High Level Details:
Attacker 1: 40.80.148.42
Attacker 2: 23.22.63.114
CMS: Joomla
Site: imreallynotbatman.com
Site IP: 192.168.250.70
Firewall devname: gotham-fortigate
Workstation: we8105desk, 192.168.250.100 (Bob Smith)
Q1 - This is a simple question to get you familiar with submitting answers. What is the name of the company that makes the software that you are using for this competition? Just a six-letter word with no punctuation.
This is a simple one to start things off.
Answer: Splunk
Q2 - Web Defacement: What content management system is imreallynotbatman.com likely using? (Please do not include punctuation such as . , ! ? in your answer. We are looking for alpha characters only.)
Q3 - Web Defacement: What is the likely IP address of someone from the Po1s0n1vy group scanning imreallynotbatman.com for web application vulnerabilities?
Q4 Web Defacement: What company created the web vulnerability scanner used by Po1s0n1vy? Type the company name. (For example, "Microsoft" or "Oracle")
Q5 Web Defacement: What IP address is likely attempting a brute force password attack against imreallynotbatman.com?
Q6 Web Defacement: What was the first brute force password used?
Q7 Web Defacement: What is the name of the executable uploaded by Po1s0n1vy? Please include the file extension. (For example, "notepad.exe" or "favicon.ico")
Q8 Web Defacement: What is the MD5 hash of the executable uploaded?
Q9 Web Defacement: What was the correct password for admin access to the content management system running "imreallynotbatman"?
Q10 Web Defacement: What is the name of the file that defaced the imreallynotbatman website? Please submit only the name of the file with the extension (For example, "notepad.exe" or "favicon.ico").
This was a tough question, and we had to work on the understanding that the attacker had logged into this host and was operating internally. Since nothing in the local file-execution logs was helpful, I built a query looking for signs of remote file execution over HTTP with a GET request. I then looked at byte size and filtered further, as I wanted to start with the largest GET request.
index=* AND src_ip=192.168.250.70
AND sourcetype=suricata
AND "http.http_method"=GET
AND event_type=http
AND "http.url"="*"
Q11 Web Defacement: This attack used dynamic DNS to resolve to the malicious IP. What is the fully qualified domain name (FQDN) associated with this attack?
Using the query from question 12, we can see the hostname that the request resolved to, which is our answer.
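The same filtering logic, run outside Splunk over raw Suricata EVE JSON, as an added example that is not part of the original write-up: it keeps HTTP events whose source is the web server itself (the server fetching something, rather than serving a client), keeps only GET requests, sorts them by response body size so the largest download comes first (the Q10 approach), and lists the remote hostnames those requests resolved to (the Q11 step). The sample log lines are constructed; only the web server IP 192.168.250.70 comes from the write-up, while the hostname, URL, destination IP and byte counts are placeholders.

```python
import json
from collections import namedtuple

# Constructed sample EVE JSON lines (not BOTS data). 192.168.250.70 is the web
# server from the write-up; everything else is a placeholder value.
SAMPLE_EVE = """
{"timestamp":"2016-08-10T21:00:01.000000+0000","event_type":"http","src_ip":"192.168.250.70","dest_ip":"203.0.113.10","http":{"hostname":"staging.example.invalid","url":"/defacement-image.jpeg","http_method":"GET","status":200,"length":1234567}}
{"timestamp":"2016-08-10T21:00:02.000000+0000","event_type":"http","src_ip":"192.168.250.70","dest_ip":"203.0.113.10","http":{"hostname":"staging.example.invalid","url":"/small.txt","http_method":"GET","status":200,"length":512}}
{"timestamp":"2016-08-10T21:00:03.000000+0000","event_type":"http","src_ip":"198.51.100.7","dest_ip":"192.168.250.70","http":{"hostname":"imreallynotbatman.com","url":"/joomla/administrator/index.php","http_method":"POST","status":303,"length":0}}
{"timestamp":"2016-08-10T21:00:04.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.168.250.70","alert":{"signature_id":1000001}}
{"timestamp":"2016-08-10T21:00:05.000000+0000","event_type":"http","src_ip":"192.168.250.70","dest_ip":"203.0.113.10","http":{"hostname":"staging.example.invalid","url":"/","http_method":"GET","status":404}}
"""

OutboundGet = namedtuple("OutboundGet", "timestamp hostname url length")


def parse_eve(text):
    """Yield one dict per non-blank EVE JSON line, skipping unparseable lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def outbound_gets(events, server_ip):
    """Mirror the SPL filter: event_type=http, src_ip=<server>, method GET."""
    results = []
    for ev in events:
        if ev.get("event_type") != "http" or ev.get("src_ip") != server_ip:
            continue
        http = ev.get("http", {})
        if http.get("http_method") != "GET":
            continue
        # Suricata's http.length is the body size; missing on e.g. 404s, so default 0.
        length = int(http.get("length") or 0)
        results.append(OutboundGet(ev.get("timestamp"), http.get("hostname"),
                                   http.get("url"), length))
    return results


def largest_first(records):
    """Order candidate downloads by body size, biggest first (Q10 approach)."""
    return sorted(records, key=lambda r: r.length, reverse=True)


def remote_hostnames(records):
    """Distinct hostnames the server reached out to (the Q11 FQDN step)."""
    return sorted({r.hostname for r in records if r.hostname})


if __name__ == "__main__":
    gets = outbound_gets(parse_eve(SAMPLE_EVE), "192.168.250.70")
    for rec in largest_first(gets):
        print(f"{rec.length:>10} {rec.hostname}{rec.url}")
    print("resolved hostnames:", remote_hostnames(gets))
```

Inbound requests to the server (the POST from 198.51.100.7) and non-HTTP event types are dropped before sorting, which is what keeps the server's own outbound fetches from being buried under normal client traffic.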
Q12 Web Defacement: What IP address has Po1s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises?
Q13 Web Defacement: Based on the data gathered from this attack and common open-source intelligence sources for domain names, what is the email address most likely associated with the Po1s0n1vy APT group?
Q14 Web Defacement: GCPD reported that common TTP (Tactics, Techniques, Procedures) for the Po1s0n1vy APT group, if initial compromise fails, is to send a spear-phishing email with custom malware attached to their intended target. This malware is usually connected to Po1s0n1vy's initial attack infrastructure. Using research techniques, provide the SHA256 hash of this malware.
Q15 Web Defacement: What is the special hex code associated with the customized malware discussed in the previous question? (Hint: It's not in Splunk)
Q16 Web Defacement: One of Po1s0n1vy's staged domains has some disjointed "unique" whois information. Concatenate the two codes together and submit them as a single answer.
Q17 Web Defacement: One of the passwords in the brute force attack is James Brodsky's favorite Coldplay song. Hint: we are looking for a six-character word on this one. Which is it?
Q18 Web Defacement: What was the average password length used in the password brute-forcing attempt? (Round to a closest whole integer. For example "5" not "5.23213")
Q19 Web Defacement: How many seconds elapsed between the time the brute force password scan identified the correct password and the compromised login? Round to 2 decimal places.
Q20 Web Defacement: How many unique passwords were attempted in the brute force attempt?
Q21 Ransomware: What fully qualified domain name (FQDN) makes the Cerber ransomware attempt to direct the user to at the end of its encryption phase?
Q22 Ransomware: What was the most likely IP address of we8105desk in 24AUG2016?
Q23 Ransomware: Amongst the Suricata signatures that detected the Cerber malware, which one alerted the fewest number of times? Submit ONLY the signature ID value as the answer. (No punctuation, just 7 integers.)
Q24 Ransomware: The VBScript found in question 25 launches 121214.tmp. What is the ParentProcessId of this initial launch?
Q25 Ransomware: During the initial Cerber infection a VB script is run. The entire script from this execution, pre-pended by the name of the launching .exe, can be found in a field in Splunk. What is the length in characters of the value of this field?
Q26 Ransomware: The malware downloads a file that contains the Cerber ransomware crypto code. What is the name of that file?
Q27 Ransomware: Now that you know the name of the ransomware's encryptor file, what obfuscation technique does it likely use?
Q28 Ransomware: What is the name of the USB key inserted by Bob Smith?
Q29 Ransomware: Bob Smith's workstation (we8105desk) was connected to a file server during the ransomware outbreak. What is the IP address of the file server?
Q30 Ransomware: How many distinct PDFs did the ransomware encrypt on the remote file server?
Q31 Ransomware: The Cerber ransomware encrypts files located in Bob Smith's Windows profile. How many .txt files does it encrypt?
Q32 Ransomware: What was the first suspicious domain visited by we8105desk in 24AUG2016?