)

When did the attacker log off from the first RDP session? (24H-UTC)

What command did the attacker run on the host which would've helped him understand what Antivirus software was running on the system?

Which command did the attacker run on the host that would have helped him understand the network interface configuration of the host?

What was the name of the user account added by the attacker?

Based on information from the public, the first visual signs of raw sewage spilling into the river from the plant were around 14:00 local time on March 12th, 2021. According to the plant technicians, it would take at least 45 minutes for the plant to excrete sewage into the river once the backwash mode was activated. A file was created on the system that matches the above timelines and, based on its content, could likely have been used by the attackers to initiate the plant backwash. What was the name of this file?

Which application was responsible for downloading the malicious file to the host?

From which website was this malicious file downloaded?

After this file was downloaded, the attacker appeared to have moved it to another directory on the host. What was the new path of the file?

Based on the available logs, there are limited indications that the downloaded malicious file was executed on the host. Provide the earliest timestamp which shows proof of the file being executed on the host. (24H-UTC)

What command contained in the malicious file, if successfully run on the host, would you expect to have initiated the plant’s backwash mode

Prior to switching to a manual override, the technicians attempted to open the modified Simba plant simulation software application in order to stop the backwash sequence. However, they could not get the application to launch. What command from the attacker's script would have rendered the application unusable?