Gh0stNet Intrusion

Gh0stNet Intrusion is a blue team lab that falls under the Threat Hunting, Endpoint Forensics categories and will cover the following subjects: CyberChef, Wireshark, Registry Explorer, FLOSS/Strings, Splunk, IDA, Ghidra, CFF Explorer, FTK Imager, PECmd, Registry Explorer/RECmd, pe-sieve, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Lateral Movement, Collection, Command and Control, Exfiltration.

Learning Objectives

Synthesize forensic evidence from disk images, PCAP, and Splunk logs to reconstruct a Gh0stNet intrusion, identifying C2, persistence, and data exfiltration via DNS tunneling.

Categories: Threat Hunting, Endpoint Forensics.

MITRE ATT&CK Tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Lateral Movement, Collection, Command and Control, Exfiltration.

Tools: pe-sieve, Wireshark, Registry Explorer, FLOSS/Strings, Splunk, CyberChef, Ghidra, CFF Explorer, FTK Imager, PECmd, Registry Explorer/RECmd, IDA.

Difficulty: medium.