CyberCorp Case 2 Blue Team Challenge
Category : Threat Hunting
- Weight : 50 | Solved : 387 | Average Solve Time: 7 minutes
- Weight : 100 | Solved : 336 | Average Solve Time: 43 minutes
- Weight : 100 | Solved : 275 | Average Solve Time: 22 minutes
- Weight : 150 | Solved : 242 | Average Solve Time: 18 minutes
- Weight : 100 | Solved : 220 | Average Solve Time: 5 minutes
- Weight : 100 | Solved : 187 | Average Solve Time: 17 minutes
- Weight : 100 | Solved : 193 | Average Solve Time: 6 minutes
- Weight : 100 | Solved : 179 | Average Solve Time: 10 minutes
- Weight : 50 | Solved : 161 | Average Solve Time: 2 minutes
- Weight : 50 | Solved : 155 | Average Solve Time: 15 minutes
- Weight : 100 | Solved : 155 | Average Solve Time: 27 minutes
- Weight : 100 | Solved : 151 | Average Solve Time: 11 minutes
Instructions:
- Unzip the VM (pass: cyberdefenders.org), import it into VirtualBox, log in to the VM (pass: cyberpolygon), and access Kibana from inside the VM via http://127.0.0.1:5601
- Be sure to extend the Kibana "time period" far enough back to see the data.
Scenario
After a cybersecurity incident, CyberCorp's management decided to purchase and deploy an EDR (Endpoint Detection and Response) solution. EDR agents were installed on all workstations and servers and forward telemetry to a centralized Threat Hunting platform.
The company has also hired a security blue team of highly qualified analysts to build a threat detection process based on the Threat Hunting approach. You will take on the role of a threat hunter who has decided to verify a hypothesis about one of the attacker's persistence techniques.
Unfortunately, the hypothesis was confirmed: a persistence technique was discovered on one host, which became the starting point of the investigation.
By analyzing the EDR telemetry in the Threat Hunting platform, you will have to work out how the attacker compromised the network and what he managed to do with the access he obtained.