Gh0stNet Intrusion
Gh0stNet Intrusion is a blue team lab that falls under the Threat Hunting, Endpoint Forensics categories and will cover the following subjects: CyberChef, Wireshark, Registry Explorer, FLOSS/Strings, Splunk, IDA, Ghidra, CFF Explorer, FTK Imager, PECmd, Registry Explorer/RECmd, pe-sieve, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Lateral Movement, Collection, Command and Control, Exfiltration.
Learning Objectives
Synthesize forensic evidence from disk images, PCAP, and Splunk logs to reconstruct a Gh0stNet intrusion, identifying C2, persistence, and data exfiltration via DNS tunneling.
Categories: Threat Hunting, Endpoint Forensics.
MITRE ATT&CK Tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Lateral Movement, Collection, Command and Control, Exfiltration.
Tools: pe-sieve, Wireshark, Registry Explorer, FLOSS/Strings, Splunk, CyberChef, Ghidra, CFF Explorer, FTK Imager, PECmd, Registry Explorer/RECmd, IDA.
Difficulty: medium.