Scenario 1 (APT):

The focus of this hands-on lab is an APT scenario and a ransomware scenario. You assume the persona of Alice Bluebird, an analyst recently hired to protect and defend Wayne Enterprises against various forms of cyberattack.

In this scenario, reports of the graphic below come in from your user community when they visit the Wayne Enterprises website, and some of the reports reference "Po1s0n1vy." In case you are unaware, Po1s0n1vy is an APT group that has targeted Wayne Enterprises. Your goal, as Alice, is to investigate the defacement, with an eye towards reconstructing the attack via the Lockheed Martin Cyber Kill Chain.

Scenario 2 (Ransomware):

In the second scenario, one of your users is greeted by the image below on a Windows desktop, claiming that files on the system have been encrypted and that payment must be made to get the files back. It appears that a machine at Wayne Enterprises has been infected with Cerber ransomware, and your goal is to investigate the ransomware with an eye towards reconstructing the attack.

Here is a quick guide on how to get started with Splunk.

#  Question  Weight  Solved
(Each row ends with two numbers: the point weight of the question and the number of times it was solved.)
1 This is a simple question to get you familiar with submitting answers. What is the name of the company that makes the software that you are using for this competition? Just a six-letter word with no punctuation. 50 1269

2 What is the likely IP address of someone from the Po1s0n1vy group scanning for web application vulnerabilities? 50 1034

3 What company created the web vulnerability scanner used by Po1s0n1vy? Type the company name. (For example "Microsoft" or "Oracle") 50 999

4 What content management system is likely using?(Please do not include punctuation such as . , ! ? in your answer. We are looking for alpha characters only.) 50 986

5 What is the name of the file that defaced the website? Please submit only the name of the file with extension (For example "notepad.exe" or "favicon.ico"). 250 594

6 This attack used dynamic DNS to resolve to the malicious IP. What fully qualified domain name (FQDN) is associated with this attack? 250 553

7 What IP address has Po1s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises? 500 596

8 Based on the data gathered from this attack and common open source intelligence sources for domain names, what is the email address that is most likely associated with Po1s0n1vy APT group? 100 448

9 What IP address is likely attempting a brute force password attack against 50 602

10 What is the name of the executable uploaded by Po1s0n1vy? Please include file extension. (For example, "notepad.exe" or "favicon.ico") 50 467

11 What is the MD5 hash of the executable uploaded? 250 436

12 GCPD reported that a common TTP (Tactics, Techniques, Procedures) for the Po1s0n1vy APT group, if initial compromise fails, is to send a spear phishing email with custom malware attached to their intended target. This malware is usually connected to Po1s0n1vy's initial attack infrastructure. Using research techniques, provide the SHA256 hash of this malware. 500 338

13 What special hex code is associated with the customized malware discussed in question 12? (Hint: It's not in Splunk) 1000 320

14 One of Po1s0n1vy's staged domains has some disjointed "unique" whois information. Concatenate the two codes together and submit as a single answer. 500 33

15 What was the first brute force password used? 250 388

16 One of the passwords in the brute force attack is James Brodsky's favorite Coldplay song. Hint: we are looking for a six character word on this one. Which is it? 250 355

17 What was the correct password for admin access to the content management system running ""? 1000 355

18 What was the average password length used in the password brute forcing attempt? (Round to closest whole integer. For example "5" not "5.23213") 500 372

19 How many seconds elapsed between the time the brute force password scan identified the correct password and the compromised login? Round to 2 decimal places. 500 271

20 How many unique passwords were attempted in the brute force attempt? 500 303

21 What was the most likely IP address of we8105desk on 24AUG2016? 50 350

22 Amongst the Suricata signatures that detected the Cerber malware, which one alerted the fewest number of times? Submit ONLY the signature ID value as the answer. (No punctuation, just 7 digits.) 50 277

23 What fully qualified domain name (FQDN) does the Cerber ransomware attempt to direct the user to at the end of its encryption phase? 250 233

24 What was the first suspicious domain visited by we8105desk on 24AUG2016? 500 228

25 During the initial Cerber infection a VBScript is run. The entire script from this execution, prepended by the name of the launching .exe, can be found in a field in Splunk. What is the length in characters of the value of this field? 500 210

26 What is the name of the USB key inserted by Bob Smith? 500 224

27 Bob Smith's workstation (we8105desk) was connected to a file server during the ransomware outbreak. What is the IP address of the file server? 50 253

28 How many distinct PDFs did the ransomware encrypt on the remote file server? 250 207

29 The VBScript found in question 25 launches 121214.tmp. What is the ParentProcessId of this initial launch? 50 217

30 The Cerber ransomware encrypts files located in Bob Smith's Windows profile. How many .txt files does it encrypt? 250 193

31 The malware downloads a file that contains the Cerber ransomware cryptor code. What is the name of that file? 250 193

32 Now that you know the name of the ransomware's encryptor file, what obfuscation technique does it likely use? 1000 172
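Questions 15, 18, 19 and 20 all reduce to the same analysis of the web server's login POSTs: isolate the password-guessing source, then derive the first guess, the unique-guess count, the average guess length and the delay between the guess that hit and the later login that reused it. The Python below is an example added by the editor, not part of the BOTS challenge or its Splunk content, and it runs over a constructed event sample rather than the lab data. The flat event layout (timestamp, source IP, method, URI, URL-encoded body), the admin URI /admin/index.php and the form field name passwd are assumptions that stand in for whatever the real HTTP stream sourcetype exposes; the same logic maps onto Splunk stats/transaction searches once those field names are known.

```python
"""
Brute-force login analysis over constructed HTTP events (editor's example).

Assumptions (not taken from the challenge): one event per line in the form
  <ISO8601 timestamp> <src_ip> <method> <uri> <url-encoded body or "-">
and a login form that posts the password in a field named "passwd".
"""
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qs

# Constructed sample: a guessing burst from 10.0.0.5 (one password tried
# twice), an unrelated legitimate login from 10.0.0.20, and a later login
# from 10.0.0.9 that reuses one of the guessed passwords.
EVENTS = """\
2016-08-10T21:43:19.900Z 10.0.0.5 GET /admin/index.php -
2016-08-10T21:43:20.115Z 10.0.0.5 POST /admin/index.php username=admin&passwd=123456
2016-08-10T21:43:20.331Z 10.0.0.5 POST /admin/index.php username=admin&passwd=gotham1
2016-08-10T21:43:20.548Z 10.0.0.5 POST /admin/index.php username=admin&passwd=yellow
2016-08-10T21:43:20.772Z 10.0.0.5 POST /admin/index.php username=admin&passwd=123456
2016-08-10T21:43:21.004Z 10.0.0.5 POST /admin/index.php username=admin&passwd=password1
2016-08-10T21:43:21.219Z 10.0.0.5 POST /admin/index.php username=admin&passwd=letmein
2016-08-10T21:44:02.010Z 10.0.0.20 POST /admin/index.php username=bwayne&passwd=alfred42
2016-08-10T21:45:13.802Z 10.0.0.9 POST /admin/index.php username=admin&passwd=gotham1
"""


def parse_events(text):
    """Split each constructed line into a dict; POST bodies yield a passwd value."""
    events = []
    for line in text.strip().splitlines():
        ts, src, method, uri, body = line.split(" ", 4)
        passwd = parse_qs(body).get("passwd", [None])[0] if method == "POST" else None
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ"),
            "src_ip": src, "method": method, "uri": uri, "passwd": passwd,
        })
    return sorted(events, key=lambda e: e["time"])


def login_attempts(events, uri="/admin/index.php"):
    """Only POSTs to the login URI that actually carry a password."""
    return [e for e in events if e["method"] == "POST" and e["uri"] == uri and e["passwd"]]


def brute_force_source(attempts):
    """The source issuing the most login POSTs is the guesser (Q9-style pivot)."""
    return Counter(e["src_ip"] for e in attempts).most_common(1)[0][0]


def brute_force_summary(attempts, attacker):
    """First guess (Q15), unique guesses (Q20) and average guess length (Q18).

    The average is taken over every attempt, so a password tried twice counts
    twice; the unique count collapses repeats.
    """
    guesses = [e["passwd"] for e in attempts if e["src_ip"] == attacker]
    return {
        "first_password": guesses[0],
        "total_attempts": len(guesses),
        "unique_passwords": len(set(guesses)),
        "avg_length": round(sum(len(p) for p in guesses) / len(guesses)),
    }


def compromised_login(attempts, attacker):
    """Q17/Q19: the guessed password later reused from a different source.

    Records when the guesser first tried each password, then returns the
    earliest POST from another IP that reuses one, with the elapsed seconds.
    """
    first_guess = {}
    for e in attempts:
        if e["src_ip"] == attacker and e["passwd"] not in first_guess:
            first_guess[e["passwd"]] = e["time"]
    for e in attempts:
        if e["src_ip"] != attacker and e["passwd"] in first_guess:
            delta = (e["time"] - first_guess[e["passwd"]]).total_seconds()
            return {
                "password": e["passwd"],
                "login_src": e["src_ip"],
                "seconds_after_guess": round(delta, 2),
            }
    return None


if __name__ == "__main__":
    attempts = login_attempts(parse_events(EVENTS))
    attacker = brute_force_source(attempts)
    print("guesser:", attacker)
    print(brute_force_summary(attempts, attacker))
    print(compromised_login(attempts, attacker))
```

Two points carry over to the real data: count distinct passwords separately from attempts, because scanners often retry a value, and pair the correct password with its first appearance from the guessing host, not the last, when measuring the delay to the compromised login.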