#1 | What is the SHA256 hash value of the RAM image? | 50 | 323
#2 | What time was the RAM image acquired according to the suspect system? (YYYY-MM-DD HH:MM:SS) | 50 | 282
#3 | What Volatility 2 profile is the most appropriate for this machine? imageinfo will take a long time; try to figure out another way to determine the profile. (ex: Win10x86_14393) | 150 | 262
#4 | What is the computer's name? | 50 | 259
#5 | What is the system IP address? | 50 | 265
#6 | How many established network connections were there at the time of acquisition? | 50 | 257
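
Questions #5 and #6 are both answered from the same plugin output: on Vista and later, `vol.py -f <image> --profile=<profile> netscan` lists every socket and connection object it can carve from pool memory. The local side of the host's own sockets gives the system IP, and the rows in state ESTABLISHED give the connection count. Two things catch people out: netscan carves pool memory, so the same connection can be listed twice, and wildcard/loopback addresses (0.0.0.0, 127.0.0.1, ::) are not the host's address. The parser below is an added example written for this page, not part of the challenge or of Volatility; it works over saved netscan output, and the sample rows (offsets, addresses, PIDs, process names) are constructed, not taken from the challenge image.

```python
from collections import Counter

# Constructed sample laid out like Volatility 2 `netscan` output. Offsets,
# addresses, PIDs and process names are made up for this example and are not
# values from the challenge image.
SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3e1c2a50         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        848      svchost.exe
0x3e1c2a50         TCPv6    :::135                         :::0                 LISTENING        848      svchost.exe
0x3e2f0b10         UDPv4    0.0.0.0:5355                   *:*                                   1040     svchost.exe    2021-03-14 08:11:02 UTC+0000
0x3e4410e0         TCPv4    192.0.2.10:49712               198.51.100.7:443     ESTABLISHED      4112     iexplore.exe
0x3e4410e0         TCPv4    192.0.2.10:49712               198.51.100.7:443     ESTABLISHED      4112     iexplore.exe
0x3e45a9c0         TCPv4    192.0.2.10:49733               203.0.113.9:4444     ESTABLISHED      2288     powershell.exe
0x3e4880a0         TCPv4    127.0.0.1:7001                 0.0.0.0:0            LISTENING        3764     java.exe
"""

TCP_STATES = {
    "LISTENING", "ESTABLISHED", "CLOSED", "CLOSE_WAIT", "TIME_WAIT", "SYN_SENT",
    "SYN_RCVD", "FIN_WAIT1", "FIN_WAIT2", "LAST_ACK", "CLOSING", "DELETE_TCB",
}
# Addresses that never identify the host: wildcards, loopback, unknown.
NOT_A_HOST_IP = {"0.0.0.0", "127.0.0.1", "*", "::", "::1", "-"}

def split_endpoint(endpoint):
    """'192.0.2.10:49712' -> ('192.0.2.10', 49712); also handles ':::135' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def parse_netscan(text):
    records = []
    for line in text.splitlines():
        tok = line.split()
        # Data rows start with a physical offset; the header and blank lines do not.
        if len(tok) < 5 or not tok[0].startswith("0x"):
            continue
        offset, proto, local, foreign = tok[:4]
        rest = tok[4:]
        # UDP rows have an empty State column, so the next token is already the PID.
        state = rest.pop(0) if rest[0] in TCP_STATES else ""
        pid = int(rest[0]) if rest and rest[0].lstrip("-").isdigit() else None
        owner = rest[1] if len(rest) > 1 else ""
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        records.append({
            "offset": int(offset, 16), "proto": proto,
            "local": local, "local_host": lhost, "local_port": lport,
            "foreign": foreign, "foreign_host": fhost, "foreign_port": fport,
            "state": state, "pid": pid, "owner": owner,
        })
    return records

def count_established(records):
    """Unique established TCP connections. netscan carves pool memory, so the same
    connection object can appear more than once; de-duplicate before counting."""
    unique = {(r["local"], r["foreign"], r["pid"])
              for r in records if r["state"] == "ESTABLISHED"}
    return len(unique)

def host_ips(records):
    """IPv4 addresses the host itself bound sockets on, most frequent first.
    The top entry is normally the system's interface address."""
    counts = Counter(
        r["local_host"] for r in records
        if r["proto"].endswith("v4") and r["local_host"] not in NOT_A_HOST_IP
        and not r["local_host"].startswith("169.254.")
    )
    return counts.most_common()

def established_peers(records):
    """Remote endpoints of established connections with the owning process,
    the first thing to look at when hunting for a reverse shell."""
    return sorted({(r["foreign_host"], r["foreign_port"], r["pid"], r["owner"])
                   for r in records if r["state"] == "ESTABLISHED"})

if __name__ == "__main__":
    recs = parse_netscan(SAMPLE_NETSCAN)
    print("established:", count_established(recs))
    print("host IPs:", host_ips(recs))
    for peer in established_peers(recs):
        print("peer:", peer)
```

Redirect the plugin output to a file (`netscan > netscan.txt`) and feed the file to `parse_netscan`; `established_peers` is also a quick way to spot the odd outbound port that later questions ask about.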
#7 | What is the PID of explorer.exe? | 50 | 267
#8 | What is the title of the webpage the admin visited using IE? | 50 | 235
#9 | What company developed the program used for memory acquisition? | 100 | 244
#10 | What is the administrator user password? | 100 | 204
#11 | What is the version of the WebLogic server installed on the system? | 150 | 201
#12 | The admin set a port forward rule to redirect traffic from the public port to the WebLogic admin portal port. What are the public and WebLogic admin portal port numbers? Format PublicPort:WebLogicPort (22:1337) | 200 | 191
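
Questions #4 and #12 are both registry questions answered with the `printkey` plugin. The computer name lives at `SYSTEM\ControlSet001\Control\ComputerName\ComputerName` (value `ComputerName`), and a rule added with `netsh interface portproxy add v4tov4` is stored under `SYSTEM\ControlSet001\Services\PortProxy\v4tov4\tcp` as a REG_SZ whose name is `listenaddress/listenport` and whose data is `connectaddress/connectport`. One caveat: `CurrentControlSet` is a symbolic link that only exists on a running system; in a hive read from memory you must use `ControlSet001` (or whichever set `Select\Current` names). The code below is an added example for this page, not part of the challenge or of Volatility: it parses saved `printkey -K "<key path>"` output and pulls out both answers. The two sample outputs are constructed; the host name, timestamps and port numbers in them are made up (7001 is merely WebLogic's default admin port, not a value read from the image).

```python
import re

# Constructed samples in the layout of Volatility 2 `printkey` output
# ("{type:13} {name:15} : (S|V) data"). Names, times and ports are made up.
SAMPLE_COMPUTERNAME = """\
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \\REGISTRY\\MACHINE\\SYSTEM
Key name: ComputerName (S)
Last updated: 2021-03-14 07:58:40 UTC+0000

Subkeys:

Values:
REG_SZ        ComputerName    : (S) WIN-EXAMPLE01
"""

SAMPLE_PORTPROXY = """\
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \\REGISTRY\\MACHINE\\SYSTEM
Key name: tcp (S)
Last updated: 2021-03-14 09:02:17 UTC+0000

Subkeys:

Values:
REG_SZ        */8443          : (S) 127.0.0.1/7001
"""

# type, value name, (S)/(V) marker, data
VALUE_RE = re.compile(r"^(REG_\w+)\s+(.+?)\s+: \((S|V)\)\s*(.*)$")

def parse_printkey(text):
    """Split printkey output into one dict per key, with its REG_* values."""
    keys, cur = [], None
    for line in text.splitlines():
        if line.startswith("Registry: "):
            cur = {"registry": line[10:].strip(), "key": None, "values": {}}
            keys.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Key name: "):
            cur["key"] = line[10:].rsplit(" ", 1)[0]   # drop the (S)/(V) marker
        elif line.startswith("Last updated: "):
            cur["last_updated"] = line[14:].strip()
        else:
            m = VALUE_RE.match(line)
            if m:
                vtype, name, _volatile, data = m.groups()
                cur["values"][name] = (vtype, data)
    return keys

def computer_name(printkey_output):
    # Key: SYSTEM\ControlSet001\Control\ComputerName\ComputerName, value ComputerName
    for key in parse_printkey(printkey_output):
        if "ComputerName" in key["values"]:
            return key["values"]["ComputerName"][1]
    return None

def portproxy_rules(printkey_output):
    # Key: SYSTEM\ControlSet001\Services\PortProxy\v4tov4\tcp (also v4tov6 etc.)
    # Each REG_SZ: name = listen_address/listen_port, data = connect_address/connect_port
    rules = []
    for key in parse_printkey(printkey_output):
        for name, (vtype, data) in key["values"].items():
            if vtype != "REG_SZ" or "/" not in name or "/" not in data:
                continue
            laddr, lport = name.rsplit("/", 1)
            caddr, cport = data.rsplit("/", 1)
            rules.append({"listen_addr": laddr, "listen_port": int(lport),
                          "connect_addr": caddr, "connect_port": int(cport)})
    return rules

def answer_format(rule):
    """PublicPort:WebLogicPort, the format the question asks for."""
    return f"{rule['listen_port']}:{rule['connect_port']}"

if __name__ == "__main__":
    print("computer name:", computer_name(SAMPLE_COMPUTERNAME))
    for rule in portproxy_rules(SAMPLE_PORTPROXY):
        print("port proxy:", rule, "->", answer_format(rule))
```

Generate the inputs with `vol.py -f <image> --profile=<profile> printkey -K "ControlSet001\Control\ComputerName\ComputerName"` and `... printkey -K "ControlSet001\Services\PortProxy\v4tov4\tcp"`; if the `tcp` key is missing, check the sibling `v4tov6`, `v6tov4` and `v6tov6` keys before concluding no rule exists.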
#13 | The attacker gained access through the WebLogic Server. What is the PID of the process responsible for the initial exploit? | 150 | 205
#14 | What is the PID of the next entry after the previous process? (Hint: ActiveProcessLinks list) | 200 | 177
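
The hint in #14 refers to how the kernel tracks processes: every `_EPROCESS` has an `ActiveProcessLinks` member (a `_LIST_ENTRY` of Flink/Blink pointers) that links it into one circular, doubly linked list. The catch is that Flink does not point at the next `_EPROCESS`; it points at the next structure's `ActiveProcessLinks` field, so the next process base is `Flink - offsetof(_EPROCESS, ActiveProcessLinks)` (the CONTAINING_RECORD step), and the PID is read from `UniqueProcessId` at that base. That is exactly what `pslist` does for every entry, and why a process unlinked from this list by DKOM is invisible to `pslist` but still found by `psscan`. The code below is an added example for this page, not challenge or Volatility code: it performs the walk over a constructed flat buffer holding three fake `_EPROCESS` structures. The field offsets are hypothetical; on the real image take them from `dt("_EPROCESS")` in `volshell` for the profile you selected, then `cc(pid=<pid>)` and `dt("_EPROCESS", proc())` show the Flink value to subtract from.

```python
import struct

# Hypothetical 64-bit _EPROCESS field offsets for this example. On a real image
# read them from `dt("_EPROCESS")` in volshell; only these two are needed.
OFF_UNIQUE_PROCESS_ID = 0x2E0     # UniqueProcessId (pointer-sized, holds the PID)
OFF_ACTIVE_PROCESS_LINKS = 0x2E8  # ActiveProcessLinks (_LIST_ENTRY: Flink, Blink)

# Constructed sample: (base address, PID) of three fake processes. Made up.
SAMPLE_PROCS = [(0x1000, 4), (0x2000, 1276), (0x3000, 3764)]

def build_sample_memory(procs=SAMPLE_PROCS):
    """Lay the fake _EPROCESS structures out in a flat buffer and link them
    into the circular list the kernel maintains."""
    mem = bytearray(0x4000)
    n = len(procs)
    for i, (base, pid) in enumerate(procs):
        nxt_base = procs[(i + 1) % n][0]
        prv_base = procs[(i - 1) % n][0]
        struct.pack_into("<Q", mem, base + OFF_UNIQUE_PROCESS_ID, pid)
        # Flink/Blink point at the neighbour's ActiveProcessLinks *field*,
        # not at the neighbour's _EPROCESS base.
        struct.pack_into("<QQ", mem, base + OFF_ACTIVE_PROCESS_LINKS,
                         nxt_base + OFF_ACTIVE_PROCESS_LINKS,
                         prv_base + OFF_ACTIVE_PROCESS_LINKS)
    return bytes(mem)

def read_u64(mem, addr):
    return struct.unpack_from("<Q", mem, addr)[0]

def pid_of(mem, eproc_base):
    return read_u64(mem, eproc_base + OFF_UNIQUE_PROCESS_ID)

def next_eprocess(mem, eproc_base):
    """Follow Flink, then convert the list-entry address back to an _EPROCESS
    base (CONTAINING_RECORD); this is the step pslist performs per entry."""
    flink = read_u64(mem, eproc_base + OFF_ACTIVE_PROCESS_LINKS)
    return flink - OFF_ACTIVE_PROCESS_LINKS

def prev_eprocess(mem, eproc_base):
    blink = read_u64(mem, eproc_base + OFF_ACTIVE_PROCESS_LINKS + 8)
    return blink - OFF_ACTIVE_PROCESS_LINKS

def next_pid(mem, eproc_base):
    """The answer #14 asks for: PID of the list entry after a given process."""
    return pid_of(mem, next_eprocess(mem, eproc_base))

def walk_list(mem, start_base, limit=100000):
    """Enumerate PIDs by following Flink until the list wraps around. A process
    unlinked by DKOM never shows up here; psscan (pool-tag carving) still finds it."""
    pids, cur = [], start_base
    for _ in range(limit):
        pids.append(pid_of(mem, cur))
        cur = next_eprocess(mem, cur)
        if cur == start_base:
            return pids
    raise RuntimeError("list did not wrap: corrupted or truncated ActiveProcessLinks")

def find_base_by_pid(mem, start_base, pid):
    cur = start_base
    while True:
        if pid_of(mem, cur) == pid:
            return cur
        cur = next_eprocess(mem, cur)
        if cur == start_base:
            return None

if __name__ == "__main__":
    mem = build_sample_memory()
    base = find_base_by_pid(mem, 0x1000, 1276)
    print(f"process at {base:#x} (pid {pid_of(mem, base)}) -> next pid {next_pid(mem, base)}")
    print("list order:", walk_list(mem, 0x1000))
```

On a 32-bit profile the pointers are 4 bytes (`<I`) and the offsets differ, so always read both the pointer size and the offsets from the profile rather than hard-coding them.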
#15 | How many threads does the process responsible for the initial exploit have? | 150 | 189
#16 | The attacker gained access to the system through the webserver. What is the CVE number of the vulnerability exploited? | 200 | 161
#17 | The attacker used the vulnerability he found in the webserver to execute a reverse shell command to his own server. Provide the IP and port of the attacker's server. Format: IP:port | 200 | 191
#18 | Multiple files were downloaded from the attacker's web server. Provide the command used to download the PowerShell script used for persistence. | 200 | 149
#19 | What is the MITRE ID related to the persistence technique the attacker used? | 200 | 149
#20 | After maintaining persistence, the attacker dropped a Cobalt Strike beacon. Try to analyze it and provide the Publickey_MD5. | 200 | 136
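
`Publickey_MD5` is a field name from the public beacon-config parsers (Didier Stevens' 1768.py, Sentinel-One's CobaltStrikeParser). The workflow is: find the injected region with `malfind`, dump it or the whole process (`vaddump` / `procdump -p <pid>`), then run the parser over the dump. Under the hood the beacon's configuration sits in memory as a list of settings, each `index(2) | type(2) | length(2) | data` in big-endian, XOR'd with a single byte (0x69 for version 3 beacons, 0x2e for version 4); setting 7 is the 256-byte RSA public key blob, and the MD5 reported is taken over that blob with its zero padding stripped. The code below is an added example for this page, not challenge code and not the parsers themselves: it builds a constructed config, hides it in filler bytes the way a dump would, then locates, decodes and hashes it. The key bytes, port, sleep time and C2 string are all made up, so the resulting hash is not the challenge answer.

```python
import hashlib
import struct

# Single-byte XOR keys Cobalt Strike uses to hide the beacon config in memory.
XOR_KEYS = {0x69: "v3", 0x2E: "v4"}
TYPE_SHORT, TYPE_INT, TYPE_BLOB = 1, 2, 3
# Setting indexes as used by the public parsers (only the ones this example needs).
SETTING_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize",
                 5: "Jitter", 7: "PublicKey", 8: "C2Server", 9: "UserAgent"}
TEXT_SETTINGS = {"C2Server", "UserAgent"}

def xor(data, key):
    return bytes(b ^ key for b in data)

def public_key_md5(key_bytes):
    """Publickey_MD5 as the public parsers report it: MD5 over the 256-byte
    key field with its zero padding stripped."""
    return hashlib.md5(key_bytes.strip(b"\x00")).hexdigest()

# ---- constructed sample: a fake config, XOR'd and buried in filler bytes ----
def _setting(index, stype, data):
    # Every setting is index(2) | type(2) | length(2) | data, all big-endian.
    return struct.pack(">HHH", index, stype, len(data)) + data

# 160 made-up key bytes with a DER-looking prefix; the last byte is non-zero so
# stripping the padding is unambiguous. Not a real key.
SAMPLE_PUBKEY = (b"\x30\x81\x9f\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00"
                 + bytes(range(1, 143)))
SAMPLE_CONFIG_PLAIN = (
    _setting(1, TYPE_SHORT, struct.pack(">H", 8))          # BeaconType 8 = HTTPS
    + _setting(2, TYPE_SHORT, struct.pack(">H", 8443))     # Port
    + _setting(3, TYPE_INT, struct.pack(">I", 60000))      # SleepTime (ms)
    + _setting(7, TYPE_BLOB, SAMPLE_PUBKEY.ljust(256, b"\x00"))
    + _setting(8, TYPE_BLOB, b"203.0.113.9,/jquery-3.3.1.min.js".ljust(256, b"\x00"))
    + b"\x00" * 16                                         # index 0 ends the list
)
SAMPLE_DUMP = b"\x90" * 777 + xor(SAMPLE_CONFIG_PLAIN, 0x2E) + b"\x90" * 333

def find_config(dump):
    """Locate the config by scanning for the XOR'd header of setting 1
    (index 1, type short, length 2), the same trick the public parsers use."""
    marker = struct.pack(">HHH", 1, TYPE_SHORT, 2)
    for key in XOR_KEYS:
        pos = dump.find(xor(marker, key))
        if pos != -1:
            return pos, key
    return None, None

def parse_config(dump):
    pos, key = find_config(dump)
    if pos is None:
        raise ValueError("no beacon config header found")
    data = xor(dump[pos:], key)
    settings = {"xor_key": key, "version_hint": XOR_KEYS[key]}
    off = 0
    while off + 6 <= len(data):
        index, stype, length = struct.unpack_from(">HHH", data, off)
        if index == 0:
            break
        raw = data[off + 6:off + 6 + length]
        off += 6 + length
        name = SETTING_NAMES.get(index, f"Setting{index}")
        if stype == TYPE_SHORT and length == 2:
            settings[name] = struct.unpack(">H", raw)[0]
        elif stype == TYPE_INT and length == 4:
            settings[name] = struct.unpack(">I", raw)[0]
        elif name in TEXT_SETTINGS:
            settings[name] = raw.rstrip(b"\x00").decode("latin-1")
        else:
            settings[name] = raw
    if "PublicKey" in settings:
        settings["PublicKey_MD5"] = public_key_md5(settings["PublicKey"])
    return settings

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_DUMP)
    for k in ("version_hint", "BeaconType", "Port", "C2Server", "PublicKey_MD5"):
        print(f"{k:14} {cfg[k]}")
```

Run `parse_config` over each dumped region until one yields a config; if you then compare the hash with what 1768.py or CobaltStrikeParser prints, remember both strip the padding before hashing, so hashing the raw 256-byte field gives a different value.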
#21 | What is the URL of the exfiltrated data? | 150 | 145