Hunter blue team ctf

Category : Digital Forensics

1473 Players

4.5 (117)

Medium

What is the computer name of the suspect machine?

Weight : 25 | Solved : 814

What is the computer IP?

Weight : 25 | Solved : 760

What was the DHCP LeaseObtainedTime?

Weight : 25 | Solved : 631

What is the computer SID?

Weight : 50 | Solved : 674

What is the Operating System(OS) version?

Weight : 50 | Solved : 706

What was the computer timezone?

Weight : 50 | Solved : 632

How many times did this user log on to the computer?

Weight : 50 | Solved : 673

When was the last login time for the discovered account? Format: one-space between date and time

Weight : 50 | Solved : 611

There was a “Network Scanner” running on this computer, what was it? And when was the last time the suspect used it? Format: program.exe,YYYY-MM-DD HH:MM:SS UTC

Weight : 75 | Solved : 517

Q10

When did the port scan end? (Example: Sat Jan 23 hh:mm:ss 2016)

Weight : 75 | Solved : 530

Q11

How many ports were scanned?

Weight : 75 | Solved : 588

Q12

What ports were found "open"?(comma-separated, ascending)

Weight : 75 | Solved : 579

Q13

What was the version of the network scanner running on this computer?

Weight : 100 | Solved : 604

Q14

The employee engaged in a Skype conversation with someone. What is the skype username of the other party?

Weight : 75 | Solved : 570

Q15

What is the name of the application both parties agreed to use to exfiltrate data and provide remote access for the external attacker in their Skype conversation?

Weight : 100 | Solved : 544

Q16

What is the Gmail email address of the suspect employee?

Weight : 100 | Solved : 581

Q17

It looks like the suspect user deleted an important diagram after his conversation with the external attacker. What is the file name of the deleted diagram?

Weight : 100 | Solved : 519

Q18

The user Documents' directory contained a PDF file discussing data exfiltration techniques. What is the name of the file?

Weight : 100 | Solved : 563

Q19

What was the name of the Disk Encryption application Installed on the victim system? (two words space separated)

Weight : 150 | Solved : 441

Q20

What are the serial numbers of the two identified USB storage?

Weight : 150 | Solved : 526

Q21

One of the installed applications is a file shredder. What is the name of the application? (two words space separated)

Weight : 150 | Solved : 489

Q22

How many prefetch files were discovered on the system?

Weight : 150 | Solved : 481

Q23

How many times was the file shredder application executed?

Weight : 150 | Solved : 504

Q24

Using prefetch, determine when was the last time ZENMAP.EXE-56B17C4C.pf was executed?

Weight : 150 | Solved : 480

Q25

A JAR file for an offensive traffic manipulation tool was executed. What is the absolute path of the file?

Weight : 150 | Solved : 477

Q26

The suspect employee tried to exfiltrate data by sending it as an email attachment. What is the name of the suspected attachment?

Weight : 150 | Solved : 499

Q27

Shellbags shows that the employee created a folder to include all the data he will exfiltrate. What is the full path of that folder?

Weight : 150 | Solved : 480

Q28

The user deleted two JPG files from the system and moved them to $Recycle-Bin. What is the file name that has the resolution of 1920x1200?

Weight : 200 | Solved : 481

Q29

Provide the name of the directory where information about jump lists items (created automatically by the system) is stored?

Weight : 200 | Solved : 486

Q30

Using JUMP LIST analysis, provide the full path of the application with the AppID of "aa28770954eaeaaa" used to bypass network security monitoring controls.

Weight : 200 | Solved : 478

Instructions:

Unzip the challenge (pass: cyberdefenders.org), examine the image, and answer the provided questions.

Case Overview:
The SOC team got an alert regarding some illegal port scanning activity coming from an employee's system. The employee was not authorized to do any port scanning or any offensive hacking activity within the network. The employee claimed that he had no idea about that, and it is probably a malware acting on his behalf. The IR team managed to respond immediately and take a full forensic image of the user's system to perform some investigations.

There is a theory that the user intentionally installed illegal applications to do port scanning and maybe other things. He was probably planning for something bigger, far beyond a port scanning!

It all began when the user asked for a salary raise that was rejected. After that, his behavior was abnormal and different. The suspect is believed to have weak technical skills, and there might be an outsider helping him!

Your objective as a soc analyst is to analyze the image and to either confirm or deny this theory.

Supportive Tools:

WriteUps

Submit Writeup

Need Help?

Join our Discord server, connect with fellow defenders, and get help while solving challenges.

SHA1SUM:

88a22f6ad6d140c9151e6983b894c6eb6c64735d
Password:

cyberdefenders.org
Size:

595 MB
Published:

Oct. 5, 2020, midnight

First blood

wlancer

965 days ago

Last solve

ozer0x777

today

Authors

Hunter blue team ctf

Category : Digital Forensics

Windows

Disk

Registry