Boss Of The SOC v1 blue team ctf

Category : Threat Hunting

8407 Players

4.5 (754)

Medium

This is a simple question to get you familiar with submitting answers. What is the name of the company that makes the software that you are using for this competition? Just a six-letter word with no punctuation.

Weight : 50 | Solved : 6969

What is the likely IP address of someone from the Po1s0n1vy group scanning imreallynotbatman.com for web application vulnerabilities?

Weight : 50 | Solved : 5897

What company created the web vulnerability scanner used by Po1s0n1vy? Type the company name. (For example, "Microsoft" or "Oracle")

Weight : 50 | Solved : 5706

What content management system is imreallynotbatman.com likely using? (Please do not include punctuation such as . , ! ? in your answer. We are looking for alpha characters only.)

Weight : 50 | Solved : 5611

What is the name of the file that defaced the imreallynotbatman.com website? Please submit only the name of the file with the extension (For example, "notepad.exe" or "favicon.ico").

Weight : 250 | Solved : 4194

This attack used dynamic DNS to resolve to the malicious IP. What is the fully qualified domain name (FQDN) associated with this attack?

Weight : 250 | Solved : 3969

What IP address has Po1s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises?

Weight : 500 | Solved : 4022

Based on the data gathered from this attack and common open-source intelligence sources for domain names, what is the email address most likely associated with the Po1s0n1vy APT group?

Weight : 100 | Solved : 3412

What IP address is likely attempting a brute force password attack against imreallynotbatman.com?

Weight : 50 | Solved : 3857

Q10

What is the name of the executable uploaded by Po1s0n1vy? Please include the file extension. (For example, "notepad.exe" or "favicon.ico")

Weight : 50 | Solved : 3469

Q11

What is the MD5 hash of the executable uploaded?

Weight : 250 | Solved : 3258

Q12

GCPD reported that common TTP (Tactics, Techniques, Procedures) for the Po1s0n1vy APT group, if initial compromise fails, is to send a spear-phishing email with custom malware attached to their intended target. This malware is usually connected to Po1s0n1vy's initial attack infrastructure. Using research techniques, provide the SHA256 hash of this malware.

Weight : 500 | Solved : 2822

Q13

What is the special hex code associated with the customized malware discussed in question 12? (Hint: It's not in Splunk)

Weight : 1000 | Solved : 2691

Q14

One of Po1s0n1vy's staged domains has some disjointed "unique" whois information. Concatenate the two codes together and submit them as a single answer.

Weight : 500 | Solved : 1759

Q15

What was the first brute force password used?

Weight : 250 | Solved : 2857

Q16

One of the passwords in the brute force attack is James Brodsky's favorite Coldplay song. Hint: we are looking for a six-character word on this one. Which is it?

Weight : 250 | Solved : 2626

Q17

What was the correct password for admin access to the content management system running "imreallynotbatman.com"?

Weight : 1000 | Solved : 2632

Q18

What was the average password length used in the password brute-forcing attempt? (Round to a closest whole integer. For example "5" not "5.23213")

Weight : 500 | Solved : 2604

Q19

How many seconds elapsed between the brute force password scan identified the correct password and the compromised login? Round to 2 decimal places.

Weight : 500 | Solved : 2237

Q20

How many unique passwords were attempted in the brute force attempt?

Weight : 500 | Solved : 2380

Q21

What was the most likely IP address of we8105desk in 24AUG2016?

Weight : 50 | Solved : 2423

Q22

Amongst the Suricata signatures that detected the Cerber malware, which one alerted the fewest number of times? Submit ONLY the signature ID value as the answer. (No punctuation, just 7 integers.)

Weight : 50 | Solved : 2227

Q23

What fully qualified domain name (FQDN) makes the Cerber ransomware attempt to direct the user to at the end of its encryption phase?

Weight : 250 | Solved : 2039

Q24

What was the first suspicious domain visited by we8105desk in 24AUG2016?

Weight : 500 | Solved : 2012

Q25

During the initial Cerber infection a VB script is run. The entire script from this execution, pre-pended by the name of the launching .exe, can be found in a field in Splunk. What is the length in characters of the value of this field?

Weight : 500 | Solved : 1890

Q26

What is the name of the USB key inserted by Bob Smith?

Weight : 500 | Solved : 1937

Q27

Bob Smith's workstation (we8105desk) was connected to a file server during the ransomware outbreak. What is the IP address of the file server?

Weight : 50 | Solved : 1973

Q28

How many distinct PDFs did the ransomware encrypt on the remote file server?

Weight : 250 | Solved : 1838

Q29

The VBScript found in question 25 launches 121214.tmp. What is the ParentProcessId of this initial launch?

Weight : 50 | Solved : 1832

Q30

The Cerber ransomware encrypts files located in Bob Smith's Windows profile. How many .txt files does it encrypt?

Weight : 250 | Solved : 1763

Q31

The malware downloads a file that contains the Cerber ransomware crypto code. What is the name of that file?

Weight : 250 | Solved : 1755

Q32

Now that you know the name of the ransomware's encryptor file, what obfuscation technique does it likely use?

Weight : 1000 | Solved : 1702

Instructions:

Virtualbox: unzip the VM (pass: cyberdefenders.org), start VM, and access Splunk from host machine via http://127.0.0.1:8000
VMware: login to the VM using vagrant/vagrant and grab the IP address of the VM using "IP address" command. Access Splunk from the host machine using the IP address assigned to the VM via http://x.x.x.x:8000
Challenge Files:
- bots1.ova (Memory: 4 GB, CPU: 2 Cores, Disk: 5.5 GB)

Scenario 1 (APT):

The focus of this hands on lab will be an APT scenario and a ransomware scenario. You assume the persona of Alice Bluebird, the soc analyst who has recently been hired to protect and defend Wayne Enterprises against various forms of cyberattack.

In this scenario, reports of the below graphic come in from your user community when they visit the Wayne Enterprises website, and some of the reports reference "P01s0n1vy." In case you are unaware, P01s0n1vy is an APT group that has targeted Wayne Enterprises. Your goal, as Alice, is to investigate the defacement, with an eye towards reconstructing the attack via the Lockheed Martin Kill Chain.

Scenario 2 (Ransomeware):

In the second scenario, one of your users is greeted by this image on a Windows desktop that is claiming that files on the system have been encrypted and payment must be made to get the files back. It appears that a machine has been infected with Cerber ransomware at Wayne Enterprises and your goal is to investigate the ransomware with an eye towards reconstructing the attack.

Here is a quick guide on how to get started with Splunk.

WriteUps

Submit Writeup

Need Help?

Join our Discord server, connect with fellow defenders, and get help while solving challenges.

SHA1SUM:

89719952101ffdf7ee577aaed9a5f6c98934b812
Password:

cyberdefenders.org
Size:

1.9 GiB
Published:

Aug. 3, 2020, midnight

First blood

cibermanchego

1113 days ago

Last solve

Mue

1 day ago

Authors

Boss Of The SOC v1 blue team ctf

Category : Threat Hunting

SIEM

Splunk

Threat Hunting

BossOfTheSOC