#1 | What is the SHA256 hash value of the RAM image? | 50 | 263
#2 | What time was the RAM image acquired according to the suspect system? (YYYY-MM-DD HH:MM:SS) | 50 | 223
#3 | Which volatility2 profile is the most appropriate for this machine? imageinfo will take a long time; try to find another way to determine the profile. (ex: Win10x86_14393) | 150 | 213
#4 | What is the computer's name? | 50 | 209
#5 | What is the system IP address? | 50 | 210
#6 | How many established network connections were there at the time of acquisition? | 50 | 202
#7 | What is the PID of explorer.exe? | 50 | 211
#8 | What is the title of the webpage the admin visited using IE? | 50 | 192
#9 | What company developed the program used for memory acquisition? | 100 | 195
#10 | What is the administrator user password? | 100 | 162
#11 | What is the version of the WebLogic server installed on the system? | 150 | 161
#12 | The admin set a port forward rule to redirect traffic from the public port to the WebLogic admin portal port. What are the public and WebLogic admin portal port numbers? Format PublicPort:WebLogicPort (22:1337) | 200 | 151
#13 | The attacker gained access through the WebLogic Server. What is the PID of the process responsible for the initial exploit? | 150 | 165
#14 | What is the PID of the next entry after the previous process? (Hint: ActiveProcessLinks list) | 200 | 141
#15 | How many threads does the process responsible for the initial exploit have? | 150 | 150
#16 | The attacker gained access to the system through the webserver. What is the CVE number of the vulnerability exploited? | 200 | 127
#17 | The attacker used the vulnerability he found in the webserver to execute a reverse shell command to his own server. Provide the IP and port of the attacker's server. Format: IP:port | 200 | 152
#18 | Multiple files were downloaded from the attacker's web server. Provide the command used to download the PowerShell script used for persistence. | 200 | 115
#19 | What is the MITRE ID related to the persistence technique the attacker used? | 200 | 114
#20 | After maintaining persistence, the attacker dropped a Cobalt Strike beacon. Try to analyze it and provide the Publickey_MD5. | 200 | 105
#21 | What is the URL of the exfiltrated data? | 150 | 113