Cyberdefenders - Tomcat Takeover

Tomcat Takeover

Info

  • Category : Network Forensics
  • SHA1SUM : 56cc3f2aed9beb326eec027ae5dc9971a37da57d
  • Published : Sept. 15, 2023, 4 p.m.
  • Author : Chadou
  • Size : 459 KB
  • Tags : Wireshark PCAP Tomcat Network NetworkMiner
  • Password : cyberdefenders.org

Scenario

Our SOC team has detected suspicious activity on one of the web servers within the company’s intranet. In order to gain a deeper understanding of the situation, the team has captured network traffic for analysis. This pcap file potentially contains a series of malicious activities that have resulted in the compromise of the Apache Tomcat web server. We need to investigate this incident further.

Cyberdefenders - Redline

Redline

Info

  • Category : Digital Forensics
  • SHA1SUM : 7c54f50cefed2e2a8947368c0de41bbb665fe483
  • Published : June 2, 2023
  • Author : Ahmed Tammam
  • Size : 839 MB
  • Tags : Volatility NIDS Network Intrusion Detection System

Uncompress the challenge (pass: cyberdefenders.org)

Scenario

As a member of the Security Blue Team, your assignment is to analyze a memory dump using the Redline and Volatility tools. Your goal is to trace the steps taken by the attacker on the compromised machine and determine how they managed to bypass the Network Intrusion Detection System (NIDS). Your investigation will involve identifying the specific malware family employed in the attack, along with its characteristics. Additionally, your task is to identify and mitigate any traces or footprints left by the attacker.

Cyberdefenders - Insider

Insider

Info

  • Category : Digital Forensics
  • SHA1SUM : d820264d825fdaeb2146bf7b4c4e03684e700007
  • Published : May 25, 2021
  • Author : Champlain College
  • Size : 83 MB
  • Tags : Disk Linux FTK Kali

Uncompress the challenge (pass: cyberdefenders.org)

Scenario

After Karen started working for ‘TAAUSAI,’ she began to do some illegal activities inside the company. ‘TAAUSAI’ hired you as a SOC analyst to kick off an investigation on this case.

You acquired a disk image and found that Karen uses Linux OS on her machine. Analyze the disk image of Karen’s computer and answer the provided questions.

Cyberdefenders - Bucket

Bucket

Info

  • Category : Digital Forensics
  • SHA1SUM : fb393619f09c8e9d7272f305329601645e5aa952
  • Published : Dec. 7, 2021
  • Author : Scott Piper
  • Size : 356 Bytes
  • Tags : AWS cloud IR 'log analysis'

Unzip the challenge (pass: cyberdefenders.org)

Instructions

Use the provided credentials to access AWS cloud trail logs and answer the questions.

Scenario

Welcome, Defender! As a SOC analyst, we’re granting you access to the AWS account called “Security” as an IAM user. This account contains a copy of the logs from the time period of the incident and has the ability to assume the “Security” role in the target account, so you can look around to spot the misconfigurations that allowed this attack to happen.

FCSC 2023 - APT Style

APT Style

Category : forensics

General description for the series

As CISO, you are (belatedly) preparing the migration of the user workstations in your fleet to Windows 10.

To do this, you ask one of your colleagues to prepare an installation ISO and, given how important it is that this installation medium be harmless, you decide to test it. You observe strange behaviour on the newly installed machine… You then decide to dissect this ISO in order to understand where this behaviour comes from.

FCSC 2023 - La gazette de Windows

La gazette de Windows

Category : Intro - forensics

Statement

It seems that a user is running suspicious PowerShell scripts on his machine. Fortunately, logging is enabled on this machine and we were able to recover the PowerShell event log. Find what was sent to the attacker.

SHA256(Microsoft-Windows-PowerShell%4Operational.evtx) = 770b92f7c98ffb708c3e364753ee4bb569ccc810dd5891cbaf1363c2063ddd78

Solve

Check the integrity of the log file :

sha256sum Microsoft-Windows-PowerShell4Operational.evtx | grep 770b92f7c98ffb708c3e364753ee4bb569ccc810dd5891cbaf1363c2063ddd78

770b92f7c98ffb708c3e364753ee4bb569ccc810dd5891cbaf1363c2063ddd78  Microsoft-Windows-PowerShell4Operational.evtx

We will use the evtx tool to parse the .evtx :